Linux: Add support for threads in both lsof and sockstat plugins.

gcmoreira commented 2 months ago

This PR includes:

lsof plugin: source code refactored.
lsof plugin: Added the device column to complete the inode information. An inode number is specific to the filesystem/device it belongs to.
lsof/sockstat plugins: Add threads support.
- Threads may or may not share the file descriptor table with the thread group leader, depending on whether the CLONE_FILES flag is included in the clone() syscall.
- Also, once started, a thread can unshare the fd table with its parent. Refer to the unshare() libc syscall wrapper man page, unshare(2).
- Additionally, note that the Linux lsof command in user space includes thread listings by default as well.
- Now, there are two columns to identify the thread group ID (PID) and the task/thread ID (TID).
Added inode getters from both, the dentry and file structs. From kernels +3.9 the file struct caches the inode pointer. So, when possible, we get this value.
Improve smear protection in these plugins and various APIs (https://github.com/volatilityfoundation/volatility3/pull/1243)

pyhon3 ./vol.py -r pretty \
    ../linux-sample-1.bin \
    linux.lsof 
Volatility 3 Framework 2.10.0
  |  PID |  TID |         Process |  FD |                       Path | Device |      Inode | Type |       Mode |                        Changed |                       Modified |                       Accessed |    Size
* |  322 |  322 |           udevd |   0 |                  /dev/null |    0:5 |       1520 |  CHR | crw-rw-rw- | 2014-06-24 10:22:36.468000 UTC | 2014-06-24 10:22:36.468000 UTC | 2014-06-24 10:22:36.468000 UTC |       0
...
* | 3968 | 3973 |           gdbus |  17 |             /tmp/vteNVRRHX |    8:1 |       7132 |  REG | -rw------- | 2014-06-24 10:41:49.976800 UTC | 2014-06-24 10:41:49.976800 UTC | 2014-06-24 10:41:46.448800 UTC |   29281
* | 3968 | 3974 |    dconf worker |   1 | /home/vol/.xsession-errors |    8:1 |     928155 |  REG | -rw------- | 2014-06-24 13:00:20.836818 UTC | 2014-06-24 13:00:20.836818 UTC | 2014-06-24 10:29:34.176798 UTC |    5249
...


python3 ./vol.py -r pretty \
    ../linux-sample-1.bin \
    linux.sockstat.Sockstat 
Volatility 3 Framework 2.10.0     
  | NetNS |  PID |  TID | FD |    Sock Offset |       Family |      Type |                  Proto |                             Source Addr | Source Port |                       Destination Addr | Destination Port |       State |                                         Filter
* |     - |  322 |  322 |  3 | 0x88001b61b0c0 |      AF_UNIX | SEQPACKET |                      - |                       /run/udev/control |        3693 |                                      - |                - | UNCONNECTED |                                              -
...
* |     - | 2652 | 2657 |  7 | 0x88001adf0880 |      AF_UNIX |    STREAM |                      - |                                       - |        7183 |        /var/run/dbus/system_bus_socket |             7184 | ESTABLISHED |                                              -
* |     - | 2652 | 2657 |  9 | 0x88001adf0200 |      AF_UNIX |    STREAM |                      - |                                       - |        7216 |        /var/run/dbus/system_bus_socket |             7217 | ESTABLISHED |                                              -

gcmoreira commented 1 month ago

Ok, after a very long day fighting with my friend GIT and the changes in #1271 + related commits.. I think I managed to resolve all the conflicts

gcmoreira commented 1 month ago

@ikelos all done

volatilityfoundation / volatility3

Linux: Add support for threads in both lsof and sockstat plugins. #1263