volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Linux lsof: Add namespace dentry name #1264

Closed gcmoreira closed 1 month ago

gcmoreira commented 2 months ago

This PR adds namespace dentry name support. Additionally, it improves the pointer address verification (ref. https://github.com/volatilityfoundation/volatility3/pull/1243).

Before:

$ python3 ./vol.py -r pretty \
    -f .../ubuntu180464bit_5.4.0-117.core \
    linux.lsof 
Volatility 3 Framework 2.10.0
  |  PID |         Process |  FD |                                                                Path |      Inode | Type |       Mode |                        Changed |                       Modified |                       Accessed |    Size
...
* |  770 |           lxcfs |   4 |                                                           /dev/fuse |         87 |  CHR | crw-rw-rw- | 2024-09-10 23:22:35.468000 UTC | 2024-09-10 23:22:35.468000 UTC | 2024-09-10 23:22:35.468000 UTC |       0
* |  770 |           lxcfs |   5 |                    <unsupported d_op symbol: ns_dname>:[4026532471] | 4026532471 |  REG | -r--r--r-- | 2024-09-10 23:22:37.936000 UTC | 2024-09-10 23:22:37.936000 UTC | 2024-09-10 23:22:37.936000 UTC |       0
* |  770 |           lxcfs |   6 |                                         /run/lxcfs/controllers/rdma |          1 |  DIR | dr-xr-xr-x | 2024-09-10 23:22:34.852000 UTC | 2024-09-10 23:22:34.852000 UTC | 2024-09-10 23:22:34.852000 UTC |       0

After:

$ python3 ./vol.py -r pretty \
    -f .../ubuntu180464bit_5.4.0-117.core \
    linux.lsof 
Volatility 3 Framework 2.10.0
  |  PID |         Process |  FD |                                                                Path |      Inode | Type |       Mode |                        Changed |                       Modified |                       Accessed |    Size
...
* |  770 |           lxcfs |   4 |                                                           /dev/fuse |         87 |  CHR | crw-rw-rw- | 2024-09-10 23:22:35.468000 UTC | 2024-09-10 23:22:35.468000 UTC | 2024-09-10 23:22:35.468000 UTC |       0
* |  770 |           lxcfs |   5 |                                                    mnt:[4026532471] | 4026532471 |  REG | -r--r--r-- | 2024-09-10 23:22:37.936000 UTC | 2024-09-10 23:22:37.936000 UTC | 2024-09-10 23:22:37.936000 UTC |       0
* |  770 |           lxcfs |   6 |                                         /run/lxcfs/controllers/rdma |          1 |  DIR | dr-xr-xr-x | 2024-09-10 23:22:34.852000 UTC | 2024-09-10 23:22:34.852000 UTC | 2024-09-10 23:22:34.852000 UTC |       0
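The name the fixed plugin now prints, `mnt:[4026532471]`, is the string the kernel's `ns_dname()` builds for a namespace dentry (type name from the namespace's `proc_ns_operations`, then the inode number in brackets), the same form `/proc/<pid>/ns/*` links show. The following is an added example, not code from this PR or from the volatility3 project: it re-implements that formatting and then pulls namespace descriptors out of `linux.lsof -r pretty` output such as the listing above, so a responder can see which processes hold a handle to the same namespace. The `SAMPLE_LSOF` rows are constructed (the `runc` and `cron` lines are not from the page), the list of namespace type names is an assumption taken from the kernel's `proc_ns_operations` names, and the pre-fix `<unsupported d_op symbol: ns_dname>` form is handled as an unresolved entry whose namespace type cannot be recovered.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Names used by the kernel's proc_ns_operations structures (mntns_operations is
# "mnt", netns_operations is "net", ...). ns_dname() renders a namespace dentry
# as "<name>:[<inode>]". This set is an assumption of the example, not something
# the PR or the plugin defines.
NAMESPACE_OPS_NAMES = frozenset(
    {"mnt", "net", "pid", "pid_for_children", "user", "uts", "ipc",
     "cgroup", "time", "time_for_children"}
)


def ns_dname(ops_name: str, inode: int) -> str:
    """Re-implementation (for this example only) of the kernel's ns_dname()
    format "%s:[%lu]"; it is not the Volatility plugin's code."""
    if ops_name not in NAMESPACE_OPS_NAMES:
        raise ValueError(f"unknown namespace ops name: {ops_name!r}")
    return f"{ops_name}:[{inode}]"


# Constructed sample in the `-r pretty` layout of linux.lsof, trimmed to the
# columns this example needs. The last row imitates the pre-fix output.
SAMPLE_LSOF = """\
  |  PID |  Process |  FD |                 Path |      Inode | Type
* |  770 |    lxcfs |   4 |            /dev/fuse |         87 |  CHR
* |  770 |    lxcfs |   5 |     mnt:[4026532471] | 4026532471 |  REG
* |  770 |    lxcfs |   6 | /run/lxcfs/controllers/rdma |  1 |  DIR
* |  912 |     runc |   7 |     mnt:[4026532471] | 4026532471 |  REG
* |  912 |     runc |   8 |     net:[4026532520] | 4026532520 |  REG
* |  455 |     cron |   3 | <unsupported d_op symbol: ns_dname>:[4026532600] | 4026532600 |  REG
"""

# Resolved namespace name, e.g. "mnt:[4026532471]".
NS_PATH_RE = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")
# Pre-fix rendering: the inode survives but the namespace type does not.
UNRESOLVED_RE = re.compile(r"^<unsupported d_op symbol: ns_dname>:\[(?P<inode>\d+)\]$")


class NsFd(NamedTuple):
    pid: int
    process: str
    fd: int
    kind: str     # namespace type, or "unresolved" for pre-fix output
    inode: int


def parse_namespace_fds(lsof_text: str) -> List[NsFd]:
    """Return the descriptors whose Path column is a namespace dentry name.

    Rows are split on the '|' separator of the pretty renderer: cell 0 is the
    tree-marker column, then PID, Process, FD, Path, Inode.
    """
    found: List[NsFd] = []
    for line in lsof_text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 6 or not (cells[1].isdigit() and cells[3].isdigit()):
            continue  # header or non-table line
        pid, process, fd, path = int(cells[1]), cells[2], int(cells[3]), cells[4]
        m = NS_PATH_RE.match(path)
        if m and m.group("kind") in NAMESPACE_OPS_NAMES:
            found.append(NsFd(pid, process, fd, m.group("kind"), int(m.group("inode"))))
            continue
        m = UNRESOLVED_RE.match(path)
        if m:
            found.append(NsFd(pid, process, fd, "unresolved", int(m.group("inode"))))
    return found


def namespaces_by_holder(fds: List[NsFd]) -> Dict[Tuple[str, int], List[Tuple[int, str]]]:
    """Group namespace descriptors by (kind, inode) so that every process keeping
    a handle to the same namespace open can be reviewed together."""
    holders: Dict[Tuple[str, int], List[Tuple[int, str]]] = defaultdict(list)
    for f in fds:
        holders[(f.kind, f.inode)].append((f.pid, f.process))
    return dict(holders)


if __name__ == "__main__":
    for (kind, inode), procs in namespaces_by_holder(parse_namespace_fds(SAMPLE_LSOF)).items():
        print(ns_dname(kind, inode) if kind != "unresolved" else f"?:[{inode}]", "held by", procs)
```

The grouping is the useful part for triage: with the namespace type now in the name, two processes whose descriptors resolve to the same `mnt:[...]` inode are visibly holding the same mount namespace, which the pre-fix string hid behind the unsupported-symbol marker.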
gcmoreira commented 1 month ago

Thanks @ikelos, you can merge it. I will update #1263 soon.