volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Linux - Add support for task threads in kernels >= 6.7 #1311

Closed gcmoreira closed 1 month ago

gcmoreira commented 1 month ago

In Linux kernels 6.7 (https://github.com/torvalds/linux/commit/8e1f385104ac044f1552686ad6e1cbc71cc05a30) the task_struct's thread_group member was removed. The changes in this PR allow fetching task threads from the signal handlers. This will work from kernel 3.14, when the thread_head was added to the signal_struct. This is also how the kernel obtains the task threads since then. Otherwise, it will use the previous method via the thread_group member. This fix revives all plugins that enumerate threads when running with kernels 6.7 and above.

Before:

$ python3 ./vol.py \
  -f ./dump_ubuntu2404amd64_6.8.0-41-generic.core \
  linux.pslist --threads 
Volatility 3 Framework 2.11.0
OFFSET (V)      PID     TID     PPID    COMM    File output

0x981e8130a900  1       1       0       systemd DisabledTraceback (most recent call last):
...
  File "/home/user/vol3_fix_pslist_thread_group/volatility3/framework/symbols/linux/extensions/__init__.py", line 372, in get_threads
    for task in self.thread_group.to_list(
  File "/home/user/vol3_fix_pslist_thread_group/volatility3/framework/objects/__init__.py", line 969, in __getattr__
    raise AttributeError(
AttributeError: StructType has no attribute: symbol_table_name1!task_struct.thread_group

After:

$ python3 ./vol.py \
  -f ./dump_ubuntu2404amd64_6.8.0-41-generic.core \
  linux.pslist --threads 
Volatility 3 Framework 2.11.0
OFFSET (V)      PID     TID     PPID    COMM    File output

0x981e8130a900  1       1       0       systemd Disabled
0x981e81308000  2       2       0       kthreadd        Disabled
0x981e8130d200  3       3       2       pool_workqueue_ Disabled
0x981e81398000  4       4       2       kworker/R-rcu_g Disabled
0x981e8139d200  5       5       2       kworker/R-rcu_p Disabled
0x981e8139a900  6       6       2       kworker/R-slub_ Disabled
0x981e813a0000  7       7       2       kworker/R-netns Disabled
0x981e813a2900  9       9       2       kworker/0:0H    Disabled
0x981e813a8000  12      12      2       kworker/R-mm_pe Disabled
0x981e813b0000  13      13      2       rcu_tasks_kthre Disabled
0x981e813b5200  14      14      2       rcu_tasks_rude_ Disabled
0x981e813b2900  15      15      2       rcu_tasks_trace Disabled
0x981e813b8000  16      16      2       ksoftirqd/0     Disabled
0x981e813bd200  17      17      2       rcu_preempt     Disabled
0x981e813ba900  18      18      2       migration/0     Disabled
0x981e813ca900  19      19      2       idle_inject/0   Disabled
0x981e813c8000  20      20      2       cpuhp/0 Disabled
0x981e813cd200  21      21      2       kdevtmpfs       Disabled
0x981e813f5200  22      22      2       kworker/R-inet_ Disabled
0x981e813f0000  24      24      2       kauditd Disabled
0x981e81b78000  25      25      2       khungtaskd      Disabled
0x981e81b7d200  26      26      2       oom_reaper      Disabled
0x981e81b82900  28      28      2       kworker/R-write Disabled
0x981e81b80000  29      29      2       kcompactd0      Disabled
0x981e81b85200  30      30      2       ksmd    Disabled
0x981e81ba8000  31      31      2       kworker/R-kinte Disabled
0x981e81bad200  32      32      2       kworker/R-kbloc Disabled
0x981e81baa900  33      33      2       kworker/R-blkcg Disabled
0x981e81bc5200  34      34      2       irq/9-acpi      Disabled
0x981e81bc2900  35      35      2       kworker/R-tpm_d Disabled
0x981e81bc0000  36      36      2       kworker/R-ata_s Disabled
0x981e81c30000  37      37      2       kworker/R-md    Disabled
0x981e81c35200  38      38      2       kworker/R-md_bi Disabled
0x981e81c32900  39      39      2       kworker/R-edac- Disabled
0x981e81c3d200  40      40      2       kworker/R-devfr Disabled
0x981e81c3a900  41      41      2       watchdogd       Disabled
0x981e81c38000  42      42      2       kworker/0:1H    Disabled
0x981e81e08000  43      43      2       kswapd0 Disabled
0x981e81e0d200  44      44      2       ecryptfs-kthrea Disabled
0x981e81e0a900  45      45      2       kworker/R-kthro Disabled
0x981e82a78000  46      46      2       kworker/R-acpi_ Disabled
0x981e82a7d200  47      47      2       scsi_eh_0       Disabled
0x981e82a7a900  48      48      2       kworker/R-scsi_ Disabled
0x981e86055200  49      49      2       scsi_eh_1       Disabled
0x981e86052900  50      50      2       kworker/R-scsi_ Disabled
0x981e8608a900  53      53      2       kworker/R-mld   Disabled
0x981e86088000  54      54      2       kworker/R-ipv6_ Disabled
0x981e86902900  61      61      2       kworker/R-kstrp Disabled
0x981e86905200  63      63      2       kworker/u3:0    Disabled
0x981e870ad200  68      68      2       kworker/R-crypt Disabled
0x981e870a8000  78      78      2       kworker/R-charg Disabled
0x981e9c348000  141     141     2       kworker/R-kdmfl Disabled
0x981e9c34d200  167     167     2       kworker/R-raid5 Disabled
0x981e9c382900  206     206     2       jbd2/dm-0-8     Disabled
0x981e9c380000  207     207     2       kworker/R-ext4- Disabled
0x981e8711a900  277     277     1       systemd-journal Disabled
0x981e9c378000  301     301     2       kworker/R-kmpat Disabled
0x981e9c385200  302     302     2       kworker/R-kmpat Disabled
0x981e9c37a900  329     329     1       multipathd      Disabled
0x981e871ba900  329     340     1       multipathd      Disabled
0x981e871c0000  329     342     1       multipathd      Disabled
0x981e871b8000  329     343     1       multipathd      Disabled
0x981e870b8000  329     344     1       multipathd      Disabled
0x981e870ba900  329     345     1       multipathd      Disabled
0x981e870bd200  329     346     1       multipathd      Disabled
0x981e871c2900  341     341     1       systemd-udevd   Disabled
0x981e8710d200  348     348     2       psimon  Disabled
0x981e858b2900  404     404     2       jbd2/vda2-8     Disabled
0x981e858b5200  405     405     2       kworker/R-ext4- Disabled
0x981e82d7a900  458     458     1       systemd-network Disabled
0x981e828a8000  475     475     1       rpcbind Disabled
0x981e82d6d200  483     483     1       systemd-resolve Disabled
0x981e85e92900  490     490     1       systemd-timesyn Disabled
0x981e871bd200  490     551     1       sd-resolve      Disabled
0x981e828ad200  531     531     2       kworker/R-rpcio Disabled
0x981e828a5200  532     532     2       kworker/R-xprti Disabled
0x981e82515200  562     562     2       kworker/R-cfg80 Disabled
0x981e8257a900  573     573     1       dbus-daemon     Disabled
0x981e82512900  577     577     1       polkitd Disabled
0x981e85e90000  577     665     1       gmain   Disabled
0x981e84945200  577     669     1       pool-spawner    Disabled
0x981e84942900  577     670     1       gdbus   Disabled
0x981e82d68000  585     585     1       systemd-logind  Disabled
0x981e85e88000  587     587     1       udisksd Disabled
0x981e9c37d200  587     604     1       gmain   Disabled
0x981e84542900  587     608     1       pool-spawner    Disabled
0x981e836f0000  587     613     1       gdbus   Disabled
0x981e836e8000  587     705     1       probing-thread  Disabled
0x981e84938000  587     713     1       cleanup Disabled
0x981e841e2900  614     614     1       rsyslogd        Disabled
0x981e841d2900  614     650     1       in:imuxsock     Disabled
0x981e836ed200  614     651     1       in:imklog       Disabled
0x981e841d0000  614     653     1       rs:main Q:Reg   Disabled
0x981e8493a900  692     692     1       ModemManager    Disabled
0x981e836ea900  692     706     1       gmain   Disabled
0x981e841d5200  692     707     1       pool-spawner    Disabled
0x981e82510000  692     710     1       gdbus   Disabled
0x981e84545200  739     739     1       cron    Disabled
0x981e836fd200  750     750     1       agetty  Disabled
0x981e8494d200  778     778     1       sshd    Disabled
0x981e8494a900  779     779     778     sshd    Disabled
0x981e87118000  782     782     2       psimon  Disabled
0x981e828a2900  784     784     1       systemd Disabled
0x981e828a0000  785     785     784     (sd-pam)        Disabled
0x981e82bdd200  824     824     779     sshd    Disabled
0x981e82bda900  825     825     824     bash    Disabled
0x981e87108000  957     957     1       upowerd Disabled
0x981e82d6a900  957     959     1       pool-spawner    Disabled
0x981e8493d200  957     960     1       gmain   Disabled
0x981e8711d200  957     961     1       gdbus   Disabled
0x981e836f2900  1451    1451    2       kworker/0:2     Disabled
0x981e8257d200  1557    1557    2       kworker/u2:0    Disabled
0x981e841e0000  1575    1575    2       kworker/u2:3    Disabled
0x981e813aa900  1619    1619    2       kworker/u2:2    Disabled
0x981e84948000  1637    1637    2       kworker/0:1     Disabled
0x981e871c5200  1650    1650    2       kworker/0:0     Disabled
0x981e8710a900  1651    1651    2       kworker/0:3     Disabled
0x981e82578000  1653    1653    2       kworker/u2:1    Disabled
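The fallback order the PR description lays out (prefer signal_struct.thread_head, fall back to task_struct.thread_group, fail with AttributeError when neither exists) as an added, self-contained example; this is not the PR's or volatility3's code. It walks a constructed byte-level memory image with hand-made offsetof() tables (NEW/OLD) instead of the framework's symbol tables, and the 64-bit little-endian layouts, struct sizes and PIDs are all assumptions of the example.

```python
import struct
class Image:  # constructed flat memory image: little-endian, 64-bit pointers
    def __init__(self, base, data):
        self.base, self.data = base, data
    def read(self, fmt, addr):
        return struct.unpack_from(fmt, self.data, addr - self.base)[0]
    def list_entries(self, head, member_off):
        # Walk a circular list_head from `head`, yielding each containing struct's
        # address (container_of: entry - offsetof(member)); the seen-set stops loops.
        seen, cur = set(), self.read("<Q", head)   # head.next
        while cur != head and cur not in seen:
            seen.add(cur)
            yield cur - member_off
            cur = self.read("<Q", cur)
# Constructed offsetof() tables standing in for the profile's symbol table.
NEW = dict(pid=0, signal=8, thread_node=16, size=32, thread_head=0)  # kernel >= 3.14
OLD = dict(pid=0, thread_group=8, size=24)                            # kernel < 3.14

def get_threads(img, task, layout):
    """PIDs of every thread in task's group: thread_head first, thread_group as fallback."""
    if "thread_head" in layout:
        head = img.read("<Q", task + layout["signal"]) + layout["thread_head"]
        tasks = img.list_entries(head, layout["thread_node"])
    elif "thread_group" in layout:  # the leader's own node doubles as the list head
        others = img.list_entries(task + layout["thread_group"], layout["thread_group"])
        tasks = [task, *others]
    else:
        raise AttributeError("task_struct has neither thread_head nor thread_group")
    return [img.read("<I", t + layout["pid"]) for t in tasks]

def _link_ring(data, base, ring):  # next/prev pointers forming a circular list
    for i, addr in enumerate(ring):
        struct.pack_into("<QQ", data, addr - base, ring[(i + 1) % len(ring)], ring[i - 1])

def build_new_image(base, pids):  # signal_struct at base, task_structs after it
    tasks = [base + 16 + i * NEW["size"] for i in range(len(pids))]
    data = bytearray(16 + NEW["size"] * len(pids))
    _link_ring(data, base, [base] + [t + NEW["thread_node"] for t in tasks])
    for pid, t in zip(pids, tasks):  # pid, tgid, pointer to the shared signal_struct
        struct.pack_into("<IIQ", data, t - base, pid, pids[0], base)
    return Image(base, bytes(data)), tasks

def build_old_image(base, pids):  # no signal.thread_head: thread_group nodes only
    tasks = [base + i * OLD["size"] for i in range(len(pids))]
    data = bytearray(OLD["size"] * len(pids))
    _link_ring(data, base, [t + OLD["thread_group"] for t in tasks])
    for pid, t in zip(pids, tasks):  # pid, tgid
        struct.pack_into("<II", data, t - base, pid, pids[0])
    return Image(base, bytes(data)), tasks
```

Calling `get_threads` on any thread of a group returns the whole group under both layouts, which is what lets pslist list the multipathd TIDs above without touching the removed member.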