ikelos
commented
1 week ago The core problem here is we all have a concept of what a "physical layer" should be and in general we can all come to an agreement about it, but that's not specific enough when it comes certain possibilities, more specifically where a memory layer is actually made up of several different components (such as swap, or compressed memory regions).
Situations involving nesting (such as virtualization where physical memory of the guest can live within the virtual memory of the host) can usually be dealt with by "one layer below the paging layer" and that tends to work, and mostly that's how people have gotten past the situation. This again runs up against the problem of layers being a tree and not a simple one-on-one stack. How do you choose which parent you actually needed, did they want the swap, or the RAM or both in some weird accessible way? How should we stitch them together? This is why there is not and has not been work towards, providing a single unified mechanism. Layers expose which sub layers make them up (through the dependencies field), and specific, well known layers (like intel) have named children (memory_layer) and that's why those techniques are used, because on the whole they work, but there are certain situations they don't work which would then require massively hacky solutions to provide and we'd be right back where we were...
This gets worse if the model were a more flexible graph structure, where one layer be stored encoded (for example compressed) chunks of the virtual layer, next to unencoded chunks of the virtual layer.
So I'm happy to discuss mechanisms that could be used to describe and allow access to these things appropriately, but I haven't found a good one that can completely describe all possible situations accurately yet...
eve-mem
Description
Currently, in Volatility3, there is no automatic mechanism to identify which layer represents the 'physical layer' in a given memory image. While a few plugins attempt to infer the physical layer in roundabout ways (e.g., finding the intel layer and getting the next lowest), it would be good to standardize it.
A standardized method for determining the physical layer would improve plugin reliability and reduce redundancy in plugin-specific logic.
Motivation
A few plugins require knowledge of the physical layer for accurate memory analysis. The lack of a uniform mechanism to identify it leads to some repetitive code across plugins, and might lead to some inaccuracies if assumptions about the physical layer are incorrect. It would be great if there a way central way to do this in vol.
As support for more architectures and swap grows, identifying the 'physical layer' becomes increasingly important, and it's not as straightforward as it might initially appear.
Additional Context
This enhancement would help avoid future pitfalls of the current strategies used by some plugins and parts of the framework. For example:
(At least I think of all these examples could benefit form some central mechanism, happy to be shown I'm wrong..!)
Also affects this currently open PR- https://github.com/volatilityfoundation/volatility3/pull/1321
Thanks :fox_face: