Mac - add more sources of vnodes for cached file enumeration

atcuno · atcuno · commit 17a2dfa95278 · 2019-04-29T14:20:34.000-05:00
diff --git a/volatility/plugins/mac/list_files.py b/volatility/plugins/mac/list_files.py
@@ -41,18 +41,45 @@ def __init__(self, config, *args, **kwargs):
             help = 'Show orphans (vnodes without a parent)', 
             action = 'store_true')
 
+    @staticmethod
+    def walk_vnodelist(listhead, loop_vnodes):
+        seen = set()
+
+        vnode = listhead.tqh_first.dereference()
+        while vnode:
+            if vnode in seen:
+                break
+
+            loop_vnodes.add(vnode)
+            vnode = vnode.v_mntvnodes.tqe_next.dereference()
+        
+        return loop_vnodes
+
     @staticmethod
     def list_files(config):
     
         plugin = mac_mount.mac_mount(config)
         mounts = plugin.calculate()
         vnodes = {}
         parent_vnodes = {}
+        loop_vnodes = set()
 
+        seen = set()
         ## build an initial table of all vnodes 
         for mount in mounts:
-            vnode = mount.mnt_vnodelist.tqh_first.dereference()
+            loop_vnodes = mac_list_files.walk_vnodelist(mount.mnt_vnodelist, loop_vnodes)
+
+            loop_vnodes = mac_list_files.walk_vnodelist(mount.mnt_workerqueue, loop_vnodes)
+
+            loop_vnodes = mac_list_files.walk_vnodelist(mount.mnt_newvnodes, loop_vnodes)
+
+            loop_vnodes.add(mount.mnt_vnodecovered)
 
+            loop_vnodes.add(mount.mnt_realrootvp)
+
+            loop_vnodes.add(mount.mnt_devvp)
+
+        for vnode in loop_vnodes:
             while vnode:
                 ## abort here to prevent going in a loop 
                 if vnode.obj_offset in vnodes:
@@ -66,6 +93,7 @@ def list_files(config):
                 
                     entry = [name, None, vnode]
                     vnodes[vnode.obj_offset] = entry
+                
  
                 else:
                     name = vnode.v_name.dereference()
@@ -82,7 +110,7 @@ def list_files(config):
             
                     entry = [name, par_offset, vnode]
                     vnodes[vnode.obj_offset] = entry
-                
+                    
                 vnode = vnode.v_mntvnodes.tqe_next.dereference() 
 
         ## account for vnodes that aren't in the list but are 
@@ -114,7 +142,7 @@ def list_files(config):
                 vnodes[parent.obj_offset] = entry
                
                 parent = next_parent  
-
+        
         ## build the full paths for all directories
         for key, val in vnodes.items():
             name, parent, vnode = val
