detect smear in bash artifact enumeration

atcuno · atcuno · commit 7c0e805f9a4a · 2020-04-22T13:48:21.000-05:00
diff --git a/volatility/plugins/overlays/mac/mac.py b/volatility/plugins/overlays/mac/mac.py
@@ -564,10 +564,15 @@ def bash_hash_entries(self):
                     
                     if htable.is_valid():
                         bucket_array = obj.Object(theType="Array", targetType=addr_type, offset = htable.bucket_array, vm = htable.nbuckets.obj_vm, count = 64)
+                        seen = set()
 
                         for bucket_ptr in bucket_array:
                             bucket = obj.Object(bucket_contents_type, offset = bucket_ptr, vm = htable.nbuckets.obj_vm)
                             while bucket != None and bucket.times_found > 0:  
+                                if bucket.v() in seen:
+                                    break
+                                seen.add(bucket.v())
+
                                 pdata = bucket.data 
 
                                 if pdata == None:
