Update mount enumeration v2

Author: atcuno

volatility/plugins/linux/common.py

@@ -144,7 +144,7 @@ def walk_internal_list(struct_name, list_member, list_start, addr_space = None):
         list_start = getattr(list_struct, list_member)
 
 # based on __d_path
-def do_get_path(rdentry, rmnt, dentry, vfsmnt):
+def do_get_path(dentry, rmnt, rdentry, vfsmnt):
     ret_path = []
 
     inode = dentry.d_inode
@@ -153,16 +153,16 @@ def do_get_path(rdentry, rmnt, dentry, vfsmnt):
         return []
 
     while (dentry != rdentry or vfsmnt != rmnt) and dentry.d_name.name.is_valid():
-        dname = dentry.d_name.name.dereference_as("String", length = MAX_STRING_LENGTH)
-
-        ret_path.append(dname.strip('/'))
-
         if dentry == vfsmnt.mnt_root or dentry == dentry.d_parent:
+            ret_path.append('')
             if vfsmnt.mnt_parent == vfsmnt.v():
                 break
             dentry = vfsmnt.mnt_mountpoint
             vfsmnt = vfsmnt.mnt_parent
             continue
+        
+        dname = dentry.d_name.name.dereference_as("String", length = MAX_STRING_LENGTH)
+        ret_path.append(dname.strip('/'))
 
         parent = dentry.d_parent
         dentry = parent

volatility/plugins/linux/mount.py

@@ -67,12 +67,7 @@ def _parse_mnt(self, mnt, ns, fs_types):
         if not fstype.is_valid():
             return ret
 
-        #print fs_types
-        #if str(fstype) not in fs_types:
-        #    return ret
-
         path = linux_common.do_get_path(mnt.mnt_sb.s_root, mnt.mnt_parent, mnt.mnt_root, mnt)
-
         if path == []:
             return ret
 
@@ -173,7 +168,7 @@ def calculate(self):
         for t in tmp_mnts:
             tt = t.mnt_devname.dereference_as("String", length = linux_common.MAX_STRING_LENGTH)
             if tt:
-                if len(str(tt)) > 2:
+                if len(str(tt)) > 2 or str(tt)[0] == '/':
                     all_mnts.append(t)
 
         list_mnts    = {}