Merge pull request #1039 from Abyss-W4tcher/linux_extensions_patches

Linux extensions patches

Author: ikelos

volatility3/framework/symbols/linux/extensions/__init__.py

@@ -71,11 +71,11 @@ def get_name(self):
     def _get_sect_count(self, grp):
         """Try to determine the number of valid sections"""
         arr = self._context.object(
-            self.get_symbol_table().name + constants.BANG + "array",
+            self.get_symbol_table_name() + constants.BANG + "array",
             layer_name=self.vol.layer_name,
             offset=grp.attrs,
             subtype=self._context.symbol_space.get_type(
-                self.get_symbol_table().name + constants.BANG + "pointer"
+                self.get_symbol_table_name() + constants.BANG + "pointer"
             ),
             count=25,
         )
@@ -92,53 +92,94 @@ def get_sections(self):
         else:
             num_sects = self._get_sect_count(self.sect_attrs.grp)
         arr = self._context.object(
-            self.get_symbol_table().name + constants.BANG + "array",
+            self.get_symbol_table_name() + constants.BANG + "array",
             layer_name=self.vol.layer_name,
             offset=self.sect_attrs.attrs.vol.offset,
             subtype=self._context.symbol_space.get_type(
-                self.get_symbol_table().name + constants.BANG + "module_sect_attr"
+                self.get_symbol_table_name() + constants.BANG + "module_sect_attr"
             ),
             count=num_sects,
         )
 
         for attr in arr:
             yield attr
 
-    def get_symbols(self):
-        if symbols.symbol_table_is_64bit(self._context, self.get_symbol_table().name):
-            prefix = "Elf64_"
-        else:
-            prefix = "Elf32_"
+    def get_elf_table_name(self):
         elf_table_name = intermed.IntermediateSymbolTable.create(
-            self.context,
-            self.config_path,
+            self._context,
+            "config_name_elf_symbol_table",
             "linux",
             "elf",
             native_types=None,
             class_types=elf.class_types,
         )
+        return elf_table_name
+
+    def get_symbols(self):
+        """Get symbols of the module
+
+        Yields:
+                A symbol object
+        """
 
+        if not hasattr(self, "_elf_table_name"):
+            self._elf_table_name = self.get_elf_table_name()
+        if symbols.symbol_table_is_64bit(self._context, self.get_symbol_table_name()):
+            prefix = "Elf64_"
+        else:
+            prefix = "Elf32_"
         syms = self._context.object(
-            self.get_symbol_table().name + constants.BANG + "array",
+            self.get_symbol_table_name() + constants.BANG + "array",
             layer_name=self.vol.layer_name,
             offset=self.section_symtab,
             subtype=self._context.symbol_space.get_type(
-                elf_table_name + constants.BANG + prefix + "Sym"
+                self._elf_table_name + constants.BANG + prefix + "Sym"
             ),
             count=self.num_symtab + 1,
         )
         if self.section_strtab:
             for sym in syms:
-                sym.set_cached_strtab(self.section_strtab)
                 yield sym
 
-    def get_symbol(self, wanted_sym_name):
-        """Get value for a given symbol name"""
+    def get_symbols_names_and_addresses(self) -> Tuple[str, int]:
+        """Get names and addresses for each symbol of the module
+
+        Yields:
+                A tuple for each symbol containing the symbol name and its corresponding value
+        """
+
         for sym in self.get_symbols():
-            sym_name = sym.get_name()
-            sym_addr = sym.st_value
+            sym_arr = self._context.object(
+                self.get_symbol_table_name() + constants.BANG + "array",
+                layer_name=self.vol.native_layer_name,
+                offset=self.section_strtab + sym.st_name,
+            )
+            try:
+                sym_name = utility.array_to_string(
+                    sym_arr, 512
+                )  # 512 is the value of KSYM_NAME_LEN kernel constant
+            except exceptions.InvalidAddressException:
+                continue
+            if sym_name != "":
+                # Normalize sym.st_value offset, which is an address pointing to the symbol value
+                mask = self._context.layers[self.vol.layer_name].address_mask
+                sym_address = sym.st_value & mask
+                yield (sym_name, sym_address)
+
+    def get_symbol(self, wanted_sym_name):
+        """Get symbol value for a given symbol name"""
+        for sym_name, sym_address in self.get_symbols_names_and_addresses():
             if wanted_sym_name == sym_name:
-                return sym_addr
+                return sym_address
+
+        return None
+
+    def get_symbol_by_address(self, wanted_sym_address):
+        """Get symbol name for a given symbol address"""
+        for sym_name, sym_address in self.get_symbols_names_and_addresses():
+            if wanted_sym_address == sym_address:
+                return sym_name
+
         return None
 
     @property
@@ -1132,7 +1173,7 @@ def get_devname(self) -> str:
 class kobject(objects.StructType):
     def reference_count(self):
         refcnt = self.kref.refcount
-        if self.has_member("counter"):
+        if refcnt.has_member("counter"):
             ret = refcnt.counter
         else:
             ret = refcnt.refs.counter