Merge branch 'develop' into issues/issue1577

Author: ikelos

volatility3/framework/objects/utility.py

@@ -33,20 +33,23 @@ def array_to_string(
 ) -> interfaces.objects.ObjectInterface:
     """Takes a volatility Array of characters and returns a string."""
     # TODO: Consider checking the Array's target is a native char
-    if count is None:
-        count = array.vol.count
     if not isinstance(array, objects.Array):
         raise TypeError("Array_to_string takes an Array of char")
 
+    if count is None:
+        count = array.vol.count
+
     return array.cast("string", max_length=count, errors=errors)
 
 
 def pointer_to_string(pointer: "objects.Pointer", count: int, errors: str = "replace"):
     """Takes a volatility Pointer to characters and returns a string."""
     if not isinstance(pointer, objects.Pointer):
         raise TypeError("pointer_to_string takes a Pointer")
+
     if count < 1:
         raise ValueError("pointer_to_string requires a positive count")
+
     char = pointer.dereference()
     return char.cast("string", max_length=count, errors=errors)
 

volatility3/framework/plugins/linux/envars.py

@@ -18,7 +18,7 @@ class Envars(plugins.PluginInterface):
     """Lists processes with their environment variables"""
 
     _required_framework_version = (2, 13, 0)
-    _version = (2, 0, 0)
+    _version = (2, 0, 1)
 
     @classmethod
     def get_requirements(cls):
@@ -40,8 +40,9 @@ def get_requirements(cls):
             ),
         ]
 
-    @staticmethod
+    @classmethod
     def get_task_env_variables(
+        cls,
         context: interfaces.context.ContextInterface,
         task: interfaces.objects.ObjectInterface,
         env_area_max_size: int = 8192,

volatility3/framework/plugins/linux/hidden_modules.py

@@ -16,8 +16,7 @@ class Hidden_modules(interfaces.plugins.PluginInterface):
     """Carves memory to find hidden kernel modules"""
 
     _required_framework_version = (2, 10, 0)
-
-    _version = (1, 0, 0)
+    _version = (1, 0, 1)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -32,8 +31,9 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
             ),
         ]
 
-    @staticmethod
+    @classmethod
     def get_modules_memory_boundaries(
+        cls,
         context: interfaces.context.ContextInterface,
         vmlinux_module_name: str,
     ) -> Tuple[int]:

volatility3/framework/plugins/linux/mountinfo.py

@@ -36,7 +36,7 @@ class MountInfo(plugins.PluginInterface):
     """Lists mount points on processes mount namespaces"""
 
     _required_framework_version = (2, 2, 0)
-    _version = (1, 2, 3)
+    _version = (1, 2, 4)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -152,9 +152,11 @@ def _get_tasks_mountpoints(
             if not (
                 task
                 and task.fs
-                and task.fs.root
+                and task.fs.is_readable()
                 and task.nsproxy
+                and task.nsproxy.is_readable()
                 and task.nsproxy.mnt_ns
+                and task.nsproxy.mnt_ns.is_readable()
             ):
                 # This task doesn't have all the information required.
                 # It should be a kernel < 2.6.30

volatility3/framework/plugins/linux/pagecache.py

@@ -104,7 +104,7 @@ class Files(plugins.PluginInterface, timeliner.TimeLinerInterface):
 
     _required_framework_version = (2, 0, 0)
 
-    _version = (1, 0, 2)
+    _version = (1, 0, 3)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -360,8 +360,8 @@ def generate_timeline(self):
             yield description, timeliner.TimeLinerType.MODIFIED, inode_out.modification_time
             yield description, timeliner.TimeLinerType.CHANGED, inode_out.change_time
 
-    @staticmethod
-    def format_fields_with_headers(headers, generator):
+    @classmethod
+    def format_fields_with_headers(cls, headers, generator):
         """Uses the headers type to cast the fields obtained from the generator"""
         for level, fields in generator:
             formatted_fields = []
@@ -405,7 +405,7 @@ class InodePages(plugins.PluginInterface):
 
     _required_framework_version = (2, 0, 0)
 
-    _version = (2, 0, 1)
+    _version = (2, 0, 2)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -436,8 +436,9 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
             ),
         ]
 
-    @staticmethod
+    @classmethod
     def write_inode_content_to_file(
+        cls,
         inode: interfaces.objects.ObjectInterface,
         filename: str,
         open_method: Type[interfaces.plugins.FileHandlerInterface],

volatility3/framework/plugins/linux/vmayarascan.py

@@ -18,7 +18,7 @@ class VmaYaraScan(interfaces.plugins.PluginInterface):
     """Scans all virtual memory areas for tasks using yara."""
 
     _required_framework_version = (2, 4, 0)
-    _version = (1, 0, 2)
+    _version = (1, 0, 3)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -105,8 +105,9 @@ def _generator(self):
                         value,
                     )
 
-    @staticmethod
+    @classmethod
     def get_vma_maps(
+        cls,
         task: interfaces.objects.ObjectInterface,
     ) -> Iterable[Tuple[int, int]]:
         """Creates a map of start/end addresses for each virtual memory area in a task.

volatility3/framework/plugins/windows/cachedump.py

@@ -22,7 +22,7 @@ class Cachedump(interfaces.plugins.PluginInterface):
     """Dumps lsa secrets from memory"""
 
     _required_framework_version = (2, 0, 0)
-    _version = (1, 0, 0)
+    _version = (1, 0, 1)
 
     @classmethod
     def get_requirements(cls):
@@ -43,16 +43,16 @@ def get_requirements(cls):
             ),
         ]
 
-    @staticmethod
+    @classmethod
     def get_nlkm(
-        sechive: registry.RegistryHive, lsakey: bytes, is_vista_or_later: bool
+        cls, sechive: registry.RegistryHive, lsakey: bytes, is_vista_or_later: bool
     ):
         return lsadump.Lsadump.get_secret_by_name(
             sechive, "NL$KM", lsakey, is_vista_or_later
         )
 
-    @staticmethod
-    def decrypt_hash(edata: bytes, nlkm: bytes, ch, xp: bool):
+    @classmethod
+    def decrypt_hash(cls, edata: bytes, nlkm: bytes, ch, xp: bool):
         if xp:
             hmac_md5 = HMAC.new(nlkm, ch)
             rc4key = hmac_md5.digest()
@@ -69,8 +69,8 @@ def decrypt_hash(edata: bytes, nlkm: bytes, ch, xp: bool):
                 data += aes.decrypt(buf)
         return data
 
-    @staticmethod
-    def parse_cache_entry(cache_data: bytes) -> Tuple[int, int, int, bytes, bytes]:
+    @classmethod
+    def parse_cache_entry(cls, cache_data: bytes) -> Tuple[int, int, int, bytes, bytes]:
         (uname_len, domain_len) = unpack("<HH", cache_data[:4])
         if len(cache_data[60:62]) == 0:
             return (uname_len, domain_len, 0, b"", b"")
@@ -79,9 +79,9 @@ def parse_cache_entry(cache_data: bytes) -> Tuple[int, int, int, bytes, bytes]:
         enc_data = cache_data[96:]
         return (uname_len, domain_len, domain_name_len, enc_data, ch)
 
-    @staticmethod
+    @classmethod
     def parse_decrypted_cache(
-        dec_data: bytes, uname_len: int, domain_len: int, domain_name_len: int
+        cls, dec_data: bytes, uname_len: int, domain_len: int, domain_name_len: int
     ) -> Tuple[str, str, str, bytes]:
         """Get the data from the cache and separate it into the username, domain name, and hash data"""
         uname_offset = 72

volatility3/framework/plugins/windows/direct_system_calls.py

@@ -53,7 +53,7 @@ class DirectSystemCalls(interfaces.plugins.PluginInterface):
     """Detects the Direct System Call technique used to bypass EDRs"""
 
     _required_framework_version = (2, 4, 0)
-    _version = (1, 0, 0)
+    _version = (1, 0, 1)
 
     # DLLs that are expected to host system call invocations
     valid_syscall_handlers = ("ntdll.dll", "win32u.dll")
@@ -200,8 +200,8 @@ def _is_syscall_block(
 
         return disasm_bytes, end_inst
 
-    @staticmethod
-    def get_disasm_function(architecture: str) -> Callable:
+    @classmethod
+    def get_disasm_function(cls, architecture: str) -> Callable:
         """
         Returns the disassembly handler for the given architecture
         .detail is used to get full instruction information
@@ -284,8 +284,9 @@ def _is_valid_syscall(
 
         return None
 
-    @staticmethod
+    @classmethod
     def get_vad_maps(
+        cls,
         task: interfaces.objects.ObjectInterface,
     ) -> List[Tuple[int, int, str]]:
         """Creates a map of start/end addresses within a virtual address
@@ -310,9 +311,9 @@ def get_vad_maps(
 
         return vads
 
-    @staticmethod
+    @classmethod
     def get_range_path(
-        ranges: List[Tuple[int, int, str]], address: int
+        cls, ranges: List[Tuple[int, int, str]], address: int
     ) -> Optional[str]:
         """
         Returns the path for the range holding `address`, if found

volatility3/framework/plugins/windows/mftscan.py

@@ -22,7 +22,7 @@ class MFTScan(interfaces.plugins.PluginInterface, timeliner.TimeLinerInterface):
 
     _required_framework_version = (2, 0, 0)
 
-    _version = (2, 0, 0)
+    _version = (2, 0, 1)
 
     @classmethod
     def get_requirements(cls):
@@ -37,8 +37,9 @@ def get_requirements(cls):
             ),
         ]
 
-    @staticmethod
+    @classmethod
     def enumerate_mft_records(
+        cls,
         context: interfaces.context.ContextInterface,
         config_path: str,
         primary_layer_name: str,
@@ -128,8 +129,9 @@ def enumerate_mft_records(
                         layer_name=layer.name,
                     )
 
-    @staticmethod
+    @classmethod
     def parse_mft_records(
+        cls,
         record_map: Dict[int, Tuple[str, int, int]],
         mft_record: interfaces.objects.ObjectInterface,
         attr: interfaces.objects.ObjectInterface,
@@ -191,8 +193,9 @@ def parse_mft_records(
                 file_name,
             )
 
-    @staticmethod
+    @classmethod
     def parse_data_record(
+        cls,
         mft_record: interfaces.objects.ObjectInterface,
         attr: interfaces.objects.ObjectInterface,
         record_map: Dict[int, Tuple[str, int, int]],
@@ -325,7 +328,7 @@ class ADS(interfaces.plugins.PluginInterface):
 
     _required_framework_version = (2, 7, 0)
 
-    _version = (1, 0, 0)
+    _version = (1, 0, 1)
 
     @classmethod
     def get_requirements(cls):
@@ -343,8 +346,9 @@ def get_requirements(cls):
             ),
         ]
 
-    @staticmethod
+    @classmethod
     def parse_ads_data_records(
+        cls,
         record_map: Dict[int, Tuple[str, int, int]],
         mft_record: interfaces.objects.ObjectInterface,
         attr: interfaces.objects.ObjectInterface,
@@ -394,7 +398,7 @@ class ResidentData(interfaces.plugins.PluginInterface):
 
     _required_framework_version = (2, 7, 0)
 
-    _version = (1, 0, 0)
+    _version = (1, 0, 1)
 
     @classmethod
     def get_requirements(cls):
@@ -412,8 +416,9 @@ def get_requirements(cls):
             ),
         ]
 
-    @staticmethod
+    @classmethod
     def parse_first_data_records(
+        cls,
         record_map: Dict[int, Tuple[str, int, int]],
         mft_record: interfaces.objects.ObjectInterface,
         attr: interfaces.objects.ObjectInterface,

volatility3/framework/plugins/windows/netscan.py

@@ -23,7 +23,7 @@ class NetScan(interfaces.plugins.PluginInterface, timeliner.TimeLinerInterface):
     """Scans for network objects present in a particular windows memory image."""
 
     _required_framework_version = (2, 0, 0)
-    _version = (1, 0, 0)
+    _version = (1, 0, 1)
 
     @classmethod
     def get_requirements(cls):
@@ -50,9 +50,9 @@ def get_requirements(cls):
             ),
         ]
 
-    @staticmethod
+    @classmethod
     def create_netscan_constraints(
-        context: interfaces.context.ContextInterface, symbol_table: str
+        cls, context: interfaces.context.ContextInterface, symbol_table: str
     ) -> List[poolscanner.PoolConstraint]:
         """Creates a list of Pool Tag Constraints for network objects.