Merge pull request #928 from eve-mem/linux_maple_tree

Add basic support for Linux maple tree struct

Author: ikelos

volatility3/framework/plugins/linux/elfs.py

@@ -48,7 +48,7 @@ def _generator(self, tasks):
 
             name = utility.array_to_string(task.comm)
 
-            for vma in task.mm.get_mmap_iter():
+            for vma in task.mm.get_vma_iter():
                 hdr = proc_layer.read(vma.vm_start, 4, pad=True)
                 if not (
                     hdr[0] == 0x7F

volatility3/framework/plugins/linux/malfind.py

@@ -46,7 +46,7 @@ def _list_injections(self, task):
 
         proc_layer = self.context.layers[proc_layer_name]
 
-        for vma in task.mm.get_mmap_iter():
+        for vma in task.mm.get_vma_iter():
             if vma.is_suspicious() and vma.get_name(self.context, task) != "[vdso]":
                 data = proc_layer.read(vma.vm_start, 64, pad=True)
                 yield vma, data

volatility3/framework/plugins/linux/proc.py

@@ -44,7 +44,7 @@ def _generator(self, tasks):
 
             name = utility.array_to_string(task.comm)
 
-            for vma in task.mm.get_mmap_iter():
+            for vma in task.mm.get_vma_iter():
                 flags = vma.get_protection()
                 page_offset = vma.get_page_offset()
                 major = 0

volatility3/framework/symbols/linux/__init__.py

@@ -51,6 +51,9 @@ def __init__(self, *args, **kwargs) -> None:
         self.optional_set_type_class("bt_sock", extensions.bt_sock)
         self.optional_set_type_class("xdp_sock", extensions.xdp_sock)
 
+        # Only found in 6.1+ kernels
+        self.optional_set_type_class("maple_tree", extensions.maple_tree)
+
 
 class LinuxUtilities(interfaces.configuration.VersionableInterface):
     """Class with multiple useful linux functions."""