Merge branch 'develop' into stable

Author: ikelos

.github/workflows/codeql.yml

@@ -13,10 +13,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "develop" ]
+    branches: ["develop"]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "develop" ]
+    branches: ["develop"]
 #   schedule:
 #     - cron: '16 8 * * 0'
 
@@ -32,43 +32,42 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'python' ]
+        language: ["python"]
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v3
 
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
 
-        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        queries: security-and-quality # ,security-extended
+          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          queries: security-and-quality # ,security-extended
 
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
 
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
-    #   If the Autobuild fails above, remove it and uncomment the following three lines.
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
 
-    # - run: |
-    #   echo "Run, Build Application using script"
-    #   ./location_of_script_within_repo/buildscript.sh
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
-      with:
-        category: "/language:${{matrix.language}}"
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"

CODING_STYLE.md

@@ -0,0 +1,104 @@
+Coding Standards
+================
+
+The coding standards for volatility are mostly by our linter and our code formatter.
+All code submissions will be vetted automatically through tests from both and the submission will not be accepted if either of these fail.
+
+Code Linter: Ruff
+Code Formatter: Black
+
+In addition, there are some coding practices that we employ to prevent specific failure cases and ensure consistency across the codebase.  These are documented below along with the rationale for the decision.
+
+This is heavily based upon https://google.github.io/styleguide/pyguide.html with minor modifications for volatility use.
+
+Imports
+-------
+
+Use import statements for packages and modules only, not for individual types, classes, or functions and ideally not aliased unless the imported name would cause confusion.  This is to prevent people from importing something that was itself imported from elsewhere (which can lead to confusion and add in an unnecessary dependency in the import chain).
+
+* Use `import x` for importing packages and modules.
+* Use `from x import y` where x is the package prefix and y is the module name with no prefix.
+* Use `from x import y as z` in any of the following circumstances:
+    * Two modules named `y` are to be imported.
+    * `y` conflicts with a top-level name defined in the current module.
+    * `y` conflicts with a common parameter name that is part of the public API (e.g., `features`).
+    * `y` is an inconveniently long name.
+    * `y` is too generic in the context of your code (e.g., `from storage.file_system import options as fs_options`).
+
+Exemptions from this rule:
+
+    * Symbols from the following modules are used to support static analysis and type checking:
+        * `typing` module
+        * `collections.abc` module
+        * `typing_extensions` module
+
+Function calls
+--------------
+
+For longer function calls, where line length is no longer an issue, favour using keyword arguments for clarity over unnamed positional arguments.
+This helps coders learning the code from examples to know what parameters to pass in and avoids ordering mistakes.
+
+Global Mutable State
+--------------------
+
+Avoid mutable global state.
+
+In those rare cases where using global state is warranted, mutable global entities should be declared at the module level or as a class attribute and made internal by prepending an _ to the name. If necessary, external access to mutable global state must be done through public functions or class methods. See Naming below. Please explain the design reasons why mutable global state is being used in a comment or a doc linked to from a comment.
+
+Module-level constants are permitted and encouraged. For example: _MAX_HOLY_HANDGRENADE_COUNT = 3 for an internal use constant or SIR_LANCELOTS_FAVORITE_COLOR = "blue" for a public API constant. Constants must be named using all caps with underscores. See Naming below.
+
+Exceptions
+----------
+
+Never use catch-all except: statements, or catch Exception or StandardError, unless you are
+
+   * re-raising the exception, or
+   * creating an isolation point in the program where exceptions are not propagated but are recorded and suppressed instead, such as protecting a thread from crashing by guarding its outermost block.
+
+Python is very tolerant in this regard and except: will really catch everything including misspelled names, sys.exit() calls, Ctrl+C interrupts, unittest failures and all kinds of other exceptions that you simply don’t want to catch.
+
+Versioning
+----------
+
+Modules that inherit from `VersionableInterface` define a `_version` attribute which states their version. This is a tuple of `(MAJOR, MINOR, PATCH)` numbers, which can then be used for Semantic Versioning (where modifications that change the API in a non-backwards compatible way bump the `MAJOR` version (and set the `MINOR` and `PATCH` to 0) and additive changes increase the `MINOR` version (and set the `PATCH` to 0). Changes that have no effect on the external interface (either input or output form) should have their `PATCH` number incremented.  This allows for callers of the interface to determine when changes have happened and whether their code will still work with it.  Volatility carries out these checks through the requirements system, where a plugin can define what requirements it has.
+
+Shared functionality
+--------------------
+
+Within a plugin, there may be functions that are useful to other plugins.  These are created as `classmethod`s so that the plugin can be depended upon by other plugins in their requirements section, without needing to instantiate a whole copy of the plugin.  It is not a staticmethod, because the caller may wish to determine information about the class the method is defined in, and this is not easily accessible for staticmethods.
+A classmethod usually takes a `context` for its first method (and if it requires one, a configuration string for it second).  All other parameters should generally be basic types (such as strings, numbers, etc) so that future work requiring parallelization does not have complex types to have to keep in sync.  In particular, the idea was to ensure only one context was used per method (and each object brings its own context with it, meaning the function signature should not include objects to avoid discrepancies).
+
+Comprehensions
+--------------
+
+Comprehensions are allowed, however multiple for clauses or filter expressions are not permitted. Optimize for readability, not conciseness.
+
+Lambda functions
+----------------
+
+Okay for one-liners. Prefer generator expressions over map() or filter() with a lambda.
+
+Default Arguments
+-----------------
+
+Default arguments are fine, but not with mutable types (because they're constructed once at module load time and can lead to confusion/errors.)
+
+Format strings
+--------------
+Generally f-strings are preferred, and where possible a format modifier should be used over a separate method call.  As an example, hex output should be `f"0x{offset:x}"` rather than `f"{hex(offset)}"`.
+F-strings should be used over other formatting methods *except* in cases of logging where the f-string gets calculated/executed whether the log message is displayed or not (where as parameters are not evaluated if not needed).
+The ruff linter should alert about these situations and exceptions can be maded if needed.
+
+True/False Evaluations
+----------------------
+
+Use the “implicit” false if possible, e.g., if foo: rather than if foo != []:. There are a few caveats that you should keep in mind though:
+
+   *  Always use `if foo is None:` (or `is not None`) to check for a `None` value. E.g., when testing whether a variable or argument that defaults to `None` was set to some other value. The other value might be a value that’s false in a boolean context!
+   *  Never compare a boolean variable to `False` using `==`. Use `if not x:` instead. If you need to distinguish `False` from `None` then chain the expressions, such as `if not x and x is not None:`.
+   *  For sequences (strings, lists, tuples), use the fact that empty sequences are false, so `if seq:` and `if not seq:` are preferable to `if len(seq):` and `if not len(seq):` respectively.
+
+Logging
+-------
+
+We do allow f-string usage in log messages, although technically it should be avoided since it will be evaluated even if the log message is never emitted.

README.md

@@ -14,10 +14,33 @@ technical and performance challenges associated with the original
 code base that became apparent over the previous 10 years. Another benefit
 of the rewrite is that Volatility 3 could be released under a custom
 license that was more aligned with the goals of the Volatility community,
-the Volatility Software License (VSL). See the 
-[LICENSE](https://www.volatilityfoundation.org/license/vsl-v1.0) file for 
+the Volatility Software License (VSL). See the
+[LICENSE](https://www.volatilityfoundation.org/license/vsl-v1.0) file for
 more details.
 
+## Quick Start
+
+1. Install the required dependencies:
+
+    ```shell
+    pip install --user -e ".[full]"
+    ```
+
+2. See available options:
+
+    ```shell
+    vol -h
+    ```
+
+3. To get more information on a Windows memory sample and to make sure Volatility supports that sample type, run `vol -f <imagepath> windows.info`:
+
+    ```shell
+    vol -f /home/user/samples/stuxnet.vmem windows.info
+    ```
+
+4. Run some other plugins. The `-f` or `--single-location` is not strictly required, but most plugins expect a single sample.
+Some also require/accept other options.  Run `vol <plugin> -h` for more information on a particular command.
+
 ## Installing
 
 Volatility 3 requires Python 3.8.0 or later and is published on the [PyPi registry](https://pypi.org/project/volatility3).
@@ -38,38 +61,19 @@ python3 -m venv venv && . venv/bin/activate
 pip install -e ".[dev]"
 ```
 
-## Quick Start
-
-1. Install Volatility 3 as documented in the Installing section of the readme.
-
-2. See available options:
-
-    ```shell
-    vol -h
-    ```
-
-3. To get more information on a Windows memory sample and to make sure Volatility supports that sample type, run `vol -f <imagepath> windows.info`:
-
-    ```shell
-    vol -f /home/user/samples/stuxnet.vmem windows.info
-    ```
-
-4. Run some other plugins. The `-f` or `--single-location` is not strictly required, but most plugins expect a single sample.
-Some also require/accept other options.  Run `vol <plugin> -h` for more information on a particular command.
-
 ## Symbol Tables
 
 Symbol table packs for the various operating systems are available for download at:
 
-<https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip>  
-<https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip>  
-<https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip>  
+<https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip>
+<https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip>
+<https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip>
 
 The hashes to verify whether any of the symbol pack files have downloaded successfully or have changed can be found at:
 
-<https://downloads.volatilityfoundation.org/volatility3/symbols/SHA256SUMS>  
-<https://downloads.volatilityfoundation.org/volatility3/symbols/SHA1SUMS>  
-<https://downloads.volatilityfoundation.org/volatility3/symbols/MD5SUMS>  
+<https://downloads.volatilityfoundation.org/volatility3/symbols/SHA256SUMS>
+<https://downloads.volatilityfoundation.org/volatility3/symbols/SHA1SUMS>
+<https://downloads.volatilityfoundation.org/volatility3/symbols/MD5SUMS>
 
 Symbol tables zip files must be placed, as named, into the `volatility3/symbols` directory (or just the symbols directory next to the executable file).
 

test/plugins/windows/windows.py

@@ -746,6 +746,51 @@ def test_windows_generic_kpcrs(self, volatility, python, image):
         assert test_volatility.count_entries_flat(json.loads(out)) > 0
 
 
+class TestWindowsSymlinkScan:
+    def test_windows_generic_symlinkscan(self, volatility, python, image):
+        rc, out, _err = test_volatility.runvol_plugin(
+            "windows.symlinkscan.SymlinkScan",
+            image,
+            volatility,
+            python,
+            globalargs=("-r", "json"),
+        )
+        assert rc == 0
+        assert test_volatility.count_entries_flat(json.loads(out)) > 0
+
+    def test_windows_specific_symlinkscan(self, volatility, python):
+        image = WindowsSamples.WINDOWSXP_GENERIC.value.path
+        rc, out, _err = test_volatility.runvol_plugin(
+            "windows.symlinkscan.SymlinkScan",
+            image,
+            volatility,
+            python,
+            globalargs=("-r", "json"),
+        )
+        assert rc == 0
+        json_out = json.loads(out)
+        assert test_volatility.count_entries_flat(json_out) > 5
+        expected_rows = [
+            {
+              "CreateTime": "2005-06-25T16:47:28+00:00",
+              "From Name": "AUX",
+              "Offset": 453082584,
+              "To Name": "\\DosDevices\\COM1",
+              "__children": []
+            },
+            {
+              "CreateTime": "2005-06-25T16:47:28+00:00",
+              "From Name": "UNC",
+              "Offset": 453176664,
+              "To Name": "\\Device\\Mup",
+              "__children": []
+            }
+        ]
+
+        for expected_row in expected_rows:
+            assert test_volatility.match_output_row(expected_row, json_out)
+
+
 class TestWindowsLdrModules:
     def test_windows_specific_ldrmodules(self, volatility, python):
         image = WindowsSamples.WINDOWSXP_GENERIC.value.path

volatility3/cli/__init__.py

@@ -505,6 +505,9 @@ def run(self):
         try:
             # Construct and run the plugin
             if constructed:
+                vollog.debug(
+                    f"Successfully constructed {args.plugin} {constructed.version}"
+                )
                 grid = constructed.run()
                 renderer = renderers[args.renderer]()
                 renderer.filter = text_filter.CLIFilter(grid, args.filters)

volatility3/cli/volshell/generic.py

@@ -85,14 +85,17 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
         return reqs
 
     def run(
-        self, additional_locals: Dict[str, Any] = {}
+        self, additional_locals: Dict[str, Any] = None
     ) -> interfaces.renderers.TreeGrid:
         """Runs the interactive volshell plugin.
 
         Returns:
             Return a TreeGrid but this is always empty since the point of this plugin is to run interactively
         """
 
+        if additional_locals is None:
+            additional_locals = {}
+
         # Try to enable tab completion
         if not has_ipython:
             try:

volatility3/framework/constants/_version.py

@@ -1,7 +1,7 @@
 # We use the SemVer 2.0.0 versioning scheme
 VERSION_MAJOR = 2  # Number of releases of the library with a breaking change
 VERSION_MINOR = 26  # Number of changes that only add to the interface
-VERSION_PATCH = 0  # Number of changes that do not change the interface
+VERSION_PATCH = 2  # Number of changes that do not change the interface
 VERSION_SUFFIX = ""
 
 PACKAGE_VERSION = (

volatility3/framework/constants/windows/__init__.py

@@ -28,3 +28,5 @@
 
 # CR3 register within structures describing initial processor state to be started
 PROCESSOR_START_BLOCK_CR3_OFFSET = 0xA0  # PROCESSOR_START_BLOCK->ProcessorState->SpecialRegisters->Cr3, ULONG64 8 bytes
+
+MAX_PID = 0xFFFFFFFC

volatility3/framework/interfaces/layers.py

@@ -678,7 +678,7 @@ def del_layer(self, name: str) -> None:
             if name in self._layers[layer].dependencies:
                 raise exceptions.LayerException(
                     self._layers[layer].name,
-                    f"Layer {self._layers[layer].name} is depended upon by {layer}",
+                    f"Layer {name} is depended upon by {layer}",
                 )
         # Otherwise, wipe out the layer
         self._layers[name].destroy()

volatility3/framework/layers/qemu.py

@@ -102,7 +102,7 @@ def __init__(
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
-        return [
+        return super().get_requirements() + [
             requirements.VersionRequirement(
                 name="regex_scanner",
                 component=scanners.RegExScanner,
@@ -115,7 +115,7 @@ def _check_header(
         cls, base_layer: interfaces.layers.DataLayerInterface, name: str = ""
     ):
         header = base_layer.read(0, 8)
-        if header[:4] != b"\x51\x45\x56\x4D":
+        if header[:4] != b"\x51\x45\x56\x4d":
             raise exceptions.LayerException(name, "No QEMU magic bytes")
         if header[4:] != b"\x00\x00\x00\x03":
             raise exceptions.LayerException(name, "Unsupported QEMU version found")