Merge pull request #1261 from gcmoreira/linux_checkcreds_pointer_verification_improvements

ikelos · web-flow · commit 67f8265def9c · 2024-09-22T15:12:46.000+01:00
Linux checkcreds pointer verification improvements
diff --git a/volatility3/framework/plugins/linux/check_creds.py b/volatility3/framework/plugins/linux/check_creds.py
@@ -2,20 +2,19 @@
 # which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
 #
 
-import logging
-
 from volatility3.framework import interfaces, renderers
+from volatility3.framework.renderers import format_hints
 from volatility3.framework.configuration import requirements
 from volatility3.plugins.linux import pslist
 
-vollog = logging.getLogger(__name__)
-
 
 class Check_creds(interfaces.plugins.PluginInterface):
     """Checks if any processes are sharing credential structures"""
 
     _required_framework_version = (2, 0, 0)
 
+    _version = (2, 0, 0)
+
     @classmethod
     def get_requirements(cls):
         return [
@@ -46,20 +45,28 @@ def _generator(self):
         tasks = pslist.PsList.list_tasks(self.context, vmlinux.name)
 
         for task in tasks:
-            cred_addr = task.cred.dereference().vol.offset
+            task_cred_ptr = task.cred
+            if not (task_cred_ptr and task_cred_ptr.is_readable()):
+                continue
 
-            if cred_addr not in creds:
-                creds[cred_addr] = []
+            cred_addr = task_cred_ptr.dereference().vol.offset
 
+            creds.setdefault(cred_addr, [])
             creds[cred_addr].append(task.pid)
 
-        for _, pids in creds.items():
+        for cred_addr, pids in creds.items():
             if len(pids) > 1:
-                pid_str = ""
-                for pid in pids:
-                    pid_str = pid_str + f"{pid:d}, "
-                pid_str = pid_str[:-2]
-                yield (0, [str(pid_str)])
+                pid_str = ", ".join([str(pid) for pid in pids])
+
+                fields = [
+                    format_hints.Hex(cred_addr),
+                    pid_str,
+                ]
+                yield (0, fields)
 
     def run(self):
-        return renderers.TreeGrid([("PIDs", str)], self._generator())
+        headers = [
+            ("CredVAddr", format_hints.Hex),
+            ("PIDs", str),
+        ]
+        return renderers.TreeGrid(headers, self._generator())
