Fix bug with PAGE_SHIFT that wasn't shifted, also greatly increases performance

Use black
Better logging

Author: xabrouck

volatility3/framework/layers/intel.py

@@ -110,11 +110,11 @@ def _mask(value: int, high_bit: int, low_bit: int) -> int:
     def _page_is_valid(entry: int) -> bool:
         """Returns whether a particular page is valid based on its entry."""
         return bool(entry & 1)
-    
+
     @staticmethod
     def _page_is_dirty(entry: int) -> bool:
         """Returns whether a particular page is dirty based on its entry."""
-        return bool(entry & (1<<6))
+        return bool(entry & (1 << 6))
 
     def canonicalize(self, addr: int) -> int:
         """Canonicalizes an address by performing an appropiate sign extension on the higher addresses"""
@@ -267,7 +267,7 @@ def is_valid(self, offset: int, length: int = 1) -> bool:
     def is_dirty(self, offset: int) -> bool:
         """Returns whether the page at offset is marked dirty"""
         return self._page_is_dirty(self._translate_entry(offset)[0])
-    
+
     def mapping(
         self, offset: int, length: int, ignore_errors: bool = False
     ) -> Iterable[Tuple[int, int, int, int, str]]:

volatility3/framework/plugins/linux/malfind.py

@@ -3,14 +3,16 @@
 #
 
 from typing import List
-
+import logging
 from volatility3.framework import constants, interfaces
 from volatility3.framework import renderers
 from volatility3.framework.configuration import requirements
 from volatility3.framework.objects import utility
 from volatility3.framework.renderers import format_hints
 from volatility3.plugins.linux import pslist
 
+vollog = logging.getLogger(__name__)
+
 
 class Malfind(interfaces.plugins.PluginInterface):
     """Lists process memory ranges that potentially contain injected code."""
@@ -47,7 +49,14 @@ def _list_injections(self, task):
         proc_layer = self.context.layers[proc_layer_name]
 
         for vma in task.mm.get_vma_iter():
-            if vma.is_suspicious(proc_layer) and vma.get_name(self.context, task) != "[vdso]":
+            vma_name = vma.get_name(self.context, task)
+            vollog.debug(
+                f"Injections : processing PID {task.pid} : VMA {vma_name} : {hex(vma.vm_start)}-{hex(vma.vm_end)}"
+            )
+            if (
+                vma.is_suspicious(proc_layer)
+                and vma.get_name(self.context, task) != "[vdso]"
+            ):
                 data = proc_layer.read(vma.vm_start, 64, pad=True)
                 yield vma, data
 

volatility3/framework/symbols/linux/extensions/__init__.py

@@ -578,7 +578,7 @@ def get_name(self, context, task):
         return fname
 
     # used by malfind
-    def is_suspicious(self, proclayer):
+    def is_suspicious(self, proclayer=None):
         ret = False
 
         flags_str = self.get_protection()
@@ -587,15 +587,24 @@ def is_suspicious(self, proclayer):
             ret = True
         elif flags_str == "r-x" and self.vm_file.dereference().vol.offset == 0:
             ret = True
-        elif "x" in flags_str:
-            for i in range(self.vm_start,self.vm_end,constants.linux.PAGE_SHIFT):
+        elif proclayer and "x" in flags_str:
+            for i in range(self.vm_start, self.vm_end, 1 << constants.linux.PAGE_SHIFT):
                 try:
                     if proclayer.is_dirty(i):
-                        vollog.warning(f"Found malicious (dirty+exec) page at {hex(i)} !")
+                        vollog.warning(
+                            f"Found malicious (dirty+exec) page at {hex(i)} !"
+                        )
+                        # We do not attempt to find other dirty+exec pages once we have found one
                         ret = True
                         break
-                except (exceptions.PagedInvalidAddressException, exceptions.InvalidAddressException):
-                    pass
+                except (
+                    exceptions.PagedInvalidAddressException,
+                    exceptions.InvalidAddressException,
+                ) as excp:
+                    vollog.debug(f"Unable to translate address {hex(i)} : {excp}")
+                    # Abort as it is likely that other addresses in the same range will also fail
+                    ret = False
+                    break
         return ret