Address final feedback

atcuno · atcuno · commit 79b8ff7d05b5 · 2024-09-15T18:29:05.000-05:00
diff --git a/volatility3/framework/plugins/windows/debugregisters.py b/volatility3/framework/plugins/windows/debugregisters.py
@@ -148,12 +148,7 @@ def _generator(
                 file3, sym3 = path_and_symbol(vads, dr3)
 
                 # if none map to an actual file VAD then bail
-                if not (
-                    isinstance(file0, str)
-                    or isinstance(file1, str)
-                    or isinstance(file2, str)
-                    or isinstance(file3, str)
-                ):
+                if not (file0 or file1 or file2 or file3):
                     continue
 
                 process_name = owner_proc.ImageFileName.cast(
@@ -173,17 +168,17 @@ def _generator(
                         thread.Tcb.State,
                         dr7,
                         format_hints.Hex(dr0),
-                        file0,
-                        sym0,
+                        file0 or renderers.NotApplicableValue(),
+                        sym0 or renderers.NotApplicableValue(),
                         format_hints.Hex(dr1),
-                        file1,
-                        sym1,
+                        file1 or renderers.NotApplicableValue(),
+                        sym1 or renderers.NotApplicableValue(),
                         format_hints.Hex(dr2),
-                        file2,
-                        sym2,
+                        file2 or renderers.NotApplicableValue(),
+                        sym2 or renderers.NotApplicableValue(),
                         format_hints.Hex(dr3),
-                        file3,
-                        sym3,
+                        file3 or renderers.NotApplicableValue(),
+                        sym3 or renderers.NotApplicableValue(),
                     ),
                 )
 
diff --git a/volatility3/framework/plugins/windows/pe_symbols.py b/volatility3/framework/plugins/windows/pe_symbols.py
@@ -423,7 +423,7 @@ def path_and_symbol_for_address(
         collected_modules: collected_modules_type,
         ranges: ranges_type,
         address: int,
-    ) -> Tuple[str, str]:
+    ) -> Tuple[Optional[str], Optional[str]]:
         """
         Method for plugins to determine the file path and symbol name for a given address
 
@@ -438,12 +438,12 @@ def path_and_symbol_for_address(
             Tuple[str|renderers.NotApplicableValue|renderers.NotAvailableValue, str|renderers.NotApplicableValue|renderers.NotAvailableValue]
         """
         if not address:
-            return renderers.NotApplicableValue(), renderers.NotApplicableValue()
+            return None, None
 
         filepath = PESymbols.filepath_for_address(ranges, address)
 
         if not filepath:
-            return renderers.NotAvailableValue(), renderers.NotAvailableValue()
+            return None, None
 
         filename = PESymbols.filename_for_path(filepath).lower()
 
@@ -452,12 +452,12 @@ def path_and_symbol_for_address(
             filename: {wanted_addresses_identifier: [address]}
         }
 
-        found_symbols, _missing_msybols = PESymbols.find_symbols(
+        found_symbols, _missing_symbols = PESymbols.find_symbols(
             context, config_path, filter_module, collected_modules
         )
 
         if not found_symbols or filename not in found_symbols:
-            return filepath, renderers.NotAvailableValue()
+            return filepath, None
 
         return filepath, found_symbols[filename][0][0]
 
diff --git a/volatility3/framework/plugins/windows/unhooked_system_calls.py b/volatility3/framework/plugins/windows/unhooked_system_calls.py
@@ -71,6 +71,13 @@ class unhooked_system_calls(interfaces.plugins.PluginInterface):
         }
     }
 
+    # This data structure is used to track unique implementations of functions across processes
+    # The outer dictionary holds the module name (e.g., ntdll.dll)
+    # The next dictionary holds the function names (NtTerminateProcess, NtSetValueKey, etc.) inside a module
+    # The innermost dictionary holds the unique implementation (bytes) of a function across processes
+    # Each implementation is tracked along with the process(es) that host it
+    # For systems without malware, all functions should have the same implementation
+    # When API hooking/module unhooking is done, the victim (infected) processes will have unique implementations
     _code_bytes_type = Dict[str, Dict[str, Dict[bytes, List[Tuple[int, str]]]]]
 
     @classmethod
@@ -127,6 +134,7 @@ def _gather_code_bytes(
                     except exceptions.InvalidAddressException:
                         continue
 
+                    # see the definition of _code_bytes_type for details of this data structure
                     if dll_name not in code_bytes:
                         code_bytes[dll_name] = {}
 
