Fix get_name API, fix malfind

Author: atcuno

volatility3/framework/plugins/linux/elfs.py

@@ -177,7 +177,7 @@ def _generator(self, tasks):
                         name,
                         format_hints.Hex(vma.vm_start),
                         format_hints.Hex(vma.vm_end),
-                        path,
+                        path or renderers.NotAvailableValue(),
                         file_output,
                     ),
                 )

volatility3/framework/plugins/linux/malfind.py

@@ -56,10 +56,10 @@ def _list_injections(self, task):
             )
             if (
                 vma.is_suspicious(proc_layer)
-                and vma.get_name(self.context, task) != "[vdso]"
+                and vma_name != "[vdso]"
             ):
                 data = proc_layer.read(vma.vm_start, 64, pad=True)
-                yield vma, data
+                yield vma, vma_name, data
 
     def _generator(self, tasks):
         # determine if we're on a 32 or 64 bit kernel
@@ -71,7 +71,7 @@ def _generator(self, tasks):
         for task in tasks:
             process_name = utility.array_to_string(task.comm)
 
-            for vma, data in self._list_injections(task):
+            for vma, vma_name, data in self._list_injections(task):
                 if is_32bit_arch:
                     architecture = "intel"
                 else:
@@ -88,6 +88,7 @@ def _generator(self, tasks):
                         process_name,
                         format_hints.Hex(vma.vm_start),
                         format_hints.Hex(vma.vm_end),
+                        vma_name or renderers.NotAvailableValue(),
                         vma.get_protection(),
                         format_hints.HexBytes(data),
                         disasm,
@@ -103,6 +104,7 @@ def run(self):
                 ("Process", str),
                 ("Start", format_hints.Hex),
                 ("End", format_hints.Hex),
+                ("Path", str),
                 ("Protection", str),
                 ("Hexdump", format_hints.HexBytes),
                 ("Disasm", interfaces.renderers.Disassembly),

volatility3/framework/plugins/linux/proc.py

@@ -246,7 +246,7 @@ def vma_filter_function(x: interfaces.objects.ObjectInterface) -> bool:
                         major,
                         minor,
                         inode_num,
-                        path,
+                        path or renderers.NotAvailableValue(),
                         file_output,
                     ),
                 )

volatility3/framework/symbols/linux/extensions/__init__.py

@@ -1056,7 +1056,7 @@ def get_page_offset(self) -> int:
         parent_layer = self._context.layers[self.vol.layer_name]
         return self.vm_pgoff << parent_layer.page_shift
 
-    def get_name(self, context, task):
+    def _do_get_name(self, context, task) -> str:
         if self.vm_file != 0:
             fname = linux.LinuxUtilities.path_for_file(context, task, self.vm_file)
         elif self.vm_start <= task.mm.start_brk and self.vm_end >= task.mm.brk:
@@ -1072,6 +1072,12 @@ def get_name(self, context, task):
             fname = "Anonymous Mapping"
         return fname
 
+    def get_name(self, context, task) -> Optional[str]:
+        try:
+            return self._do_get_name(context, task)
+        except exceptions.InvalidAddressException:
+            return None
+
     # used by malfind
     def is_suspicious(self, proclayer=None):
         ret = False