Linux: Rename net extensions to allow for net variable name

Author: ikelos

volatility3/framework/plugins/linux/ip.py

@@ -6,8 +6,8 @@
 from volatility3.framework import interfaces, renderers, constants
 from volatility3.framework.configuration import requirements
 from volatility3.framework.interfaces import plugins
-from volatility3.framework.symbols.linux import net
-from volatility3.framework.symbols.linux.extensions import net as net_extensions
+from volatility3.framework.symbols.linux import network
+from volatility3.framework.symbols.linux.extensions import network as net_extensions
 
 
 class Addr(plugins.PluginInterface):
@@ -26,7 +26,7 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
                 architectures=["Intel32", "Intel64"],
             ),
             requirements.VersionRequirement(
-                name="Net", component=net.NetSymbols, version=(1, 0, 0)
+                name="Net", component=network.NetSymbols, version=(1, 0, 0)
             ),
         ]
 
@@ -62,7 +62,7 @@ def _generator(self):
 
         net_type_symname = vmlinux.symbol_table_name + constants.BANG + "net"
         net_device_symname = vmlinux.symbol_table_name + constants.BANG + "net_device"
-        net.NetSymbols.apply(self.context.symbol_space[vmlinux.symbol_table_name])
+        network.NetSymbols.apply(self.context.symbol_space[vmlinux.symbol_table_name])
 
         # 'net_namespace_list' exists from kernels >= 2.6.24
         net_namespace_list = vmlinux.object_from_symbol("net_namespace_list")
@@ -102,7 +102,7 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
                 architectures=["Intel32", "Intel64"],
             ),
             requirements.VersionRequirement(
-                name="Net", component=net.NetSymbols, version=(1, 0, 0)
+                name="Net", component=network.NetSymbols, version=(1, 0, 0)
             ),
         ]
 

volatility3/framework/plugins/linux/netfilter.py

@@ -17,7 +17,7 @@
 from volatility3.framework.renderers import format_hints
 from volatility3.framework.configuration import requirements
 from volatility3.framework.symbols import linux
-from volatility3.framework.symbols.linux import net
+from volatility3.framework.symbols.linux import network
 from volatility3.plugins.linux import lsmod
 
 vollog = logging.getLogger(__name__)
@@ -101,7 +101,7 @@ def __init__(
             )
 
         linux_net_required_version = Netfilter._required_linuxnet_version
-        linux_net_current_version = net.NetSymbols.version
+        linux_net_current_version = network.NetSymbols.version
         if not requirements.VersionRequirement.matches_required(
             linux_net_required_version, linux_net_current_version
         ):
@@ -124,7 +124,7 @@ def __init__(
             )
 
         symbol_table = self._context.symbol_space[self.vmlinux.symbol_table_name]
-        net.NetSymbols.apply(symbol_table)
+        network.NetSymbols.apply(symbol_table)
 
         modules = lsmod.Lsmod.list_modules(context, kernel_module_name)
         self.handlers = linux.LinuxUtilities.generate_kernel_handler_info(
@@ -204,11 +204,9 @@ def _run(self) -> Iterator[Tuple[int, str, str, int, int, str, bool]]:
             module_name [str]: Linux kernel module name
             hooked [bool]: "True" if the network stack has been hijacked
         """
-        for netns, network in self.get_net_namespaces():
+        for netns, net in self.get_net_namespaces():
             for proto_idx, proto_name, hook_idx, hook_name in self._proto_hook_loop():
-                hooks_container = self.get_hooks_container(
-                    network, proto_name, hook_name
-                )
+                hooks_container = self.get_hooks_container(net, proto_name, hook_name)
 
                 for hook_container in hooks_container:
                     for hook_ops in self.get_hook_ops(
@@ -313,9 +311,9 @@ def get_net_namespaces(self):
         """
         nethead = self.vmlinux.object_from_symbol("net_namespace_list")
         symbol_net_name = self.get_symbol_fullname("net")
-        for network in nethead.to_list(symbol_net_name, "list"):
-            net_ns_id = network.ns.inum
-            yield net_ns_id, network
+        for net in nethead.to_list(symbol_net_name, "list"):
+            net_ns_id = net.ns.inum
+            yield net_ns_id, net
 
     def get_hooks_container(self, net, proto_name, hook_name):
         """Returns the data structure used in a specific kernel implementation to store
@@ -737,7 +735,7 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
             ),
             requirements.VersionRequirement(
                 name="linuxnet",
-                component=net.NetSymbols,
+                component=network.NetSymbols,
                 version=cls._required_linuxnet_version,
             ),
         ]

volatility3/framework/plugins/linux/sockstat.py

@@ -13,7 +13,7 @@
 from volatility3.framework.symbols import linux
 from volatility3.plugins.linux import lsof
 from volatility3.plugins.linux import pslist
-from volatility3.framework.symbols.linux import net
+from volatility3.framework.symbols.linux import network
 
 
 vollog = logging.getLogger(__name__)
@@ -475,7 +475,7 @@ def get_requirements(cls):
                 name="linuxutils", component=linux.LinuxUtilities, version=(2, 0, 0)
             ),
             requirements.VersionRequirement(
-                name="linux_net", component=net.NetSymbols, version=(1, 0, 0)
+                name="linux_net", component=network.NetSymbols, version=(1, 0, 0)
             ),
             requirements.BooleanRequirement(
                 name="unix",
@@ -618,7 +618,7 @@ def _generator(self, pids: List[int], netns_id_arg: int, kernel_module_name: str
         """
         vmlinux = self.context.modules[kernel_module_name]
         symbol_table = self.context.symbol_space[vmlinux.symbol_table_name]
-        net.NetSymbols.apply(symbol_table)
+        network.NetSymbols.apply(symbol_table)
 
         filter_func = pslist.PsList.create_pid_filter(pids)
         socket_generator = self.list_sockets(

volatility3/framework/symbols/linux/__init__.py

@@ -73,17 +73,17 @@ def __init__(self, *args, **kwargs) -> None:
 
         # Network
         # FIXME: Deprecate all of this once the framework hits version 3
-        self.set_type_class("net", extensions.net.net)
-        self.set_type_class("socket", extensions.net.socket)
-        self.set_type_class("sock", extensions.net.sock)
-        self.set_type_class("inet_sock", extensions.net.inet_sock)
-        self.set_type_class("unix_sock", extensions.net.unix_sock)
+        self.set_type_class("net", extensions.network.net)
+        self.set_type_class("socket", extensions.network.socket)
+        self.set_type_class("sock", extensions.network.sock)
+        self.set_type_class("inet_sock", extensions.network.inet_sock)
+        self.set_type_class("unix_sock", extensions.network.unix_sock)
         # Might not exist in older kernels or the current symbols
-        self.optional_set_type_class("netlink_sock", extensions.net.netlink_sock)
-        self.optional_set_type_class("vsock_sock", extensions.net.vsock_sock)
-        self.optional_set_type_class("packet_sock", extensions.net.packet_sock)
-        self.optional_set_type_class("bt_sock", extensions.net.bt_sock)
-        self.optional_set_type_class("xdp_sock", extensions.net.xdp_sock)
+        self.optional_set_type_class("netlink_sock", extensions.network.netlink_sock)
+        self.optional_set_type_class("vsock_sock", extensions.network.vsock_sock)
+        self.optional_set_type_class("packet_sock", extensions.network.packet_sock)
+        self.optional_set_type_class("bt_sock", extensions.network.bt_sock)
+        self.optional_set_type_class("xdp_sock", extensions.network.xdp_sock)
 
         # Only found in 6.1+ kernels
         self.optional_set_type_class("maple_tree", extensions.maple_tree)

…ramework/symbols/linux/extensions/net.py …work/symbols/linux/extensions/network.pyvolatility3/framework/symbols/linux/extensions/net.py renamed to volatility3/framework/symbols/linux/extensions/network.py volatility3/framework/symbols/linux/extensions/net.py renamed to volatility3/framework/symbols/linux/extensions/network.py

@@ -0,0 +1,27 @@
+from volatility3.framework.symbols import intermed
+from volatility3.framework.symbols.linux.extensions import network
+from volatility3.framework.interfaces.configuration import VersionableInterface
+
+
+class NetSymbols(VersionableInterface):
+    _version = (1, 0, 0)
+
+    @classmethod
+    def apply(cls, symbol_table: intermed.IntermediateSymbolTable):
+        # Network
+        symbol_table.set_type_class("net", network.net)
+        symbol_table.set_type_class("net_device", network.net_device)
+        symbol_table.set_type_class("in_device", network.in_device)
+        symbol_table.set_type_class("in_ifaddr", network.in_ifaddr)
+        symbol_table.set_type_class("inet6_dev", network.inet6_dev)
+        symbol_table.set_type_class("inet6_ifaddr", network.inet6_ifaddr)
+        symbol_table.set_type_class("socket", network.socket)
+        symbol_table.set_type_class("sock", network.sock)
+        symbol_table.set_type_class("inet_sock", network.inet_sock)
+        symbol_table.set_type_class("unix_sock", network.unix_sock)
+        # Might not exist in older kernels or the current symbols
+        symbol_table.optional_set_type_class("netlink_sock", network.netlink_sock)
+        symbol_table.optional_set_type_class("vsock_sock", network.vsock_sock)
+        symbol_table.optional_set_type_class("packet_sock", network.packet_sock)
+        symbol_table.optional_set_type_class("bt_sock", network.bt_sock)
+        symbol_table.optional_set_type_class("xdp_sock", network.xdp_sock)