Merge pull request #1771 from volatilityfoundation/framework/process_traversal_bugfix

ikelos · web-flow · commit df03d2220a4d · 2025-04-14T23:43:04.000+01:00
Bugfix: Linux/Windows process traversal
diff --git a/volatility3/framework/plugins/linux/pslist.py b/volatility3/framework/plugins/linux/pslist.py
@@ -34,7 +34,7 @@ class PsList(interfaces.plugins.PluginInterface, timeliner.TimeLinerInterface):
     """Lists the processes present in a particular linux memory image."""
 
     _required_framework_version = (2, 13, 0)
-    _version = (4, 1, 0)
+    _version = (4, 1, 1)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -262,17 +262,27 @@ def list_tasks(
         init_task = vmlinux.object_from_symbol(symbol_name="init_task")
 
         # Note that the init_task itself is not yielded, since "ps" also never shows it.
-        for task in init_task.tasks:
-            if not task.is_valid():
-                continue
-
-            if filter_func(task):
-                continue
-
-            yield task
-
-            if include_threads:
-                yield from task.get_threads()
+        seen = set()
+        for forward in (True, False):
+            for task in init_task.tasks.to_list(
+                symbol_type=init_task.vol.type_name,
+                member="tasks",
+                forward=forward,
+            ):
+                if task.vol.offset in seen:
+                    continue
+                seen.add(task.vol.offset)
+
+                if not task.is_valid():
+                    continue
+
+                if filter_func(task):
+                    continue
+
+                yield task
+
+                if include_threads:
+                    yield from task.get_threads()
 
     def run(self):
         pids = self.config.get("pid")
diff --git a/volatility3/framework/plugins/windows/pslist.py b/volatility3/framework/plugins/windows/pslist.py
@@ -6,13 +6,13 @@
 import logging
 from typing import Callable, Iterator, List, Optional, Type
 
-from volatility3.framework import renderers, interfaces, layers, exceptions, constants
+from volatility3.framework import constants, exceptions, interfaces, layers, renderers
 from volatility3.framework.configuration import requirements
 from volatility3.framework.objects import utility
 from volatility3.framework.renderers import format_hints
 from volatility3.framework.symbols import intermed
-from volatility3.framework.symbols.windows.extensions import pe
 from volatility3.framework.symbols.windows import extensions
+from volatility3.framework.symbols.windows.extensions import pe
 from volatility3.plugins import timeliner
 
 vollog = logging.getLogger(__name__)
@@ -24,7 +24,7 @@ class PsList(interfaces.plugins.PluginInterface, timeliner.TimeLinerInterface):
     _required_framework_version = (2, 0, 0)
 
     # 3.0.0 - changed signature for `list_processes`
-    _version = (3, 0, 0)
+    _version = (3, 0, 1)
     PHYSICAL_DEFAULT = False
 
     @classmethod
@@ -261,9 +261,18 @@ def list_processes(
             absolute=True,
         )
 
-        for proc in eproc.ActiveProcessLinks:
-            if not filter_func(proc):
-                yield proc
+        seen = set()
+        for forward in (True, False):
+            for proc in eproc.ActiveProcessLinks.to_list(
+                symbol_type=eproc.vol.type_name,
+                member="ActiveProcessLinks",
+                forward=forward,
+            ):
+                if proc.vol.offset in seen:
+                    continue
+                seen.add(proc.vol.offset)
+                if not filter_func(proc):
+                    yield proc
 
     def _generator(self):
         kernel = self.context.modules[self.config["kernel"]]
