PR comments

Author: tvanegro

volatility3/framework/plugins/linux/malware/malfind.py

@@ -61,12 +61,7 @@ def _list_injections(
 
         proc_layer = self.context.layers[proc_layer_name]
 
-        # Allowing a dump_size of 0 (no dump)
-        dump_size = (
-            self.config.get("dump-size")
-            if self.config.get("dump-size") is not None
-            else 64
-        )
+        dump_size = self.config.get("dump-size", None) or 64
 
         # Dumping page defaults to off, as in case a whole r-xp region is dirty
         # this would likely dump 1000's of pages which might not always be wise nor necessary

volatility3/framework/symbols/linux/extensions/__init__.py

@@ -1273,10 +1273,20 @@ def get_name(self, context, task) -> Optional[str]:
         except exceptions.InvalidAddressException:
             return None
 
-    def get_malicious_pages(self, proclayer=None):
-        """
-        This function will return a list of all malicious pages inside a given dirty region
+    def get_malicious_pages(self, proclayer) -> List[int]:
+        """Identifies and returns a list of potentially malicious memory pages.
+
+        A page is considered malicious if it is:
+            - Executable (protection flags match 'r-x')
+            - Dirty (modified since process start, according to proclayer.is_dirty())
+
+        Args:
+            proclayer: The process's memory layer
+
+        Returns:
+            List[int]: A list of virtual addresses for pages flagged as potentially malicious.
         """
+
         malicious_pages = []
         flags_str = self.get_protection()