Merge pull request #1740 from volatilityfoundation/lkm_extraction

Add module extraction API. Add plugin to directly extract modules. Ho…

Author: ikelos

volatility3/framework/constants/linux/__init__.py

@@ -484,3 +484,28 @@ class TaintFlag:
     - taint_flag kernel struct
     - taint_flags kernel constant
 """
+
+## ELF related constants
+
+# Elf Symbol Bindings
+STB_LOCAL = 0
+STB_GLOBAL = 1
+
+# Elf Symbol Types
+STT_NOTYPE = 0
+STT_OBJECT = 1
+STT_FUNC = 2
+STT_SECTION = 3
+
+# Elf Section Types
+SHT_NULL = 0
+SHT_PROGBITS = 1
+SHT_SYMTAB = 2
+SHT_STRTAB = 3
+SHT_RELA = 4
+SHT_NOTE = 7
+
+# Elf Section Attributes
+SHF_WRITE = 1
+SHF_ALLOC = 2
+SHF_EXECINSTR = 4

volatility3/framework/plugins/linux/check_modules.py

@@ -18,7 +18,7 @@
 class Check_modules(plugins.PluginInterface):
     """Compares module list to sysfs info, if available"""
 
-    _version = (3, 0, 0)
+    _version = (3, 0, 1)
     _required_framework_version = (2, 0, 0)
 
     @classmethod
@@ -46,17 +46,12 @@ def compare_kset_and_lsmod(
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
         return [
-            requirements.ModuleRequirement(
-                name="kernel",
-                description="Linux kernel",
-                architectures=["Intel32", "Intel64"],
-            ),
             requirements.VersionRequirement(
                 name="linux_utilities_modules_module_display_plugin",
                 component=linux_utilities_modules.ModuleDisplayPlugin,
                 version=(1, 0, 0),
             ),
-        ]
+        ] + linux_utilities_modules.ModuleDisplayPlugin.get_requirements()
 
     @classmethod
     @deprecation.deprecated_method(

volatility3/framework/plugins/linux/hidden_modules.py

@@ -7,7 +7,6 @@
     modules as linux_utilities_modules,
 )
 from volatility3.framework import interfaces, exceptions, deprecation
-from volatility3.framework.constants import architectures
 from volatility3.framework.configuration import requirements
 from volatility3.framework.symbols.linux import extensions
 from volatility3.framework.interfaces import plugins
@@ -19,7 +18,7 @@ class Hidden_modules(plugins.PluginInterface):
     """Carves memory to find hidden kernel modules"""
 
     _required_framework_version = (2, 10, 0)
-    _version = (3, 0, 0)
+    _version = (3, 0, 1)
 
     @classmethod
     def get_hidden_modules(
@@ -62,17 +61,12 @@ def get_hidden_modules(
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
         return [
-            requirements.ModuleRequirement(
-                name="kernel",
-                description="Linux kernel",
-                architectures=architectures.LINUX_ARCHS,
-            ),
             requirements.VersionRequirement(
                 name="linux_utilities_modules_module_display_plugin",
                 component=linux_utilities_modules.ModuleDisplayPlugin,
                 version=(1, 0, 0),
             ),
-        ]
+        ] + linux_utilities_modules.ModuleDisplayPlugin.get_requirements()
 
     @staticmethod
     @deprecation.deprecated_method(

volatility3/framework/plugins/linux/lsmod.py

@@ -18,7 +18,7 @@ class Lsmod(plugins.PluginInterface):
     """Lists loaded kernel modules."""
 
     _required_framework_version = (2, 0, 0)
-    _version = (3, 0, 0)
+    _version = (3, 0, 1)
 
     run = linux_utilities_modules.ModuleDisplayPlugin.run
     _generator = linux_utilities_modules.ModuleDisplayPlugin.generator
@@ -27,22 +27,12 @@ class Lsmod(plugins.PluginInterface):
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
         return [
-            requirements.ModuleRequirement(
-                name="kernel",
-                description="Linux kernel",
-                architectures=["Intel32", "Intel64"],
-            ),
-            requirements.VersionRequirement(
-                name="linux_utilities_modules",
-                component=linux_utilities_modules.Modules,
-                version=(3, 0, 0),
-            ),
             requirements.VersionRequirement(
                 name="linux_utilities_modules_module_display_plugin",
                 component=linux_utilities_modules.ModuleDisplayPlugin,
                 version=(1, 0, 0),
             ),
-        ]
+        ] + linux_utilities_modules.ModuleDisplayPlugin.get_requirements()
 
     @classmethod
     @deprecation.deprecated_method(

volatility3/framework/plugins/linux/module_extract.py

@@ -0,0 +1,87 @@
+# This file is Copyright 2025 Volatility Foundation and licensed under the Volatility Software License 1.0
+# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
+#
+import logging
+from typing import List
+
+from volatility3 import framework
+import volatility3.framework.symbols.linux.utilities.module_extract as linux_utilities_module_extract
+from volatility3.framework import interfaces, renderers
+from volatility3.framework.configuration import requirements
+from volatility3.framework.renderers import format_hints
+from volatility3.framework.objects import utility
+
+vollog = logging.getLogger(__name__)
+
+
+class ModuleExtract(interfaces.plugins.PluginInterface):
+    """Recreates an ELF file from a specific address in the kernel"""
+
+    _version = (1, 0, 0)
+    _required_framework_version = (2, 25, 0)
+
+    framework.require_interface_version(*_required_framework_version)
+
+    @classmethod
+    def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
+        # Since we're calling the plugin, make sure we have the plugin's requirements
+        return [
+            requirements.ModuleRequirement(
+                name="kernel",
+                description="Windows kernel",
+                architectures=["Intel32", "Intel64"],
+            ),
+            requirements.IntRequirement(
+                name="base",
+                description="Base virtual address to reconstruct an ELF file",
+                optional=False,
+            ),
+        ]
+
+    def _generator(self):
+        kernel = self.context.modules[self.config["kernel"]]
+
+        base_address = self.config["base"]
+
+        kernel_layer = self.context.layers[kernel.layer_name]
+
+        if not kernel_layer.is_valid(base_address):
+            vollog.error(
+                f"Given base address ({base_address:#x}) is not valid in the kernel address space. Unable to extract file."
+            )
+            return
+
+        module = kernel.object(object_type="module", offset=base_address, absolute=True)
+
+        elf_data = linux_utilities_module_extract.ModuleExtract.extract_module(
+            self.context, self.config["kernel"], module
+        )
+        if not elf_data:
+            vollog.error(
+                f"Unable to reconstruct the ELF for module struct at {base_address:#x}"
+            )
+            return
+
+        module_name = utility.array_to_string(module.name)
+        file_name = self.open.sanitize_filename(
+            f"kernel_module.{module_name}.{base_address:#x}.elf"
+        )
+
+        with self.open(file_name) as file_handle:
+            file_handle.write(elf_data)
+
+        yield 0, (
+            format_hints.Hex(base_address),
+            len(elf_data),
+            file_handle.preferred_filename,
+        )
+
+    def run(self):
+        return renderers.TreeGrid(
+            [
+                ("Base", format_hints.Hex),
+                ("File Size", int),
+                ("File output", str),
+            ],
+            self._generator(),
+        )

volatility3/framework/symbols/linux/__init__.py

@@ -52,6 +52,8 @@ def __init__(self, *args, **kwargs) -> None:
         self.set_type_class("idr", extensions.IDR)
         self.set_type_class("address_space", extensions.address_space)
         self.set_type_class("page", extensions.page)
+        self.set_type_class("module_sect_attr", extensions.module_sect_attr)
+
         # Might not exist in the current symbols
         self.optional_set_type_class("module", extensions.module)
         self.optional_set_type_class("bpf_prog", extensions.bpf_prog)
@@ -79,6 +81,7 @@ def __init__(self, *args, **kwargs) -> None:
         self.set_type_class("sock", extensions.network.sock)
         self.set_type_class("inet_sock", extensions.network.inet_sock)
         self.set_type_class("unix_sock", extensions.network.unix_sock)
+
         # Might not exist in older kernels or the current symbols
         self.optional_set_type_class("netlink_sock", extensions.network.netlink_sock)
         self.optional_set_type_class("vsock_sock", extensions.network.vsock_sock)

volatility3/framework/symbols/linux/extensions/__init__.py

@@ -3121,3 +3121,47 @@ def get_namespace(self) -> Optional[str]:
             return self._do_get_namespace()
         except exceptions.InvalidAddressException:
             return None
+
+
+class module_sect_attr(objects.StructType):
+    def get_name(self) -> Optional[str]:
+        """
+        Performs careful extraction of the section name
+        The `name` member has changed type and meaning over time
+        It also was present even in cases with `mattr` present, which
+        holds the name the kernel uses
+        """
+        if hasattr(self, "battr"):
+            try:
+                return utility.pointer_to_string(self.battr.attr.name, count=32)
+            except exceptions.InvalidAddressException:
+                # if battr is present then its name attribute needs to be valid
+                vollog.debug(f"Invalid battr name for section at {self.vol.offset:#x}")
+                return None
+
+        elif self.name.vol.type_name == "array":
+            try:
+                return utility.array_to_string(self.name, count=32)
+            except exceptions.InvalidAddressException:
+                # specifically do not return here to give `mattr` a chance
+                vollog.debug(f"Invalid direct name for section at {self.vol.offset:#x}")
+
+        elif self.name.vol.type_name == "pointer":
+            try:
+                return utility.pointer_to_string(self.name, count=32)
+            except exceptions.InvalidAddressException:
+                # specifically do not return here to give `mattr` a chance
+                vollog.debug(
+                    f"Invalid pointer name for section at {self.vol.offset:#x}"
+                )
+
+        # if everything else failed...
+        if hasattr(self, "mattr"):
+            try:
+                return utility.pointer_to_string(self.mattr.attr.name, count=32)
+            except exceptions.InvalidAddressException:
+                vollog.debug(
+                    f"Unresolvable name for for section at {self.vol.offset:#x}"
+                )
+
+        return None