|
10 | 10 | Dict, |
11 | 11 | ) |
12 | 12 |
|
13 | | -import volatility3.framework.symbols.linux.utilities.modules as linux_utilities_modules |
14 | 13 | from volatility3 import framework |
15 | 14 | from volatility3.framework import ( |
16 | 15 | interfaces, |
17 | 16 | exceptions, |
18 | 17 | symbols, |
19 | 18 | ) |
20 | | -from volatility3.framework.configuration import requirements |
21 | 19 | from volatility3.framework.constants import linux as linux_constants |
22 | 20 | from volatility3.framework.symbols.linux import extensions |
23 | 21 |
|
|
40 | 38 | class ModuleExtract(interfaces.configuration.VersionableInterface): |
41 | 39 | """Extracts Linux kernel module structures into an analyzable ELF file""" |
42 | 40 |
|
43 | | - _version = (1, 0, 2) |
| 41 | + _version = (1, 0, 1) |
44 | 42 | _required_framework_version = (2, 25, 0) |
45 | 43 |
|
46 | 44 | framework.require_interface_version(*_required_framework_version) |
47 | 45 |
|
48 | | - @classmethod |
49 | | - def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: |
50 | | - return [ |
51 | | - requirements.VersionRequirement( |
52 | | - name="linux_utilities_modules", |
53 | | - component=linux_utilities_modules.Modules, |
54 | | - version=(3, 0, 2), |
55 | | - ), |
56 | | - ] |
57 | | - |
58 | 46 | @classmethod |
59 | 47 | def _find_section( |
60 | 48 | cls, section_lookups: List[Tuple[str, int, int, int]], sym_address: int |
@@ -249,32 +237,17 @@ def _parse_sections( |
249 | 237 | The data of .strtab is read directly off the module structure and not its section |
250 | 238 | as the section from the original module has no meaning after loading as the kernel does not reference it. |
251 | 239 | """ |
252 | | - kernel = context.modules[vmlinux_name] |
253 | | - kernel_layer = context.layers[kernel.layer_name] |
254 | | - modules_addr_min, modules_addr_max = ( |
255 | | - linux_utilities_modules.Modules.get_modules_memory_boundaries( |
256 | | - context, vmlinux_name |
257 | | - ) |
258 | | - ) |
259 | | - modules_addr_min &= kernel_layer.address_mask |
260 | | - modules_addr_max &= kernel_layer.address_mask |
261 | | - |
262 | 240 | original_sections = {} |
263 | 241 | for index, section in enumerate(module.get_sections()): |
264 | | - # Extra sanity check, to prevent OOM on heavily smeared samples at line |
265 | | - # "size = next_address - address" |
266 | | - if not ( |
267 | | - modules_addr_min |
268 | | - <= section.address & kernel_layer.address_mask |
269 | | - < modules_addr_max |
270 | | - ): |
271 | | - continue |
272 | 242 | name = section.get_name() |
273 | 243 | original_sections[section.address] = name |
274 | 244 |
|
275 | 245 | if not original_sections: |
276 | 246 | return None |
277 | 247 |
|
| 248 | + kernel = context.modules[vmlinux_name] |
| 249 | + kernel_layer = context.layers[kernel.layer_name] |
| 250 | + |
278 | 251 | if symbols.symbol_table_is_64bit(context, kernel.symbol_table_name): |
279 | 252 | sym_type = "Elf64_Sym" |
280 | 253 | elf_hdr_type = "Elf64_Ehdr" |
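Review bot: The `for index, section in enumerate(module.get_sections())` loop in `_parse_sections` now records every `section.address` without range validation, because the check against `modules_addr_min`/`modules_addr_max` is removed together with the `linux_utilities_modules` import. The deleted comment says that check prevented OOM on heavily smeared samples at `size = next_address - address`; that line is outside this hunk, so presumably a corrupted or hostile memory image can again produce an oversized read there. If the dependency on `Modules.get_modules_memory_boundaries` has to go, an equivalent bound should stay local, for example rejecting a section whose computed size exceeds a fixed cap at the point where the size is derived. At minimum the loop should keep a comment such as `# NOTE: section.address is not range-checked; smeared samples can yield huge sizes at "size = next_address - address"`. The body of `_parse_sections` starts and continues outside the hunk, so confirm that no later check already bounds the size.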
|