
Linux support for x86/x86-64

Open · xabiugarte opened this issue 7 years ago · 1 comment

  • [x] Listing processes during system boot and system operation
  • [x] Monitoring individual address spaces (processes)
  • [ ] Monitoring individual threads separately
  • [x] Extracting module information for user processes and kernel, as well as symbols
  • [ ] Extracting symbols from .dynsym (dynamic symbols) from memory.
  • [ ] Add documentation on how to generate volatility profiles for linux kernels.
  • [ ] Add tests for linux VMI, process and module creation/removal detection, and other relevant callback types.

xabiugarte, Aug 31 '17 18:08

Hello there! I decided to try pyrebox a few days ago, on Linux, examining Linux. Here's my setup. Host: Linux Ubuntu (whatever, it doesn't matter). Target: Debian 9.9.0 amd64. Problems:

  • The ps command doesn't work: it shows no processes at all! However, vol linux_psaux works perfectly fine!
  • As ps doesn't work, proc doesn't work, mon doesn't work, etc.

And so debugging I went:

  1. ps, proc, mon and all the rest don't work because find_procs doesn't work. It simply returns [].
  2. find_procs doesn't work because set<Process> processes is empty.
  3. set<Process> processes is empty because the vmi_tlb_callback -> linux_vmi_tlb_callback -> initialize_init_task chain is not working. Let's look at initialize_init_task, which seems like a rip-off of volatility rewritten in C.
  • initialize_init_task is looking for a specific task name, "swapper", but there is no such task or it can't find it.
  • It then tries the KASLR code and goes on to search for swapper/0\x00\x00\x00\x00\x00\x00 with memmem! It still doesn't find it!
  • I guess the reason for this failure is that most of the shift values are hard-coded, whilst volatility can take them from the profile!
  • By the way, the initialization of the needle array cannot be optimized by the compiler.

Is there any progress on this issue?

bat-serjo, Jul 02 '19 21:07
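To illustrate the dependency the comment above points at (init_task found by its comm string, then task list walked using struct offsets), here is an added example that is not pyrebox or volatility code. It builds a constructed memory image with assumed task_struct offsets and shows that the same walk returns [] when the profile offsets do not match the image, which is the symptom reported for find_procs.

```python
import struct

# Constructed profile (an assumption, not real kernel offsets): byte offsets of
# task_struct fields. A Volatility profile supplies these per kernel build.
PROFILE = {"comm": 0x20, "tasks.next": 0x10, "pid": 0x08, "task_size": 0x40}
BASE = 0x1000  # guest virtual address of the first task_struct (constructed)


def build_image(names):
    """Constructed memory image: task_structs laid out back to back, with
    tasks.next pointing at the next struct's list head (circular list)."""
    size = PROFILE["task_size"]
    img = bytearray(size * len(names))
    for i, name in enumerate(names):
        off = i * size
        nxt = BASE + ((i + 1) % len(names)) * size + PROFILE["tasks.next"]
        struct.pack_into("<Q", img, off + PROFILE["tasks.next"], nxt)
        struct.pack_into("<I", img, off + PROFILE["pid"], i)
        comm = name.encode()[:15] + b"\x00"
        img[off + PROFILE["comm"]:off + PROFILE["comm"] + len(comm)] = comm
    return bytes(img)


def find_init_task(img, profile):
    """Locate init_task by scanning for its comm string, then subtract the
    comm offset to get the struct's address (the step that needs the profile)."""
    idx = img.find(b"swapper/0\x00")
    return None if idx < 0 else BASE + idx - profile["comm"]


def list_processes(img, profile):
    """Walk tasks.next from init_task until the list wraps around. A wrong
    offset lands outside the image and yields [] rather than garbage."""
    start = find_init_task(img, profile)
    if start is None:
        return []
    procs, cur = [], start
    while True:
        off = cur - BASE
        if not 0 <= off <= len(img) - profile["task_size"]:
            return []  # profile mismatch: pointer/struct math went out of range
        pid = struct.unpack_from("<I", img, off + profile["pid"])[0]
        comm = img[off + profile["comm"]:off + profile["comm"] + 16]
        procs.append((pid, comm.split(b"\x00", 1)[0].decode()))
        nxt = struct.unpack_from("<Q", img, off + profile["tasks.next"])[0]
        cur = nxt - profile["tasks.next"]
        if cur == start:
            return procs
```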