
Add new resident data displaying plugin. Scan in correct layer. Condense code and remove duplication. Fix bugs

Open · atcuno opened this pull request 1 year ago · 7 comments

This MR performs a number of tasks related to the mftscan file and MFT-related functionality:

  1. Fixes bugs, such as incorrect instantiation of absent values

  2. Creates a unified and inheritable code flow for plugins that want to parse MFT records and their attributes.

  3. Previously, ADSscan and MFTScan scanned in the kernel virtual address space, which is incorrect and, in many samples, caused over half the entries to be missed. These scans should occur in the physical address space.

  4. Stops printing a disassembly of ADS data, which makes no sense anyway and made the output strange.

  5. Adds a new plugin, ResidentData, in the file that hexdumps all of the resident data of a file (the first $DATA attribute). This inherits and uses a combined implementation of $DATA attribute access from the ADS plugin, which displays the second (and third and fourth ..., if present) $DATA attribute. Volatility 2 displayed resident data inline with the regular MFTscan type output, but this was confusing and would break grep results.

atcuno · Jun 19 '24 23:06
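A worked example, added here and not taken from volatility3 or from this MR, of what items 3 and 5 describe at the record level: a scanner that carves a raw NTFS MFT FILE record from memory must undo the update sequence (fixups), walk the attribute list with every length bounded by the record's used size, and then split the $DATA attributes into the unnamed primary stream (what ResidentData hexdumps) and the named alternate streams (what the ADS plugin lists). The record bytes are constructed inline by build_record() and nothing is read from an image; the offsets follow the documented NTFS MFT layout, and the names DataAttribute, parse_data_attributes, primary_resident_data, alternate_streams and build_record are this example's own, not plugin APIs.

```python
"""Added example (not volatility3 code): parse a raw NTFS MFT FILE record, undo its
fixups, and split the $DATA attributes into the primary stream and alternate streams.
The sample record is constructed inline; no memory image is read."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ATTR_DATA = 0x80          # $DATA attribute type code
ATTR_END = 0xFFFFFFFF     # end-of-attributes marker
SECTOR = 512
RECORD_SIZE = 1024        # typical MFT record size


@dataclass
class DataAttribute:
    name: str                  # "" for the primary stream, e.g. "Zone.Identifier" for an ADS
    resident: bool
    content: Optional[bytes]   # resident payload; None when the data lives in clusters


def apply_fixups(record: bytes) -> bytes:
    """Undo the update sequence: NTFS overwrites the last two bytes of each sector with
    the USN and keeps the originals in the update sequence array (USA). A record carved
    out of memory still carries those stand-in bytes, so skipping this step corrupts
    any resident data that straddles a sector boundary."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn record or not an MFT entry")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_data_attributes(record: bytes) -> List[DataAttribute]:
    """Walk the attribute list and collect every $DATA attribute in record order."""
    if record[:4] != b"FILE":
        raise ValueError("missing FILE signature")
    record = apply_fixups(record)
    off = struct.unpack_from("<H", record, 0x14)[0]    # offset of the first attribute
    used = struct.unpack_from("<I", record, 0x18)[0]   # bytes of the record in use
    found: List[DataAttribute] = []
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END:
            break
        if alen < 0x18 or off + alen > used:           # never trust a length past 'used'
            raise ValueError(f"corrupt attribute length at {off:#x}")
        nonres, name_len, name_off = struct.unpack_from("<BBH", record, off + 8)
        if atype == ATTR_DATA:
            name = record[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
            if nonres:
                found.append(DataAttribute(name, False, None))
            else:
                clen, coff = struct.unpack_from("<IH", record, off + 0x10)
                found.append(DataAttribute(name, True, record[off + coff:off + coff + clen]))
        off += alen
    return found


def primary_resident_data(record: bytes) -> Optional[bytes]:
    """Bytes of the unnamed $DATA stream when it is resident (the ResidentData target)."""
    for a in parse_data_attributes(record):
        if a.name == "" and a.resident:
            return a.content
    return None


def alternate_streams(record: bytes) -> List[DataAttribute]:
    """Named $DATA attributes, i.e. the alternate data streams an ADS scan reports."""
    return [a for a in parse_data_attributes(record) if a.name]


def _resident_attr(atype: int, name: str, content: bytes, attr_id: int) -> bytes:
    """Encode one resident attribute: header, UTF-16LE name, 8-byte aligned payload."""
    name_b = name.encode("utf-16-le")
    content_off = 0x18 + len(name_b)
    content_off += (-content_off) % 8
    total = content_off + len(content)
    total += (-total) % 8
    hdr = struct.pack("<IIBBHHH", atype, total, 0, len(name), 0x18, 0, attr_id)
    hdr += struct.pack("<IHBB", len(content), content_off, 0, 0)
    body = hdr + name_b
    body += b"\0" * (content_off - len(body)) + content
    return body + b"\0" * (total - len(body))


def build_record(streams: List[Tuple[str, bytes]], usn: int = 7) -> bytes:
    """Constructed sample: a FILE record holding only resident $DATA attributes, with a
    real update sequence applied so apply_fixups() has something to undo."""
    usa_off, usa_count = 0x30, 1 + RECORD_SIZE // SECTOR
    first_attr = usa_off + 2 * usa_count
    first_attr += (-first_attr) % 8
    attrs = b"".join(_resident_attr(ATTR_DATA, n, c, i + 1) for i, (n, c) in enumerate(streams))
    attrs += struct.pack("<II", ATTR_END, 0)
    used = first_attr + len(attrs)
    buf = bytearray(struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, 1,
                                first_attr, 1, used, RECORD_SIZE, 0, len(streams) + 1, 0, 42))
    buf += b"\0" * (first_attr - len(buf)) + attrs
    buf += b"\0" * (RECORD_SIZE - len(buf))
    buf[usa_off:usa_off + 2] = struct.pack("<H", usn)
    for i in range(1, usa_count):                       # stash the real bytes, plant the USN
        end = i * SECTOR
        buf[usa_off + 2 * i:usa_off + 2 * i + 2] = buf[end - 2:end]
        buf[end - 2:end] = struct.pack("<H", usn)
    return bytes(buf)


PRIMARY = b"resident data line\r\n" * 25               # 500 bytes, so it crosses the sector boundary
ZONE = b"[ZoneTransfer]\r\nZoneId=3\r\n"               # constructed Mark-of-the-Web ADS
SAMPLE_RECORD = build_record([("", PRIMARY), ("Zone.Identifier", ZONE)])

if __name__ == "__main__":
    for a in alternate_streams(SAMPLE_RECORD):
        print(f"ADS {a.name!r}: {a.content!r}")
    print(primary_resident_data(SAMPLE_RECORD)[:32].hex(" "))
```

The primary stream is deliberately long enough to straddle byte 510, so the two content bytes there are replaced by the USN in the raw record and only come back once the fixups are reversed; a scanner that skips that step would hexdump the wrong bytes. The example starts from a record already in hand; the MR's point about where to find such records (scanning the physical layer rather than the kernel virtual layer) is a matter of which layer the scanner runs over and is not shown here.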

I am going to rewrite this a bit based on discussion from this weekend and what you said in this ticket, but I did want to point out early that each plugin does have its own run already based on the columns it produces.

atcuno · Jul 22 '24 17:07

That's fine. This only has a run but calls a generator from a child. The problem is pulling some bits from one plugin but redefining other bits itself, which makes an easily missed dependency between the two. If you're going to make it so that changes in a parent can't easily break the child without the user getting a nice message telling them about the problem, then that would be ideal...

ikelos · Jul 22 '24 21:07

ok @ikelos, I reworked all of this to match where we have the staticmethods and classmethods, and each plugin has its own run and generator. Removing the inheritance lets the flag about which $DATA to display be part of the parameters, and also the callbacks have consistent columns in their return data sets.

atcuno · Jul 22 '24 21:07

Still waiting on a couple of minor things then it should be fine to go in...

ikelos · Jul 30 '24 21:07

If you get this past the black formatting, it can be merged now, thanks for the changes...

ikelos · Jul 31 '24 20:07

> If you get this past the black formatting, it can be merged now, thanks for the changes...

fixed now

atcuno · Sep 02 '24 19:09

Feedback addressed @ikelos. I added `yield from` anywhere feasible plus the primary layer name passing.

atcuno · Oct 15 '24 19:10

this is ready for merge @ikelos

atcuno · Dec 09 '24 19:12