add linux.bash_hash and linux.bash_env plugins
Hello
I've just added 2 plugins, linux.bash_hash and linux.bash_env. Below are the usage examples.
$ python3 vol.py -f ../../mem/ubuntu64.lime linux.bash_hash
Volatility 3 Framework 2.4.1
Progress: 100.00 Stacking attempts finished
PID Name Hits Command Full Path
1416 bash 1 sudo /usr/bin/sudo
1416 bash 1 ls /usr/bin/ls
1476 bash 1 insmod /usr/sbin/insmod
1476 bash 1 rmmod /usr/sbin/rmmod
1476 bash 2 swapoff /usr/sbin/swapoff
1476 bash 3 swapon /usr/sbin/swapon
$ python3 vol.py -f ../../mem/ubuntu64.lime linux.bash_env
Volatility 3 Framework 2.4.1
Progress: 100.00 Stacking attempts finished
PID Process Vars
1 systemd
2 kthreadd
3 rcu_gp
4 rcu_par_gp
5 kworker/0:0
6 kworker/0:0H
7 kworker/0:1
8 kworker/u256:0
9 mm_percpu_wq
10 ksoftirqd/0
11 rcu_sched
12 migration/0
13 idle_inject/0
14 cpuhp/0
..snip..
The former was developed based on Volatility 2's linux_bash_hash plugin and has the same functionality, and the latter is based on linux_bash_env. So these are more of a re-implementation for Volatility 3 than new development.
I am not quite sure if a pull request is an appropriate way to request a plugin addition like this, but if there is no problem with it, would you add these please?
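Added here as an illustration, not as code from the pull request or from the Volatility project: a small parser for the table that linux.bash_hash prints (PID, Name, Hits, Command, Full Path), using the output shown above as its constructed sample input. It groups the hash entries per bash process, surfaces commands from an assumed watch list (the kernel-module and swap commands that appear in the sample), and flags any entry whose resolved path does not end in the command name, since a normal hash-table entry maps a command onto a binary of the same name. The watch list and the helper names are assumptions for this example.

```python
"""Parse linux.bash_hash output and summarise it per bash process.

Example code written for this thread; it is not part of the plugin itself.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

# Constructed sample: the linux.bash_hash output from the pull request description,
# including the two banner lines the framework prints before the column header.
SAMPLE_OUTPUT = """\
Volatility 3 Framework 2.4.1
Progress: 100.00 Stacking attempts finished
PID Name Hits Command Full Path
1416 bash 1 sudo /usr/bin/sudo
1416 bash 1 ls /usr/bin/ls
1476 bash 1 insmod /usr/sbin/insmod
1476 bash 1 rmmod /usr/sbin/rmmod
1476 bash 2 swapoff /usr/sbin/swapoff
1476 bash 3 swapon /usr/sbin/swapon
"""

# Assumed watch list for this example (not something the plugin defines):
# commands an analyst usually wants surfaced when they appear in a shell's hash table.
WATCH_LIST = {"insmod", "rmmod", "modprobe", "swapoff"}


class HashEntry(NamedTuple):
    pid: int
    name: str
    hits: int
    command: str
    full_path: str


def parse_bash_hash(text: str) -> List[HashEntry]:
    """Turn the plugin's whitespace-separated table into HashEntry rows."""
    entries: List[HashEntry] = []
    for line in text.splitlines():
        # Full Path is the last column and may contain spaces, so split at most 4 times.
        parts = line.split(maxsplit=4)
        # Banner lines and the header do not start with a numeric PID; skip them.
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        pid, name, hits, command, path = parts
        entries.append(HashEntry(int(pid), name, int(hits), command, path))
    return entries


def by_pid(entries: Iterable[HashEntry]) -> Dict[int, List[HashEntry]]:
    """Group hash entries by the bash process they were recovered from."""
    grouped: Dict[int, List[HashEntry]] = defaultdict(list)
    for entry in entries:
        grouped[entry.pid].append(entry)
    return dict(grouped)


def watched_hits(entries: Iterable[HashEntry], watch=WATCH_LIST) -> List[HashEntry]:
    """Entries whose command name is on the watch list."""
    return [e for e in entries if e.command in watch]


def path_mismatches(entries: Iterable[HashEntry]) -> List[HashEntry]:
    """Entries whose Full Path basename differs from the command name.

    bash lets a hash entry be pointed at an arbitrary path, so a mismatch means
    the name a user typed did not run the binary of the same name; worth a look.
    """
    return [e for e in entries if e.full_path.rsplit("/", 1)[-1] != e.command]


if __name__ == "__main__":
    rows = parse_bash_hash(SAMPLE_OUTPUT)
    for pid, group in sorted(by_pid(rows).items()):
        cmds = ", ".join(f"{e.command}({e.hits})" for e in group)
        print(f"PID {pid}: {cmds}")
    for e in watched_hits(rows):
        print(f"watch-list hit: PID {e.pid} ran {e.command} from {e.full_path}")
    for e in path_mismatches(rows):
        print(f"path mismatch: PID {e.pid} {e.command} -> {e.full_path}")
```

Pipe the real plugin output into `parse_bash_hash` (for example, `parse_bash_hash(sys.stdin.read())`) to apply the same grouping and checks to a full memory image; the column layout is the only thing the parser depends on.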
@a5hlynx would you be able to investigate the comments we've made please? It looks like you're keeping it up to date with develop, but there's been no action on the comments made...
Sorry for not responding. I modified some parts based upon the comments. I will modify the unresolved parts as soon as I can address them.
Hiya @a5hlynx, you mentioned six months ago you were going to work on the comments we'd made, and we'd really like to see your code land in the tree. Would you be able to give it a look and make the changes? We can get things rolling again if you're happy to address the comments we raised?
Sorry for my late reply.
I closed this request once. I will re-open it when I am ready.
These are important plugins to the framework's parity effort with Volatility 2. Do you know if you would have time to address the feedback within the next few weeks? If not, we will likely assign one of our developers to complete them.
You can mark the pull request as a draft if it's not ready, but that way at least people can see it and find it easily, rather than closing it and making it look like the work in it wasn't necessarily usable?
Thanks for your suggestion. I marked it as draft.