Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

macOS : plugins updates, for recent kernels support #1116

Draft
wants to merge 23 commits into
base: develop
Choose a base branch
from
Draft

macOS : plugins updates, for recent kernels support #1116

wants to merge 23 commits into from
+206 −63

Conversation

Abyss-W4tcher
Copy link
Contributor

@Abyss-W4tcher Abyss-W4tcher commented Mar 23, 2024
edited

Hi 👋,

This Pull Request provides updates to existing macOS plugins, for compatibility with recent kernels. It indirectly depends on the work produced in #1115. It is marked as "Draft" for now, but is available for anyone to try !

Instead of opening one PR for each change, I thought it would be easier to track down the global update here.

Changes are mostly small fixes on types and structures naming changes, while keeping the compatibility for older kernels. A couple reworks were necessary for some plugins, and extensions.

Tested on kernels :

  • 10.9.3_build-13D65
  • 10.12.6_build-16G29
  • 10.15.7_build-19H15
  • 12.0.1_build-21A559
  • 13.6.4_build-22G513
  • 14.0_build-23A5257q

Plugins version haven't been bumped for now.

Details

Here are the justifications, in the form of a before/after on kernel structures :

volatility3/framework/symbols/mac/init.py

filedesc :

fileproc :

fileglob :

vnode :

mac.pslist

bsd_info :

mac.kevents

mac.list_files

Recursive logic was updated to an iterative one, as "maximum recursion depth exceeded in comparison" were encountered when deep recursion occured.

volatility3/framework/symbols/mac/extensions/init.py

proc (impacts mac.pslist) :

mac.malfind

Fixes #848. As vm_map_object was removed from the kernel, updates on the logic to get vm_object from a vm_map_entry were done. See :

Here is an article brieflly talking about it :

https://saaramar.github.io/kmem_guard_t_blogpost/#bookkeeping

mac.timers

/!\ 1-1 changes were done, but results don't seem really useful/accurate in recent kernels

@Abyss-W4tcher
get_task p_proc_ro attribute check
428e8a2
@Abyss-W4tcher
set type hinting for kernel module
0cff113
@Abyss-W4tcher
task.p_fd check for newer kernels
4d37db1
@Abyss-W4tcher
fileglob fp_glob check for newer kernels
507afae
@Abyss-W4tcher
handle fg_data as a uintptr_t/base type
0b27598
@Abyss-W4tcher
check task.bsd_info_ro for newer kernels
ea7c785
@Abyss-W4tcher
fileglob fp_glob check for newer kernels
82657a5
@Abyss-W4tcher
handle fg_data as a uintptr_t/base type
1de638b
@Abyss-W4tcher
temporary vm_map_object workaround
38516de
@Abyss-W4tcher
prefer iterative to recursive to avoid maximum recursion depth limit …
69e536c 
…reaching
@Abyss-W4tcher
remove fixme
307e9a2
@Abyss-W4tcher
remove hardcoded kernel module name, use introspection to get name in…
5778768 
…stead
@Abyss-W4tcher
add struct module import
683dba8
@Abyss-W4tcher
vm_pointer_unpack function
ab55018
@Abyss-W4tcher
update get_object for recent kernels
23fc9c8
@Abyss-W4tcher
add a check for older and recent kernels, on vm_object
2abf5f8
@Abyss-W4tcher
wrong object to get layer_name from
e30deeb
@Abyss-W4tcher
kernel timer structure update
4a7fffb
@Abyss-W4tcher
structures attributes update
c0e85f4
@Abyss-W4tcher
handle unknown ftype
87f950a
@Abyss-W4tcher
handle unreachable object
64ffe0d
@Abyss-W4tcher Abyss-W4tcher marked this pull request as draft March 23, 2024 16:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Volatility can't match the memory dump file (MacOS Monterey 12.6 build 21G115) to the symbol table created
1 participant
@Abyss-W4tcher