Incorrect Linux Paths in Plugin Outputs

Open mthbrown opened this issue 3 years ago • 1 comments

Describe the bug

When running any of the Linux plugins, the paths in the output are incorrect. It repeats parts of the path for some reason. For example, it shows this:

/usr/usr/lib/usr/lib/x86_64-linux-gnu/usr/lib/x86_64-linux-gnu/libc.so.6

instead of:

/usr/lib/x86_64-linux-gnu/libc.so.6

Other than this, the plugin(s) work fine.

Context

  • Volatility Version: Volatility 3 Framework 2.3.1 (latest from git as of today)
  • Operating System: Ubuntu 20.04.2 LTS
  • Python Version: 3.6.12
  • Suspected Operating System: Ubuntu 22.04 (memory of this machine was captured)
  • Command:

$ python vol.py -f ~/volatility/mem/Linux64.mem linux.elfs.Elfs

...

90005   insmod  0x55cfc2fbc000  0x55cfc2fc0000  /usr/usr/bin/usr/bin/kmod
90005   insmod  0x7fc595e12000  0x7fc595e3a000  /usr/usr/lib/usr/lib/x86_64-linux-gnu/usr/lib/x86_64-linux-gnu/libc.so.6
90005   insmod  0x7fc59603a000  0x7fc5960ec000  /usr/usr/lib/usr/lib/x86_64-linux-gnu/usr/lib/x86_64-linux-gnu/libcrypto.so.3
90005   insmod  0x7fc59647c000  0x7fc59647f000  /usr/usr/lib/usr/lib/x86_64-linux-gnu/usr/lib/x86_64-linux-gnu/liblzma.so.5.2.5
90005   insmod  0x7fc5964a7000  0x7fc5964b1000  /usr/usr/lib/usr/lib/x86_64-linux-gnu/usr/lib/x86_64-linux-gnu/libzstd.so.1.4.8
90005   insmod  0x7fc59657f000  0x7fc596581000  /usr/usr/lib/usr/lib/x86_64-linux-gnu/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
90005   insmod  0x7fc5965ab000  0x7fc5965b6000  /usr/usr/lib/usr/lib/x86_64-linux-gnu/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
90005   insmod  0x7ffed55c0000  0x7ffed55c2000  [vdso]

Notice the paths are incorrect as parts are repeated for some reason. I ran into this with a number of plugins including:

  • linux.lsof.Lsof
  • linux.proc.Maps
  • linux.elfs.Elfs

while others such as linux.psaux.PsAux show the correct path.

To Reproduce

See above. This was using a custom symbols table that I created - vmlinux-5.15.0-33-generic.json.gz

Expected behavior

It should provide the correct file / path

mthbrown, Sep 09 '22 07:09

Check PR #786 for the fix.

paulkermann, Sep 12 '22 14:09

This should now have been fixed in commit 72d928fecd9fb2323c1cc4c4378cb8f13a834d67, with a little cleaning up still to be done in terms of deprecating the old variables. I'm going to mark this as closed, but please feel free to reopen if there are any continuing issues.

ikelos, Oct 26 '22 18:10
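For output already collected with an affected build, the sample rows in the report show a regular shape: each bad path is the concatenation of its own cumulative prefixes (/usr + /usr/bin + /usr/bin/kmod). The following is an added example, not code from Volatility or from anyone in this thread, that recovers the real path from such rows; the function names are hypothetical, and the prefix pattern is inferred from the sample output above, not from a stated root cause.

```python
import math

def collapse_repeated_prefixes(path: str) -> str:
    """Return the real path if `path` is the concatenation of its own
    cumulative prefixes (/a + /a/b + /a/b/c); otherwise return it unchanged."""
    if not path.startswith("/"):
        return path                      # e.g. [vdso] and other non-file mappings
    parts = path.split("/")[1:]
    total = len(parts)
    # n prefixes of lengths 1..n contain n(n+1)/2 components in total.
    n = (math.isqrt(8 * total + 1) - 1) // 2
    if n < 2 or n * (n + 1) // 2 != total:
        return path
    real = parts[-n:]                    # the last and longest chunk is the full path
    offset = 0
    for k in range(1, n + 1):            # chunk k must equal the first k components
        if parts[offset:offset + k] != real[:k]:
            return path
        offset += k
    return "/" + "/".join(real)

def fix_row(row: str) -> str:
    """Repair the path column of one linux.elfs.Elfs output row
    (PID, process, start, end, path), leaving the other columns as they are."""
    fields = row.split(None, 4)          # keep a path containing spaces in one piece
    if len(fields) != 5:
        return row
    fields[4] = collapse_repeated_prefixes(fields[4].rstrip())
    return "\t".join(fields)

# Rows copied from the report above.
SAMPLE_ROWS = [
    "90005   insmod  0x55cfc2fbc000  0x55cfc2fc0000  /usr/usr/bin/usr/bin/kmod",
    "90005   insmod  0x7fc595e12000  0x7fc595e3a000  "
    "/usr/usr/lib/usr/lib/x86_64-linux-gnu/usr/lib/x86_64-linux-gnu/libc.so.6",
    "90005   insmod  0x7ffed55c0000  0x7ffed55c2000  [vdso]",
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(fix_row(row))
```

A genuine path that happens to have this shape, such as /a/a/b, would also be collapsed, so keep the original output alongside the repaired copy. Re-running the plugins with a build that contains the fix remains the reliable way to get correct paths.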