Merge pull request #1369 from gcmoreira/logging_producer_information

Linux/Mac: Log producer metadata information
volatilityfoundation · Nov 29, 2024 · ba98b08 · ba98b08
2 parents 393db10 + 77778ee
commit ba98b08
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 13 deletions.
diff --git a/volatility3/framework/automagic/symbol_finder.py b/volatility3/framework/automagic/symbol_finder.py
@@ -142,11 +142,11 @@ def _banner_scan(
             )
 
         for _, banner in banner_list:
-            vollog.debug(f"Identified banner: {repr(banner)}")
-            symbol_files = self.banners.get(banner, None)
-            if symbol_files:
-                isf_path = symbol_files
-                vollog.debug(f"Using symbol library: {symbol_files}")
+            vollog.debug(f"Identified banner: {banner!r}")
+            symbols_file = self.banners.get(banner, None)
+            if symbols_file:
+                isf_path = symbols_file
+                vollog.debug(f"Using symbol library: {symbols_file}")
                 clazz = self.symbol_class
                 # Set the discovered options
                 path_join = interfaces.configuration.path_join
@@ -160,8 +160,31 @@ def _banner_scan(
                     path_join(config_path, requirement.name, "symbol_mask")
                 ] = layer.address_mask
 
+                # Keep track of the existing table names so we know which ones were added
+                old_table_names = set(context.symbol_space)
+
                 # Construct the appropriate symbol table
                 requirement.construct(context, config_path)
+
+                new_table_names = set(context.symbol_space) - old_table_names
+                # It should add only one symbol table. Ignore the next steps if it doesn't
+                if len(new_table_names) == 1:
+                    new_table_name = new_table_names.pop()
+                    symbol_table = context.symbol_space[new_table_name]
+                    producer_metadata = symbol_table.producer
+                    vollog.debug(
+                        f"producer_name: {producer_metadata.name}, producer_version: {producer_metadata.version_string}"
+                    )
+
+                    symbol_metadata = symbol_table.metadata
+                    vollog.debug("Types:")
+                    for types_source_dict in symbol_metadata.get_types_sources():
+                        vollog.debug(f"\t{types_source_dict}")
+
+                    vollog.debug("Symbols:")
+                    for symbol_source_dict in symbol_metadata.get_symbols_sources():
+                        vollog.debug(f"\t{symbol_source_dict}")
+
                 break
             else:
                 vollog.debug(f"Symbol library path not found for: {banner}")

diff --git a/volatility3/framework/symbols/intermed.py b/volatility3/framework/symbols/intermed.py
@@ -738,10 +738,17 @@ class Version6Format(Version5Format):
     @property
     def metadata(self) -> Optional[interfaces.symbols.MetadataInterface]:
         """Returns a MetadataInterface object."""
-        if self._json_object.get("metadata", {}).get("windows"):
-            return metadata.WindowsMetadata(self._json_object["metadata"]["windows"])
-        if self._json_object.get("metadata", {}).get("linux"):
-            return metadata.LinuxMetadata(self._json_object["metadata"]["linux"])
+        if "metadata" not in self._json_object:
+            return None
+
+        json_metadata = self._json_object["metadata"]
+        if "windows" in json_metadata:
+            return metadata.WindowsMetadata(json_metadata["windows"])
+        if "linux" in json_metadata:
+            return metadata.LinuxMetadata(json_metadata["linux"])
+        if "mac" in json_metadata:
+            return metadata.MacMetadata(json_metadata["mac"])
+
         return None
 
 

diff --git a/volatility3/framework/symbols/metadata.py b/volatility3/framework/symbols/metadata.py
@@ -4,8 +4,7 @@
 
 import datetime
 import logging
-from typing import Optional, Tuple, Union
-
+from typing import Optional, Tuple, Union, List, Dict
 from volatility3.framework import constants, interfaces
 
 vollog = logging.getLogger(__name__)
@@ -18,10 +17,17 @@ class ProducerMetadata(interfaces.symbols.MetadataInterface):
     def name(self) -> Optional[str]:
         return self._json_data.get("name", None)
 
+    @property
+    def version_string(self) -> str:
+        """Returns the ISF file producer's version as a string.
+        If no version is present, an empty string is returned.
+        """
+        return self._json_data.get("version", "")
+
     @property
     def version(self) -> Optional[Tuple[int]]:
         """Returns the version of the ISF file producer"""
-        version = self._json_data.get("version", None)
+        version = self.version_string()
         if not version:
             return None
         if all(x in "0123456789." for x in version):
@@ -79,5 +85,21 @@ def pdb_age(self) -> Optional[int]:
         return self._json_data.get("pdb", {}).get("age", None)
 
 
-class LinuxMetadata(interfaces.symbols.MetadataInterface):
+class PosixMetadata(interfaces.symbols.MetadataInterface):
+    """Base class to handle metadata of Posix-based ISF sources"""
+
+    def get_types_sources(self) -> List[Optional[Dict]]:
+        """Returns the types sources metadata"""
+        return self._json_data.get("types", [])
+
+    def get_symbols_sources(self) -> List[Optional[Dict]]:
+        """Returns the symbols sources metadata"""
+        return self._json_data.get("symbols", [])
+
+
+class LinuxMetadata(PosixMetadata):
     """Class to handle the metadata from a Linux symbol table."""
+
+
+class MacMetadata(PosixMetadata):
+    """Class to handle the metadata from a Mac symbol table."""