1# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0
2# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
3#
4"""A module containing a collection of plugins that produce data typically
5found in Linux's /proc file system."""
6import logging
7from typing import List
8
9from volatility.framework import renderers, interfaces, constants
10from volatility.framework.automagic import linux
11from volatility.framework.configuration import requirements
12from volatility.framework.interfaces import plugins
13from volatility.framework.objects import utility
14from volatility.plugins.linux import pslist
15
16vollog = logging.getLogger(__name__)
17
18
19class Lsof(plugins.PluginInterface):
20    """Lists all memory maps for all processes."""
21
22    @classmethod
23    def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
24        return [
25            requirements.TranslationLayerRequirement(name = 'primary',
26                                                     description = 'Memory layer for the kernel',
27                                                     architectures = ["Intel32", "Intel64"]),
28            requirements.SymbolTableRequirement(name = "vmlinux", description = "Linux kernel symbols"),
29            requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (1, 0, 0))
30        ]
31
32    def _generator(self, tasks):
33        symbol_table = None
34        for task in tasks:
35            if symbol_table is None:
36                if constants.BANG not in task.vol.type_name:
37                    raise ValueError("Task is not part of a symbol table")
38                symbol_table = task.vol.type_name.split(constants.BANG)[0]
39
40            name = utility.array_to_string(task.comm)
41            pid = int(task.pid)
42
43            for fd_num, _, full_path in linux.LinuxUtilities.files_descriptors_for_process(
44                    self.context, symbol_table, task):
45                yield (0, (pid, name, fd_num, full_path))
46
47    def run(self):
48        linux.LinuxUtilities.aslr_mask_symbol_table(self.context, self.config['vmlinux'], self.config['primary'])
49
50        filter_func = pslist.PsList.create_pid_filter([self.config.get('pid', None)])
51
52        return renderers.TreeGrid([("PID", int), ("Process", str), ("FD", int), ("Path", str)],
53                                  self._generator(
54                                      pslist.PsList.list_tasks(self.context,
55                                                               self.config['primary'],
56                                                               self.config['vmlinux'],
57                                                               filter_func = filter_func)))
58