Volatility3 upgrade

plugins/CMakeLists.txt

@@ -70,4 +70,4 @@ add_subdirectory(callstack)
 add_subdirectory(apicall_tracer)
 add_subdirectory(memory_regions)
 add_subdirectory(pmemdump)
-#add_subdirectory(volatility)
+add_subdirectory(volatility)

plugins/volatility/CMakeLists.txt

@@ -2,7 +2,7 @@ set(PANDA_PLUGIN_NAME "volatility")
 set(PLUGIN_TARGET "panda_${PANDA_PLUGIN_NAME}")
 
 # The volatility plugin requires linking against python
-find_package(PythonLibs 2.7 REQUIRED) 
+find_package(PythonLibs 3.8 REQUIRED) 
 if (NOT PYTHONLIBS_FOUND)
 	message(FATAL_ERROR "Could not find python libraries. Is python-dev installed?")
 endif()

plugins/volatility/README.md

@@ -6,10 +6,10 @@ either co-located with the plugin library. Results are stored as an `avro` recor
 
 This plugin takes in a PANDA recording and outputs an avro record file,`volatility.panda` containing a list of processes information (process hashes, socket information, etc)
 
-* A sample filter inupt file is require, it can be crafted as follows:
+* A sample filter input file is required, it can be crafted as follows:
 ```
 {
-  "threads": [
+  "thread_whitelist": [
     [
       pid,
       tid1,
@@ -30,10 +30,10 @@ This plugin takes in a PANDA recording and outputs an avro record file,`volatili
 ## Usage
 
 ### Running manually
-`volatility` plugin takes two arguments, `-os`, which asks for the type of operating system that the recording is used, and `--panda-arg filter=FILE.txt` to pass in the filter file to plugin. An example invocation: (NOTE: you need to have `RECORDING-rr-nondet.log`, `RECORDING-rr-snp`, and `filter.txt` in the path)
+`volatility` plugin takes two arguments, `-os`, which asks for the type of operating system that the recording is used, and `--panda-arg filter:file=filter.json` to pass in the filter file to plugin. An example invocation:
 
 ```bash
-panda-system-i386 -m 2048 -replay /path/to/RECORDING -panda 'volatility' -os windows-32-7sp1 --panda-arg filter:file=filter.txt
+panda-system-i386 -m 2048 -replay /path/to/RECORDING -panda 'volatility' -os windows-32-7sp1 --panda-arg filter:file=filter.json
 ```
 
 * To view the result avro record, we can use `jq` (a command line JSON processor for better visualization)

plugins/volatility/filter.cc

@@ -23,7 +23,7 @@ InstrumentationFilter::InstrumentationFilter(const char* filter_file)
     filter_document.ParseStream(is);
 
     // threads (pid, tid, asid)
-    rapidjson::Value::ConstMemberIterator itr = filter_document.FindMember("threads");
+    rapidjson::Value::ConstMemberIterator itr = filter_document.FindMember("thread_whitelist");
 
     if (itr != filter_document.MemberEnd()) {
         assert(itr->value.IsArray());

plugins/volatility/memory-server.cc

@@ -28,6 +28,19 @@ extern "C" {
 #define SUCCESS_CODE 0x79
 #define FAILURE_CODE 0x77
 
+#include <stdio.h>
+
+int file_exists_access(const char *filename) {
+    // F_OK tests for existence of the file
+    if (access(filename, F_OK) == 0) {
+        return 1; // File exists
+    } else {
+        fprintf(stderr, "Error checking file existence: %s (errno: %d)\n", filename, errno);
+        return 0; // File does not exist or an error occurred
+    }
+}
+
+
 struct __attribute__((__packed__)) request {
     uint64_t type;    // {QUIT, READ, QUERY_SIZE}_MESSAGE, ... rest reserved
     uint64_t address; // address to read from
@@ -299,6 +312,15 @@ static int setup_socket(char* path, struct sockaddr_un* address,
         fprintf(stderr, "[%s] QemuMemoryAccess: bind failed\n", __FILE__);
         return -2;
     }
+    if (!file_exists_access(path)) {
+        fprintf(stdout, "%s not exists\n", path);
+        exit(1);
+    }
+    if (chmod(path, 0777) != 0) {
+        fprintf(stderr, "Failed to set permissions for %s\n", path);
+        exit(1);
+    }
+
     if (listen(socket_fd, 0) != 0) {
         fprintf(stderr, "[%s] QemuMemoryAccess: listen failed\n", __FILE__);
         return -3;