
@tvanegro (Contributor) commented Jun 17, 2025

This PR is for adding --dump-page and --dump-size options to linux.malware.Malfind plugin.

What does it do?

When supplied to Malfind, the --dump-page argument will dump each dirty page for the given process, instead of the default behaviour which will only dump the memory region inside which the dirty page(s) is/are located. Prior to this MR, Volatility will also stop at the first hit it finds, instead of looking for all dirty pages.

This allows the location and content of the dirty memory sections to be identified precisely. This is helpful in scenarios for which there are only a few dirty pages out of the whole memory region.

The --dump-size argument allows to change the length of the disassembly for each page. The default is 64 bytes.
It can be set to 0 (no disassembly printed, useful for a summary view).

Why not make --dump-page the default?

In scenarios where the whole binary executable region has been made dirty, --dump-page will list thousands of dirty pages, which is not helpful.

This PR does not change the default behaviour of the Malfind plugin:

Summary:

| --dump-page supplied? | --dump-size supplied? | Behaviour |
|---|---|---|
| N | N | Dumps the first 64 bytes of the dirty memory region (default behaviour prior to this PR) |
| Y | N | Dumps the first 64 bytes of each dirty page of each dirty region |
| Y | Y | Dumps the first X bytes of each dirty page of each dirty region (can be set to 0 to disable disassembly printout) |
| N | Y | Dumps the first X bytes of the dirty memory region |
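The selection rules in the summary table, as an added illustration that is not Volatility's own code: it models a process layer as a constructed dict of page-aligned addresses (hypothetical `LAYER` and `VMAS` sample data) and shows why an explicit `--dump-size 0` must be tested against `None` rather than with `or 64`.

```python
"""Added illustration, not Volatility's own code: models the Malfind dump
selection described in the PR over a constructed process layer (a dict of
page-aligned address -> (dirty flag, page bytes)) instead of a live layer."""
from typing import Dict, List, Optional, Tuple

PAGE = 0x1000
# Constructed sample: three VMAs; a dirty page is one that was written to.
VMAS: List[Tuple[int, int]] = [
    (0x400000, 0x404000), (0x7F0000, 0x7F3000), (0x800000, 0x801000),
]
LAYER: Dict[int, Tuple[bool, bytes]] = {
    0x400000: (False, b"\x00" * PAGE), 0x401000: (True, b"\x90" * PAGE),
    0x402000: (False, b"\x00" * PAGE), 0x403000: (True, b"\xcc" * PAGE),
    0x7F0000: (True, b"\x48" * PAGE), 0x7F1000: (True, b"\x8b" * PAGE),
    0x7F2000: (True, b"\xc3" * PAGE), 0x800000: (False, b"\x00" * PAGE),
}


def resolve_dump_size(value: Optional[int]) -> int:
    # `value or 64` would silently turn an explicit 0 back into 64,
    # so the "no disassembly" case is only reachable with a None test.
    return 64 if value is None else value


def dirty_pages(vma: Tuple[int, int]) -> List[int]:
    """Page-aligned addresses inside the VMA whose dirty flag is set."""
    start, end = vma
    return [a for a in range(start, end, PAGE) if LAYER.get(a, (False, b""))[0]]


def dump_targets(dump_page: bool, dump_size: Optional[int]) -> List[Tuple[int, bytes]]:
    """Return (address, bytes to disassemble) pairs per the summary table."""
    size = resolve_dump_size(dump_size)
    out: List[Tuple[int, bytes]] = []
    for vma in VMAS:
        pages = dirty_pages(vma)
        if not pages:
            continue
        if dump_page:
            for addr in pages:  # --dump-page: every dirty page is reported
                out.append((addr, LAYER[addr][1][:size]))
        else:  # default: stop at the first hit and dump the region once
            out.append((vma[0], LAYER[vma[0]][1][:size]))
    return out
```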

@tvanegro tvanegro marked this pull request as ready for review June 17, 2025 10:55
@ikelos (Member) left a comment

The _list_injections method isn't shared out as a class method, so changing it here is fine, but since the functionality/output changes, this needs at least a PATCH version bump, meaning this should be (1, 0, 4).

@tvanegro (Contributor, Author) commented Jul 3, 2025

Thanks for the review, I've bumped the version to (1, 0, 4).

@tvanegro tvanegro requested a review from ikelos July 15, 2025 07:04
@ikelos (Member) left a comment

Thanks, another few comments after another look at it. We really need to do something about how big the linux extensions file is getting, but this probably isn't the place to do it. It will need a version bump of the MINOR version of the whole framework sadly though.

except exceptions.InvalidAddressException:
return None

def get_malicious_pages(self, proclayer=None):
ikelos (Member) commented on this line:

Adding this method to the extension needs a version number bumping, I'm just not sure which one. I think it might be the MINOR version for the whole framework unfortunately? This one file is getting out of hand (~1300 lines of code) and we should undertake to split it which might allow us to individually version off the various components, but for now, if you want people to be able to use the get_malicious_pages function, you'll need to bump the closest MINOR version for the container of this code I'm afraid.

ikelos (Member) commented on this line:

Also, could you please type the function signature? What is proclayer, what does this method return, please add a docstring and all the other good stuff like that... 5:)

tvanegro (Contributor, Author) replied:

Comments addressed. Thank you :)

For the framework version bump, would you mind pointing me to the right one to bump? I am not exactly sure.

ikelos (Member) replied:

Sorry for the delay. It would be in volatility3/framework/constants/_version.py which would need VERSION_MINOR bumping to 28 at the moment...

@tvanegro tvanegro requested a review from ikelos August 4, 2025 08:07
@ikelos (Member) commented Sep 14, 2025

I'd also like to get @atcuno or another linux dev to look over this and make sure it makes sense. I can only really review it from a code perspective, but thank you for making the changes and for bearing with us whilst we find time to look over it and get it included...

@ikelos ikelos requested a review from atcuno September 14, 2025 21:40

proc_layer = self.context.layers[proc_layer_name]

dump_size = self.config.get("dump-size", None) or 64
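Review bot: the `or 64` on the `dump_size = self.config.get("dump-size", None) or 64` line discards an explicit `--dump-size 0`, which the PR description says should disable the disassembly printout: `self.config.get(...)` returns `0` and `0 or 64` evaluates to `64`, so the "no disassembly" case is never reachable from the command line. Either test for `None` explicitly (`64 if value is None else value`) or, as suggested in the review, put `default=64` on the IntRequirement itself and read the config value unchanged.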
atcuno (Contributor) commented on this line:

This and the dump-page one should use the default parameter to the Int and Boolean requirements on 40 and 45 instead of this way of setting a default.

@atcuno (Contributor) commented Sep 27, 2025

I added a comment about how the default values are set. After these are changed, this is good to merge @ikelos

@ikelos (Member) left a comment

As @atcuno mentioned these are the following changes, after which we can get this merged in... 5:)

@ikelos ikelos merged commit 1718dc7 into volatilityfoundation:develop Sep 28, 2025
14 checks passed