
[linux.malware.malfind] Allow dumping enumerated VMAs/pages#1966

Merged
ikelos merged 1 commit into volatilityfoundation:develop from Abyss-W4tcher:issue_1965_linux_malfind
Apr 2, 2026

Conversation

Contributor

Abyss-W4tcher commented Mar 23, 2026

Hi,

This PR adjusts the Linux malfind code to handle dumping the enumerated regions and pages. It removes calls to vm_area_struct.get_malicious_pages and vm_area_struct.is_malicious in favor of internal helpers instead. This allows adjusting malfind's behaviour without affecting the framework version.

The --dump-page option was inexact and not actually dumping pages as expected, but only listing/showing dirty pages inside VMAs.

Previous help options:

options:
  -h, --help            show this help message and exit
  --pid [PID ...]       Filter on specific process IDs
  --dump-size DUMP-SIZE
                        Amount of bytes to dump for each dirty region/page found - Default 64 bytes
  --dump-page           Dump each dirty page and content - Default off

New help options:

options:
  -h, --help            show this help message and exit
  --pid [PID ...]       Filter on specific process IDs
  --hexdump-size HEXDUMP-SIZE
                        Amount of bytes to show for each region/page found - Default 64 bytes
  --show-all-dirty-pages
                        Show all dirty pages in a VMA if at least one dirty page is found - Default off
  --dump-regions        Dump each suspicious memory region in output. All dirty pages will be dumped if --show-all-dirty-pages is enabled.
  --dump-maxsize DUMP-MAXSIZE
                        Maximum size for dumped memory regions (all the bigger regions will be ignored) - Default 1 GB

I've bumped the plugin's minor version as some parameters were renamed / rearranged.

Closes #1965.
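To make the interplay of the new flags concrete, here is an added illustration (not Volatility's code and not part of this PR) that models how --dump-regions, --show-all-dirty-pages and --dump-maxsize combine to decide what gets written out; the Vma class, the sample mappings and the binary 1 GB cap are assumptions constructed for the example.

```python
# Added illustration, not Volatility's own plugin code: a model of how the
# renamed malfind options combine into a dump plan. VMA data is constructed;
# in the real plugin it comes from the enumerated vm_area_structs.
from dataclasses import dataclass, field
from typing import List, Tuple

PAGE_SIZE = 0x1000
DEFAULT_DUMP_MAXSIZE = 1 << 30  # "1 GB" per the help text; binary GiB assumed here


@dataclass
class Vma:
    """A suspicious mapping: its range plus the page offsets found dirty."""
    pid: int
    start: int
    end: int
    dirty_page_offsets: List[int] = field(default_factory=list)

    @property
    def size(self) -> int:
        return self.end - self.start


def plan_dumps(vmas, dump_regions=False, show_all_dirty_pages=False,
               dump_maxsize=DEFAULT_DUMP_MAXSIZE) -> List[Tuple[str, int, int, int]]:
    """Return (kind, pid, address, length) entries that would be written.

    Policy mirrored from the new help text: nothing is dumped unless
    --dump-regions is set, regions above --dump-maxsize are ignored, and
    individual dirty pages are dumped only with --show-all-dirty-pages.
    """
    plan = []
    if not dump_regions:
        return plan  # default: hexdump preview only, nothing written to disk
    for vma in vmas:
        if vma.size > dump_maxsize:
            continue  # "all the bigger regions will be ignored"
        plan.append(("vma", vma.pid, vma.start, vma.size))
        if show_all_dirty_pages:
            for off in sorted(set(vma.dirty_page_offsets)):
                if off + PAGE_SIZE <= vma.size:  # stay inside the mapping
                    plan.append(("page", vma.pid, vma.start + off, PAGE_SIZE))
    return plan


# Constructed sample: one small region with two dirty pages and one 2 GiB
# region that the default cap should drop.
SAMPLE_VMAS = [
    Vma(1234, 0x7F0000000000, 0x7F0000004000, dirty_page_offsets=[0x0, 0x2000]),
    Vma(1234, 0x7F1000000000, 0x7F1000000000 + (2 << 30), dirty_page_offsets=[0x0]),
]
```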

@halpomeranz

Yes, this looks like the functionality I wanted. Thanks very much!


halpomeranz commented Mar 23, 2026

Could I suggest a wording change on the --dump-pages help text?

--dump-pages          Dump each dirty page in output. All dirty pages will be dumped if  
                      --show-all-dirty-pages is enabled. - Default off

Abyss-W4tcher force-pushed the issue_1965_linux_malfind branch from 5225152 to e3f6c41 on March 23, 2026 16:06
Abyss-W4tcher (Contributor, Author)

I've updated the wording to:

Dump each suspicious memory region in output. All dirty pages will be dumped if --show-all-dirty-pages is enabled.

Abyss-W4tcher force-pushed the issue_1965_linux_malfind branch from e3f6c41 to 2120aae on March 23, 2026 16:11

Abyss-W4tcher commented Mar 23, 2026

I've also renamed --dump-pages to --dump-regions as it can dump both VMAs and pages.

Abyss-W4tcher force-pushed the issue_1965_linux_malfind branch from 2120aae to f693021 on March 23, 2026 16:16
ikelos (Member) left a comment


Looks good, thanks. 5:)

ikelos merged commit 9424c3a into volatilityfoundation:develop on Apr 2, 2026
13 checks passed


Linked issue (closed by this pull request): linux.malware.malfind --dump-page produces no output
