Address feedback

Author: atcuno

volatility3/framework/plugins/linux/tracing/ftrace.py

@@ -5,7 +5,7 @@
 # Public researches: https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Fixing-A-Memory-Forensics-Blind-Spot-Linux-Kernel-Tracing-wp.pdf
 
 import logging
-from typing import Dict, List, Iterable, Optional
+from typing import Dict, List, Generator
 from enum import Enum
 from dataclasses import dataclass
 
@@ -67,7 +67,7 @@ class CheckFtrace(interfaces.plugins.PluginInterface):
     Investigate the ftrace infrastructure to uncover kernel attached callbacks, which can be leveraged
     to hook kernel functions and modify their behaviour."""
 
-    _version = (1, 0, 0)
+    _version = (2, 0, 0)
     _required_framework_version = (2, 19, 0)
 
     @classmethod
@@ -103,14 +103,14 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
     def extract_hash_table_filters(
         cls,
         ftrace_ops: interfaces.objects.ObjectInterface,
-    ) -> Optional[Iterable[interfaces.objects.ObjectInterface]]:
+    ) -> Generator[interfaces.objects.ObjectInterface, None, None]:
         """Wrap the process of walking to every ftrace_func_entry of an ftrace_ops.
         Those are stored in a hash table of filters that indicates the addresses hooked.
 
         Args:
             ftrace_ops: The ftrace_ops struct to walk through
 
-        Returns:
+        Return, None, None:
             An iterable of ftrace_func_entry structs
         """
 
@@ -140,7 +140,7 @@ def parse_ftrace_ops(
         known_modules: Dict[str, List[extensions.module]],
         ftrace_ops: interfaces.objects.ObjectInterface,
         run_hidden_modules: bool = True,
-    ) -> Optional[Iterable[ParsedFtraceOps]]:
+    ) -> Generator[ParsedFtraceOps, None, None]:
         """Parse an ftrace_ops struct to highlight ftrace kernel hooking.
         Iterates over embedded ftrace_func_entry entries, which point to hooked memory areas.
 
@@ -237,12 +237,10 @@ def parse_ftrace_ops(
                 formatted_ftrace_flags,
             )
 
-        return None
-
     @classmethod
     def iterate_ftrace_ops_list(
         cls, context: interfaces.context.ContextInterface, kernel_name: str
-    ) -> Optional[Iterable[interfaces.objects.ObjectInterface]]:
+    ) -> Generator[interfaces.objects.ObjectInterface, None, None]:
         """Iterate over (ftrace_ops *)ftrace_ops_list.
 
         Returns:

volatility3/framework/plugins/linux/tracing/tracepoints.py

@@ -10,7 +10,7 @@
 
 import volatility3.framework.symbols.linux.utilities.modules as linux_utilities_modules
 from volatility3.plugins.linux import hidden_modules, modxview
-from volatility3.framework import constants, exceptions, interfaces, renderers
+from volatility3.framework import constants, exceptions, interfaces
 from volatility3.framework.configuration import requirements
 from volatility3.framework.renderers import format_hints, NotAvailableValue, TreeGrid
 from volatility3.framework.symbols.linux import extensions
@@ -197,7 +197,7 @@ def parse_tracepoint(
             if hasattr(tracepoint_func, "prio"):
                 prio = tracepoint_func.prio
             else:
-                prio = renderers.NotAvailableValue()
+                prio = None
 
             yield ParsedTracepointFunc(
                 tracepoint_name,
@@ -293,7 +293,7 @@ def _generator(self):
                     format_hints.Hex(tracepoint_parsed.tracepoint_address),
                     tracepoint_parsed.probe_name or NotAvailableValue(),
                     format_hints.Hex(tracepoint_parsed.probe_address),
-                    tracepoint_parsed.probe_priority,
+                    tracepoint_parsed.probe_priority or NotAvailableValue(),
                     tracepoint_parsed.module_name or NotAvailableValue(),
                     (
                         format_hints.Hex(tracepoint_parsed.module_address)