From 67017fc26f0a8baf0dfd5b978a3b91e801b01214 Mon Sep 17 00:00:00 2001
From: sk4la
Date: Tue, 26 Dec 2023 11:19:25 +0000
Subject: [PATCH] Add community plugins for Volatility 3

* Added community plugins for Volatility 3 in the `sk4la/volatility3` image (located in `/usr/local/share/volatility3/plugins`). These are not loaded by default. **Note that most community plugins are unmaintained and/or are simply links to the author's repository (which will most likely never be included in the image unless the Volatility Foundation adds it in the community repository).**
* Changed the path to community modules for Volatility 2 in the `sk4la/volatility:edge` image to `/usr/local/share/volatility/plugins` for consistency between images.
---
 .github/workflows/volatility-edge.yml | 3 +++
 .github/workflows/volatility3-edge.yml | 3 +++
 .github/workflows/volatility3.yml | 3 +++
 README.md | 23 ++++++++++++++++++++---
 src/dwarf2json/Dockerfile | 2 ++
 src/volatility/Dockerfile | 4 +++-
 src/volatility3/Dockerfile | 9 +++++++++
 7 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/volatility-edge.yml b/.github/workflows/volatility-edge.yml
index 9fb570b..1427fc1 100644
--- a/.github/workflows/volatility-edge.yml
+++ b/.github/workflows/volatility-edge.yml
@@ -20,6 +20,8 @@ env:
 GIT_TAG_PYTHON_YARA: v4.4.0 # No new tags/releases declared in the repository so we use the development branch. GIT_TAG_VOLATILITY: master + # No new tags/releases declared in the repository so we use the development branch. + GIT_TAG_VOLATILITY_COMMUNITY: master jobs: docker:
@@ -55,6 +57,7 @@ jobs:
 DOCKER_TAG_ALPINE=${{ env.DOCKER_TAG_ALPINE }} GIT_TAG_PYTHON_YARA=${{ env.GIT_TAG_PYTHON_YARA }} GIT_TAG_VOLATILITY=${{ env.GIT_TAG_VOLATILITY }} + GIT_TAG_VOLATILITY_COMMUNITY=${{ env.GIT_TAG_VOLATILITY_COMMUNITY }} PRODUCT_BUILD_COMMIT=${{ github.sha }} PRODUCT_BUILD_DATE=${{ steps.date.outputs.date }}
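Review bot: `GIT_TAG_VOLATILITY_COMMUNITY: master` points the build at a moving branch of a third-party plugin repository, so two builds of the same workflow revision can ship different plugin code and nothing in the image records which commit was taken; the same holds for `GIT_TAG_VOLATILITY3_COMMUNITY: master` in the volatility3-edge.yml and volatility3.yml env hunks, and in volatility3.yml it sits beside the release-pinned `GIT_TAG_VOLATILITY3: v2.5.0`, so the stable image is only as stable as that branch. The comment notes the repository has no tags, which is exactly the case for pinning a commit id instead; since `git clone --branch` does not accept a raw commit, the Dockerfile side would need a shallow fetch of the commit followed by `git checkout FETCH_HEAD`, or a plain clone plus checkout. If the branch is kept on purpose, say so where the value is set, e.g. `# Branch, not a tag: the community repository has no releases, so this input is not reproducible between builds.`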
diff --git a/.github/workflows/volatility3-edge.yml b/.github/workflows/volatility3-edge.yml
index 388495d..ab7d257 100644
--- a/.github/workflows/volatility3-edge.yml
+++ b/.github/workflows/volatility3-edge.yml
@@ -21,6 +21,8 @@ env:
 GIT_TAG_JPCERT_SYMBOLS: main GIT_TAG_PYTHON_YARA: v4.4.0 GIT_TAG_VOLATILITY3: develop + # No tags/releases declared in the repository so we use the development branch. + GIT_TAG_VOLATILITY3_COMMUNITY: master jobs: docker:
@@ -57,6 +59,7 @@ jobs:
 GIT_TAG_JPCERT_SYMBOLS=${{ env.GIT_TAG_JPCERT_SYMBOLS }} GIT_TAG_PYTHON_YARA=${{ env.GIT_TAG_PYTHON_YARA }} GIT_TAG_VOLATILITY3=${{ env.GIT_TAG_VOLATILITY3 }} + GIT_TAG_VOLATILITY3_COMMUNITY=${{ env.GIT_TAG_VOLATILITY3_COMMUNITY }} PRODUCT_BUILD_COMMIT=${{ github.sha }} PRODUCT_BUILD_DATE=${{ steps.date.outputs.date }}
diff --git a/.github/workflows/volatility3.yml b/.github/workflows/volatility3.yml
index 5e5c759..673ee2a 100644
--- a/.github/workflows/volatility3.yml
+++ b/.github/workflows/volatility3.yml
@@ -21,6 +21,8 @@ env:
 GIT_TAG_JPCERT_SYMBOLS: main GIT_TAG_PYTHON_YARA: v4.4.0 GIT_TAG_VOLATILITY3: v2.5.0 + # No tags/releases declared in the repository so we use the development branch. + GIT_TAG_VOLATILITY3_COMMUNITY: master jobs: docker:
@@ -60,6 +62,7 @@ jobs:
 GIT_TAG_JPCERT_SYMBOLS=${{ env.GIT_TAG_JPCERT_SYMBOLS }} GIT_TAG_PYTHON_YARA=${{ env.GIT_TAG_PYTHON_YARA }} GIT_TAG_VOLATILITY3=${{ env.GIT_TAG_VOLATILITY3 }} + GIT_TAG_VOLATILITY3_COMMUNITY=${{ env.GIT_TAG_VOLATILITY3_COMMUNITY }} PRODUCT_BUILD_COMMIT=${{ github.sha }} PRODUCT_BUILD_DATE=${{ steps.date.outputs.date }}
diff --git a/README.md b/README.md
index 79eaae8..71aef03 100644
--- a/README.md
+++ b/README.md
@@ -216,20 +216,37 @@ Then, build the image by executing the `docker image build --tag volatility3-ove ### Example #5: Using community plugins with Volatility 2 -The `sk4la/volatility` image includes all community plugins listed in the [volatilityfoundation/community](https://github.com/volatilityfoundation/community) repository. By default, those are stored in `/usr/local/lib/volatility/contrib/plugins/community`. +The `sk4la/volatility` image includes all community plugins from the official [volatilityfoundation/community](https://github.com/volatilityfoundation/community) repository. By default, those are stored in `/usr/local/share/volatility/plugins/community`. -> You can list all included plugins using the `--help` or `--info` flags (e.g. `podman run sk4la/volatility:edge --plugins=/usr/local/lib/volatility/contrib/plugins --info`). The loading order is non-deterministic and some plugins fail to load because of missing dependencies (some are just not on PyPI anymore) or because their design is not quite suitable for distribution, so you may need to run it multiple times for it to load the plugin you are looking for. I advise instead using each module individually in order to avoid loading dysfunctional plugins. +> You can list all included plugins using the `--help` or `--info` flags (e.g. `podman run sk4la/volatility:edge --plugins=/usr/local/share/volatility/plugins --info`). The loading order is non-deterministic and some plugins fail to load because of missing dependencies (some are just not on PyPI anymore) or because their design is not quite suitable for distribution, so you may need to run it multiple times for it to load the plugin you are looking for. I advise instead using each plugin individually in order to avoid loading dysfunctional plugins. 
To load a specific community plugin (example with JPCERT's APT17 plugin): ```sh -docker container run sk4la/volatility:edge --plugins /usr/local/lib/volatility/contrib/plugins/community/JPCERT apt17scan --help +docker container run sk4la/volatility:edge --plugins /usr/local/share/volatility/plugins/community/JPCERT apt17scan --help ``` Please note that many plugins made for Volatility 2 have not been maintained for years and might be dysfunctional. +
+ Example #6: Using community plugins with Volatility 3 + +### Example #6: Using community plugins with Volatility 3 + +The `sk4la/volatility3` and `sk4la/volatility3:edge` images include all community plugins from the official [volatilityfoundation/community3](https://github.com/volatilityfoundation/community3) repository. By default, those are stored in `/usr/local/share/volatility3/plugins/community3`. + +> You can list all included plugins using the `--help` flag (e.g. `podman run sk4la/volatility3:edge --plugin-dirs=/usr/local/share/volatility3/plugins --help`). Please note that many of these plugins have not been maintained a while and might be dysfunctional. I advise instead using each plugin individually in order to avoid loading dysfunctional plugins. + +To load a specific community plugin (example with the Multi YARA plugin): + +```sh +docker container run sk4la/volatility3:edge --plugin-dirs /usr/local/share/volatility3/plugins/community3/Silva_Multi_Yara/ multiyara --help +``` + +
+ ## Support In case you encounter a problem or want to suggest a new feature relative to these Docker images, please [submit a ticket](https://github.com/sk4la/volatility3-docker/issues). [Pull requests](https://github.com/sk4la/volatility3-docker/pulls) are also greatly appreciated.
diff --git a/src/dwarf2json/Dockerfile b/src/dwarf2json/Dockerfile
index 8b7f8d9..afc7c25 100644
--- a/src/dwarf2json/Dockerfile
+++ b/src/dwarf2json/Dockerfile
@@ -33,6 +33,8 @@ ARG INSTALL_PREFIX="/usr/local"
 ENV LANG="C.UTF-8" ENV LC_ALL="C.UTF-8" +VOLUME /tmp /var/tmp + RUN apk add --no-cache \ dumb-init
diff --git a/src/volatility/Dockerfile b/src/volatility/Dockerfile
index a4d3308..57940a8 100644
--- a/src/volatility/Dockerfile
+++ b/src/volatility/Dockerfile
@@ -41,6 +41,8 @@ ARG INSTALL_PREFIX="/usr/local"
 ENV LANG="C.UTF-8" ENV LC_ALL="C.UTF-8" +VOLUME /tmp /var/tmp + RUN addgroup -S "${INSTALL_GROUP}" && \ adduser -DG -S "${INSTALL_USER}" -G "${INSTALL_GROUP}" -g "Unprivileged user,,,,"
@@ -124,7 +126,7 @@ RUN python2 setup.py install && \
 ENV PATH="${INSTALL_PREFIX}/bin:${PATH}" -WORKDIR "${INSTALL_PREFIX}/lib/volatility/contrib/plugins" +WORKDIR "${INSTALL_PREFIX}/share/volatility/plugins" RUN git clone --branch="${GIT_TAG_VOLATILITY_COMMUNITY}" --depth=1 --single-branch \ https://github.com/volatilityfoundation/community.git
diff --git a/src/volatility3/Dockerfile b/src/volatility3/Dockerfile
index f45a785..6af1eed 100644
--- a/src/volatility3/Dockerfile
+++ b/src/volatility3/Dockerfile
@@ -52,6 +52,7 @@ RUN apk --purge del \
 FROM "alpine:${DOCKER_TAG_ALPINE}" AS production ARG GIT_TAG_VOLATILITY3="stable" +ARG GIT_TAG_VOLATILITY3_COMMUNITY="master" ARG INSTALL_GROUP="ci" ARG INSTALL_USER="unprivileged"
@@ -60,6 +61,8 @@ ARG INSTALL_PREFIX="/usr/local"
 ENV LANG="C.UTF-8" ENV LC_ALL="C.UTF-8" +VOLUME /tmp /var/tmp + RUN addgroup -S "${INSTALL_GROUP}" && \ adduser -DG -S "${INSTALL_USER}" -G "${INSTALL_GROUP}" -g "Unprivileged user,,,,"
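Review bot: `VOLUME /tmp /var/tmp` bakes anonymous volumes into the image and changes behaviour for every user of it: each run now creates two host-side volumes that keep whatever scratch data the tool wrote (for a forensics image that can be decompressed dumps or carved files) until they are removed, unless the container was started with `--rm`, and a VOLUME declared in the image cannot be switched off at run time, only overridden with another mount, whereas a user could have chosen `--tmpfs /tmp` or `--read-only` for themselves. With the legacy builder, anything a later build step writes under these paths is also discarded, which is why a VOLUME usually goes at the end of a Dockerfile rather than ahead of the `RUN apk add` / `RUN addgroup` steps that follow it here. The identical hunk is added to src/volatility/Dockerfile and src/volatility3/Dockerfile. Whatever the intent, the line deserves a comment, e.g. `# /tmp and /var/tmp are anonymous volumes: scratch data stays out of the container layer but persists on the host until the volume is removed.`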
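Review bot: Moving the clone to `${INSTALL_PREFIX}/share/volatility/plugins` removes the location this image has documented until now (`/usr/local/lib/volatility/contrib/plugins/community`, per the README hunk), so existing `--plugins=` invocations and scripts built on the `:edge` tag stop finding the plugins with no hint as to why; unless something outside this hunk still populates the old path, a compatibility symlink such as `RUN mkdir -p "${INSTALL_PREFIX}/lib/volatility/contrib" && ln -s "${INSTALL_PREFIX}/share/volatility/plugins" "${INSTALL_PREFIX}/lib/volatility/contrib/plugins"` would keep them working for a release. Independently of the path, the `git clone --branch="${GIT_TAG_VOLATILITY_COMMUNITY}"` context line checks out a branch and leaves no record of which commit ended up in the image; appending `&& git -C community rev-parse HEAD > community.commit` (or putting the id in an image label) makes a shipped image auditable. The same applies to the community3 clone added in src/volatility3/Dockerfile.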
@@ -71,6 +74,7 @@ RUN apk add --no-cache \
 py3-pefile \ py3-pip \ py3-pycryptodome \ + py3-pygit2 \ python3 && \ apk add --no-cache --virtual=stage \ gcc \
@@ -121,6 +125,11 @@ RUN python3 -m pip install --break-system-packages --requirement requirements.tx
 ENV PATH="${INSTALL_PREFIX}/bin:${PATH}" +WORKDIR "${INSTALL_PREFIX}/share/volatility3/plugins" + +RUN git clone --branch="${GIT_TAG_VOLATILITY3_COMMUNITY}" --depth=1 --single-branch \ + https://github.com/volatilityfoundation/community3.git + RUN apk --purge del \ stage
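Review bot: `py3-pygit2 \` is added to the permanent package list (it precedes the `--virtual=stage` group that the later `RUN apk --purge del stage` removes), so pygit2 and the libgit2 it links stay in the production image, yet nothing says which plugin needs it. If it exists for a single community3 plugin, a comment line above it keeps the next maintainer from dropping it by mistake or from keeping it after that plugin is gone, e.g. `# py3-pygit2: runtime dependency of <community3 plugin name — TODO confirm>` (Dockerfile comment lines are stripped before the continued RUN is executed, so it can sit inside the list). Whether any of the core image needs it is not visible from this hunk.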
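Review bot: `RUN git clone --branch="${GIT_TAG_VOLATILITY3_COMMUNITY}"` with the default `master` interacts badly with layer caching: the instruction text never changes, so a cached build can reuse an old checkout while the workflow believes it pulled the current branch, and a cache-less build gets whatever the branch holds that day; in neither case does the image carry a commit id. Pinning the ARG to a commit (fetched shallowly and checked out after the clone) fixes both, and even with a branch `&& git -C community3 rev-parse HEAD > community3.commit` would at least record what shipped. Whether `git` itself belongs to the `stage` virtual package purged two lines later is not visible here; if it does not, the production image keeps a git client it has no run-time use for, and if it does, the clone must stay ahead of the purge as it is now.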