Feature: Multiple REMOTE_ISF_URLs

doc/source/getting-started-linux-tutorial.rst

@@ -40,7 +40,7 @@ For plugin requests, please create an issue with a description of the requested
         linux.check_creds.Check_creds
         linux.check_idt.Check_idt
 
-.. note:: Here the the command is piped to grep and head to provide the start of the list of linux plugins.
+.. note:: Here the command is piped to grep and head to provide the start of the list of linux plugins.
 
 
 Using plugins

doc/source/getting-started-mac-tutorial.rst

@@ -37,7 +37,7 @@ For plugin requests, please create an issue with a description of the requested
         mac.check_sysctl.Check_sysctl
         mac.check_trap_table.Check_trap_table
 
-.. note:: Here the the command is piped to grep and head to provide the start of the list of macOS plugins.
+.. note:: Here the command is piped to grep and head to provide the start of the list of macOS plugins.
 
 
 Using plugins

doc/source/getting-started-windows-tutorial.rst

@@ -27,7 +27,7 @@ For plugin requests, please create an issue with a description of the requested
         windows.crashinfo.Crashinfo
         windows.dlllist.DllList
 
-.. note:: Here the the command is piped to grep and head to provide the start of a list of the available windows plugins.
+.. note:: Here the command is piped to grep and head to provide the start of a list of the available windows plugins.
 
 Using plugins
 -------------
@@ -97,7 +97,7 @@ windows.pstree
 
 ``windows.pstree`` helps to display the parent-child relationships between processes.
 
-.. note:: Here the the command is piped to head to provide smaller output, here listing only the first 20.
+.. note:: Here the command is piped to head to provide smaller output, here listing only the first 20.
 
 windows.hashdump
 ~~~~~~~~~~~~~~~~

volatility3/cli/__init__.py

@@ -244,11 +244,12 @@ def run(self):
         )
         isf_group.add_argument(
             "-u",
-            "--remote-isf-url",
+            "--remote-isf-urls",
             metavar="URL",
             help="Search online for ISF json files",
-            default=constants.REMOTE_ISF_URL,
+            default=constants.REMOTE_ISF_URLs,
             type=str,
+            nargs="*",
         )
         parser.add_argument(
             "--filters",
@@ -330,8 +331,8 @@ def run(self):
 
         if partial_args.offline:
             constants.OFFLINE = partial_args.offline
-        elif partial_args.remote_isf_url:
-            constants.REMOTE_ISF_URL = partial_args.remote_isf_url
+        elif partial_args.remote_isf_urls:
+            constants.REMOTE_ISF_URLs = partial_args.remote_isf_urls
 
         # Do the initialization
         ctx = contexts.Context()  # Construct a blank context

volatility3/cli/volshell/__init__.py

@@ -168,11 +168,12 @@ def run(self):
         )
         isf_group.add_argument(
             "-u",
-            "--remote-isf-url",
+            "--remote-isf-urls",
             metavar="URL",
             help="Search online for ISF json files",
-            default=constants.REMOTE_ISF_URL,
+            default=constants.REMOTE_ISF_URLs,
             type=str,
+            nargs="*",
         )
 
         # Volshell specific flags
@@ -245,8 +246,8 @@ def run(self):
 
         if partial_args.offline:
             constants.OFFLINE = partial_args.offline
-        elif partial_args.remote_isf_url:
-            constants.REMOTE_ISF_URL = partial_args.remote_isf_url
+        elif partial_args.remote_isf_urls:
+            constants.REMOTE_ISF_URLs = partial_args.remote_isf_urls
 
         # Do the initialization
         ctx = contexts.Context()  # Construct a blank context

volatility3/framework/automagic/symbol_cache.py

@@ -425,28 +425,35 @@ def update(self, progress_callback=None):
 
         # Remote Entries
 
-        if not constants.OFFLINE and constants.REMOTE_ISF_URL:
-            progress_callback(0, "Reading remote ISF list")
-            cursor = self._database.cursor()
-            cursor.execute(
-                f"SELECT cached FROM cache WHERE local = 0 and cached < datetime('now', '{self.cache_period}')"
-            )
-            remote_identifiers = RemoteIdentifierFormat(constants.REMOTE_ISF_URL)
-            progress_callback(50, "Reading remote ISF list")
-            for operating_system in constants.OS_CATEGORIES:
-                identifiers = remote_identifiers.process(
-                    {}, operating_system=operating_system
+        if not constants.OFFLINE and constants.REMOTE_ISF_URLs:
+            length = len(constants.REMOTE_ISF_URLs)
+            # Reverse to ensure first item has the highest priority
+            for index, remote_isf_url in enumerate(reversed(constants.REMOTE_ISF_URLs)):
+                progress_callback(index / length * 100, "Reading remote ISF list")
+                cursor = self._database.cursor()
+                cursor.execute(
+                    f"SELECT cached FROM cache WHERE local = 0 and cached < datetime('now', '{self.cache_period}')"
+                )
+                remote_identifiers = RemoteIdentifierFormat(remote_isf_url)
+                progress_callback(
+                    (index + 0.5) / length * 100, "Reading remote ISF list"
                 )
-                for identifier, location in identifiers:
-                    identifier = identifier.rstrip()
-                    identifier = (
-                        identifier[:-1] if identifier.endswith(b"\x00") else identifier
-                    )  # Linux banners dumped by dwarf2json end with "\x00\n". If not stripped, the banner cannot match.
-                    cursor.execute(
-                        "INSERT OR REPLACE INTO cache(identifier, location, operating_system, local, cached) VALUES (?, ?, ?, ?, datetime('now'))",
-                        (identifier, location, operating_system, False),
+                for operating_system in constants.OS_CATEGORIES:
+                    identifiers = remote_identifiers.process(
+                        {}, operating_system=operating_system
                     )
-            progress_callback(100, "Reading remote ISF list")
+                    for identifier, location in identifiers:
+                        identifier = identifier.rstrip()
+                        identifier = (
+                            identifier[:-1]
+                            if identifier.endswith(b"\x00")
+                            else identifier
+                        )  # Linux banners dumped by dwarf2json end with "\x00\n". If not stripped, the banner cannot match.
+                        cursor.execute(
+                            "INSERT OR REPLACE INTO cache(identifier, location, operating_system, local, cached) VALUES (?, ?, ?, ?, datetime('now'))",
+                            (identifier, location, operating_system, False),
+                        )
+                progress_callback((index + 1) / length * 100, "Reading remote ISF list")
             self._database.commit()
 
     def get_identifier_dictionary(

volatility3/framework/constants/__init__.py

@@ -115,8 +115,8 @@ class Parallelism(enum.IntEnum):
 OFFLINE = False
 """Whether to go online to retrieve missing/necessary JSON files"""
 
-REMOTE_ISF_URL = None  # 'http://localhost:8000/banners.json'
-"""Remote URL to query for a list of ISF addresses"""
+REMOTE_ISF_URLs = []  # ['http://localhost:8000/banners.json']
+"""Remote URLs to query for a list of ISF addresses"""
 
 ###
 # DEPRECATED VALUES

volatility3/framework/plugins/mac/pslist.py

@@ -131,7 +131,7 @@ def list_tasks_allproc(
 
         Args:
             context: The context to retrieve required elements (layers, symbol tables) from
-            kernel_module_name: The name of the the kernel module on which to operate
+            kernel_module_name: The name of the kernel module on which to operate
             filter_func: A function which takes a process object and returns True if the process should be ignored/filtered
 
         Returns:
@@ -176,7 +176,7 @@ def list_tasks_tasks(
 
         Args:
             context: The context to retrieve required elements (layers, symbol tables) from
-            kernel_module_name: The name of the the kernel module on which to operate
+            kernel_module_name: The name of the kernel module on which to operate
             filter_func: A function which takes a task object and returns True if the task should be ignored/filtered
 
         Returns:
@@ -220,7 +220,7 @@ def list_tasks_sessions(
 
         Args:
             context: The context to retrieve required elements (layers, symbol tables) from
-            kernel_module_name: The name of the the kernel module on which to operate
+            kernel_module_name: The name of the kernel module on which to operate
             filter_func: A function which takes a task object and returns True if the task should be ignored/filtered
 
         Returns:
@@ -255,7 +255,7 @@ def list_tasks_process_group(
 
         Args:
             context: The context to retrieve required elements (layers, symbol tables) from
-            kernel_module_name: The name of the the kernel module on which to operate
+            kernel_module_name: The name of the kernel module on which to operate
             filter_func: A function which takes a task object and returns True if the task should be ignored/filtered
 
         Returns:
@@ -293,7 +293,7 @@ def list_tasks_pid_hash_table(
 
         Args:
             context: The context to retrieve required elements (layers, symbol tables) from
-            kernel_module_name: The name of the the kernel module on which to operate
+            kernel_module_name: The name of the kernel module on which to operate
             filter_func: A function which takes a task object and returns True if the task should be ignored/filtered
 
         Returns:

volatility3/framework/symbols/linux/extensions/__init__.py

@@ -1521,7 +1521,7 @@ def is_equal(self, vfsmount_ptr) -> bool:
             exceptions.VolatilityException: If vfsmount_ptr is not a 'vfsmount \\*'
 
         Returns:
-            bool: 'True' if the given argument points to the the same 'vfsmount'
+            bool: 'True' if the given argument points to the same 'vfsmount'
             as 'self'.
         """
         if isinstance(vfsmount_ptr, objects.Pointer):