What is the purpose of kernel_virtual_offset? Is set wrong for Linux.

[atcuno]

@ikelos what is the purpose of kernel_virtual_offset outside of Windows? For example, Linux sets it here.. but sets it to the ASLR shift value, which doesn't make any sense:

https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/automagic/linux.py#L97

From grep'ing the code base it only looks like this value is used for Windows, not Linux or Mac.

The current Linux automagic is really rough and fails on many samples in my test set, so I am having to rewrite it anyway so I want to set that value correctly or just not set it if it isn't needed. I see that the Windows plugins all need the offset to do then symbol lookups, but we get that for free in a different way on Linux.. so maybe its not needed.

[ikelos]

It was supposed to be the virtual address where the kernel lives. I would prefer it if the value were set right (assuming we know by that point). I'm not sure why it never got set properly, it doesn't look as though we used that value anywhere, so it should be safe to change it. I think when the kernel module is constructed, it's used as the offset for the module which means it might affect offsets returned for symbols from the module, just something to watch out for. Linux code may not have been asking for the relative address, so will just need some testing once it's put in place.