1 # Rekall Memory Forensics | 1 # Rekall Memory Forensics |
2 # | 2 # |
3 # Copyright 2013 Google Inc. All Rights Reserved. | 3 # Copyright 2013 Google Inc. All Rights Reserved. |
4 # | 4 # |
5 # This program is free software; you can redistribute it and/or modify | 5 # This program is free software; you can redistribute it and/or modify |
6 # it under the terms of the GNU General Public License as published by | 6 # it under the terms of the GNU General Public License as published by |
7 # the Free Software Foundation; either version 2 of the License, or (at | 7 # the Free Software Foundation; either version 2 of the License, or (at |
8 # your option) any later version. | 8 # your option) any later version. |
9 # | 9 # |
10 # This program is distributed in the hope that it will be useful, but | 10 # This program is distributed in the hope that it will be useful, but |
128 __name = "find_dtb" | 128 __name = "find_dtb" |
129 | 129 |
130 @classmethod | 130 @classmethod |
131 def GetPageOffset(cls, profile): | 131 def GetPageOffset(cls, profile): |
132 """Gets the expected page offset without taking KASLR into account.""" | 132 """Gets the expected page offset without taking KASLR into account.""" |
133 if profile.metadata("arch") == "I386": | 133 if profile.metadata("arch") == "I386": |
134 return (profile.get_constant("_text", False) - | 134 return (profile.get_constant("_text", False) - |
135 profile.get_constant("phys_startup_32", False)) | 135 profile.get_constant("phys_startup_32", False)) |
136 | 136 |
137 elif profile.metadata("arch") == "AMD64": | 137 elif profile.metadata("arch") == "AMD64": |
138 return (profile.get_constant("_text", False) - | 138 phys_startup_64 = (profile.get_constant("phys_startup_64", False) or |
139 profile.get_constant("phys_startup_64", False)) | 139 0x1000000) |
| 140 return (profile.get_constant("_text", False) - phys_startup_64) |
140 | 141 |
141 elif profile.metadata("arch") == "MIPS": | 142 elif profile.metadata("arch") == "MIPS": |
142 return 0x80000000 | 143 return 0x80000000 |
143 | 144 |
144 else: | 145 else: |
145 raise RuntimeError("No profile architecture set.") | 146 raise RuntimeError("No profile architecture set.") |
146 | 147 |
147 def VerifyHit(self, dtb): | 148 def VerifyHit(self, dtb): |
148 """Returns a valid address_space if the dtb is valid.""" | 149 """Returns a valid address_space if the dtb is valid.""" |
| 150 |
| 151 self.session.SetParameter("page_offset", obj.Pointer.integer_to_address( |
| 152 self.GetPageOffset(self.profile))) |
| 153 |
149 address_space = super(LinuxFindDTB, self).VerifyHit(dtb) | 154 address_space = super(LinuxFindDTB, self).VerifyHit(dtb) |
150 if address_space: | 155 if address_space: |
151 # Try to verify the profile by checking the linux_proc_banner. | 156 # Try to verify the profile by checking the linux_proc_banner. |
152 # This is to discard kernel version strings found in memory we may | 157 # This is to discard kernel version strings found in memory we may |
153 # know about but that don't really work with the current image. | 158 # know about but that don't really work with the current image. |
154 linux_banner = address_space.session.profile.get_constant_object( | 159 linux_banner = address_space.session.profile.get_constant_object( |
155 "linux_proc_banner", "String", vm=address_space) | 160 "linux_proc_banner", "String", vm=address_space) |
156 if unicode(linux_banner).startswith(u"%s version %s"): | 161 if unicode(linux_banner).startswith(u"%s version %s"): |
157 return address_space | 162 return address_space |
158 | 163 |
159 logging.debug("Failed to verify dtb @ %#x" % dtb) | 164 logging.debug("Failed to verify dtb @ %#x" % dtb) |
160 | 165 |
161 def dtb_hits(self): | 166 def dtb_hits(self): |
162 """Tries to locate the DTB.""" | 167 """Tries to locate the DTB.""" |
163 PAGE_OFFSET = self.GetPageOffset(self.profile) | 168 PAGE_OFFSET = self.GetPageOffset(self.profile) |
164 if self.profile.metadata("arch") == "I386": | 169 if self.profile.metadata("arch") == "I386": |
165 yield self.profile.get_constant("swapper_pg_dir") - PAGE_OFFSET | 170 yield self.profile.get_constant("swapper_pg_dir") - PAGE_OFFSET |
166 | 171 |
167 elif self.profile.metadata("arch") == "MIPS": | 172 elif self.profile.metadata("arch") == "MIPS": |
168 yield self.profile.get_constant("swapper_pg_dir") - PAGE_OFFSET | 173 yield self.profile.get_constant("swapper_pg_dir") - PAGE_OFFSET |
169 | 174 |
170 else: | 175 else: |
171 yield (self.profile.get_constant("init_level4_pgt", True) - | 176 yield (self.profile.get_constant("init_level4_pgt", False) - |
172 PAGE_OFFSET) | 177 PAGE_OFFSET) |
173 | 178 |
174 def render(self, renderer): | 179 def render(self, renderer): |
175 renderer.table_header([("DTB", "dtv", "[addrpad]"), | 180 renderer.table_header([("DTB", "dtv", "[addrpad]"), |
176 ("Valid", "valid", "")]) | 181 ("Valid", "valid", "")]) |
177 | 182 |
178 for dtb in self.dtb_hits(): | 183 for dtb in self.dtb_hits(): |
179 renderer.table_row(dtb, self.VerifyHit(dtb) != None) | 184 renderer.table_row(dtb, self.VerifyHit(dtb) != None) |
180 | 185 |
181 | 186 |
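Review bot: The `self.session.SetParameter("page_offset", ...)` call added at the top of VerifyHit (new lines 151–152) is a side effect the docstring does not mention: it runs before the candidate dtb is checked, the parameter stays set when the hit is rejected, and because render() calls VerifyHit once per candidate it is recomputed for every hit. It is presumably placed ahead of the super call because building the address space needs the page offset, so rather than moving it I would document it, e.g. extend the docstring with `Sets the session's "page_offset" parameter from GetPageOffset() before building the address space; it remains set even if this hit is rejected.` The new AMD64 fallback `or 0x1000000` (new lines 138–139) is an unexplained magic number; a comment such as `# Profile lacks phys_startup_64: assume the default kernel physical start (0x1000000) — confirm against the kernel config` would make the assumption visible. Note that the `or` also substitutes the fallback when the constant is present but reads as 0, which it cannot distinguish from a missing constant.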
409 if nodename != None: | 414 if nodename != None: |
410 if domainname == default_hostname: | 415 if domainname == default_hostname: |
411 hostname = nodename | 416 hostname = nodename |
412 else: | 417 else: |
413 hostname = "%s.%s" % (nodename, domainname) | 418 hostname = "%s.%s" % (nodename, domainname) |
414 return hostname | 419 return hostname |
415 | 420 |
416 def render(self, renderer): | 421 def render(self, renderer): |
417 renderer.table_header([("Hostname", "hostname", "80")]) | 422 renderer.table_header([("Hostname", "hostname", "80")]) |
418 renderer.table_row(self.get_hostname()) | 423 renderer.table_row(self.get_hostname()) |