1 # Rekall Memory Forensics | 1 # Rekall Memory Forensics |
2 # | 2 # |
3 # Copyright 2013 Google Inc. All Rights Reserved. | 3 # Copyright 2013 Google Inc. All Rights Reserved. |
4 # | 4 # |
5 # This program is free software; you can redistribute it and/or modify | 5 # This program is free software; you can redistribute it and/or modify |
6 # it under the terms of the GNU General Public License as published by | 6 # it under the terms of the GNU General Public License as published by |
7 # the Free Software Foundation; either version 2 of the License, or (at | 7 # the Free Software Foundation; either version 2 of the License, or (at |
8 # your option) any later version. | 8 # your option) any later version. |
9 # | 9 # |
10 # This program is distributed in the hope that it will be useful, but | 10 # This program is distributed in the hope that it will be useful, but |
11 # WITHOUT ANY WARRANTY; without even the implied warranty of | 11 # WITHOUT ANY WARRANTY; without even the implied warranty of |
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | 12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
13 # General Public License for more details. | 13 # General Public License for more details. |
14 # | 14 # |
15 # You should have received a copy of the GNU General Public License | 15 # You should have received a copy of the GNU General Public License |
16 # along with this program; if not, write to the Free Software | 16 # along with this program; if not, write to the Free Software |
17 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | 17 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
18 | 18 |
19 """ | 19 """ |
20 @author: Andrew Case | 20 @author: Andrew Case |
21 @license: GNU General Public License 2.0 or later | 21 @license: GNU General Public License 2.0 or later |
22 @contact: atcuno@gmail.com | 22 @contact: atcuno@gmail.com |
23 @organization: Digital Forensics Solutions | 23 @organization: Digital Forensics Solutions |
24 """ | 24 """ |
25 import logging | 25 import logging |
26 import re | 26 import re |
27 | 27 import struct |
| 28 |
| 29 from rekall import addrspace |
28 from rekall import kb | 30 from rekall import kb |
29 from rekall import obj | 31 from rekall import obj |
30 from rekall import plugin | 32 from rekall import plugin |
31 from rekall import scan | 33 from rekall import scan |
32 from rekall import utils | 34 from rekall import utils |
33 | 35 |
34 from rekall.plugins import core | 36 from rekall.plugins import core |
35 | 37 |
36 | 38 |
37 class AbstractLinuxCommandPlugin(plugin.PhysicalASMixin, | 39 class AbstractLinuxCommandPlugin(plugin.PhysicalASMixin, |
178 # Try to verify the profile by checking the linux_proc_banner. | 180 # Try to verify the profile by checking the linux_proc_banner. |
179 # This is to discard kernel version strings found in memory we may | 181 # This is to discard kernel version strings found in memory we may |
180 # know about but that don't really work with the current image. | 182 # know about but that don't really work with the current image. |
181 linux_banner = address_space.session.profile.get_constant_object( | 183 linux_banner = address_space.session.profile.get_constant_object( |
182 "linux_proc_banner", "String", vm=address_space) | 184 "linux_proc_banner", "String", vm=address_space) |
183 if unicode(linux_banner).startswith(u"%s version %s"): | 185 if unicode(linux_banner).startswith(u"%s version %s"): |
184 return address_space | 186 return address_space |
185 | 187 |
186 logging.debug("Failed to verify dtb @ %#x" % dtb) | 188 logging.debug("Failed to verify dtb @ %#x" % dtb) |
187 | 189 |
| 190 def GetAddressSpaceImplementation(self): |
| 191 """Returns the correct address space class for this profile.""" |
| 192 # The virtual address space implementation is chosen by the profile. |
| 193 architecture = self.profile.metadata("arch") |
| 194 if architecture == "AMD64": |
| 195 p2m_top_p = (self.profile.get_constant("p2m_top", False) |
| 196 - self.GetPageOffset(self.profile)) |
| 197 p2m_top = struct.unpack("<Q", |
| 198 self.physical_address_space.read( |
| 199 p2m_top_p, 8))[0] |
| 200 if p2m_top: |
| 201 logging.debug("Detected paravirtualized XEN guest.") |
| 202 impl = "XenParaVirtAMD64PagedMemory" |
| 203 as_class = addrspace.BaseAddressSpace.classes[impl] |
| 204 return as_class |
| 205 return super(LinuxFindDTB, self).GetAddressSpaceImplementation() |
| 206 |
188 def dtb_hits(self): | 207 def dtb_hits(self): |
189 """Tries to locate the DTB.""" | 208 """Tries to locate the DTB.""" |
190 PAGE_OFFSET = self.GetPageOffset(self.profile) | 209 PAGE_OFFSET = self.GetPageOffset(self.profile) |
191 if self.profile.metadata("arch") == "I386": | 210 if self.profile.metadata("arch") == "I386": |
192 yield self.profile.get_constant("swapper_pg_dir") - PAGE_OFFSET | 211 yield self.profile.get_constant("swapper_pg_dir") - PAGE_OFFSET |
193 | 212 |
194 elif self.profile.metadata("arch") == "MIPS": | 213 elif self.profile.metadata("arch") == "MIPS": |
195 yield self.profile.get_constant("swapper_pg_dir") - PAGE_OFFSET | 214 yield self.profile.get_constant("swapper_pg_dir") - PAGE_OFFSET |
196 | 215 |
197 else: | 216 else: |
436 if nodename != None: | 455 if nodename != None: |
437 if domainname == default_hostname: | 456 if domainname == default_hostname: |
438 hostname = nodename | 457 hostname = nodename |
439 else: | 458 else: |
440 hostname = "%s.%s" % (nodename, domainname) | 459 hostname = "%s.%s" % (nodename, domainname) |
441 return hostname | 460 return hostname |
442 | 461 |
443 def render(self, renderer): | 462 def render(self, renderer): |
444 renderer.table_header([("Hostname", "hostname", "80")]) | 463 renderer.table_header([("Hostname", "hostname", "80")]) |
445 renderer.table_row(self.get_hostname()) | 464 renderer.table_row(self.get_hostname()) |
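Review bot: In the new `GetAddressSpaceImplementation` (right 190-205) the Xen probe subtracts from whatever `get_constant("p2m_top", False)` returns and feeds the raw `read()` result straight into `struct.unpack("<Q", ...)`, so a profile that does not carry the symbol, or an image where `p2m_top_p` falls outside the captured physical range (short or empty read), raises TypeError/struct.error out of DTB detection instead of falling through to the parent AMD64 implementation. It also treats any non-zero 8 bytes at that physical offset as proof of a paravirtualized guest: on a non-Xen kernel with a slightly wrong profile, stray data silently swaps in `XenParaVirtAMD64PagedMemory` and every later address translation is wrong, so the value should at least be logged and sanity-checked as a plausible kernel pointer (e.g. not below `PAGE_OFFSET`) before switching. I would guard the symbol lookup and the read length as below; how `get_constant` reports a missing symbol is not visible in this hunk, so the truthiness test is an assumption to confirm. The bare `False` second argument also deserves a short comment naming what it selects, since the `dtb_hits` calls to `get_constant` right below omit it.
```python
        if architecture == "AMD64":
            # p2m_top only exists in Xen PV kernels; skip the probe when the
            # profile does not resolve it.  NOTE(review): confirm what
            # get_constant returns for a missing symbol.
            p2m_top_va = self.profile.get_constant("p2m_top", False)
            if p2m_top_va:
                p2m_top_p = p2m_top_va - self.GetPageOffset(self.profile)
                data = self.physical_address_space.read(p2m_top_p, 8)
                # A short read means the offset is not backed by the image.
                if data is not None and len(data) == 8:
                    p2m_top = struct.unpack("<Q", data)[0]
                    if p2m_top:
                        logging.debug("Detected paravirtualized XEN guest "
                                      "(p2m_top=%#x).", p2m_top)
                        impl = "XenParaVirtAMD64PagedMemory"
                        return addrspace.BaseAddressSpace.classes[impl]
        # … unchanged: fall back to the parent implementation …
```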