Linux Plugins
Support for Linux analysis.
address_resolver
A Linux specific address resolver plugin.
Plugin Arguments
symbol | List of symbols to look up (type: ArrayString)
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
arp
Prints the ARP table.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
arp returns the list of IPv4 network neighbour entries in the kernel cache. Rekall uses the neigh_tables kernel symbol and walks the neighbour tables to show the entries.
Sample output
Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 12:09:00> arp
-----------------------------------------------------------------------> arp()
IP Address MAC Device
--------------------------------------------- -------------------- ---------------
ff02::1:ff57:f719 33:33:ff:57:f7:19 eth0
ff02::16 33:33:00:00:00:16 eth0
192.168.239.2 00:50:56:e5:38:b6 eth0
192.168.239.254 00:50:56:f7:25:d0 eth0
banner
Prints the Linux banner information.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
banner output provides the same information as running uname -a on the host.
Sample output
Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 12:17:38> banner
-----------------------------------------------------------------------> banner()
Banner
--------------------------------------------------------------------------------
Linux version 3.11.0-12-generic (buildd@allspice) (gcc version 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu7) ) #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013 (Ubuntu 3.11.0-12.19-generic 3.11.3)
bash
Scan the bash process for history.
Based on original algorithm by Andrew Case.
Plugin Arguments
method | Method to list processes (Default uses all methods). (type: ChoiceArray)
pids | One or more pids of processes to select. (type: ArrayIntParser)
proc_regex | The processes we should examine. (type: RegEx)
scan_entire_address_space | Scan the entire process address space, not only the heap. (type: Boolean)
task | Kernel addresses of task structs. (type: ArrayIntParser)
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
The Bourne Again Shell maintains a history of all commands that have been executed in the current session in memory. bash is a plugin that provides a chronologically ordered list of commands executed by each bash process, grouped by pid.
Notes
- Only commands executed in each bash session are stored in memory. So if you’re looking for commands from exited bash sessions, you may have more luck looking at the on-disk .bash_history file, if logging wasn’t disabled.
Sample output
Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 12:27:35> bash
-----------------------------------------------------------------------> bash()
Pid Name Timestamp Command
------ -------------------- ------------------------ --------------------
1335 bash 2014-03-04 17:16:31+0000 uname -a
check_afinfo
Verifies the operation function pointers of network protocols.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
The plugin identifies the location of each function pointer of the different network protocols. If a pointer is located within the kernel or a loaded module, Rekall reports that module as well as the pointer's kernel-space address.
If malware dynamically allocates memory and copies code there to handle these functions, the Module column will appear as Unknown.
Sample output
Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 13:51:35> check_afinfo
-----------------------------------------------------------------------> check_afinfo()
Constant Name Member Address Module
------------------------------ ------------------------------ -------------- --------------------
tcp4_seq_afinfo seq_fops.llseek 0xffff811c9250 Kernel
tcp4_seq_afinfo seq_fops.read 0xffff811c9460 Kernel
tcp4_seq_afinfo seq_fops.release 0xffff812157d0 Kernel
udplite6_seq_afinfo seq_ops.show 0xffff816a1300 Kernel
udplite6_seq_afinfo seq_fops.llseek 0xffff811c9250 Kernel
udplite6_seq_afinfo seq_fops.read 0xffff811c9460 Kernel
udplite6_seq_afinfo seq_fops.release 0xffff812157d0 Kernel
udp6_seq_afinfo seq_ops.show 0xffff816a1300 Kernel
udp6_seq_afinfo seq_fops.llseek 0xffff811c9250 Kernel
udp6_seq_afinfo seq_fops.read 0xffff811c9460 Kernel
udp6_seq_afinfo seq_fops.release 0xffff812157d0 Kernel
udplite4_seq_afinfo seq_ops.show 0xffff8164f9e0 Kernel
udplite4_seq_afinfo seq_fops.llseek 0xffff811c9250 Kernel
udplite4_seq_afinfo seq_fops.read 0xffff811c9460 Kernel
udplite4_seq_afinfo seq_fops.release 0xffff812157d0 Kernel
udp4_seq_afinfo seq_ops.show 0xffff8164f9e0 Kernel
udp4_seq_afinfo seq_fops.llseek 0xffff811c9250 Kernel
udp4_seq_afinfo seq_fops.read 0xffff811c9460 Kernel
udp4_seq_afinfo seq_fops.release 0xffff812157d0 Kernel
check_creds
Checks if any processes are sharing credential structures
Plugin Arguments
method | Method to list processes (Default uses all methods). (type: ChoiceArray)
pids | One or more pids of processes to select. (type: ArrayIntParser)
proc_regex | A regex to select a process by name. (type: RegEx)
task | Kernel addresses of task structs. (type: ArrayIntParser)
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
In order for rootkits to elevate the privileges of a given process, they need to alter the current effective identifier of that process. Before kernel 2.6, this was done by setting a couple of integers in the process task to the desired ID.
After 2.6, credentials are handled internally via the task_struct->cred member. Likely due to laziness or a poor attempt at remaining stealthy, some rootkits simply reuse the cred member of tasks that have the desired credentials (most often ID 0: root).
This plugin reports the location of the cred member of each task. When this structure is being reused, you’ll see more than one line of output with the same cred address.
Sample output
Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 15:40:12> check_creds
-----------------------------------------------------------------------> check_creds()
Cred PID Command
-------------- -------- --------------------
0x88003b86c900 966 dbus-daemon
0x88003c766480 1031 systemd-logind
0x88003c1a7380 1056 getty
0x88003c1d2180 1103 irqbalance
0x88003c1d23c0 1290 kauditd
0x88003c1a6c00 1058 getty
0x880036b2e840 1132 atd
0x88003b96d080 1055 getty
0x88003c767440 1335 bash
0x88003c1a6cc0 1074 sshd
0x88003c1d2c00 1131 cron
0x88003cbc0900 1160 login
0x88003c183140 1081 acpid
0x88003b9ded80 1042 getty
0x88003b9dee40 1049 getty
0x88003c1a78c0 1176 whoopsie
0x88003c69a480 1486 dnsmasq
0x88003cbc1440 1199 libvirtd
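The check the plugin's output invites, as an added example (not Rekall's own code): parse check_creds-style rows and report every cred address that more than one task points at. The rows are taken from the sample output above, plus one constructed row (pid 4242, "sh") that reuses the cred of bash (pid 1335) so that the detection has something to find.

```python
"""Group check_creds rows by cred address and report shared ones.

Added example, not Rekall's code. SAMPLE_OUTPUT is a subset of the page's
check_creds sample output plus one constructed row (pid 4242) that reuses
the cred of bash (pid 1335).
"""
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
0x88003b86c900 966 dbus-daemon
0x88003c766480 1031 systemd-logind
0x88003c1a7380 1056 getty
0x88003c767440 1335 bash
0x88003c1a6cc0 1074 sshd
0x88003c1d2c00 1131 cron
0x88003c767440 4242 sh
"""

ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\S+)$")


def parse_rows(text):
    """Turn 'Cred PID Command' lines into (cred, pid, comm) tuples.

    Header and separator lines are skipped; any other line that does not
    match the three-column layout is an error rather than silently dropped.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Cred", "-")):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError("unparsed row: %r" % line)
        rows.append((int(m.group(1), 16), int(m.group(2)), m.group(3)))
    return rows


def shared_creds(rows):
    """Return {cred_address: [(pid, comm), ...]} for creds used by >1 task.

    Threads of one process legitimately share their leader's cred, so when a
    task listing includes threads, collapse them to the thread-group leader
    first; the page's sample lists one task per process.
    """
    by_cred = defaultdict(list)
    for cred, pid, comm in rows:
        by_cred[cred].append((pid, comm))
    return {cred: tasks for cred, tasks in by_cred.items() if len(tasks) > 1}


def report(text=SAMPLE_OUTPUT):
    """Human-readable summary, one line per shared cred."""
    lines = []
    for cred, tasks in sorted(shared_creds(parse_rows(text)).items()):
        who = ", ".join("%d (%s)" % t for t in tasks)
        lines.append("cred 0x%x shared by: %s" % (cred, who))
    return lines


if __name__ == "__main__":
    print("\n".join(report()) or "no shared cred structures")
```

On a clean listing `report()` returns an empty list; on the constructed input it names the one cred shared by pids 1335 and 4242.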
check_idt
Checks if the IDT has been altered
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
This plugin tries to identify the symbol name or location of each entry in the Interrupt Descriptor Table.
The IDT holds a list of gate descriptors. These descriptors can be task, trap or interrupt descriptors.
- Interrupt Gates are invoked via the int instruction. System calls, for example, can be invoked in Linux with an int 0x80 instruction.
- Trap Gates are also invoked via the int instruction but don’t modify the IF flag in the EFLAGS register.
- Task Gates were originally intended to facilitate task switching but are mostly not used nowadays.
The plugin provides 6 columns as output:
- Index: The gate number.
- Address: The kernel address of the gate handler.
- Type: Whether this is an int/trap/task gate.
- Present: If the gate descriptor is present.
- DPL: Descriptor Privilege Level. The highest ring that is allowed to call this gate.
- Symbol: The kernel symbol that the address points to. If it’s unknown but within the kernel image, it will be Kernel. Otherwise, Unknown.
Notes
- A value of Kernel in the Symbol column means “part of the kernel image”, not merely anywhere in the kernel address space.
- Rekall currently only validates the IDT at the address pointed to by the kernel symbol idt_table. Note that on a running system, the current IDT may be different, as it can be changed via the x86 lidt instruction.
- Entries 0x00 to 0x1F are reserved by Intel for processor exceptions.
Sample output
$ python rekall/rekal.py --de -f ~/projects/actaeon64/memory_images/Windows7_VMware\(Win7x64+Ubuntu686\,Ubuntu64\)_VBox\(XPSP3x86\).ram --profile_path ../rekall-profiles/ --profile_path ../my-profiles/ --ept 0x17725001E check_idt
Index Address Type Present DPL Symbol
----- -------------- ------------------ ------- --- ------------------------------
0x0 0xffff816f6970 32-bit Int Gate 1 0 divide_error
0x1 0xffff816ecc80 32-bit Int Gate 1 0 Kernel
0x2 0xffff816ed0b0 32-bit Int Gate 1 0 nmi
0x3 0xffff816eccc0 32-bit Int Gate 1 3 int3
0x4 0xffff816f69a0 32-bit Int Gate 1 3 overflow
0x5 0xffff816f69d0 32-bit Int Gate 1 0 bounds
0x6 0xffff816f6a00 32-bit Int Gate 1 0 invalid_op
0x7 0xffff816f6a30 32-bit Int Gate 1 0 device_not_available
0x8 0xffff816f6a60 32-bit Int Gate 1 0 double_fault
0x9 0xffff816f6a90 32-bit Int Gate 1 0 coprocessor_segment_overrun
0xa 0xffff816f6ac0 32-bit Int Gate 1 0 invalid_TSS
0xb 0xffff816f6af0 32-bit Int Gate 1 0 segment_not_present
0xc 0xffff816ecd00 32-bit Int Gate 1 0 stack_segment
0xd 0xffff816ecdc0 32-bit Int Gate 1 0 general_protection
0xe 0xffff816ecdf0 32-bit Int Gate 1 0 page_fault
0xf 0xffff816f6b20 32-bit Int Gate 1 0 spurious_interrupt_bug
0x10 0xffff816f6b50 32-bit Int Gate 1 0 coprocessor_error
0x11 0xffff816f6b80 32-bit Int Gate 1 0 alignment_check
0x12 0xffff816ece50 32-bit Int Gate 1 0 machine_check
0x13 0xffff816f6bb0 32-bit Int Gate 1 0 simd_coprocessor_error
0x14 0xffff81d260b4 32-bit Int Gate 1 0 Unknown
0x15 0xffff81d260bd 32-bit Int Gate 1 0 Unknown
0x16 0xffff81d260c6 32-bit Int Gate 1 0 Unknown
0x17 0xffff81d260cf 32-bit Int Gate 1 0 Unknown
0x18 0xffff81d260d8 32-bit Int Gate 1 0 Unknown
0x19 0xffff81d260e1 32-bit Int Gate 1 0 Unknown
0x1a 0xffff81d260ea 32-bit Int Gate 1 0 Unknown
0x1b 0xffff81d260f3 32-bit Int Gate 1 0 Unknown
0x1c 0xffff81d260fc 32-bit Int Gate 1 0 Unknown
0x1d 0xffff81d26105 32-bit Int Gate 1 0 Unknown
0x1e 0xffff81d2610e 32-bit Int Gate 1 0 Unknown
0x1f 0xffff81d26117 32-bit Int Gate 1 0 Unknown
0x20 0xffff816f5e00 32-bit Int Gate 1 0 irq_move_cleanup_interrupt
0x21 0xffff816f5a04 32-bit Int Gate 1 0 Kernel
0x22 0xffff816f5a08 32-bit Int Gate 1 0 Kernel
0x23 0xffff816f5a0c 32-bit Int Gate 1 0 Kernel
0x24 0xffff816f5a10 32-bit Int Gate 1 0 Kernel
0x25 0xffff816f5a14 32-bit Int Gate 1 0 Kernel
0x26 0xffff816f5a18 32-bit Int Gate 1 0 Kernel
0x27 0xffff816f5a20 32-bit Int Gate 1 0 Kernel
0x28 0xffff816f5a24 32-bit Int Gate 1 0 Kernel
0x29 0xffff816f5a28 32-bit Int Gate 1 0 Kernel
0x2a 0xffff816f5a2c 32-bit Int Gate 1 0 Kernel
0x2b 0xffff816f5a30 32-bit Int Gate 1 0 Kernel
0x2c 0xffff816f5a34 32-bit Int Gate 1 0 Kernel
0x2d 0xffff816f5a38 32-bit Int Gate 1 0 Kernel
0x2e 0xffff816f5a40 32-bit Int Gate 1 0 Kernel
0x2f 0xffff816f5a44 32-bit Int Gate 1 0 Kernel
0x30 0xffff816f5a48 32-bit Int Gate 1 0 Kernel
0x31 0xffff816f5a4c 32-bit Int Gate 1 0 Kernel
0x32 0xffff816f5a50 32-bit Int Gate 1 0 Kernel
0x33 0xffff816f5a54 32-bit Int Gate 1 0 Kernel
0x34 0xffff816f5a58 32-bit Int Gate 1 0 Kernel
0x35 0xffff816f5a60 32-bit Int Gate 1 0 Kernel
0x36 0xffff816f5a64 32-bit Int Gate 1 0 Kernel
0x37 0xffff816f5a68 32-bit Int Gate 1 0 Kernel
0x38 0xffff816f5a6c 32-bit Int Gate 1 0 Kernel
0x39 0xffff816f5a70 32-bit Int Gate 1 0 Kernel
0x3a 0xffff816f5a74 32-bit Int Gate 1 0 Kernel
0x3b 0xffff816f5a78 32-bit Int Gate 1 0 Kernel
0x3c 0xffff816f5a80 32-bit Int Gate 1 0 Kernel
0x3d 0xffff816f5a84 32-bit Int Gate 1 0 Kernel
0x3e 0xffff816f5a88 32-bit Int Gate 1 0 Kernel
0x3f 0xffff816f5a8c 32-bit Int Gate 1 0 Kernel
0x40 0xffff816f5a90 32-bit Int Gate 1 0 Kernel
0x41 0xffff816f5a94 32-bit Int Gate 1 0 Kernel
0x42 0xffff816f5a98 32-bit Int Gate 1 0 Kernel
0x43 0xffff816f5aa0 32-bit Int Gate 1 0 Kernel
0x44 0xffff816f5aa4 32-bit Int Gate 1 0 Kernel
0x45 0xffff816f5aa8 32-bit Int Gate 1 0 Kernel
0x46 0xffff816f5aac 32-bit Int Gate 1 0 Kernel
0x47 0xffff816f5ab0 32-bit Int Gate 1 0 Kernel
0x48 0xffff816f5ab4 32-bit Int Gate 1 0 Kernel
0x49 0xffff816f5ab8 32-bit Int Gate 1 0 Kernel
0x4a 0xffff816f5ac0 32-bit Int Gate 1 0 Kernel
0x4b 0xffff816f5ac4 32-bit Int Gate 1 0 Kernel
0x4c 0xffff816f5ac8 32-bit Int Gate 1 0 Kernel
0x4d 0xffff816f5acc 32-bit Int Gate 1 0 Kernel
0x4e 0xffff816f5ad0 32-bit Int Gate 1 0 Kernel
0x4f 0xffff816f5ad4 32-bit Int Gate 1 0 Kernel
0x50 0xffff816f5ad8 32-bit Int Gate 1 0 Kernel
0x51 0xffff816f5ae0 32-bit Int Gate 1 0 Kernel
0x52 0xffff816f5ae4 32-bit Int Gate 1 0 Kernel
0x53 0xffff816f5ae8 32-bit Int Gate 1 0 Kernel
0x54 0xffff816f5aec 32-bit Int Gate 1 0 Kernel
0x55 0xffff816f5af0 32-bit Int Gate 1 0 Kernel
0x56 0xffff816f5af4 32-bit Int Gate 1 0 Kernel
0x57 0xffff816f5af8 32-bit Int Gate 1 0 Kernel
0x58 0xffff816f5b00 32-bit Int Gate 1 0 Kernel
0x59 0xffff816f5b04 32-bit Int Gate 1 0 Kernel
0x5a 0xffff816f5b08 32-bit Int Gate 1 0 Kernel
0x5b 0xffff816f5b0c 32-bit Int Gate 1 0 Kernel
0x5c 0xffff816f5b10 32-bit Int Gate 1 0 Kernel
0x5d 0xffff816f5b14 32-bit Int Gate 1 0 Kernel
0x5e 0xffff816f5b18 32-bit Int Gate 1 0 Kernel
0x5f 0xffff816f5b20 32-bit Int Gate 1 0 Kernel
0x60 0xffff816f5b24 32-bit Int Gate 1 0 Kernel
0x61 0xffff816f5b28 32-bit Int Gate 1 0 Kernel
0x62 0xffff816f5b2c 32-bit Int Gate 1 0 Kernel
0x63 0xffff816f5b30 32-bit Int Gate 1 0 Kernel
0x64 0xffff816f5b34 32-bit Int Gate 1 0 Kernel
0x65 0xffff816f5b38 32-bit Int Gate 1 0 Kernel
0x66 0xffff816f5b40 32-bit Int Gate 1 0 Kernel
0x67 0xffff816f5b44 32-bit Int Gate 1 0 Kernel
0x68 0xffff816f5b48 32-bit Int Gate 1 0 Kernel
0x69 0xffff816f5b4c 32-bit Int Gate 1 0 Kernel
0x6a 0xffff816f5b50 32-bit Int Gate 1 0 Kernel
0x6b 0xffff816f5b54 32-bit Int Gate 1 0 Kernel
0x6c 0xffff816f5b58 32-bit Int Gate 1 0 Kernel
0x6d 0xffff816f5b60 32-bit Int Gate 1 0 Kernel
0x6e 0xffff816f5b64 32-bit Int Gate 1 0 Kernel
0x6f 0xffff816f5b68 32-bit Int Gate 1 0 Kernel
0x70 0xffff816f5b6c 32-bit Int Gate 1 0 Kernel
0x71 0xffff816f5b70 32-bit Int Gate 1 0 Kernel
0x72 0xffff816f5b74 32-bit Int Gate 1 0 Kernel
0x73 0xffff816f5b78 32-bit Int Gate 1 0 Kernel
0x74 0xffff816f5b80 32-bit Int Gate 1 0 Kernel
0x75 0xffff816f5b84 32-bit Int Gate 1 0 Kernel
0x76 0xffff816f5b88 32-bit Int Gate 1 0 Kernel
0x77 0xffff816f5b8c 32-bit Int Gate 1 0 Kernel
0x78 0xffff816f5b90 32-bit Int Gate 1 0 Kernel
0x79 0xffff816f5b94 32-bit Int Gate 1 0 Kernel
0x7a 0xffff816f5b98 32-bit Int Gate 1 0 Kernel
0x7b 0xffff816f5ba0 32-bit Int Gate 1 0 Kernel
0x7c 0xffff816f5ba4 32-bit Int Gate 1 0 Kernel
0x7d 0xffff816f5ba8 32-bit Int Gate 1 0 Kernel
0x7e 0xffff816f5bac 32-bit Int Gate 1 0 Kernel
0x7f 0xffff816f5bb0 32-bit Int Gate 1 0 Kernel
0x80 0xffff816f72e0 32-bit Int Gate 1 3 ia32_syscall
0x81 0xffff816f5bb8 32-bit Int Gate 1 0 Kernel
0x82 0xffff816f5bc0 32-bit Int Gate 1 0 Kernel
0x83 0xffff816f5bc4 32-bit Int Gate 1 0 Kernel
0x84 0xffff816f5bc8 32-bit Int Gate 1 0 Kernel
0x85 0xffff816f5bcc 32-bit Int Gate 1 0 Kernel
0x86 0xffff816f5bd0 32-bit Int Gate 1 0 Kernel
0x87 0xffff816f5bd4 32-bit Int Gate 1 0 Kernel
0x88 0xffff816f5bd8 32-bit Int Gate 1 0 Kernel
0x89 0xffff816f5be0 32-bit Int Gate 1 0 Kernel
0x8a 0xffff816f5be4 32-bit Int Gate 1 0 Kernel
0x8b 0xffff816f5be8 32-bit Int Gate 1 0 Kernel
0x8c 0xffff816f5bec 32-bit Int Gate 1 0 Kernel
0x8d 0xffff816f5bf0 32-bit Int Gate 1 0 Kernel
0x8e 0xffff816f5bf4 32-bit Int Gate 1 0 Kernel
0x8f 0xffff816f5bf8 32-bit Int Gate 1 0 Kernel
0x90 0xffff816f5c00 32-bit Int Gate 1 0 Kernel
0x91 0xffff816f5c04 32-bit Int Gate 1 0 Kernel
0x92 0xffff816f5c08 32-bit Int Gate 1 0 Kernel
0x93 0xffff816f5c0c 32-bit Int Gate 1 0 Kernel
0x94 0xffff816f5c10 32-bit Int Gate 1 0 Kernel
0x95 0xffff816f5c14 32-bit Int Gate 1 0 Kernel
0x96 0xffff816f5c18 32-bit Int Gate 1 0 Kernel
0x97 0xffff816f5c20 32-bit Int Gate 1 0 Kernel
0x98 0xffff816f5c24 32-bit Int Gate 1 0 Kernel
0x99 0xffff816f5c28 32-bit Int Gate 1 0 Kernel
0x9a 0xffff816f5c2c 32-bit Int Gate 1 0 Kernel
0x9b 0xffff816f5c30 32-bit Int Gate 1 0 Kernel
0x9c 0xffff816f5c34 32-bit Int Gate 1 0 Kernel
0x9d 0xffff816f5c38 32-bit Int Gate 1 0 Kernel
0x9e 0xffff816f5c40 32-bit Int Gate 1 0 Kernel
0x9f 0xffff816f5c44 32-bit Int Gate 1 0 Kernel
0xa0 0xffff816f5c48 32-bit Int Gate 1 0 Kernel
0xa1 0xffff816f5c4c 32-bit Int Gate 1 0 Kernel
0xa2 0xffff816f5c50 32-bit Int Gate 1 0 Kernel
0xa3 0xffff816f5c54 32-bit Int Gate 1 0 Kernel
0xa4 0xffff816f5c58 32-bit Int Gate 1 0 Kernel
0xa5 0xffff816f5c60 32-bit Int Gate 1 0 Kernel
0xa6 0xffff816f5c64 32-bit Int Gate 1 0 Kernel
0xa7 0xffff816f5c68 32-bit Int Gate 1 0 Kernel
0xa8 0xffff816f5c6c 32-bit Int Gate 1 0 Kernel
0xa9 0xffff816f5c70 32-bit Int Gate 1 0 Kernel
0xaa 0xffff816f5c74 32-bit Int Gate 1 0 Kernel
0xab 0xffff816f5c78 32-bit Int Gate 1 0 Kernel
0xac 0xffff816f5c80 32-bit Int Gate 1 0 Kernel
0xad 0xffff816f5c84 32-bit Int Gate 1 0 Kernel
0xae 0xffff816f5c88 32-bit Int Gate 1 0 Kernel
0xaf 0xffff816f5c8c 32-bit Int Gate 1 0 Kernel
0xb0 0xffff816f5c90 32-bit Int Gate 1 0 Kernel
0xb1 0xffff816f5c94 32-bit Int Gate 1 0 Kernel
0xb2 0xffff816f5c98 32-bit Int Gate 1 0 Kernel
0xb3 0xffff816f5ca0 32-bit Int Gate 1 0 Kernel
0xb4 0xffff816f5ca4 32-bit Int Gate 1 0 Kernel
0xb5 0xffff816f5ca8 32-bit Int Gate 1 0 Kernel
0xb6 0xffff816f5cac 32-bit Int Gate 1 0 Kernel
0xb7 0xffff816f5cb0 32-bit Int Gate 1 0 Kernel
0xb8 0xffff816f5cb4 32-bit Int Gate 1 0 Kernel
0xb9 0xffff816f5cb8 32-bit Int Gate 1 0 Kernel
0xba 0xffff816f5cc0 32-bit Int Gate 1 0 Kernel
0xbb 0xffff816f5cc4 32-bit Int Gate 1 0 Kernel
0xbc 0xffff816f5cc8 32-bit Int Gate 1 0 Kernel
0xbd 0xffff816f5ccc 32-bit Int Gate 1 0 Kernel
0xbe 0xffff816f5cd0 32-bit Int Gate 1 0 Kernel
0xbf 0xffff816f5cd4 32-bit Int Gate 1 0 Kernel
0xc0 0xffff816f5cd8 32-bit Int Gate 1 0 Kernel
0xc1 0xffff816f5ce0 32-bit Int Gate 1 0 Kernel
0xc2 0xffff816f5ce4 32-bit Int Gate 1 0 Kernel
0xc3 0xffff816f5ce8 32-bit Int Gate 1 0 Kernel
0xc4 0xffff816f5cec 32-bit Int Gate 1 0 Kernel
0xc5 0xffff816f5cf0 32-bit Int Gate 1 0 Kernel
0xc6 0xffff816f5cf4 32-bit Int Gate 1 0 Kernel
0xc7 0xffff816f5cf8 32-bit Int Gate 1 0 Kernel
0xc8 0xffff816f5d00 32-bit Int Gate 1 0 Kernel
0xc9 0xffff816f5d04 32-bit Int Gate 1 0 Kernel
0xca 0xffff816f5d08 32-bit Int Gate 1 0 Kernel
0xcb 0xffff816f5d0c 32-bit Int Gate 1 0 Kernel
0xcc 0xffff816f5d10 32-bit Int Gate 1 0 Kernel
0xcd 0xffff816f5d14 32-bit Int Gate 1 0 Kernel
0xce 0xffff816f5d18 32-bit Int Gate 1 0 Kernel
0xcf 0xffff816f5d20 32-bit Int Gate 1 0 Kernel
0xd0 0xffff816f5d24 32-bit Int Gate 1 0 Kernel
0xd1 0xffff816f5d28 32-bit Int Gate 1 0 Kernel
0xd2 0xffff816f5d2c 32-bit Int Gate 1 0 Kernel
0xd3 0xffff816f5d30 32-bit Int Gate 1 0 Kernel
0xd4 0xffff816f5d34 32-bit Int Gate 1 0 Kernel
0xd5 0xffff816f5d38 32-bit Int Gate 1 0 Kernel
0xd6 0xffff816f5d40 32-bit Int Gate 1 0 Kernel
0xd7 0xffff816f5d44 32-bit Int Gate 1 0 Kernel
0xd8 0xffff816f5d48 32-bit Int Gate 1 0 Kernel
0xd9 0xffff816f5d4c 32-bit Int Gate 1 0 Kernel
0xda 0xffff816f5d50 32-bit Int Gate 1 0 Kernel
0xdb 0xffff816f5d54 32-bit Int Gate 1 0 Kernel
0xdc 0xffff816f5d58 32-bit Int Gate 1 0 Kernel
0xdd 0xffff816f5d60 32-bit Int Gate 1 0 Kernel
0xde 0xffff816f5d64 32-bit Int Gate 1 0 Kernel
0xdf 0xffff816f5d68 32-bit Int Gate 1 0 Kernel
0xe0 0xffff816f5d6c 32-bit Int Gate 1 0 Kernel
0xe1 0xffff816f5d70 32-bit Int Gate 1 0 Kernel
0xe2 0xffff816f5d74 32-bit Int Gate 1 0 Kernel
0xe3 0xffff816f5d78 32-bit Int Gate 1 0 Kernel
0xe4 0xffff816f5d80 32-bit Int Gate 1 0 Kernel
0xe5 0xffff816f5d84 32-bit Int Gate 1 0 Kernel
0xe6 0xffff816f5d88 32-bit Int Gate 1 0 Kernel
0xe7 0xffff816f5d8c 32-bit Int Gate 1 0 Kernel
0xe8 0xffff816f5d90 32-bit Int Gate 1 0 Kernel
0xe9 0xffff816f5d94 32-bit Int Gate 1 0 Kernel
0xea 0xffff816f5d98 32-bit Int Gate 1 0 Kernel
0xeb 0xffff816f5da0 32-bit Int Gate 1 0 Kernel
0xec 0xffff816f5da4 32-bit Int Gate 1 0 Kernel
0xed 0xffff816f5da8 32-bit Int Gate 1 0 Kernel
0xee 0xffff816f5dac 32-bit Int Gate 1 0 Kernel
0xef 0xffff816f5ef0 32-bit Int Gate 1 0 apic_timer_interrupt
0xf0 0xffff816f5db4 32-bit Int Gate 1 0 Kernel
0xf1 0xffff816f5db8 32-bit Int Gate 1 0 Kernel
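To show where the six columns above come from, here is an added example (not Rekall's code) that decodes raw x86-64 IDT gate descriptors into Index, Address, Type, Present, DPL and Symbol. The 16-byte long-mode gate layout is architectural; the "32-bit Int Gate" label is the one the output above uses, the trap and task gate labels follow the same style and are assumed; the kernel text range, symbol table and the four-entry sample IDT that build_sample_idt() packs are constructed for this example.

```python
"""Decode raw x86-64 IDT gate descriptors into the columns check_idt prints.

Added example, not Rekall's code. The descriptor layout is the architectural
16-byte long-mode gate; KERNEL_RANGE, SYMBOLS and the sample IDT built by
build_sample_idt() are constructed for this example.
"""
import struct

# offset[15:0], selector, IST, type/attr, offset[31:16], offset[63:32], reserved
GATE_FMT = "<HHBBHII"
GATE_SIZE = struct.calcsize(GATE_FMT)   # 16 bytes

# Low nibble of the attribute byte. 0xE is what the page's output labels
# "32-bit Int Gate"; the other two labels are assumed to follow that style.
GATE_TYPES = {0x5: "Task Gate", 0xE: "32-bit Int Gate", 0xF: "32-bit Trap Gate"}


def pack_gate(offset, dpl, gate_type=0xE, present=True, selector=0x10, ist=0):
    """Build one raw descriptor. Used here only to construct sample input."""
    attr = (gate_type & 0xF) | ((dpl & 3) << 5) | ((1 if present else 0) << 7)
    return struct.pack(GATE_FMT, offset & 0xFFFF, selector, ist & 7, attr,
                       (offset >> 16) & 0xFFFF, (offset >> 32) & 0xFFFFFFFF, 0)


def decode_gate(raw):
    """Split a 16-byte descriptor into handler address, type, present bit and DPL."""
    off_lo, selector, ist, attr, off_mid, off_hi, _reserved = struct.unpack(GATE_FMT, raw)
    gate_type = attr & 0xF
    return {
        "address": off_lo | (off_mid << 16) | (off_hi << 32),
        "selector": selector,
        "ist": ist & 7,
        "type": GATE_TYPES.get(gate_type, "Unknown (0x%x)" % gate_type),
        "present": (attr >> 7) & 1,
        "dpl": (attr >> 5) & 3,
    }


def resolve(address, symbols, kernel_range):
    """Symbol column: exact symbol, else 'Kernel' if inside the image, else 'Unknown'."""
    if address in symbols:
        return symbols[address]
    if kernel_range[0] <= address < kernel_range[1]:
        return "Kernel"
    return "Unknown"


def decode_idt(blob, symbols, kernel_range):
    """Return (index, address, type, present, dpl, symbol) per gate, like check_idt."""
    rows = []
    for index in range(len(blob) // GATE_SIZE):
        g = decode_gate(blob[index * GATE_SIZE:(index + 1) * GATE_SIZE])
        rows.append((index, g["address"], g["type"], g["present"], g["dpl"],
                     resolve(g["address"], symbols, kernel_range)))
    return rows


def user_callable_gates(rows):
    """Present gates with DPL 3, i.e. the ones ring 3 may raise with `int N`."""
    return [r for r in rows if r[3] == 1 and r[4] == 3]


# Constructed sample: a kernel text range and a few handler symbols.
KERNEL_RANGE = (0xFFFFFFFF81000000, 0xFFFFFFFF816FA000)
SYMBOLS = {
    0xFFFFFFFF816F6970: "divide_error",
    0xFFFFFFFF816ECCC0: "int3",
    0xFFFFFFFF816F72E0: "ia32_syscall",
}


def build_sample_idt():
    """Four gates: two named, one unnamed but inside the image, one outside it."""
    return b"".join([
        pack_gate(0xFFFFFFFF816F6970, dpl=0),                 # 0: divide_error
        pack_gate(0xFFFFFFFF816ECCC0, dpl=3),                 # 1: int3, user-callable
        pack_gate(0xFFFFFFFF816ECC80, dpl=0),                 # 2: in image, no symbol
        pack_gate(0xFFFFFFFFA0C3D000, dpl=0, gate_type=0xF),  # 3: trap gate outside image
    ])


if __name__ == "__main__":
    for row in decode_idt(build_sample_idt(), SYMBOLS, KERNEL_RANGE):
        print("0x%-3x 0x%x %-18s %d %d %s" % row)
```

user_callable_gates() is the review step a practitioner adds on top: on the sample output above only 0x3 (int3), 0x4 (overflow) and 0x80 (ia32_syscall) carry DPL 3, so any other present gate with DPL 3 deserves a closer look.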
check_modules
Compares module list to sysfs info, if available.
Sysfs contains kset objects for a number of kernel objects (kobjects). One of the ksets is the “module_kset” which holds references to all loaded kernel modules.
Each struct module object holds within it a kobj struct for reference counting. This object is referenced both from the struct module and the sysfs kset.
This plugin traverses the kset and resolves the kobj back to its containing object (which is the struct module itself). We then compare the struct module with the list of known modules (which is obtained by traversing the module’s list member). So if a module were to simply unlink itself from the list, it would still be found by its reference from sysfs.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
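The cross-view comparison just described, as an added example that is not Rekall's code: ListNode, Module and Kernel stand in for the kernel's list_head, struct module and module_kset in plain Python objects, the module names are constructed, and "hidden_lkm" is a constructed module that is unlinked from the list but still referenced from the kset.

```python
"""Cross-view check in the spirit of check_modules: modules reachable from the
sysfs module_kset versus modules reachable by walking the `modules` list.

Added example, not Rekall's code. ListNode/Module/Kernel simulate list_head,
struct module and module_kset; the names and the unlinked "hidden_lkm" module
are constructed.
"""


class ListNode:
    """Minimal struct list_head: a circular doubly linked list with a sentinel."""

    def __init__(self, owner=None):
        self.prev = self
        self.next = self
        self.owner = owner          # back-reference that container_of() would compute

    def add_tail(self, node):
        """list_add_tail(): insert node just before the sentinel (end of list)."""
        node.prev = self.prev
        node.next = self
        self.prev.next = node
        self.prev = node

    def unlink(self):
        """list_del(): the neighbours skip this node; the node keeps its own pointers."""
        self.prev.next = self.next
        self.next.prev = self.prev


class Module:
    def __init__(self, name):
        self.name = name
        self.list = ListNode(owner=self)   # struct module.list
        self.kobj = object()               # stands in for module.mkobj.kobj


class Kernel:
    """Just enough state for the two views: the list head and the kset."""

    def __init__(self, names):
        self.modules = ListNode()          # the `modules` kernel symbol
        self.module_kset = []              # kobj references held by sysfs
        self.kobj_owner = {}               # container_of(kobj, struct module, mkobj.kobj)
        self.by_name = {}
        for name in names:
            m = Module(name)
            self.modules.add_tail(m.list)
            self.module_kset.append(m.kobj)
            self.kobj_owner[m.kobj] = m
            self.by_name[name] = m

    def walk_modules_list(self):
        """What lsmod sees: follow next pointers from the head back to the head."""
        names, node = [], self.modules.next
        while node is not self.modules:
            names.append(node.owner.name)
            node = node.next
        return names

    def walk_module_kset(self):
        """What sysfs sees: every kobj in the kset, resolved to its struct module."""
        return [self.kobj_owner[k].name for k in self.module_kset]

    def hidden_modules(self):
        """Modules present in sysfs but missing from the list."""
        return sorted(set(self.walk_module_kset()) - set(self.walk_modules_list()))


def demo():
    """Constructed scenario: one module unlinks itself from the list only."""
    k = Kernel(["ipt_MASQUERADE", "iptable_nat", "hidden_lkm"])
    k.by_name["hidden_lkm"].list.unlink()
    return k.walk_modules_list(), k.hidden_modules()


if __name__ == "__main__":
    visible, hidden = demo()
    print("list view:", visible)
    print("in sysfs but not in list:", hidden)
```

The unlinked node keeps its own prev/next pointers, exactly as list_del() leaves them, which is why the list walk never reaches it while the kset walk still does.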
check_proc_fops
Checks the proc filesystem for hooked f_ops.
Plugin Arguments
all | Specify to see all the fops, even if they are known. (type: Boolean)
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
check_proc_fops checks the file operations pointers of each open file in the proc filesystem. Some rootkits hook these operations in order to implement process hiding.
In order to determine if an operation pointer is hooked, Rekall checks that the pointer resides within a known module or the kernel image.
If a pointer is found outside of these bounds, it will be reported.
Notes
- To obtain a list of all checked function pointers, use the --all parameter.
Sample output
Expect blank output on clean systems.
pmem 15:44:30> check_proc_fops
-------------> check_proc_fops()
DirEntry Path Member Address Module
-------------- -------------------------------------------------- -------------------- -------------- --------------------
pmem 15:44:35>
check_syscall
Checks if the system call table has been altered.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
check_syscall checks if every syscall handler points to a known symbol in the profile. All the default syscall handlers for a given kernel should be exported along with the profile, and if a handler is changed, Rekall will detect it.
Notes
- Unknown symbols are reported as Unknown.
- Only the handler pointers are checked. If the original handler is still being used but it has been patched in memory, no hook detection will be done.
Sample output
check_task_fops
Check open files in tasks for f_ops modifications.
Plugin Arguments
all | Specify to see all the fops, even if they are known. (type: Boolean)
method | Method to list processes (Default uses all methods). (type: ChoiceArray)
pids | One or more pids of processes to select. (type: ArrayIntParser)
proc_regex | A regex to select a process by name. (type: RegEx)
task | Kernel addresses of task structs. (type: ArrayIntParser)
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
check_task_fops checks the file operations pointers of each running process’ open files. Rootkits may hook these function pointers in order to control the operation of specific tasks.
In order to determine if an operation pointer is hooked, Rekall checks that the pointer resides within a known module or the kernel image.
If a pointer is found outside of these bounds, it will be reported.
Notes
- To obtain a list of all checked function pointers, use the --all parameter.
Sample output
Expect blank output on clean systems.
pmem 15:44:30> check_task_fops
-------------> check_proc_fops()
DirEntry Path Member Address Module
-------------- -------------------------------------------------- -------------------- -------------- --------------------
pmem 15:44:35>
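The two checks that check_afinfo, check_proc_fops and check_task_fops share (is the pointer inside the kernel image or a loaded module's range?) and the one check_syscall performs (does the pointer match a symbol exported in the profile?), as one added example that is not Rekall's code. The code ranges, the f_ops pointers, the syscall table and the profile symbols are constructed; the two module sizes are the ones shown in the lsmod sample further down the page, the base addresses are not.

```python
"""Range-based pointer validation as described for check_afinfo, check_proc_fops
and check_task_fops, plus the exact-symbol check described for check_syscall.

Added example, not Rekall's code. KNOWN_RANGES, SAMPLE_POINTERS,
SAMPLE_SYSCALL_TABLE and PROFILE_SYMBOLS are constructed sample data; the
module sizes come from the page's lsmod output, the addresses do not.
"""
from collections import namedtuple

CodeRange = namedtuple("CodeRange", "name start end")      # [start, end)
Pointer = namedtuple("Pointer", "owner member address")

# Constructed: the kernel image text range and two loaded modules.
KNOWN_RANGES = [
    CodeRange("Kernel", 0xFFFFFFFF81000000, 0xFFFFFFFF816F9946),
    CodeRange("ipt_MASQUERADE", 0xFFFFFFFFA038B000, 0xFFFFFFFFA038B000 + 12880),
    CodeRange("iptable_nat", 0xFFFFFFFFA0381000, 0xFFFFFFFFA0381000 + 13011),
]


def resolve_module(address, ranges=KNOWN_RANGES):
    """Name of the kernel image or module whose range contains address, else 'Unknown'."""
    for r in ranges:
        if r.start <= address < r.end:
            return r.name
    return "Unknown"


def check_fops(pointers, ranges=KNOWN_RANGES, show_all=False):
    """Report f_ops pointers outside every known range; show_all mirrors --all.

    A zero pointer means the operation is simply not implemented, so this
    example never reports it as a hook (the example's convention).
    """
    rows = []
    for p in pointers:
        if p.address == 0:
            continue
        module = resolve_module(p.address, ranges)
        if show_all or module == "Unknown":
            rows.append((p.owner, p.member, p.address, module))
    return rows


def check_syscall_table(table, profile_symbols):
    """check_syscall semantics: each handler must match a symbol from the profile.

    Only the pointer is compared, so a handler that was patched in place still
    resolves to its original symbol and is not flagged here.
    """
    return [(n, addr, profile_symbols.get(addr, "Unknown")) for n, addr in enumerate(table)]


# Constructed f_ops table: two pointers in the kernel image, one in a module,
# one in memory that belongs to no known range, and one unimplemented operation.
SAMPLE_POINTERS = [
    Pointer("tcp4_seq_afinfo", "seq_fops.llseek", 0xFFFFFFFF811C9250),
    Pointer("tcp4_seq_afinfo", "seq_fops.read", 0xFFFFFFFF811C9460),
    Pointer("tcp4_seq_afinfo", "seq_ops.show", 0xFFFFFFFFA0381A00),
    Pointer("udp4_seq_afinfo", "seq_fops.release", 0xFFFFC90000A12000),
    Pointer("udp4_seq_afinfo", "seq_fops.write", 0),
]

# Constructed syscall table and profile: entry 2 points where the profile has no symbol.
PROFILE_SYMBOLS = {
    0xFFFFFFFF811A0F00: "sys_read",
    0xFFFFFFFF811A1050: "sys_write",
    0xFFFFFFFF811A1200: "sys_open",
}
SAMPLE_SYSCALL_TABLE = [0xFFFFFFFF811A0F00, 0xFFFFFFFF811A1050, 0xFFFFC90000A12080]


if __name__ == "__main__":
    for row in check_fops(SAMPLE_POINTERS, show_all=True):
        print("%-20s %-18s 0x%x %s" % row)
    for row in check_syscall_table(SAMPLE_SYSCALL_TABLE, PROFILE_SYMBOLS):
        print("syscall %d 0x%x %s" % row)
```

Without show_all only the one pointer outside every known range is returned, which is why the plugins print nothing on a clean system; the range end is exclusive, so a pointer one byte past a module's size is already Unknown.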
check_ttys
Checks tty devices for hooks.
Some malware inserts a hook into the ops struct of the tty driver. This plugin enumerates all tty_struct objects and checks if their ops handlers have been subverted.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
cpuinfo
Prints information about each active processor.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
Sample output
[1] Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 16:07:43> cpuinfo
---------------------------------------------------------------------------> cpuinfo()
CPU Vendor Model
---- -------------------- --------------------------------------------------------------------------------
0 GenuineIntel Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz
1 GenuineIntel Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz
2 GenuineIntel Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz
3 GenuineIntel Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz
dmesg
Gathers the dmesg buffer.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
Sample output
[1] Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 16:07:44> dmesg
---------------------------------------------------------------------------> dmesg()
Timestamp Facility Level Message
--------- -------- ----- --------------------------------------------------------------------------------
0.00 0 LOG_INFO Initializing cgroup subsys cpuset
0.00 0 LOG_INFO Initializing cgroup subsys cpu
0.00 0 LOG_INFO Initializing cgroup subsys cpuacct
0.00 0 LOG_INFO Linux version 3.11.0-12-generic (buildd@allspice) (gcc version 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu7) ) #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013 (Ubuntu 3.11.0-12.19-generic 3.11.3)
0.00 0 LOG_INFO Command line: BOOT_IMAGE=/vmlinuz-3.11.0-12-generic root=/dev/mapper/ubuntu--vmware--vg-root ro
0.00 0 LOG_INFO KERNEL supported cpus:
0.00 0 LOG_INFO Intel GenuineIntel
0.00 0 LOG_INFO AMD AuthenticAMD
0.00 0 LOG_INFO Centaur CentaurHauls
0.00 0 LOG_INFO Disabled fast string operations
0.00 0 LOG_INFO e820: BIOS-provided physical RAM map:
0.00 0 LOG_CRIT BIOS-e820: [mem 0x0000000000000000-0x000000000009ebff] usable
0.00 0 LOG_CRIT BIOS-e820: [mem 0x000000000009ec00-0x000000000009ffff] reserved
0.00 0 LOG_CRIT BIOS-e820: [mem 0x00000000000ca000-0x00000000000cbfff] reserved
0.00 0 LOG_CRIT BIOS-e820: [mem 0x00000000000dc000-0x00000000000fffff] reserved
0.00 0 LOG_CRIT BIOS-e820: [mem 0x0000000000100000-0x000000003fedffff] usable
0.00 0 LOG_CRIT BIOS-e820: [mem 0x000000003fee0000-0x000000003fefefff] ACPI data
0.00 0 LOG_CRIT BIOS-e820: [mem 0x000000003feff000-0x000000003fefffff] ACPI NVS
0.00 0 LOG_CRIT BIOS-e820: [mem 0x000000003ff00000-0x000000003fffffff] usable
0.00 0 LOG_CRIT BIOS-e820: [mem 0x00000000f0000000-0x00000000f7ffffff] reserved
0.00 0 LOG_CRIT BIOS-e820: [mem 0x00000000fec00000-0x00000000fec0ffff] reserved
0.00 0 LOG_CRIT BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
0.00 0 LOG_CRIT BIOS-e820: [mem 0x00000000fffe0000-0x00000000ffffffff] reserved
0.00 0 LOG_INFO NX (Execute Disable) protection: active
0.00 0 LOG_INFO SMBIOS 2.4 present.
0.00 0 LOG_INFO DMI: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
0.00 0 LOG_INFO Hypervisor detected: VMware
0.00 0 LOG_CRIT e820: update [mem 0x00000000-0x00000fff] usable ==> reserved
0.00 0 LOG_CRIT e820: remove [mem 0x000a0000-0x000fffff] usable
0.00 0 LOG_INFO
find_dtb
A scanner for DTB values. Handles both 32 and 64 bits.
The plugin also autodetects when the guest is running as a XEN paravirtualized guest and returns a compatible address space.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
hostname
A mixin for those plugins requiring a physical address space.
Args: physical_address_space: The physical address space to use. If not specified we use the following options:
1) session.physical_address_space,
2) Guess using the load_as() plugin,
3) Use session.kernel_address_space.base.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
ifconfig
Gathers active interfaces.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
Sample output
[1] Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 16:12:17> ifconfig
---------------------------------------------------------------------------> ifconfig()
Interface Ipv4Address MAC Flags
---------------- -------------------- ------------------ --------------------
lo 127.0.0.1 00:00:00:00:00:00 IFF_LOOPBACK, IFF_UP
eth0 192.168.239.129 00:0C:29:57:F7:19 IFF_BROADCAST, IFF_MULTICAST, IFF_UP
iomem
Mimics /proc/iomem.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
Sample output
[1] Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 16:22:13> iomem
---------------------------------------------------------------------------> iomem()
Resource Start End Name
-------------- -------------- -------------- ----
0xffff81c3abc0 0x000000000000 0x00ffffffffff
0x88003fff9b00 . 0x000000000000 0x000000000fff reserved
0x88003fff9b38 . 0x000000001000 0x00000009ebff System RAM
0x88003fff9b70 . 0x00000009ec00 0x00000009ffff reserved
0x88003d112200 . 0x0000000a0000 0x0000000bffff PCI Bus 0000:00
0xffff81c1aac0 . 0x0000000c0000 0x0000000c7fff Video ROM
0x88003fff9ba8 . 0x0000000ca000 0x0000000cbfff reserved
0xffff81c1ab00 .. 0x0000000ca000 0x0000000cafff Adapter ROM
0x88003d112238 . 0x0000000d0000 0x0000000d3fff PCI Bus 0000:00
0x88003d112270 . 0x0000000d4000 0x0000000d7fff PCI Bus 0000:00
0x88003d1122a8 . 0x0000000d8000 0x0000000dbfff PCI Bus 0000:00
0x88003fff9be0 . 0x0000000dc000 0x0000000fffff reserved
0xffff81c1aca0 .. 0x0000000f0000 0x0000000fffff System ROM
0x88003fff9c18 . 0x000000100000 0x00003fedffff System RAM
0xffff81c1a6a0 .. 0x000001000000 0x0000016f9945 Kernel code
0xffff81c1a6e0 .. 0x0000016f9946 0x000001d0e7ff Kernel data
0xffff81c1a660 .. 0x000001e6d000 0x000001fcffff Kernel bss
0x88003fff9c50 . 0x00003fee0000 0x00003fefefff ACPI Tables
0x88003fff9c88 . 0x00003feff000 0x00003fefffff ACPI Non-volatile Storage
0x88003fff9cc0 . 0x00003ff00000 0x00003fffffff System RAM
0x88003d1122e0 . 0x0000c0000000 0x0000febfffff PCI Bus 0000:00
0x88003d1a0488 .. 0x0000c0000000 0x0000c0007fff 0000:00:0f.0
0x88003d1a1488 .. 0x0000c0008000 0x0000c000bfff 0000:00:10.0
0x88003d202680 .. 0x0000e5b00000 0x0000e5bfffff
0x88003d1da680 .. 0x0000e5c00000 0x0000e5cfffff PCI Bus 0000:1a
0x88003d1d2680 .. 0x0000e5d00000 0x0000e5dfffff PCI Bus 0000:12
0x88003d1ca680 .. 0x0000e5e00000 0x0000e5efffff
0x88003d201680 .. 0x000000000000 0x000000000000 -
0x88003fff9d30 . 0x0000fec00000 0x0000fec0ffff reserved
0x88003fff9e00 .. 0x0000fec00000 0x0000fec003ff IOAPIC 0
0x88003fff9e80 . 0x0000fed00000 0x0000fed003ff HPET 0
0x88003d2ca500 .. 0x0000fed00000 0x0000fed003ff pnp 00:07
0xffff81c25cc0 . 0x0000fee00000 0x0000fee00fff Local APIC
0x88003fff9d68 .. 0x0000fee00000 0x0000fee00fff reserved
0x88003fff9da0 . 0x0000fffe0000 0x0000ffffffff reserved
lsmod
Gathers loaded kernel modules.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
Rekall walks the list at the kernel symbol modules to provide the list of modules.
Sample output
[1] Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 16:22:54> lsmod
---------------------------------------------------------------------------> lsmod()
******************** Overview ********************
Virtual Core Start Total Size Name
-------------- -------------- ---------- --------------------
0xffffa038d120 0xffffa038b000 12880 ipt_MASQUERADE
0xffffa0383180 0xffffa0381000 13011 iptable_nat
lsof
Lists open files.
Plugin Arguments
method | Method to list processes (Default uses all methods). (type: ChoiceArray) |
pids | One or more pids of processes to select. (type: ArrayIntParser) |
proc_regex | A regex to select a process by name. (type: RegEx) |
task | Kernel addresses of task structs. (type: ArrayIntParser) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
Rekall walks the process table and, for each kernel task, dereferences the entries of task.files.fds.
Sample output
$ python rekall/rekal.py -f ~/memory_images/Windows7_VMware\(Win7x64+Ubuntu686,Ubuntu64\)_VBox\(XPSP3x86\).ram --ept 0x00017725001e - lsof
[...]
libvirtd 1199 0 13 - 0 - -
libvirtd 1199 0 14 0 0 0 socket:/NETLINK[0]
libvirtd 1199 0 15 0 0 12987 socket:/UNIX[12987]
libvirtd 1199 0 16 - 0 - proc
libvirtd 1199 0 17 0 0 0 socket:/NETLINK[0]
libvirtd 1199 0 18 0 0 8902 /run/libvirt/network/nwfilter.leases
libvirtd 1199 0 19 0 0 7861 -
bash 1335 0 0 - 0 - -
bash 1335 0 1 - 0 - -
bash 1335 0 2 - 0 - -
bash 1335 0 255 - 0 - -
maps
Gathers process maps for Linux.
Plugin Arguments
method | Method to list processes (Default uses all methods). (type: ChoiceArray) |
pids | One or more pids of processes to select. (type: ArrayIntParser) |
proc_regex | A regex to select a process by name. (type: RegEx) |
task | Kernel addresses of task structs. (type: ArrayIntParser) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
Sample output
[1] Windows7_VMware(Win7x64+Ubuntu686,Ubuntu64)_VBox(XPSP3x86).ram 17:18:41> maps
---------------------------------------------------------------------------> maps()
Pid Start End Flags Pgoff Major Minor Inode File Path
-------- -------------- -------------- ------ -------------- ------ ------ ------------- --------------------------------------------------------------------------------
966 0x000000000000 0x000000000000 --- 0x000000000000 0 0 0
1031 0x000000400000 0x00000043a000 r-x 0x000000000000 - - - -
1031 0x000000639000 0x00000063a000 r-- 0x000000039000 - - - -
1031 0x00000063a000 0x00000063b000 rw- 0x00000003a000 - - - -
1031 0x0000012be000 0x0000012df000 rw- 0x000000000000 0 0 0 [heap]
1031 0x000000000000 0x000000000000 --- 0x000000000000 0 0 0
1042 0x000000000000 0x000000000000 --- 0x000000000000 0 0 0
1056 0x000000400000 0x000000407000 r-x 0x000000000000 - - 0 /sbin/getty
1056 0x000000606000 0x000000607000 r-- 0x000000006000 - - 0 /sbin/getty
1056 0x000000607000 0x000000608000 rw- 0x000000007000 - - 0 /sbin/getty
1056 0x000000608000 0x00000060a000 rw- 0x000000000000 0 0 0
1056 0x000000000000 0x000000000000 --- 0x000000000000 0 0 0
1058 0x000000400000 0x000000407000 r-x 0x000000000000 - - 0 /sbin/getty
1058 0x000000606000 0x000000607000 r-- 0x000000006000 - - 0 /sbin/getty
1058 0x000000607000 0x000000608000 rw- 0x000000007000 - - 0 /sbin/getty
1058 0x000000608000 0x00000060a000 rw- 0x000000000000 0 0 0
1058 0x00000194c000 0x00000196d000 rw- 0x000000000000 0 0 0 [heap]
1058 0x7f44e0f56000 0x7f44e1493000 r-- 0x000000000000 252 0 660935 /usr/lib/locale/locale-archive
1058 0x000000000000 0x000000000000 --- 0x000000000000 0 0 0
1074 0x7f8f09279000 0x7f8f09285000 r-x 0x000000000000 - - 0 /lib/x86_64-linux-gnu/libnss_files-2.17.so
1074 0x7f8f09285000 0x7f8f09484000 --- 0x00000000c000 - - 0 /lib/x86_64-linux-gnu/libnss_files-2.17.so
1074 0x7f8f09484000 0x7f8f09485000 r-- 0x00000000b000 - - 0 /lib/x86_64-linux-gnu/libnss_files-2.17.so
1074 0x7f8f09485000 0x7f8f09486000 rw- 0x00000000c000 - - 0 /lib/x86_64-linux-gnu/libnss_files-2.17.so
1074 0x7f8f09486000 0x7f8f09491000 r-x 0x000000000000 - - - -
1074 0x7f8f09491000 0x7f8f09690000 --- 0x00000000b000 - - - -
1074 0x7f8f09690000 0x7f8f09691000 r-- 0x00000000a000 - - - -
1074 0x7f8f09691000 0x7f8f09692000 rw- 0x00000000b000 - - - -
[...]
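As an added example (not part of the Rekall documentation or code base), a small Python parser for the maps table above that applies two triage heuristics to the rows: regions that are writable and executable at once, and executable regions with no resolvable file path. The rows are copied from the sample output except for one constructed rwx row for pid 1074; the heuristics and helper names are assumptions, not Rekall's.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed input: rows copied from the maps sample output above, plus one
# constructed rwx row for pid 1074 (not on the page) to exercise the W+X check.
SAMPLE_MAPS = """\
Pid Start End Flags Pgoff Major Minor Inode File Path
-------- -------------- -------------- ------ -------------- ------ ------ ------------- ----
966 0x000000000000 0x000000000000 --- 0x000000000000 0 0 0
1031 0x000000400000 0x00000043a000 r-x 0x000000000000 - - - -
1031 0x0000012be000 0x0000012df000 rw- 0x000000000000 0 0 0 [heap]
1056 0x000000400000 0x000000407000 r-x 0x000000000000 - - 0 /sbin/getty
1058 0x7f44e0f56000 0x7f44e1493000 r-- 0x000000000000 252 0 660935 /usr/lib/locale/locale-archive
1074 0x7f8f09279000 0x7f8f09285000 r-x 0x000000000000 - - 0 /lib/x86_64-linux-gnu/libnss_files-2.17.so
1074 0x7f8f09486000 0x7f8f09491000 r-x 0x000000000000 - - - -
1074 0x7f8f09691000 0x7f8f09692000 rw- 0x00000000b000 - - - -
1074 0x7f8f0a000000 0x7f8f0a010000 rwx 0x000000000000 0 0 0
[...]
"""


@dataclass(frozen=True)
class Mapping:
    pid: int
    start: int
    end: int
    flags: str      # three characters as printed by the plugin, e.g. "r-x"
    pgoff: int
    inode: str      # kept as text: "-" when Rekall could not resolve it
    path: str       # "/..." or "[heap]" when known, "-" when unresolved, "" if the column is absent

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def executable(self) -> bool:
        return "x" in self.flags

    @property
    def writable(self) -> bool:
        return "w" in self.flags

    @property
    def file_backed(self) -> bool:
        return self.path.startswith("/")


def parse_maps(text: str) -> List[Mapping]:
    """Parse the maps table. Header, rule, prompt and "[...]" lines do not start
    with a digit and are skipped; zero-length sentinel rows (0x0-0x0) are dropped."""
    rows: List[Mapping] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or not line[0].isdigit():
            continue
        parts = line.split(None, 8)   # maxsplit keeps a path containing spaces intact
        if len(parts) < 8:
            continue
        pid, start, end, flags, pgoff, _major, _minor, inode = parts[:8]
        path = parts[8] if len(parts) > 8 else ""
        m = Mapping(int(pid), int(start, 16), int(end, 16), flags, int(pgoff, 16), inode, path)
        if m.size > 0:
            rows.append(m)
    return rows


def flag_mappings(rows: List[Mapping]) -> List[Tuple[Mapping, str]]:
    """Triage heuristics (leads to follow up, not verdicts):
    - a region that is writable and executable at once, which is rare outside JITs;
    - an executable region with no resolvable file behind it. Injected code looks
      like this, but so does a dentry Rekall could not resolve (pid 1031's '-' path
      above), so confirm with vaddump before drawing conclusions."""
    hits: List[Tuple[Mapping, str]] = []
    for m in rows:
        if m.writable and m.executable:
            hits.append((m, "writable+executable"))
        elif m.executable and not m.file_backed:
            hits.append((m, "executable without file backing"))
    return hits


def report(hits: List[Tuple[Mapping, str]]) -> str:
    """One line per hit, in the page's column order."""
    return "\n".join(
        "%-6d 0x%012x-0x%012x %s %8d bytes  %s  (%s)"
        % (m.pid, m.start, m.end, m.flags, m.size, m.path or "-", why)
        for m, why in hits
    )


if __name__ == "__main__":
    print(report(flag_mappings(parse_maps(SAMPLE_MAPS))))
```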
mcat
Returns the contents available in memory for a given file.
Ranges of the file that are not present in memory are returned blank.
Plugin Arguments
device | Name of the device to match. (type: String) |
dump_dir | Path suitable for dumping files. (type: String) |
path | Path to the file. (type: String) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
You can find the list of files in memory by using the mls plugin.
memdump
Dump the addressable memory for a process.
Plugin Arguments
all | Use the entire range of address space. (type: Boolean) |
coalesce | Merge contiguous pages into larger ranges. (type: Boolean) |
dump_dir | Path suitable for dumping files. (type: String) |
method | Method to list processes (Default uses all methods). (type: ChoiceArray) |
pids | One or more pids of processes to select. (type: ArrayIntParser) |
proc_regex | A regex to select a process by name. (type: RegEx) |
task | Kernel addresses of task structs. (type: ArrayIntParser) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
memmap
Dumps the memory map for Linux tasks.
Plugin Arguments
all | Use the entire range of address space. (type: Boolean) |
coalesce | Merge contiguous pages into larger ranges. (type: Boolean) |
method | Method to list processes (Default uses all methods). (type: ChoiceArray) |
pids | One or more pids of processes to select. (type: ArrayIntParser) |
proc_regex | A regex to select a process by name. (type: RegEx) |
task | Kernel addresses of task structs. (type: ArrayIntParser) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
mfind
Finds a file by name in memory.
Plugin Arguments
device | Name of the device to match. (type: String) |
path | Path to the file. (type: String) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
mfind can and will find multiple files if more than one file potentially matches the path. You can use the --device parameter to filter by device name if you want to target a specific mountpoint.
Sample output
[1] Linux-3.2.0-4-686-pae.E01 12:56:58> mfind "/etc/passd"
--------------------------------------> mfind("/etc/passd")
[1] Linux-3.2.0-4-686-pae.E01 12:58:00> mfind "/etc/passwd"
--------------------------------------> mfind("/etc/passwd")
Files on device /dev/disk/by-uuid/55bda481-150f-442e-b781-231a904cebd1 mounted at /.
Perms uid gid size mtime atime ctime inode path
----------- ---------- ---------- -------------- ------------------------ ------------------------ ------------------------ ---------- ------------------------------------------------------------
-rw-r--r-- 0 0 942 2013-12-03 12:21:50+0000 2014-11-28 10:59:14+0000 2013-12-03 12:21:50+0000 128 /etc/passwd
[1] Linux-3.2.0-4-686-pae.E01 12:58:05> mfind "/dev/pts/0"
--------------------------------------> mfind("/dev/pts/0")
[1] Linux-3.2.0-4-686-pae.E01 12:58:12> mfind "/dev/pts"
--------------------------------------> mfind("/dev/pts")
Files on device devpts mounted at /dev/pts.
Perms uid gid size mtime atime ctime inode path
----------- ---------- ---------- -------------- ------------------------ ------------------------ ------------------------ ---------- ------------------------------------------------------------
drwxr-xr-x 0 0 0 2014-11-28 11:40:08+0000 2014-11-28 11:40:08+0000 2014-11-28 11:40:08+0000 1 /dev/pts
Files on device udev mounted at /dev.
Perms uid gid size mtime atime ctime inode path
----------- ---------- ---------- -------------- ------------------------ ------------------------ ------------------------ ---------- ------------------------------------------------------------
drwxr-xr-x 0 0 40 2014-11-28 11:40:08+0000 2014-11-28 11:40:08+0000 2014-11-28 11:40:08+0000 1137 /dev/pts
mls
Lists the files in a mounted filesystem.
Plugin Arguments
device | Name of the device to match. (type: String) |
path | Path to the file. (type: String) |
recursive | Recursive listing (type: Boolean) |
unallocated | Show files that have no inode information. (type: Boolean) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
Sample output
$ PYTHONPATH=. python rekall/rekal.py -f Linux-3.2.0-4-686-pae.E01 --profile_path ../my-profiles/ https://raw.githubusercontent.com/google/rekall-profiles/master/ - mls "/"
Files on device /dev/disk/by-uuid/55bda481-150f-442e-b781-231a904cebd1 mounted at /.
Perms uid gid size mtime atime ctime inode path
----------- ---------- ---------- -------------- ------------------------ ------------------------ ------------------------ ---------- ------------------------------------------------------------
--------- 0 0 0 - - - 0 /
drwxr-xr-x 0 0 4096 2013-12-03 12:18:39+0000 2012-06-01 01:12:42+0000 2013-12-03 12:18:39+0000 576 /bin
drwxr-xr-x 0 0 4096 2013-12-03 12:14:16+0000 2013-12-03 12:19:41+0000 2013-12-03 12:14:16+0000 574 /dev
drwxr-xr-x 0 0 4096 2014-11-28 11:40:10+0000 2014-11-28 11:41:27+0000 2014-11-28 11:40:10+0000 15 /etc
drwxr-xr-x 0 0 4096 2013-12-03 13:25:13+0000 2014-01-28 11:40:22+0000 2013-12-03 13:25:13+0000 247 /lib
drwxr-xr-x 0 0 4096 2013-12-03 12:12:06+0000 2013-12-03 12:15:21+0000 2013-12-03 12:12:06+0000 17 /media
drwxr-xr-x 0 0 4096 2013-10-07 15:25:28+0000 2013-10-07 15:25:28+0000 2013-12-03 12:12:10+0000 571 /proc
drwx------ 0 0 4096 2014-02-24 13:05:51+0000 2014-11-28 11:02:32+0000 2014-02-24 13:05:51+0000 570 /root
drwxr-xr-x 0 0 4096 2013-12-03 12:20:20+0000 2013-12-03 12:20:20+0000 2013-12-03 12:20:20+0000 569 /run
drwxr-xr-x 0 0 4096 2013-12-03 12:20:20+0000 2013-07-18 03:10:56+0000 2013-12-03 12:20:20+0000 230 /sbin
drwxr-xr-x 0 0 4096 2012-06-10 07:11:32+0000 2012-06-10 07:11:32+0000 2013-12-03 12:12:10+0000 734 /selinux
drwxr-xr-x 0 0 4096 2013-07-18 03:10:52+0000 2013-07-18 03:10:52+0000 2013-12-03 12:12:11+0000 568 /sys
drwxrwxrwxt 0 0 4096 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 567 /tmp
drwxr-xr-x 0 0 4096 2013-12-03 12:12:13+0000 2014-01-28 12:14:39+0000 2013-12-03 12:12:13+0000 168 /usr
drwxr-xr-x 0 0 4096 2013-12-03 12:12:13+0000 2013-12-03 12:19:03+0000 2013-12-03 12:12:13+0000 12 /var
**************************************************
Files on device devtmpfs mounted at /.
Perms uid gid size mtime atime ctime inode path
----------- ---------- ---------- -------------- ------------------------ ------------------------ ------------------------ ---------- ------------------------------------------------------------
lrwxrwxrwx 0 0 9 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 3464 /MAKEDEV
--------- 0 0 0 - - - 0 /autofs
--------- 0 0 0 - - - 0 /block
crw-------T 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3041 /btrfs-control
--------- 0 0 0 - - - 0 /bus
drwxr-xr-x 0 0 2440 2014-11-28 11:40:09+0000 2014-11-28 11:40:08+0000 2014-11-28 11:40:09+0000 1184 /char
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1037 /console
lrwxrwxrwx 0 0 11 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 3030 /core
--------- 0 0 0 - - - 0 /cpu
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1129 /cpu_dma_latency
--------- 0 0 0 - - - 0 /disk
lrwxrwxrwx 0 0 13 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 3034 /fd
crw-rw-rw- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1031 /full
--------- 0 0 0 - - - 0 /fuse
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3721 /hidraw0
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1113 /hpet
drwxr-xr-x 0 0 260 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 1114 /input
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1034 /kmsg
srw-rw-rw- 0 0 0 2014-11-28 11:40:10+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:10+0000 4761 /log
crw-------T 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3042 /loop-control
--------- 0 0 0 - - - 0 /loop0
brw-rw----T 0 6 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 4253 /loop1
brw-rw----T 0 6 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 4256 /loop2
brw-rw----T 0 6 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 4259 /loop3
brw-rw----T 0 6 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 4264 /loop4
brw-rw----T 0 6 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 4267 /loop5
brw-rw----T 0 6 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 4271 /loop6
brw-rw----T 0 6 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 4274 /loop7
--------- 0 0 0 - - - 0 /mapper
crw-r-----T 0 15 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1027 /mem
--------- 0 0 0 - - - 0 /net
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1130 /network_latency
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1131 /network_throughput
crw-rw-rw- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1028 /null
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1035 /oldmem
crw-r-----T 0 15 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1029 /port
--------- 0 0 0 - - - 0 /ppp
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1116 /psaux
crw-rw-rw- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1107 /ptmx
drwxr-xr-x 0 0 40 2014-11-28 11:40:08+0000 2014-11-28 11:40:08+0000 2014-11-28 11:40:08+0000 1137 /pts
crw-rw-rw- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1032 /random
lrwxrwxrwx 0 0 4 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 3731 /root
--------- 0 0 0 - - - 0 /rtc
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1117 /rtc0
lrwxrwxrwx 0 0 8 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3947 /shm
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1106 /snapshot
--------- 0 0 0 - - - 0 /snd
--------- 0 0 0 - - - 0 /sndstat
lrwxrwxrwx 0 0 15 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 3040 /stderr
lrwxrwxrwx 0 0 15 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 3036 /stdin
lrwxrwxrwx 0 0 15 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:09+0000 3038 /stdout
crw-rw-rw- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1036 /tty
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1038 /tty0
crw------- 0 5 0 2014-11-28 11:41:20+0000 2014-11-28 11:41:20+0000 2014-11-28 11:40:16+0000 1043 /tty1
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1052 /tty10
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1053 /tty11
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1054 /tty12
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1055 /tty13
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1056 /tty14
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1057 /tty15
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1058 /tty16
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1059 /tty17
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1060 /tty18
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1061 /tty19
crw-rw---- 0 5 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 1044 /tty2
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1062 /tty20
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1063 /tty21
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1064 /tty22
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1065 /tty23
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1066 /tty24
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1067 /tty25
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1068 /tty26
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1069 /tty27
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1070 /tty28
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1071 /tty29
crw-rw---- 0 5 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 1045 /tty3
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1072 /tty30
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1073 /tty31
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1074 /tty32
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1075 /tty33
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1076 /tty34
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1077 /tty35
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1078 /tty36
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1079 /tty37
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1080 /tty38
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1081 /tty39
crw-rw---- 0 5 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 1046 /tty4
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1082 /tty40
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1083 /tty41
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1084 /tty42
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1085 /tty43
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1086 /tty44
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1087 /tty45
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1088 /tty46
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1089 /tty47
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1090 /tty48
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1091 /tty49
crw-rw---- 0 5 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 1047 /tty5
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1092 /tty50
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1093 /tty51
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1094 /tty52
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1095 /tty53
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1096 /tty54
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1097 /tty55
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1098 /tty56
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1099 /tty57
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1100 /tty58
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1101 /tty59
crw-rw---- 0 5 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:10+0000 1048 /tty6
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1102 /tty60
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1103 /tty61
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1104 /tty62
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1105 /tty63
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1049 /tty7
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1050 /tty8
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1051 /tty9
crw-rw----T 0 20 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1112 /ttyS0
crw-rw----T 0 20 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1109 /ttyS1
crw-rw----T 0 20 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1110 /ttyS2
crw-rw----T 0 20 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1111 /ttyS3
--------- 0 0 0 - - - 0 /uinput
crw-rw-rw- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1033 /urandom
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1039 /vcs
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1041 /vcs1
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3897 /vcs2
--------- 0 0 0 - - - 0 /vcs3
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3907 /vcs4
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3912 /vcs5
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3917 /vcs6
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1040 /vcsa
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1042 /vcsa1
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3898 /vcsa2
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3903 /vcsa3
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3908 /vcsa4
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3913 /vcsa5
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 3918 /vcsa6
--------- 0 0 0 - - - 0 /vda
--------- 0 0 0 - - - 0 /vda1
--------- 0 0 0 - - - 0 /vda2
--------- 0 0 0 - - - 0 /vda5
crw------- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1026 /vga_arbiter
frw-r----- 0 4 0 2014-11-28 11:40:20+0000 2014-11-28 11:40:10+0000 2014-11-28 11:40:20+0000 4753 /xconsole
crw-rw-rw- 0 0 0 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 2014-11-28 11:40:09+0000 1030 /zero
**************************************************
Note that you may sometimes have to specify the right device in order to get only the data you want, as in this example. Use the --device parameter in that case.
$ PYTHONPATH=. python rekall/rekal.py -f Linux-3.2.0-4-686-pae.E01 --profile_path ../my-profiles/ https://raw.githubusercontent.com/google/rekall-profiles/master/ - mls "/" --device="/dev/disk/by-uuid/55bda481-150f-442e-b781-231a904cebd1"
moddump
Dumps loaded kernel modules.
Plugin Arguments
dump_dir | Dump directory. (type: String) |
regexp | Regexp on the module name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
The list of loaded modules is obtained by running the lsmod plugin.
Sample output
$ PYTHONPATH=. python rekall/rekal.py -f Linux-3.2.0-4-686-pae.E01 --profile_path ../my-profiles/ https://raw.githubusercontent.com/google/rekall-profiles/master/ - moddump --regex ext4 --dump_dir .
Wrote 306996 bytes to ext4.0xf836a000.lkm
mount
Lists the mount points.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
Sample output
[1] Linux-3.2.0-4-686-pae.E01 12:56:57> mount
--------------------------------------> mount()
Device Path Type flags
-------------------------------------------------- -------------------------------------------------- -------------- --------------------
proc /proc proc rw, nodev, noexec, nosuid, relatime
devpts /dev/pts devpts rw, noexec, nosuid, relatime
tmpfs /run/lock tmpfs rw, nodev, noexec, nosuid, relatime
tmpfs /run/shm tmpfs rw, nodev, noexec, nosuid, relatime
udev /dev devtmpfs rw, relatime
tmpfs /run tmpfs rw, noexec, nosuid, relatime
rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs rw, relatime
/dev/disk/by-uuid/55bda481-150f-442e-b781-231a904cebd1 / ext4 rw, relatime
devtmpfs / devtmpfs rw, relatime
sysfs /sys sysfs rw, nodev, noexec, nosuid, relatime
notifier_chains
Outputs and verifies kernel notifier chains.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
The Linux kernel can notify modules on certain events. This is done by subscribing to a notifier chain. A notifier chain is an ordered list of functions the kernel will call when an event is triggered.
Rekall analyzes the following notifier chains and shows whether any callback function is registered:
- keyboard_notifier_list, which is used to notify on keyboard events and which some keyloggers use.
- vt_notifier_list, which is used to notify when there are events on a virtual terminal and could be used to assist in monitoring ttys.
Normally, no callbacks are registered in any of these notifier chains and Rekall produces no output.
Sample output
$ PYTHONPATH=. python rekall/rekal.py -f Linux-3.2.0-4-686-pae.E01 --profile_path ../my-profiles/ https://raw.githubusercontent.com/google/rekall-profiles/master/ - notifier_chains
Chain symbol Index Priority Address Module Symbol
------------------------- ----- -------- ---------- -------------------- ----------------------------------------
pas2vas
Resolves a physical address to a virtual address in a process.
Plugin Arguments
method | Method to list processes (Default uses all methods). (type: ChoiceArray) |
offsets | A list of physical offsets to resolve. (type: ArrayIntParser) |
pids | One or more pids of processes to select. (type: ArrayIntParser) |
proc_regex | A regex to select a process by name. (type: RegEx) |
task | Kernel addresses of task structs. (type: ArrayIntParser) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
pidhashtable
List processes by enumerating the pid hash tables.
Plugin Arguments
method | Method to list processes (Default uses all methods). (type: ChoiceArray) |
pids | One or more pids of processes to select. (type: ArrayIntParser) |
proc_regex | A regex to select a process by name. (type: RegEx) |
task | Kernel addresses of task structs. (type: ArrayIntParser) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
pkt_queues
Dumps the current packet queues for all known open sockets.
Plugin Arguments
dump_dir | Output directory |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
psaux
Gathers processes along with full command line and start time.
Plugin Arguments
method | Method to list processes (Default uses all methods). (type: ChoiceArray) |
pids | One or more pids of processes to select. (type: ArrayIntParser) |
proc_regex | A regex to select a process by name. (type: RegEx) |
task | Kernel addresses of task structs. (type: ArrayIntParser) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
pslist
Gathers active tasks by walking the task_struct->task list.
It does not display the swapper process. If the DTB column is blank, the item is likely a kernel thread.
Plugin Arguments
method | Method to list processes (Default uses all methods). (type: ChoiceArray) |
pids | One or more pids of processes to select. (type: ArrayIntParser) |
proc_regex | A regex to select a process by name. (type: RegEx) |
task | Kernel addresses of task structs. (type: ArrayIntParser) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
pstree
Shows the parent/child relationship between processes.
This plugin prints a parent/child relationship tree by walking the task_struct.children and task_struct.sibling members.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
psxview
Finds hidden processes by comparing various process listings.
Plugin Arguments
method | Method to list processes. (type: ChoiceArray) |
pids | One or more pids of processes to select. (type: ArrayIntParser) |
proc_regex | A regex to select a process by name. (type: RegEx) |
task | Kernel addresses of task structs. (type: ArrayIntParser) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
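The cross-view idea behind psxview, applied to the kinds of listings pslist, pidhashtable and pstree produce, as an added example that is not Rekall code: constructed per-method listings are merged into one table and every pid a method missed is reported, except misses the page itself explains, such as pslist never showing the swapper process. The method labels, process names and the EXPECTED_MISSES set are assumptions made for the example.

```python
from typing import Dict, List, Set, Tuple

Proc = Tuple[int, str]   # (pid, comm)

# Constructed listings, not Rekall output. Keys reuse the names of the process
# enumeration plugins on this page; pids 1056/1058 (getty), 1199 (libvirtd) and
# 1335 (bash) are taken from the sample output above, the rest is made up.
# pid 1199 is present only in the pid hash table, which is what a task_struct
# unlinked from the task list would look like across these views.
LISTINGS: Dict[str, Set[Proc]] = {
    "pslist":       {(1, "init"), (1056, "getty"), (1058, "getty"), (1335, "bash")},
    "pidhashtable": {(0, "swapper"), (1, "init"), (1056, "getty"), (1058, "getty"),
                     (1199, "libvirtd"), (1335, "bash")},
    "pstree":       {(1, "init"), (1056, "getty"), (1058, "getty"), (1335, "bash")},
}

# Discrepancies explained by how a method works are not hidden processes: the page
# notes pslist never shows the swapper process (pid 0); assumed for pstree as well.
EXPECTED_MISSES: Set[Tuple[int, str]] = {(0, "pslist"), (0, "pstree")}


def cross_view(listings: Dict[str, Set[Proc]]) -> Dict[int, dict]:
    """Build {pid: {"names": set_of_names, "seen": {method: bool}}} over every pid
    any method returned, so a pid hidden from one view still gets a row."""
    methods = sorted(listings)
    by_pid: Dict[int, dict] = {}
    for method in methods:
        for pid, name in listings[method]:
            entry = by_pid.setdefault(pid, {"names": set(), "seen": {m: False for m in methods}})
            entry["names"].add(name)
            entry["seen"][method] = True
    return dict(sorted(by_pid.items()))


def hidden_candidates(view: Dict[int, dict],
                      expected: Set[Tuple[int, str]] = EXPECTED_MISSES
                      ) -> List[Tuple[int, List[str], List[str]]]:
    """pids absent from at least one listing (beyond the expected misses), with
    every name seen for them; more than one name for one pid is itself a finding."""
    out: List[Tuple[int, List[str], List[str]]] = []
    for pid, info in view.items():
        missing = [m for m, ok in info["seen"].items() if not ok and (pid, m) not in expected]
        if missing or len(info["names"]) > 1:
            out.append((pid, sorted(info["names"]), missing))
    return out


def render(view: Dict[int, dict]) -> str:
    """psxview-style table: one row per pid, one True/False column per method."""
    if not view:
        return ""
    methods = list(next(iter(view.values()))["seen"])
    lines = ["%-8s %-16s %s" % ("Pid", "Name", " ".join("%-13s" % m for m in methods))]
    for pid, info in view.items():
        marks = " ".join("%-13s" % str(info["seen"][m]) for m in methods)
        lines.append("%-8d %-16s %s" % (pid, "/".join(sorted(info["names"])), marks))
    return "\n".join(lines)


if __name__ == "__main__":
    view = cross_view(LISTINGS)
    print(render(view))
    for pid, names, missing in hidden_candidates(view):
        print("pid %d (%s) missing from: %s" % (pid, ",".join(names), ", ".join(missing)))
```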
vaddump
Dump the VMA memory for a process.
Plugin Arguments
dump_dir | Path suitable for dumping files. (type: String) |
method | Method to list processes (Default uses all methods). (type: ChoiceArray) |
pids | One or more pids of processes to select. (type: ArrayIntParser) |
proc_regex | A regex to select a process by name. (type: RegEx) |
task | Kernel addresses of task structs. (type: ArrayIntParser) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
yarascan
Scan using yara signatures.
Plugin Arguments
binary_string | A binary string (encoded as hex) to search for. e.g. 000102[1-200]0506 (type: String) |
context | Context to print after the hit. (type: IntParser) |
hits | Quit after finding this many hits. (type: IntParser) |
method | Method to list processes (Default uses all methods). (type: ChoiceArray) |
pids | One or more pids of processes to select. (type: ArrayIntParser) |
pre_context | Context to print before the hit. (type: IntParser) |
proc_regex | A regex to select a process by name. (type: RegEx) |
scan_kernel | Scan the entire kernel address space. (type: Boolean) |
scan_physical | Scan the physical address space only. (type: Boolean) |
scan_process_memory | Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean) |
string | A verbatim string to search for. (type: String) |
task | Kernel addresses of task structs. (type: ArrayIntParser) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser) |
yara_expression | If provided we scan for this yara expression. (type: String) |
yara_file | The yara signature file to read. (type: String) |