Source Code for Module rekall.ipython_support

  1  #!/usr/bin/python 
  2   
  3  # Rekall Memory Forensics 
  4  # Copyright 2013 Google Inc. All Rights Reserved. 
  5  # 
  6  # This program is free software; you can redistribute it and/or modify 
  7  # it under the terms of the GNU General Public License as published by 
  8  # the Free Software Foundation; either version 2 of the License, or (at 
  9  # your option) any later version. 
 10  # 
 11  # This program is distributed in the hope that it will be useful, but 
 12  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 14  # General Public License for more details. 
 15  # 
 16  # You should have received a copy of the GNU General Public License 
 17  # along with this program; if not, write to the Free Software 
 18  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 19  # 
 20   
 21  """Support IPython 4.0.""" 
 22   
 23  # pylint: disable=protected-access 
 24   
 25  __author__ = "Michael Cohen <scudette@gmail.com>" 
 26  import logging 
 27  import re 
 28  import time 
 29   
 30  import readline 
 31   
 32  from pygments.token import Token 
 33  from pygments import styles 
 34   
 35  import IPython 
 36  from IPython.core import page 
 37  from IPython.core import oinspect 
 38  from IPython.core.interactiveshell import InteractiveShell 
 39  from IPython.terminal import embed 
 40  from IPython.terminal import prompts 
 41   
 42  try: 
 43      from traitlets.config.loader import Config 
 44  except ImportError: 
 45      from IPython.config.loader import Config 
 46   
 47  from rekall import constants 
 48  from rekall import config 
 49  from rekall import session as session_module 
 50  from rekall_lib import utils 
 51   
 52   
 53  config.DeclareOption( 
 54      "--highlighting_style", default="monokai", type="Choices", 
 55      choices=list(styles.get_all_styles()), 
 56      help="Highlighting style for interactive console.") 
 57   
 58   
 59 -def RekallCompleter(self, text): 
 60      """Sophisticated command line completer for Rekall.""" 
 61      try: 
 62          command_parts = self.line_buffer.split(" ") 
 63          command = command_parts[0] 
 64   
 65          if command.startswith("plugins."): 
 66              command = command[len("plugins."):] 
 67   
 68          global_matches = set(self.global_matches(command)) 
 69   
 70          # Complete strings which look like symbol names. 
 71          m = re.match("\"([^!]+![^\"]*)$", command_parts[-1]) 
 72          if m: 
 73              session = self.namespace.get("session") 
 74   
 75              # If this is the only match, close the quotes to save typing. 
 76              result = session.address_resolver.search_symbol(m.group(1) + "*") 
 77              if len(result) == 1: 
 78                  result = [result[0] + "\""] 
 79   
 80              result = [utils.SmartUnicode(x.split("!", 1)[1]) for x in result] 
 81              return result 
 82   
 83          # Only complete if there is exactly one object which matches and a space 
 84          # was typed after it. e.g.: pslist <cursor> 
 85          if (command in global_matches and len(command_parts) > 1): 
 86              # Get the object and ask it about the list of args that it supports. 
 87              obj = self.namespace.get(command) 
 88              if obj: 
 89                  try: 
 90                      matches = [ 
 91                          "%s=" % x["name"] for x in obj.Metadata()["arguments"]] 
 92                      return [utils.SmartUnicode(x) 
 93                              for x in matches if x.startswith(text)] 
 94                  except Exception: 
 95                      pass 
 96   
 97          return [] 
 98   
 99      # Wide exception is necessary here because otherwise the completer will 
100      # swallow all errors. 
101      except Exception as e: 
102          logging.debug(e) 
103   
104      return [] 
105   
106   
107 -class RekallObjectInspector(oinspect.Inspector): 
108      """Rekall specific object inspector. 
109   
110      Rekall populates the environment with "plugin runners" which are proxies of 
111      the actual plugin that will be invoked. The exact plugin will be invoked 
112      depending on the profile availability. 
113   
114      In order to make ipython's ? and ?? operators work, we need to implement 
115      specialized inspection to present the doc strings and arg list of the actual 
116      plugin. 
117      """ 
118   
119 -    def _format_parameter(self, displayfields, arg): 
120          desc = arg["help"] 
121          try: 
122              type = arg["type"] 
123              if type in ["Choices", "ChoiceArray"] and arg["choices"]: 
124                  desc += " (type: %s: %s)" % (type, ", ".join(arg["choices"])) 
125              else: 
126                  desc += " (type: %s)" % type 
127   
128          except KeyError: 
129              pass 
130   
131          displayfields.append(("  " + arg["name"], desc)) 
132   
133 -    def format_parameters(self, plugin_class, positional=True): 
134          displayfields = [] 
135          command_metadata = config.CommandMetadata(plugin_class).Metadata() 
136   
137          # First format positionals: 
138          for arg in command_metadata["arguments"]: 
139              if arg.get("hidden"): 
140                  continue 
141   
142              if arg.get("positional", False) == positional: 
143                  self._format_parameter(displayfields, arg) 
144   
145          if displayfields: 
146              return self._format_fields(displayfields) 
147   
148          return "" 
149   
150 -    def plugin_pinfo(self, runner, detail_level=0): 
151          """Generate info dict for a plugin from a plugin runner.""" 
152          plugin_class = getattr( 
153              runner.session.plugins, runner.plugin_name)._target 
154   
155          display_fields = [ 
156              ("file", oinspect.find_file(plugin_class)), 
157              ("Plugin", "%s (%s)" % (plugin_class.__name__, plugin_class.name))] 
158          if getattr(plugin_class, "table_header", None): 
159              display_fields.append( 
160                  ("", "This is a Typed Plugin.")) 
161   
162          display_fields += [ 
163              ("Positional Args", 
164               self.format_parameters(plugin_class, True)), 
165              ("Keyword Args", 
166               self.format_parameters(plugin_class, False)), 
167              ("Docstring", oinspect.getdoc(plugin_class) or ""), 
168              ("Link", ( 
169                  "http://www.rekall-forensic.com/epydocs/%s.%s-class.html" % ( 
170                      plugin_class.__module__, plugin_class.__name__))), 
171          ] 
172   
173          # Include the source if required. 
174          if detail_level > 0: 
175              info = self.info(plugin_class, detail_level=detail_level) 
176              display_fields.append(("source", self.format(info["source"]))) 
177   
178          return self._format_fields(display_fields) 
179   
180 -    def pinfo(self, obj, oname='', formatter=None, info=None, 
181                detail_level=0, **kw): 
182          if isinstance(obj, session_module.PluginRunner): 
183              # Delegate info generation for PluginRunners. 
184              result = self.plugin_pinfo(obj, detail_level=detail_level) 
185              if result: 
186                  page.page(result) 
187   
188          else: 
189              oinspect.Inspector.pinfo( 
190                  self, obj, oname=oname, formatter=formatter, 
191                  info=info, detail_level=detail_level) 
192   
193   
194 -class RekallShell(embed.InteractiveShellEmbed): 
195      banner = display_banner = constants.BANNER 
196   
197 -    def atexit_operations(self): 
198          self.user_module.session.Flush() 
199   
200 -    def init_inspector(self): 
201          super(RekallShell, self).init_inspector() 
202   
203          # This is a hack but seems the only way to make get_ipython() work 
204          # properly. 
205          InteractiveShell._instance = self 
206          ipython_version = IPython.__version__ 
207   
208          # IPython 5 (4 should work too) is the one we standardize on right 
209          # now. This means we support earlier ones but turn off the bells and 
210          # whistles. 
211          if "4.0.0" <= ipython_version < "6.0.0": 
212              self.inspector = RekallObjectInspector() 
213   
214          else: 
215              self.user_ns.session.logging.warn( 
216                  "Warning: IPython version %s not fully supported. " 
217                  "We recommend installing IPython version 5.", 
218                  ipython_version) 
219   
220   
221  REGISTERED_MAGICS = [] 
222   
223 -class RekallPrompt(prompts.Prompts): 
224 -    def in_prompt_tokens(self, cli=None): 
225          session = self.shell.user_module.session 
226          style = session.GetParameter("highlighting_style") 
227          old_style = self.shell.highlighting_style 
228          if style != old_style: 
229              try: 
230                  self.shell.highlighting_style = style 
231              except Exception: 
232                  self.shell.highlighting_style = old_style 
233                  session.logging.error( 
234                      "Style %s not valid. Valid styles are %s" % 
235                      (style, list(styles.get_all_styles()))) 
236   
237          return [ 
238              (Token.Prompt, "["), 
239              (Token.Name.Variable, str(session.session_id)), 
240              (Token.Prompt, "] "), 
241              (Token.Name.Class, str(session.session_name)), 
242              (Token.Prompt, " "), 
243              (Token.Comment, time.strftime("%H:%M:%S")), 
244              (Token.Prompt, "> "), 
245          ] 
246   
247 -    def out_prompt_tokens(self): 
248          return [ 
249              (Token.OutPrompt, 'Out<'), 
250              (Token.Comment, time.strftime("%H:%M:%S")), 
251              (Token.OutPrompt, '> '), 
252          ] 
253   
254   
255 -def Shell(user_session): 
256      # This should bring back the old autocall behaviour. e.g.: 
257      # In [1]: pslist 
258      cfg = Config() 
259      cfg.InteractiveShellEmbed.autocall = 2 
260      cfg.TerminalInteractiveShell.prompts_class = RekallPrompt 
261      cfg.InteractiveShell.separate_in = '' 
262      cfg.InteractiveShell.separate_out = '' 
263      cfg.InteractiveShell.separate_out2 = '' 
264   
265      shell = RekallShell(config=cfg, user_ns=user_session.locals) 
266   
267      shell.Completer.merge_completions = False 
268      shell.exit_msg = constants.GetQuote() 
269      shell.set_custom_completer(RekallCompleter, 0) 
270   
271      # Do we need to pre-run something? 
272      if user_session.run != None: 
273          execfile(user_session.run, user_session.locals) 
274   
275      user_session.shell = shell 
276   
277      # Set known delimeters for the completer. This varies by OS so we need to 
278      # set it to ensure consistency. 
279      readline.set_completer_delims(' \t\n`!@#$^&*()=+[{]}\\|;:\'",<>?') 
280   
281      for magic in REGISTERED_MAGICS: 
282          shell.register_magics(magic) 
283   
284      shell(module=user_session.locals, ) 
285   
286      return True 
287