

  1  # Rekall Memory Forensics 
  2  # 
  3  # Copyright 2015 Google Inc. All Rights Reserved. 
  4   
  5  # Authors: 
  6  # Michael Cohen <scudette@google.com> 
  7  # 
  8  # This program is free software; you can redistribute it and/or modify 
  9  # it under the terms of the GNU General Public License as published by 
 10  # the Free Software Foundation; either version 2 of the License, or (at 
 11  # your option) any later version. 
 12  # 
 13  # This program is distributed in the hope that it will be useful, but 
 14  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 15  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 16  # General Public License for more details. 
 17  # 
 18  # You should have received a copy of the GNU General Public License 
 19  # along with this program; if not, write to the Free Software 
 20  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 21  # 
 22   
 23  """This is an address space for the Lime file format. 
 24   
 25  Note that Lime is an ad-hoc file format produced by the Lime Linux memory 
 26  acquisition tool (https://github.com/504ensicsLabs/LiME). The format does not 
 27  really offer any advantages over the standard ELF core dump format and should 
 28  therefore be avoided. This address space simply allows Rekall to read images 
 29  produced by Lime for the cases where such an image is all that is available. 
 30  """ 
 31   
 32  from rekall import addrspace 
 33  from rekall.plugins.overlays import basic 
 34   
 35   
class LimeProfile(basic.ProfileLP64, basic.BasicClasses):
    """Profile describing the on-disk layout of a Lime segment header.

    A Lime image is a chain of segments.  Every segment is a 0x20 byte
    ``lime_header`` immediately followed by the raw bytes of one memory
    range; the following segment header sits directly after those bytes.
    """

    def __init__(self, **kwargs):
        super(LimeProfile, self).__init__(**kwargs)

        def segment_size(hdr):
            # 'start' and 'end' are both valid addresses of the range
            # (inclusive on both sides), hence the +1.  The header itself is
            # not part of this size.
            return hdr.end - hdr.start + 1

        def next_header(hdr):
            # The next header follows this segment's data directly:
            # this header's offset + header length + data length.
            return hdr.cast("lime_header",
                            offset=hdr.obj_offset + hdr.size + hdr.obj_size)

        lime_header_layout = [0x20, {
            # Four byte signature; "EMiL" in a well-formed image.
            'magic': [0x0, ['String', dict(length=4)]],
            'version': [0x4, ['unsigned int']],

            # First and last address of the memory range held by this
            # segment (inclusive range, so 'end' is itself a valid address).
            'start': [0x8, ['unsigned long long']],
            'end': [0x10, ['unsigned long long']],

            # Derived fields: number of data bytes in the segment, and the
            # header of the segment that follows it in the file.
            'size': segment_size,
            'next': next_header,
        }]

        self.add_overlay({'lime_header': lime_header_layout})
64 65
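class LimeAddressSpace(addrspace.RunBasedAddressSpace):
    """Address space for reading Lime memory images.

    The image is a chain of segments, each a ``lime_header`` followed by the
    raw bytes of one memory range.  On construction the chain is walked once
    and every segment is registered as a run mapping the segment's address
    range onto the file offset of its data.

    The segment headers come from the image under analysis and are therefore
    untrusted.  The walk rejects a header whose geometry is inconsistent
    instead of registering a bogus run or looping forever on it.
    """

    name = "lime"
    __image = True

    order = 50

    def __init__(self, **kwargs):
        """Check the image signature and register one run per segment.

        Raises (through as_assert) when no base address space is given, the
        signature at offset 0 is not "EMiL", or a segment header is malformed.
        """
        super(LimeAddressSpace, self).__init__(**kwargs)
        self.as_assert(self.base, "Must be layered on another address space.")

        self.as_assert(self.base.read(0, 4) == "EMiL",
                       "Invalid Lime header signature")

        header = LimeProfile(session=self.session).lime_header(vm=self.base)
        while header.magic == "EMiL":
            # 'size' is end - start + 1 and 'next' is located relative to
            # 'size'.  A header with end < start therefore yields a zero or
            # negative run length and can place the next header at or before
            # the current one, turning this loop into an infinite one on a
            # crafted or corrupt image.  Requiring start <= end gives a
            # positive size and so guarantees the walk moves forward.
            self.as_assert(
                header.start <= header.end,
                "Malformed Lime segment header at offset %#x"
                % header.obj_offset)

            # The segment data begins right after the header (obj_end).
            self.add_run(header.start, header.obj_end, header.size)
            header = header.next

    def vtop(self, addr):
        """Translate addr to a file offset.

        Addresses below the lowest run start are rebased onto that run.
        The reason is unknown: Volatility's Lime address space carries the
        same hack without explanation, and it is kept here for parity.
        """
        smallest_address = self.runs.get_next_range_start(-1)

        if addr < smallest_address:
            addr = smallest_address + addr

        return super(LimeAddressSpace, self).vtop(addr)

    def read(self, addr, length):
        """Read length bytes at addr, applying the same rebasing as vtop.

        Note the asymmetry with vtop: addr == 0 is left untouched here but
        is rebased by vtop.  Kept as-is because the rebasing itself is
        unexplained (see vtop).
        """
        smallest_address = self.runs.get_next_range_start(-1)
        if addr > 0 and addr < smallest_address:
            addr = smallest_address + addr

        return super(LimeAddressSpace, self).read(addr, length)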
105