
Source Code for Module rekall.plugins.addrspaces.mmap_address_space

  1  # Rekall Memory Forensics 
  2  # Copyright (C) 2012 
  3  # Copyright 2013 Google Inc. All Rights Reserved. 
  4  # 
  5  # Authors: 
  6  # Michael Cohen <scudette@users.sourceforge.net> 
  7  # 
  8  # This program is free software; you can redistribute it and/or modify 
  9  # it under the terms of the GNU General Public License as published by 
 10  # the Free Software Foundation; either version 2 of the License, or (at 
 11  # your option) any later version. 
 12  # 
 13  # This program is distributed in the hope that it will be useful, but 
 14  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 15  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 16  # General Public License for more details. 
 17  # 
 18  # You should have received a copy of the GNU General Public License 
 19  # along with this program; if not, write to the Free Software 
 20  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 21  # 
 22   
 23  """ These are standard address spaces supported by Rekall Memory Forensics """ 
 24   
 25  import mmap 
 26  import os 
 27   
 28  from rekall import addrspace 
 29   
 30   
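class MmapFileAddressSpace(addrspace.BaseAddressSpace):
    """An address space which serves reads from an mmap of an image file.

    For this AS to be instantiated, we need

    1) A file name that exists on disk, taken from the session's "filename"
       parameter or, failing that, from the ``filename`` argument.

    2) no one else has picked the AS before us

    3) base == self (we dont operate on anyone else so we need to be
       right at the bottom of the AS stack.)

    The image is mapped read-only unless the session parameter
    "writable_physical_memory" is set, so an evidence file cannot be modified
    through this class without that explicit opt-in.
    """
    # We should be the AS of last resort but before the FileAddressSpace
    order = 110
    __image = True

    def __init__(self, filename=None, **kwargs):
        """Open and map the image file.

        Args:
          filename: Path of the image. Only used when the session has no
            "filename" parameter; the session value takes precedence.
          **kwargs: Passed through to the base address space constructor.

        Raises:
          addrspace.ASAssertionError: If the file cannot be mapped. The
            as_assert() checks are project helpers - presumably they raise
            the same error when a precondition fails (confirm in addrspace).
        """
        super(MmapFileAddressSpace, self).__init__(**kwargs)
        self.as_assert(self.base is self, 'Must be first Address Space')

        path = self.session.GetParameter("filename") or filename
        self.as_assert(path and os.path.exists(path),
                       'Filename must be specified and exist')

        self.fname = self.name = os.path.abspath(path)

        writable = bool(
            self.session.GetParameter("writable_physical_memory"))
        self.mode = 'rb+' if writable else 'rb'

        self.fhandle = open(self.fname, self.mode)
        self.fhandle.seek(0, os.SEEK_END)
        self.fsize = self.fhandle.tell()
        self.offset = 0

        # The mapping must agree with the file mode: a map created with
        # ACCESS_READ rejects every slice assignment, so write() could never
        # succeed even when writable_physical_memory was requested.
        access = mmap.ACCESS_WRITE if writable else mmap.ACCESS_READ

        # On 64 bit architectures we can just map the entire image into our
        # process. Its probably not worth the effort to make it work on 32 bit
        # systems, which should just fall back to the slightly slower
        # FileAddressSpace.
        try:
            self.map = mmap.mmap(self.fhandle.fileno(), self.fsize,
                                 access=access)
        except Exception as e:
            # Do not leak the open handle when this AS is rejected.
            self.fhandle.close()
            raise addrspace.ASAssertionError("Unable to mmap: %s" % e)

    def read(self, addr, length):
        """Return ``length`` bytes starting at ``addr``, zero padded.

        Whatever cannot be read from the image (``addr`` is None or negative,
        or the range runs past the end of the file) is filled with the zeros
        supplied by addrspace.ZEROER.
        """
        result = ""
        # A negative start would be taken as an offset from the END of the
        # map by Python slicing and silently return unrelated image bytes.
        if addr is not None and addr >= 0:
            result = self.map[addr:addr + length]

        return result + addrspace.ZEROER.GetZeros(length - len(result))

    def get_mappings(self, start=0, end=2**64):
        """Yield the single run which covers the whole image file.

        ``start`` and ``end`` are accepted but not used to clip the run.
        """
        yield addrspace.Run(start=0,
                            end=self.fsize, file_offset=0,
                            address_space=self.base)

    def is_valid_address(self, addr):
        """Return True when ``addr`` is an offset inside the image file."""
        # Negative offsets are never part of the image; without this check
        # they compared as "less than fsize" and were reported valid.
        if addr is None or addr < 0:
            return False
        # NOTE(review): this bound excludes the final byte (fsize - 1), which
        # read() can still return. Kept as is for callers - confirm intent.
        return addr < self.fsize - 1

    def close(self):
        """Release the mapping and the underlying file handle."""
        try:
            self.map.close()
        finally:
            # Close the file even if unmapping raised.
            self.fhandle.close()

    def write(self, addr, data):
        """Write ``data`` into the image at ``addr``.

        Returns:
          The number of bytes written: len(data) on success, 0 when the
          write was refused (read-only mapping, bad address, or a range that
          does not fit inside the file).
        """
        # Same wrap-around hazard as read(): a negative start would address
        # the tail of the image instead of failing.
        if addr is None or addr < 0:
            return 0

        try:
            self.map[addr:addr + len(data)] = data
        except (IOError, TypeError, IndexError, ValueError):
            # mmap raises TypeError for a read-only map, IndexError when the
            # slice and the data differ in size (range past the end of the
            # file) and ValueError once the map is closed.
            return 0

        return len(data)

    def __eq__(self, other):
        """Two instances are equal when they map the same absolute path."""
        return (self.__class__ == other.__class__
                and self.fname == other.fname)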