
 1  # Rekall Memory Forensics 
 2  # Copyright 2014 Google Inc. All Rights Reserved. 
 3  # 
 4  # This program is free software; you can redistribute it and/or modify 
 5  # it under the terms of the GNU General Public License as published by 
 6  # the Free Software Foundation; either version 2 of the License, or (at 
 7  # your option) any later version. 
 8  # 
 9  # This program is distributed in the hope that it will be useful, but 
10  # WITHOUT ANY WARRANTY; without even the implied warranty of 
11  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
12  # General Public License for more details. 
13  # 
14  # You should have received a copy of the GNU General Public License 
15  # along with this program; if not, write to the Free Software 
16  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
17  # 
18   
"""Overlay a pagefile on top of the physical address space.

This is what the --pagefile option implements. Images acquired with winpmem
do not need the option: the Elf64CoreDump class already detects the pagefile
in those images.
"""

__author__ = "Michael Cohen <scudette@gmail.com>"
27   
28  from rekall import addrspace 
29  from rekall import config 
30  from rekall import session 
31   
32   
# Register the --pagefile option. It takes an array of strings so that more
# than one pagefile path can be supplied; the default is "no pagefile".
config.DeclareOption(
    "--pagefile",
    type="ArrayStringParser",
    default=[],
    help="A pagefile to load into the image.",
)
36   
37   
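class PagefilePhysicalAddressSpace(addrspace.RunBasedAddressSpace):
    """Physical address space that appends the --pagefile image(s) to the base.

    Every run of the base address space is re-exported unchanged. Each
    pagefile that can be opened is then mapped as one additional run placed
    above the end of the base image, so the rest of the framework can reach
    pagefile contents through ordinary physical addresses. The attributes
    ``pagefile_offset`` and ``pagefile_end`` record the mapped range of the
    last pagefile that was loaded.
    """

    # NOTE(review): the meaning of this name-mangled flag is not visible in
    # this module; presumably it marks an image-backed space — confirm in
    # rekall.addrspace before relying on it.
    __image = True
    name = "pagefile"
    # Presumably the priority used when several address spaces compete for
    # an image; the comparison rule lives in the framework, not here.
    order = 200

    def __init__(self, **kwargs):
        """Build the overlay from the base space and the --pagefile option.

        Args:
          **kwargs: forwarded unchanged to RunBasedAddressSpace.__init__; the
            base class is expected to leave ``self.session`` and ``self.base``
            set, since both are read right after it returns.

        Raises:
          whatever ``as_assert`` raises when no pagefile was specified, or
          when the base is itself a PagefilePhysicalAddressSpace (stacking
          this overlay on top of itself).
        """
        super(PagefilePhysicalAddressSpace, self).__init__(**kwargs)
        pagefile_names = self.session.GetParameter("pagefile")

        self.as_assert(pagefile_names, "Pagefile not specified")
        # Refuse to layer this space on another instance of itself.
        self.as_assert(self.base.__class__ is not self.__class__)

        # Copy the base's runs to our runs and pass them through.
        for run in self.base.get_mappings():
            self.add_run(run.start, run.start, run.length, self.base)

        # Pagefile data is placed above the base image with a 64 KiB gap so
        # the two regions cannot be confused.
        vaddr = self.base.end() + 0x10000

        # FIXME: Properly support multiple pagefiles. With several pagefiles
        # pagefile_offset/pagefile_end only describe the last one mapped.
        load_as = self.session.plugins.load_as(session=session.Session())
        for pagefile_name in pagefile_names:
            pagefile_as = load_as.GuessAddressSpace(filename=pagefile_name)
            if not pagefile_as:
                # Name did not resolve to an address space: skip it rather
                # than abort, matching the original best-effort behaviour.
                continue

            pagefile_length = pagefile_as.end()

            # The run must start at pagefile_offset, i.e. the *current*
            # vaddr. Previously the run was registered only after vaddr had
            # been advanced, so it began at pagefile_end and the range
            # [pagefile_offset, pagefile_end) had no backing run at all.
            self.pagefile_offset = vaddr
            self.pagefile_end = vaddr + pagefile_length
            self.add_run(self.pagefile_offset, 0, pagefile_length, pagefile_as)

            # Any further pagefile is mapped directly after this one.
            vaddr = self.pagefile_end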