rekall.plugins.addrspaces.standard

1 # Rekall Memory Forensics 2 # Copyright (C) 2007,2008 Volatile Systems 3 # Copyright (C) 2004,2005,2006 4tphi Research 4 # Copyright 2013 Google Inc. All Rights Reserved. 5 # 6 # Authors: 7 # {npetroni,awalters}@4tphi.net (Nick Petroni and AAron Walters) 8 # Michael Cohen <scudette@users.sourceforge.net> 9 # Mike Auty <mike.auty@gmail.com> 10 # 11 # This program is free software; you can redistribute it and/or modify 12 # it under the terms of the GNU General Public License as published by 13 # the Free Software Foundation; either version 2 of the License, or (at 14 # your option) any later version. 15 # 16 # This program is distributed in the hope that it will be useful, but 17 # WITHOUT ANY WARRANTY; without even the implied warranty of 18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 19 # General Public License for more details. 20 # 21 # You should have received a copy of the GNU General Public License 22 # along with this program; if not, write to the Free Software 23 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 24 # 25 26 """ These are standard address spaces supported by Rekall Memory Forensics """ 27 import StringIO 28 import struct 29 import os 30 import weakref 31 32 from rekall import addrspace 33 from rekall import config 34 35 36 config.DeclareOption( 37 "-o", "--file_offset", 38 type="IntParser", help="A Relative offset for image file.") 39 40

41 -class FDAddressSpace(addrspace.BaseAddressSpace):

42 """An address space which operated on a file like object.""" 43 44 __name = "filelike" 45 46 # We should be first. 47 order = 0 48

49 - def __init__(self, base=None, fhandle=None, **kwargs):

50 self.as_assert(base == None, "Base passed to FDAddressSpace.") 51 self.as_assert(fhandle is not None, 'file handle must be provided') 52 53 self.fhandle = fhandle 54 try: 55 self.fhandle.seek(0, 2) 56 self.fsize = self.fhandle.tell() 57 except IOError: 58 # We failed to seek to the end - this is usual with devices so we 59 # assume they are volatile to be safe. 60 self.fsize = 0 61 self.volatile = True 62 self.session.logging.warn( 63 "Unable to determine file size, assuming file is volatile.") 64 65 self.offset = 0 66 67 super(FDAddressSpace, self).__init__(**kwargs)

68

69 - def read(self, addr, length):

70 length = int(length) 71 addr = int(addr) 72 try: 73 self.fhandle.seek(addr) 74 data = self.fhandle.read(length) 75 76 return data + addrspace.ZEROER.GetZeros(length - len(data)) 77 except IOError: 78 return addrspace.ZEROER.GetZeros(length)

79

80 - def read_long(self, addr):

81 string = self.read(addr, 4) 82 (longval,) = struct.unpack('=I', string) 83 return longval

84

85 - def get_mappings(self, start=0, end=2**64):

86 _ = end 87 yield addrspace.Run(start=0, end=self.fsize, 88 file_offset=0, address_space=self)

89

90 - def is_valid_address(self, addr):

91 if addr == None: 92 return False 93 return True

94

95 - def close(self):

96 self.fhandle.close()

97

98 - def __eq__(self, other):

99 return (self.__class__ == other.__class__ and 100 self.fname == other.fname)

101 102

103 -class FileAddressSpace(FDAddressSpace):

104 """ This is a direct file AS. 105 106 For this AS to be instantiated, we need 107 108 1) A valid config.filename 109 110 2) no one else has picked the AS before us 111 112 3) base == None (we dont operate on anyone else so we need to be 113 right at the bottom of the AS stack.) 114 """ 115 116 __name = "file" 117 118 # We should be the AS of last resort 119 order = 100 120 121 # This address space handles images. 122 __image = True 123

124 - def __init__(self, base=None, filename=None, session=None, **kwargs):

125 self.as_assert(base == None, 'Must be first Address Space') 126 127 self.session = session 128 path = filename or (session and session.GetParameter("filename")) 129 self.as_assert(path, "Filename must be specified in session (e.g. " 130 "session.SetParameter('filename', 'MyFile.raw').") 131 132 self.name = os.path.basename(path) 133 self.fname = os.path.abspath(path) 134 self.mode = 'rb' 135 136 if path.startswith(r"\\\\.\\"): 137 raise RuntimeError( 138 "Unable to open a device without the win32file package " 139 "installed.") 140 141 try: 142 fhandle = open(self.fname, self.mode) 143 except (IOError, OSError) as e: 144 raise addrspace.ASAssertionError("%s" % e) 145 146 self._closer = weakref.ref(self, lambda x: fhandle.close()) 147 148 super(FileAddressSpace, self).__init__( 149 fhandle=fhandle, session=session, **kwargs)

150 151

152 -class GlobalOffsetAddressSpace(addrspace.RunBasedAddressSpace):

153 """An address space to add a constant offset.""" 154 155 __image = True 156 157 # Must come after all other address space. 158 order = 120 159

160 - def __init__(self, **kwargs):

161 super(GlobalOffsetAddressSpace, self).__init__(**kwargs) 162 self.file_offset = self.session.GetParameter("file_offset") 163 164 self.as_assert(self.file_offset, "File offset not specified.") 165 self.as_assert(self.base.__class__ is not GlobalOffsetAddressSpace, 166 "Can not stack on GlobalOffsetAddressSpace") 167 168 self.add_run(0, self.file_offset, self.base.end())

169 170

171 -class WritableAddressSpaceMixIn(object):

172 """This address space can be used to create new files. 173 174 NOTE: This does not participate in voting or gets automatically 175 selected. It can only be instantiated directly. 176 """ 177

178 - def write(self, addr, data):

179 self.fhandle.seek(addr) 180 self.fhandle.write(data) 181 self.fhandle.flush() 182 183 return len(data)

184

185 - def is_valid_address(self, unused_addr):

186 # All addresses are valid, we just grow the file there. 187 return True

188

189 - def end(self):

190 self.fhandle.seek(0, 2) 191 return self.fhandle.tell()

192

193 - def read(self, addr, length):

194 # Just null pad the file - even if we read past the end. 195 self.fhandle.seek(addr) 196 data = self.fhandle.read(length) 197 198 if len(data) < length: 199 data += addrspace.ZEROER.GetZeros(length - len(data)) 200 201 return data

202 203

204 -class WritableAddressSpace(WritableAddressSpaceMixIn, FDAddressSpace):

205

206 - def __init__(self, filename=None, mode="w+b", **kwargs):

207 self.as_assert(filename, "Filename must be specified.") 208 self.name = os.path.abspath(filename) 209 self.fname = self.name 210 self.mode = mode 211 212 fhandle = open(self.fname, self.mode) 213 self._closer = weakref.ref(self, lambda x: fhandle.close()) 214 215 super(WritableAddressSpace, self).__init__(fhandle=fhandle, **kwargs)

216 217

218 -class WritableFDAddressSpace(WritableAddressSpaceMixIn, FDAddressSpace):

219 """An address space which can be initialized from a file handle. 220 221 Note that file handle must be writable. 222 """

223 224

225 -class DummyAddressSpace(WritableAddressSpaceMixIn, FDAddressSpace):

226 """An AS which always returns nulls.""" 227 __name = 'dummy' 228

229 - def __init__(self, size=10 * 1024, session=None, **_):

230 super(DummyAddressSpace, self).__init__( 231 session=session, 232 fhandle=StringIO.StringIO(size * "\x00"))

233

234 - def getvalue(self):

235 """Dump the entire address space as a byte string.""" 236 return self.fhandle.getvalue()

237

Source Code for Module rekall.plugins.addrspaces.standard