
Source Code for Module rekall.plugins.common.inspection

 1  # Rekall Memory Forensics 
 2  # Copyright 2015 Google Inc. All Rights Reserved. 
 3  # 
 4  # This program is free software; you can redistribute it and/or modify 
 5  # it under the terms of the GNU General Public License as published by 
 6  # the Free Software Foundation; either version 2 of the License, or (at 
 7  # your option) any later version. 
 8  # 
 9  # This program is distributed in the hope that it will be useful, but 
10  # WITHOUT ANY WARRANTY; without even the implied warranty of 
11  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
12  # General Public License for more details. 
13  # 
14  # You should have received a copy of the GNU General Public License 
15  # along with this program; if not, write to the Free Software 
16  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
17  # 
18   
19  """This module implements some general purpose plugins for inspecting the 
20  state of memory images. 
21  """ 
22   
# Module author, as recorded by the upstream project.
__author__ = "Michael Cohen <scudette@google.com>"
24   
25  from rekall import plugin 
26   
27   
class MemoryTranslation(plugin.KernelASMixin,
                        plugin.PhysicalASMixin,
                        plugin.TypedProfileCommand,
                        plugin.Command):
    """Inspect the mapping of a virtual address.

    Walks the chain of address spaces starting at the session's default
    address space and emits one row per translation step, stopping when a
    lookup no longer changes address space (the bottom of the stack).
    Useful for checking that an address resolves through the expected
    layers of the image rather than through an unexpected mapping.
    """

    name = "inspect_vaddr"

    __args = [
        dict(name="address", required=True, type="SymbolAddress",
             positional=True, help="Virtual address to inspect.")
    ]

    table_header = [
        dict(name="Address Space", width=30),
        dict(name="Offset", style="address", padding="0"),
        dict(name="Base AS", width=30),
        dict(name="Base AS Offset", style="address", padding="0"),
    ]

    def _GetASName(self, address_space):
        """Return a display name for *address_space*.

        ``None`` maps to the empty string; an address space whose ``name``
        attribute is falsy is reported by its class name instead.
        """
        if address_space is None:
            return ""
        return address_space.name or address_space.__class__.__name__

    def collect(self):
        """Yield one row per address-space layer the lookup passes through.

        Each row is ``(current AS name, offset in it, base AS name, offset in
        the base AS)``. Iteration ends when ``vtop_run`` reports the same
        address space it was queried on, which is treated as the bottom of
        the stack.

        NOTE(review): assumes ``vtop_run`` always returns an object exposing
        ``address_space`` and ``file_offset``; a ``None`` result would raise
        AttributeError here — confirm against the address-space classes.
        """
        current_as = self.session.GetParameter("default_address_space")
        offset = self.plugin_args.address

        while current_as is not None:
            run = current_as.vtop_run(offset)
            base_as = run.address_space

            # A layer that resolves onto itself is the bottom of the stack.
            if current_as == base_as:
                break

            yield (self._GetASName(current_as),
                   offset,
                   self._GetASName(base_as),
                   run.file_offset)

            # Descend one layer and continue from the translated offset.
            current_as, offset = base_as, run.file_offset