
Source Code for Module rekall.plugins.common.pfn

  1  # Rekall Memory Forensics 
  2  # 
  3  # Copyright 2015 Google Inc. All Rights Reserved. 
  4  # 
  5  # This program is free software; you can redistribute it and/or modify 
  6  # it under the terms of the GNU General Public License as published by 
  7  # the Free Software Foundation; either version 2 of the License, or (at 
  8  # your option) any later version. 
  9  # 
 10  # This program is distributed in the hope that it will be useful, but 
 11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 13  # General Public License for more details. 
 14  # 
 15  # You should have received a copy of the GNU General Public License 
 16  # along with this program; if not, write to the Free Software 
 17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 18  # 
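class PhysicalAddressContext(object):
    """A lazy evaluator for context information around physical addresses.

    Construction does no work: the ``rammap`` plugin is only instantiated
    (restricted to the single page at ``address``) when ``summary()`` or
    ``str()`` is called, so these objects are cheap to create in bulk, e.g.
    one per PFN entry.
    """

    def __init__(self, session, address):
        # session: the Rekall session whose plugin registry supplies rammap.
        # address: the physical address (int) to describe.
        self.session = session
        self.address = address

    def _rammap(self):
        """Instantiate rammap over the one-byte range [address, address + 1)."""
        return self.session.plugins.rammap(
            start=self.address, end=self.address + 1)

    def summary(self):
        """Return the first rammap row for this address, or None.

        None is returned both when rammap produces no row for the address
        and when the plugin could not be instantiated (``rammap()`` returned
        None) -- the same situation ``__str__`` already guards against.
        """
        rammap_plugin = self._rammap()
        if rammap_plugin is None:
            return None
        return next(iter(rammap_plugin.collect()), None)

    def __str__(self):
        """Render the plugin's own one-line summary, or a bare "Phys:" fallback."""
        rammap_plugin = self._rammap()
        if rammap_plugin is not None:
            # NOTE(review): this defers to the rammap plugin's summary(), not
            # self.summary(); the shape of that return value is not visible
            # here, so element 0 is returned unchanged.
            return rammap_plugin.summary()[0]

        return "Phys: %#x" % self.address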
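class VADMapMixin(object):
    """A plugin to display information about virtual address pages.

    Concrete plugins mix this in and override ``GeneratePageMetatadata`` to
    yield ``(vaddr, metadata)`` pairs, one per page of the process under
    examination. ``collect`` then merges consecutive pages carrying identical
    metadata into a single row per run, so the output is one line per
    contiguous region rather than one per page.
    """

    name = "vadmap"

    # Argument declarations consumed by the plugin framework; nothing in this
    # module reads them directly.
    __args = [
        dict(name="start", default=0, type="IntParser",
             help="Start reading from this page."),

        dict(name="end", default=2**63, type="IntParser",
             help="Stop reading at this offset."),
    ]

    table_header = [
        dict(name='_EPROCESS', type="_EPROCESS", hidden=True),
        dict(name="Divider", type="Divider"),
        dict(name="VAddr", style="address"),
        dict(name="PAddr", style="address", hidden=True),
        dict(name="length", style="address"),
        dict(name="type", width=20),
        dict(name="comment"),
    ]

    # Page granularity assumed by the run-coalescing logic in collect().
    _PAGE_SIZE = 0x1000

    def FormatMetadata(self, type, metadata, offset=None):
        """Render a page's metadata into the human readable ``comment`` column.

        Args:
          type: the page's PTE classification, e.g. "Valid" or "Transition".
          metadata: dict describing the page; an empty dict means the PTE
            could not be interpreted.
          offset: physical offset of the page, appended as "@ 0x..." when
            truthy (an offset of 0 is therefore not shown).

        Returns:
          A space-terminated string, possibly empty.
        """
        result = ""
        if not metadata:
            result = "Invalid PTE "

        if "filename" in metadata:
            result += "%s " % metadata["filename"]

        # NOTE(review): this replaces, rather than appends to, anything built
        # so far -- presumably a pagefile-backed page is meant to be described
        # by its pagefile number alone; confirm before changing.
        if "number" in metadata:
            result = "PF %s " % metadata["number"]

        if type in ("Valid", "Transition"):
            result += "PhysAS "

        if offset:
            result += "@ %#x " % offset

        if "ProtoType" in metadata:
            result += "(P) "

        return result

    def GeneratePageMetatadata(self, task):
        """A Generator of vaddr, metadata for each page.

        Subclasses override this; the base implementation yields nothing.
        The (misspelled) name is part of the mixin's interface and is kept
        for compatibility with existing subclasses.
        """
        _ = task
        return []

    def collect(self):
        """Yield a divider row per process followed by its coalesced page rows.

        Consecutive pages merge into one row when their metadata (with the
        per-page ``offset`` removed) is identical and their virtual addresses
        are contiguous. At verbosity >= 5 the physical offsets must also be
        contiguous, so physically scattered mappings are split into separate
        rows instead of being reported as one region.
        """
        for task in self.filter_processes():
            yield dict(_EPROCESS=task,
                       Divider="Pid: {0} {1}\n".format(task.pid, task.name))

            with self.session.plugins.cc() as cc:
                cc.SwitchProcessContext(task)

                for row in self._coalesced_rows(task):
                    yield row

    def _coalesced_rows(self, task):
        """Yield one row per run of identical, contiguous pages of ``task``.

        Must be called with the process context already switched to ``task``.
        """
        require_contiguous_phys = self.plugin_args.verbosity >= 5

        run_vaddr = 0        # virtual address of the run's first page
        run_offset = 0       # physical offset of the run's first page
        run_metadata = {}    # metadata shared by every page in the run
        length = self._PAGE_SIZE

        for vaddr, metadata in self.GeneratePageMetatadata(task):
            # The offset differs for every page, so take it out before the
            # metadata comparison (this mutates the dict the generator gave us).
            offset = metadata.pop("offset", None)

            contiguous_virt = vaddr == run_vaddr + length
            contiguous_phys = (offset is None or run_offset is None or
                               not require_contiguous_phys or
                               offset == run_offset + length)
            if contiguous_virt and contiguous_phys and metadata == run_metadata:
                length += self._PAGE_SIZE
                continue

            # This page ends the current run. Report the run by its own start
            # address and offset -- not by the page that ended it -- so the
            # VAddr/PAddr columns line up with the length and comment.
            run_type = run_metadata.get("type", None)
            if run_type:
                yield self._row(run_vaddr, run_offset, length, run_type,
                                run_metadata)

            run_vaddr = vaddr
            run_offset = offset
            run_metadata = metadata
            length = self._PAGE_SIZE

        # Flush the final run. Its type is re-read from run_metadata; the
        # value computed inside the loop described the previous run.
        if run_metadata:
            yield self._row(run_vaddr, run_offset, length,
                            run_metadata.get("type", None), run_metadata)

    def _row(self, vaddr, offset, length, page_type, metadata):
        """Build the output row for one run of pages starting at ``vaddr``."""
        return dict(VAddr=vaddr, PAddr=offset, length=length, type=page_type,
                    comment=self.FormatMetadata(page_type, metadata, offset))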