
 1  # Rekall Memory Forensics 
 2  # Copyright 2014 Google Inc. All Rights Reserved. 
 3  # 
 4  # This program is free software; you can redistribute it and/or modify 
 5  # it under the terms of the GNU General Public License as published by 
 6  # the Free Software Foundation; either version 2 of the License, or (at 
 7  # your option) any later version. 
 8  # 
 9  # This program is distributed in the hope that it will be useful, but 
10  # WITHOUT ANY WARRANTY; without even the implied warranty of 
11  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
12  # General Public License for more details. 
13  # 
14  # You should have received a copy of the GNU General Public License 
15  # along with this program; if not, write to the Free Software 
16  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
17  # 
18   
19  """The module implements an OSX specific address resolution plugin.""" 
20   
21  __author__ = "Michael Cohen <scudette@gmail.com>" 
22   
23  from rekall.plugins.common import address_resolver 
24  from rekall.plugins.darwin import common 
25   
26   
class KModModule(address_resolver.Module):
    """A darwin kernel module.

    Wraps one kmod object (as yielded by the lsmod plugin's
    get_module_list) as an address-resolver module whose range is
    [kmod.address, kmod.address + kmod.size).
    """

    def __init__(self, kmod, **kwargs):
        """Build the module from a kmod object taken from the memory image.

        Args:
          kmod: the kmod object; its address, size and name are read here.
          **kwargs: forwarded unchanged to address_resolver.Module (the
            resolver in this file passes session=...).

        NOTE(review): address and size come from the image under analysis and
        are used as-is; a tampered or corrupt kmod list is not validated here,
        so odd ranges are left for the base class and its callers to handle.
        """
        self.kmod = kmod
        base = kmod.address.v()
        length = kmod.size.v()
        super(KModModule, self).__init__(
            name=unicode(kmod.name),
            start=base,
            end=base + length,
            **kwargs)

        # Only the kernel itself has a profile we can resolve symbols against.
        # Other kmods would need a Mach-O parser to extract their symbols,
        # which does not exist yet.
        if self.name == "__kernel__":
            self.profile = self.session.profile
class MapModule(address_resolver.Module):
    """A module representing a memory mapping.

    A plain address_resolver.Module with no behaviour of its own: the
    resolver in this file creates one per vm_map entry of the current
    process context, named "map_<start>" and bounded by the entry's
    start/end values passed straight through.
    """
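class DarwinAddressResolver(address_resolver.AddressResolverMixin,
                            common.AbstractDarwinCommand):
    """A Darwin specific address resolver plugin."""

    def _EnsureInitialized(self):
        """Populate the module table once, on first use.

        Registers one KModModule per loaded kernel module (as listed by the
        lsmod plugin) and one MapModule per vm_map entry of the current
        process context, then marks the resolver initialised so that later
        calls return immediately.

        Everything registered here is read from the memory image under
        analysis and is therefore untrusted: a rootkit or a corrupt image can
        present unlinked, overlapping or inverted ranges, and they are handed
        to AddModule unchanged.
        """
        if self._initialized:
            return

        # Kernel modules; the kernel itself shows up as "__kernel__" and is
        # the only one KModModule attaches a profile to.
        for kmod in self.session.plugins.lsmod().get_module_list():
            self.AddModule(KModModule(kmod, session=self.session))

        # Memory mappings of the process in the current context. The vm_map
        # entry list is walked from the image; walk_list is relied on to
        # terminate on a cyclic or truncated list -- TODO confirm that guard
        # exists in walk_list.
        process_context = self.session.GetParameter("process_context")
        entries = process_context.task.map.hdr.walk_list(
            "links.next", include_current=False)
        # Named 'entry' rather than 'map' so the builtin is not shadowed.
        for entry in entries:
            start = entry.links.start
            end = entry.links.end

            self.AddModule(MapModule(
                name="map_%#x" % start,
                start=start, end=end, session=self.session))

        self._initialized = True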