
Source Code for Module rekall.plugins.darwin.hooks

 1  # Rekall Memory Forensics 
 2  # 
 3  # Copyright 2013 Google Inc. All Rights Reserved. 
 4  # 
 5  # This program is free software; you can redistribute it and/or modify 
 6  # it under the terms of the GNU General Public License as published by 
 7  # the Free Software Foundation; either version 2 of the License, or (at 
 8  # your option) any later version. 
 9  # 
10  # This program is distributed in the hope that it will be useful, but 
11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
13  # General Public License for more details. 
14  # 
15  # You should have received a copy of the GNU General Public License 
16  # along with this program; if not, write to the Free Software 
17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
18   
19  __author__ = "Michael Cohen <scudette@google.com>" 
20   
21  from rekall.plugins.darwin import common 
22   
23   
class DarwinNotifiers(common.AbstractDarwinCommand):
    """Detects hooks in I/O Kit IONotify objects.

    Walks the kernel's global ``gNotifications`` OSDictionary, treats each
    value as an OSOrderedSet of ``_IOServiceNotifier`` objects, and emits one
    table row per (notifier, matching-dictionary entry) pair.

    The plugin does not flag anything on its own: the ``Symbol`` column is the
    notifier's handler address run through the session's address resolver,
    and the analyst is expected to look for handlers that the resolver cannot
    attribute to a known kernel or kext symbol -- that is the usual sign of a
    hooked notifier. A profile that lacks the ``gNotifications`` constant is
    reported via the session logger and produces no rows.
    """

    __name = "notifiers"

    def _notifier_rows(self, gnotifications):
        """Yield one output row per notifier matching-dictionary entry.

        Args:
          gnotifications: the dereferenced ``gNotifications`` OSDictionary.

        Yields:
          ``(notify_type, handler, match_key, match_value, symbol)`` tuples in
          the order the kernel structures are traversed, where ``symbol`` is
          ``handler`` formatted by the session address resolver.
        """
        resolver = self.session.address_resolver
        # Each dictionary value is an ordered set of _IOServiceNotifier
        # handlers keyed by the notification type.
        for notify_type, notifier_set in gnotifications.items("OSOrderedSet"):
            for notifier in notifier_set.list_of_type("_IOServiceNotifier"):
                handler = notifier.handler
                # Resolve once per notifier; it is repeated on every row
                # derived from the same handler.
                symbol = resolver.format_address(handler)
                for match_key, match_value in notifier.matching.items(
                        "OSString"):
                    yield (notify_type, handler, match_key,
                           match_value.value, symbol)

    def render(self, renderer):
        """Render the notifier table to ``renderer``.

        Args:
          renderer: the Rekall renderer receiving ``table_header`` and
            ``table_row`` calls.

        Logs an error and returns without rendering any rows when the profile
        does not provide the ``gNotifications`` constant.
        """
        renderer.table_header([
            ("Notify Type", "notify_type", "25"),
            ("Handler", "handler", "[addrpad]"),
            ("Match Key", "match_key", "20"),
            ("Match Value", "match_value", "30"),
            ("Symbol", "symbol", ""),
        ])

        gnotifications = self.profile.get_constant_cpp_object(
            "gNotifications",
            target="Pointer",
            target_args=dict(
                target="OSDictionary"
            )
        )

        if not gnotifications:
            # Best effort: an incomplete profile is a configuration problem,
            # not a reason to abort the whole session.
            self.session.logging.error("Could not find the gNotifications "
                                       "object. The profile %r could be "
                                       "incomplete." % self.profile)
            return

        for row in self._notifier_rows(gnotifications):
            renderer.table_row(*row)