
 1  # Rekall Memory Forensics 
 2  # 
 3  # Copyright 2013 Google Inc. All Rights Reserved. 
 4  # 
 5  # This program is free software; you can redistribute it and/or modify 
 6  # it under the terms of the GNU General Public License as published by 
 7  # the Free Software Foundation; either version 2 of the License, or (at 
 8  # your option) any later version. 
 9  # 
10  # This program is distributed in the hope that it will be useful, but 
11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
13  # General Public License for more details. 
14  # 
15  # You should have received a copy of the GNU General Public License 
16  # along with this program; if not, write to the Free Software 
17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
18   
# Module author metadata.
__author__ = "Michael Cohen <scudette@google.com>"
20   
21  from rekall import plugin 
22  from rekall.plugins.darwin import common 
23   
24   
class DarwinHandles(common.ProcessFilterMixin, common.AbstractDarwinProducer):
    """Produce the fileproc of every open file of each filtered process.

    Same walk over the per-process open-file table as lsof, but the file
    descriptor number is dropped and no sorting is done: each row is a
    single-element list holding just the fileproc.
    """

    name = "handles"
    type_name = "fileproc"

    def collect(self):
        """Yield one ``[fileproc]`` row per open file of every filtered process.

        Processes come from ``self.filter_processes()`` (the mixin's filter),
        so only processes selected by the caller are walked.
        """
        for process in self.filter_processes():
            open_files = process.get_open_files()
            # get_open_files() appears to yield (fd, fileproc, <third>) triples;
            # only the fileproc is emitted here. What the third item is cannot
            # be told from this module.
            for _fd, fileproc, _extra in open_files:
                yield [fileproc]
class DarwinLsof(common.AbstractDarwinCommand):
    """List every open file of every process as ``(proc, fd, fileproc)`` rows.

    A Darwin proc holds an array of pointers to fileproc structs: the index
    into that array is the file descriptor, and each fileproc describes one
    handle on some resource. The fileproc's type field tells what kind of
    resource it refers to (vnode, socket, pipe, ...).
    """

    name = "lsof"

    table_header = [
        {
            "name": "proc",
            "type": "proc",
            "columns": [
                {"name": "command", "width": 16},
                {"name": "pid", "width": 8},
                {"name": "p_uid", "width": 8},
            ],
        },
        {"name": "fd", "width": 5},
        {"name": "fileproc", "type": "fileproc"},
    ]

    def collect(self):
        """Yield ``(proc, fd, fileproc)`` for each open file, processes in pid order.

        The process list is taken from the ``proc`` collector plugin rather
        than from a process filter, so every process that plugin returns is
        walked.
        """
        def by_pid(process):
            return process.pid

        proc_list = self.session.plugins.collect("proc").collect()
        for process in sorted(proc_list, key=by_pid):
            # get_open_files() appears to yield (fd, fileproc, <third>) triples;
            # the third item is not used by this plugin.
            for fd, fileproc, _extra in process.get_open_files():
                yield (process, fd, fileproc)