
Source Code for Module rekall.plugins.darwin.maps

 1  # Rekall Memory Forensics 
 2  # Authors: 
 3  # Michael Cohen <scudette@gmail.com> 
 4  # 
 5  # This program is free software; you can redistribute it and/or modify 
 6  # it under the terms of the GNU General Public License as published by 
 7  # the Free Software Foundation; either version 2 of the License, or (at 
 8  # your option) any later version. 
 9  # 
10  # This program is distributed in the hope that it will be useful, but 
11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
13  # General Public License for more details. 
14  # 
15  # You should have received a copy of the GNU General Public License 
16  # along with this program; if not, write to the Free Software 
17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
18   
19   
20  # pylint: disable=protected-access 
21  from rekall.plugins.addrspaces import intel 
22  from rekall.plugins.common import pfn 
23  from rekall.plugins.darwin import common 
24  from rekall_lib import utils 
25   
26   
class DarwinVADMap(pfn.VADMapMixin, common.ProcessFilterMixin,
                   common.AbstractDarwinCommand):
    """Inspect each page in the VAD and report its status.

    This allows us to see the address translation status of each page in the
    VAD.
    """

    # Darwin flavour of the VAD map: the regions come from the task's VM map
    # entries (proc.task.map) and every page in them is run through
    # describe_vtop() to record whether it currently resolves to a physical
    # address.

    def _CreateMetadata(self, collection):
        """Condense one address-translation description into a small dict.

        Args:
          collection: the object returned by describe_vtop(); only its
            `descriptors` attribute is read, as (class, _, kwargs) triples.

        Returns:
          A dict that may hold "offset" (taken from the descriptor's
          kwargs["address"]) and "type" ("Valid" or "Invalid"). It is empty
          when no descriptor matches either class tested below.
        """
        page_info = {}

        # Descriptors are visited last-to-first.
        for entry in reversed(collection.descriptors):
            descriptor_cls, _, kwargs = entry

            if issubclass(descriptor_cls, intel.PhysicalAddressDescriptor):
                page_info["offset"] = kwargs["address"]
                # setdefault: never downgrade an "Invalid" verdict that was
                # already recorded to "Valid".
                page_info.setdefault("type", "Valid")

            elif issubclass(descriptor_cls, intel.InvalidAddress):
                # An invalid descriptor always wins, whatever was seen before.
                page_info["type"] = "Invalid"

        return page_info

    def GeneratePageMetatadata(self, proc):
        """Yield (virtual address, metadata dict) for pages mapped by proc.

        Only addresses inside the inclusive window
        [plugin_args.start, plugin_args.end] are reported.

        Args:
          proc: the process whose task VM map entries are walked.

        Yields:
          Tuples of (vaddr, dict) where the dict comes from _CreateMetadata().
        """
        # NOTE(review): translation goes through the session's
        # "default_address_space", not an address space derived from `proc`
        # here. The output only describes `proc` if the caller has already
        # switched the session to that process's context - confirm in the
        # code that drives this generator, otherwise pages would be
        # attributed to the wrong process.
        address_space = self.session.GetParameter("default_address_space")

        entries = proc.task.map.hdr.walk_list(
            "links.next", include_current=False)

        for entry in entries:
            region_start = entry.links.start
            region_end = entry.links.end

            # Region lies wholly below the requested window: nothing to report.
            if region_end < self.plugin_args.start:
                continue

            # Region begins above the window: stop walking altogether.
            # NOTE(review): this early exit assumes entries are returned in
            # ascending address order; if they are not, later in-window
            # regions would be silently omitted from the report - confirm.
            if region_start > self.plugin_args.end:
                break

            # Step through the region 0x1000 bytes at a time.
            # NOTE(review): presumably the page size, with region_start page
            # aligned - confirm.
            for vaddr in utils.xrange(region_start, region_end, 0x1000):
                if not (self.plugin_args.start <= vaddr
                        <= self.plugin_args.end):
                    continue

                description = address_space.describe_vtop(vaddr)
                yield vaddr, self._CreateMetadata(description)
68