

 1  # Rekall Memory Forensics 
 2  # 
 3  # Copyright 2015 Google Inc. All Rights Reserved. 
 4  # 
 5  # Authors: 
 6  # Michael Cohen <scudette@google.com> 
 7  # 
 8  # This program is free software; you can redistribute it and/or modify 
 9  # it under the terms of the GNU General Public License as published by 
10  # the Free Software Foundation; either version 2 of the License, or (at 
11  # your option) any later version. 
12  # 
13  # This program is distributed in the hope that it will be useful, but 
14  # WITHOUT ANY WARRANTY; without even the implied warranty of 
15  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
16  # General Public License for more details. 
17  # 
18  # You should have received a copy of the GNU General Public License 
19  # along with this program; if not, write to the Free Software 
20  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
21  # 
23  from rekall.plugins.common import pfn 
24  from rekall.plugins.darwin import common 
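class DarwinVadMap(pfn.VADMapMixin, common.DarwinProcessFilter):
    """Enumerate the pages of each process VM map with per-page PTE metadata.

    The generic walk (process filtering, output rendering) is provided by
    VADMapMixin; this class supplies the Darwin-specific parts: how a virtual
    address is resolved to a PTE and how a process's vm_map entries are
    enumerated.
    """

    def _FillMetadata(self, vaddr, metadata):
        """Locate the PTE that maps *vaddr* and mark the page as valid.

        Walks the default address space's translation of *vaddr* and stops
        at the first "pte" level whose address is truthy.

        Args:
          vaddr: virtual address to resolve.
          metadata: dict updated in place; ``metadata["type"]`` is set to
            "Valid" when a PTE is found.

        Returns:
          The PTE struct instantiated over the physical address space, or
          None when the translation yields no usable PTE.
        """
        address_space = self.session.GetParameter("default_address_space")
        # describe_vtop yields (level name, <unused here>, address) triples,
        # one per stage of the translation.
        for level, _, addr in address_space.describe_vtop(vaddr):
            if level == "pte" and addr:
                metadata["type"] = "Valid"
                # NOTE(review): _MMPTE is the Windows PTE struct name; confirm
                # the Darwin profile actually defines it before relying on it.
                return self.profile._MMPTE(
                    addr, vm=self.physical_address_space)
        return None

    def GeneratePageMetatadata(self, task):
        """Yield (offset, metadata) for every page of every map entry of *task*.

        Map-level metadata (the backing vnode's path, when it has one) is
        merged with the PTE details returned by the pte plugin for pages that
        fall inside the [self.start, self.end] window; pages outside the
        window carry only the map-level metadata.

        Args:
          task: process object whose ``.task.map`` vm_map is walked.
            NOTE(review): the original body referenced an undefined ``proc``
            here; the parameter is assumed to be that proc struct — confirm
            against what VADMapMixin passes in.

        Yields:
          (offset, metadata) pairs, one per page, in ascending address order
          within each map entry.
        """
        page_size = 0x1000
        # Created once rather than once per map entry; nothing below
        # reconfigures it.
        pte_plugin = self.session.plugins.pte()

        for entry in task.task.map.hdr.walk_list(
                "links.next", include_current=False):
            # Metadata shared by every page of this map entry.
            entry_metadata = {}

            # Find the vnode this mapping is attached to.
            vnode = entry.find_vnode_object()
            if vnode.path:
                entry_metadata["filename"] = vnode.path

            # start/end are read straight from the image; every page in the
            # range is yielded, but only pages inside the start/end window
            # requested on the plugin get the (expensive) PTE resolution.
            offset = entry.links.start
            end = entry.links.end

            while offset < end:
                # Fresh copy per page so PTE details from one page never leak
                # into the next, and the filename survives the merge below.
                metadata = dict(entry_metadata)
                if self.start <= offset <= self.end:
                    pte = self._GetPTE(offset)
                    # Assumes ResolvePTE returns a dict-like mapping (the
                    # original assigned its result to metadata directly and
                    # consumers read keys from it) — confirm.
                    metadata.update(pte_plugin.ResolvePTE(pte, offset))

                yield offset, metadata
                self.session.report_progress("Inspecting 0x%08X", offset)

                offset += page_size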