
Source Code for Module rekall.plugins.darwin.sessions

 1  # Rekall Memory Forensics 
 2  # 
 3  # Copyright 2014 Google Inc. All Rights Reserved. 
 4  # 
 5  # This program is free software; you can redistribute it and/or modify 
 6  # it under the terms of the GNU General Public License as published by 
 7  # the Free Software Foundation; either version 2 of the License, or (at 
 8  # your option) any later version. 
 9  # 
10  # This program is distributed in the hope that it will be useful, but 
11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
13  # General Public License for more details. 
14  # 
15  # You should have received a copy of the GNU General Public License 
16  # along with this program; if not, write to the Free Software 
17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
18  # 
19   
20  """ 
21  Darwin Session collectors and plugins. 
22  """ 
23  __author__ = "Adam Sindelar <adamsh@google.com>" 
24   
25  from rekall import plugin 
26   
27  from rekall.plugins.darwin import common 
28   
29   
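class DarwinSessions(common.AbstractDarwinProducer):
    """Finds sessions by walking their global hashtable.

    XNU keeps every ``struct session`` in ``sesshashtbl``, an array of
    ``LIST_HEAD(sesshashhead, session)`` buckets allocated by ``hashinit()``.
    The companion global ``sesshash`` is the bucket *mask* (``hashsize - 1``),
    not the bucket count: ``SESSHASH(sid)`` indexes with ``sid & sesshash``.
    The array therefore has ``sesshash + 1`` entries, and sizing it by
    ``sesshash`` alone silently drops the last bucket together with every
    session whose id hashes there -- a blind spot an attacker can steer a
    hidden session into by choosing its sid. The walk below sizes the array
    by ``sesshash + 1``.

    Yields:
        One-element rows ``[session]`` for each session struct reachable from
        the hashtable, in bucket order (the producer base class presumably
        consumes the first column -- not visible here).
    """

    name = "sessions"
    type_name = "session"

    def collect(self):
        """Walk every bucket of ``sesshashtbl`` and yield each session."""
        # ``_sesshash`` is the hash *mask*; the table has mask + 1 buckets.
        session_hash_mask = self.profile.get_constant_object(
            "_sesshash", "unsigned long")
        bucket_count = session_hash_mask.v() + 1

        # The hashtable is a pointer to an array of session list heads.
        session_hash_table = self.profile.get_constant_object(
            "_sesshashtbl",
            target="Pointer",
            target_args=dict(
                target="Array",
                target_args=dict(
                    target="sesshashhead",
                    count=bucket_count)))

        # Iterate over the buckets, then over the singly linked chain hanging
        # off each one. The memory image is untrusted: a corrupted or hostile
        # kernel can wire a chain into a loop, so this relies on walk_list
        # stopping on revisited offsets -- NOTE(review): confirm in rekall.obj.
        for sesshashhead in session_hash_table:
            for session in sesshashhead.lh_first.walk_list("s_hash.le_next"):
                yield [session]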
class DarwinTerminals(common.AbstractDarwinCommand):
    """Lists open ttys.

    Emits one row per session that has a controlling terminal: the session
    (rendered through its ``s_sid`` column) alongside the ``tty`` its
    ``s_ttyp`` points to. Sessions are taken from the ``sessions`` producer
    plugin; a session whose ``s_ttyp`` is NULL/falsy is skipped.
    """

    name = "terminals"

    table_header = [
        dict(type="session", name="session",
             columns=[dict(name="s_sid")]),
        dict(type="tty", name="tty")
    ]

    def collect(self):
        """Yield ``{session, tty}`` rows for every session bound to a tty."""
        sessions_plugin = self.session.plugins.sessions()
        for session_struct in sessions_plugin.produce():
            tty = session_struct.s_ttyp
            # No controlling terminal: nothing to report for this session.
            if not tty:
                continue
            yield dict(session=session_struct, tty=tty)