
Source Code for Module rekall.plugins.imagecopy

  1  # Rekall Memory Forensics 
  2  # 
  3  # Copyright 2013 Google Inc. All Rights Reserved. 
  4  # 
  5  # Authors: 
  6  # Mike Auty <mike.auty@gmail.com> 
  7  # Michael Cohen <scudette@gmail.com> 
  8  # 
  9  # This program is free software; you can redistribute it and/or modify 
 10  # it under the terms of the GNU General Public License as published by 
 11  # the Free Software Foundation; either version 2 of the License, or (at 
 12  # your option) any later version. 
 13  # 
 14  # This program is distributed in the hope that it will be useful, but 
 15  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 16  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 17  # General Public License for more details. 
 18  # 
 19  # You should have received a copy of the GNU General Public License 
 20  # along with this program; if not, write to the Free Software 
 21  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 22  # 
 23   
 24  import os 
 25   
 26  from rekall import plugin 
 27  from rekall import testlib 
 28  from rekall_lib import utils 
class ImageCopy(plugin.PhysicalASMixin, plugin.Command):
    """Copies a physical address space out as a raw DD image

    Only the runs returned by the address space's get_mappings() are written,
    each block at the file offset equal to its address. No digest of the
    output is computed here; hash the image separately if its integrity has
    to be demonstrated later.
    """

    __name = "imagecopy"

    @classmethod
    def args(cls, parser):
        """Add the -O/--output-image option after the inherited options."""
        super(ImageCopy, cls).args(parser)

        parser.add_argument(
            "-O", "--output-image", default=None,
            help="Filename to write output image.")

    def __init__(self, output_image=None, address_space=None, **kwargs):
        """Dumps the address_space into the output file.

        Args:
          output_image: The output filename.

          address_space: The address space to dump. If not specified, we use
            the session's physical address space, calling the load_as plugin
            first when the session does not have one yet.

        Raises:
          plugin.PluginError: when no address space is available.
        """
        super(ImageCopy, self).__init__(**kwargs)
        self.output_image = output_image

        source_as = address_space
        if source_as is None:
            # Fall back to the session's physical address space.
            if self.session.physical_address_space is None:
                self.session.plugins.load_as()

            source_as = self.session.physical_address_space

        if source_as is None:
            raise plugin.PluginError("No valid address space was found.")

        self.address_space = source_as

    def human_readable(self, value):
        """Format a byte count with two decimals and a B/KB/MB/GB/TB unit.

        The value is divided by 1024 until it drops below 800; anything still
        at or above 800 after the GB step is reported in TB.
        """
        for unit in ("B", "KB", "MB", "GB"):
            if value < 800:
                return "{0:0.2f} {1:s}".format(value, unit)
            value = value / 1024.0

        return "{0:0.2f} TB".format(value)

    def render(self, renderer):
        """Renders the file to disk

        Raises:
          plugin.PluginError: when no output filename was given, or when the
            output path already exists and is larger than one byte.
        """
        destination = self.output_image
        if destination is None:
            raise plugin.PluginError("Please provide an output-image filename")

        # An existing file of at most one byte is still replaced.
        # NOTE(review): this test and the open below are separate steps, so a
        # file that appears at the path in between is not covered by the
        # guard; how renderer.open() treats an existing path or a symlink is
        # not visible here.
        has_content = (os.path.exists(destination) and
                       os.path.getsize(destination) > 1)
        if has_content:
            raise plugin.PluginError("Refusing to overwrite an existing file, "
                                     "please remove it before continuing")

        chunk_size = 5 * 1024 * 1024
        with renderer.open(filename=destination, mode="wb") as out_fd:
            for run in self.address_space.get_mappings():
                # NOTE(review): the second value printed is run.length, not
                # run.end, although the text reads like a start - end range;
                # confirm which one is intended.
                renderer.format(
                    "Range {0:#x} - {1:#x}\n", run.start, run.length)

                for position in utils.xrange(run.start, run.end, chunk_size):
                    # The last block of a run may be shorter than chunk_size.
                    wanted = min(chunk_size, run.end - position)
                    # NOTE(review): the size of the returned data is not
                    # compared with the requested size; presumably read()
                    # pads unreadable ranges, confirm.
                    chunk = self.address_space.read(position, wanted)

                    # Keep file offset equal to the address of the block.
                    out_fd.seek(position)
                    out_fd.write(chunk)

                    renderer.RenderProgress(
                        "Writing offset %s" % self.human_readable(position))
100
class TestImageCopy(testlib.HashChecker):
    """Test case that runs imagecopy with an output file named output_image.raw.

    The %(tempdir)s placeholder is presumably filled in by testlib, confirm.
    """

    PARAMETERS = {
        "commandline": "imagecopy -O %(tempdir)s/output_image.raw",
    }
104