
Source Code for Module rekall.plugins.linux.address_resolver

 1  # Rekall Memory Forensics 
 2  # Copyright 2014 Google Inc. All Rights Reserved. 
 3  # 
 4  # This program is free software; you can redistribute it and/or modify 
 5  # it under the terms of the GNU General Public License as published by 
 6  # the Free Software Foundation; either version 2 of the License, or (at 
 7  # your option) any later version. 
 8  # 
 9  # This program is distributed in the hope that it will be useful, but 
10  # WITHOUT ANY WARRANTY; without even the implied warranty of 
11  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
12  # General Public License for more details. 
13  # 
14  # You should have received a copy of the GNU General Public License 
15  # along with this program; if not, write to the Free Software 
16  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
17  # 
18   
19  """The module implements the linux specific address resolution plugin.""" 
20   
21  __author__ = "Michael Cohen <scudette@gmail.com>" 
22  from rekall import obj 
23  from rekall.plugins.common import address_resolver 
24  from rekall.plugins.linux import common 
25   
class LKMModule(address_resolver.Module):
    """Address-resolver module wrapping one loadable kernel module (LKM)."""

    def __init__(self, module, **kwargs):
        """Record ``module`` and register its name and address bounds.

        Args:
          module: object exposing ``name``, ``base`` and ``end`` attributes.
          **kwargs: forwarded unchanged to address_resolver.Module.
        """
        # Keep a handle on the underlying module object.
        self.module = module

        # NOTE(review): name/base/end are presumably read from the memory
        # image under analysis and are passed on without any sanity check
        # (e.g. base <= end). Confirm the base class tolerates malformed or
        # overlapping ranges coming from a tampered image.
        module_name = unicode(module.name)
        super(LKMModule, self).__init__(
            name=module_name,
            start=module.base,
            end=module.end,
            **kwargs)
class MapModule(address_resolver.Module):
    """Address-resolver module standing for a single memory mapping.

    Adds nothing to address_resolver.Module; the distinct type only marks the
    entry as a mapping rather than a kernel module.
    """
class KernelModule(address_resolver.Module):
    """Pseudo-module that presents the kernel image itself as a module.

    Registering the kernel this way lets kernel addresses be resolved through
    the same path as module addresses, with no special casing.
    """

    def __init__(self, session=None, **kwargs):
        """Build the module from the profile's ``_text`` and ``_end`` constants.

        Args:
          session: the active session; its profile supplies both constants.
            The default is None, but the profile is dereferenced
            unconditionally, so a real session must be passed.
          **kwargs: forwarded unchanged to address_resolver.Module.
        """
        profile = session.profile

        # NOTE(review): only the start bound goes through
        # Pointer.integer_to_address(); the end bound is the raw constant.
        # Confirm both end up in the same address representation, otherwise
        # range checks against this module could misattribute addresses.
        text_start = obj.Pointer.integer_to_address(
            profile.get_constant("_text"))
        image_end = profile.get_constant("_end")

        super(KernelModule, self).__init__(
            name="linux",
            start=text_start,
            end=image_end,
            profile=profile,
            session=session,
            **kwargs)
class LinuxAddressResolver(address_resolver.AddressResolverMixin,
                           common.LinuxPlugin):
    """A Linux specific address resolver plugin."""

    def _EnsureInitialized(self):
        """Register the kernel, the LKMs and the current task's mappings.

        Does nothing once ``self._initialized`` is set. The flag is only set
        after every step has completed, so if a step raises, a later call
        starts over and repeats the AddModule() calls already made.
        """
        if self._initialized:
            return

        session = self.session

        # The kernel image is registered as a pseudo module.
        self.AddModule(KernelModule(session=session))

        # Loadable kernel modules, as reported by the lsmod plugin.
        # NOTE(review): presumably lsmod enumerates the kernel's own module
        # list; a module unlinked from that list would not be registered
        # here, so addresses inside it would not resolve to an LKM name.
        # Verify against the lsmod plugin before treating "unresolved" as
        # benign.
        for lkm in session.plugins.lsmod().get_module_list():
            self.AddModule(LKMModule(lkm, session=session))

        # Only the task selected as the session's process context contributes
        # mappings; each VMA becomes a module named after its start address.
        process = session.GetParameter("process_context")
        for region in process.mm.mmap.walk_list("vm_next"):
            lo, hi = region.vm_start, region.vm_end
            mapping = MapModule(
                name="map_%#x" % lo, start=lo, end=hi, session=session)
            self.AddModule(mapping)

        self._initialized = True