
Source Code for Module rekall.plugins.linux.check_afinfo

  1  # Rekall Memory Forensics 
  2  # 
  3  # This file is part of Rekall Memory Forensics. 
  4  # Copyright 2013 Google Inc. All Rights Reserved. 
  5  # 
  6  # Rekall Memory Forensics is free software; you can redistribute it and/or 
  7  # modify it under the terms of the GNU General Public License Version 2 as 
  8  # published by the Free Software Foundation.  You may not use, modify or 
  9  # distribute this program under any other version of the GNU General Public 
 10  # License. 
 11  # 
 12  # Rekall Memory Forensics is distributed in the hope that it will be useful, 
 13  # but WITHOUT ANY WARRANTY; without even the implied warranty of 
 14  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 15  # GNU General Public License for more details. 
 16  # 
 17  # You should have received a copy of the GNU General Public License along with 
 18  # Rekall Memory Forensics.  If not, see <http://www.gnu.org/licenses/>. 
 19  # 
 20   
 21  """ 
 22  @author:       Michael Cohen (Based on original code by Andrew Case). 
 23  @license:      GNU General Public License 2.0 
 24  @contact:      scudette@gmail.com 
 25  """ 
 26  from rekall.plugins.linux import common 
 27   
 28   
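class CheckAFInfo(common.LinuxPlugin):
    """Verifies the operation function pointers of network protocols.

    The ``tcp*_seq_afinfo`` / ``udp*_seq_afinfo`` kernel globals are read
    from the kernel address space and every function pointer they hold is
    resolved with the session's address resolver. Pointers that resolve to
    nothing known are reported with the ``important`` highlight; pointers
    that do resolve are still listed, together with the module they land in,
    so the ``module`` column is worth reading even for unhighlighted rows.
    """

    __name = "check_afinfo"

    table_header = [
        dict(name="symbol", width=30),
        dict(name="member", width=30),
        dict(name="address", style="address"),
        dict(name="module")
    ]

    def CreateChecks(self):
        """Builds the sequence of function checks we need to look at.

        We support multiple kernels by adding a bunch of function names which
        may not exist on the current kernel. This is expected as the code
        simply ignores struct members which are not defined on this kernel.

        Returns:
          A list of check dicts, each with the keys ``name``,
          ``constant_type``, ``global_vars`` and ``members``. The same
          ``members`` list is shared by the tcp and udp checks.
        """
        # Older kernels have the operations directly in the afinfo struct.
        members = sorted(self.profile.file_operations().members)

        if self.profile.has_type("seq_operations"):
            # Newer kernels embed a seq_operations struct as seq_ops.
            members.extend(["seq_ops.%s" % x
                            for x in self.profile.seq_operations().members])

        if self.profile.has_type("file_operations"):
            # Newer kernels reference a file_operations struct via seq_fops.
            # NOTE(review): file_operations() is already called unguarded
            # above, so this guard only helps if that call tolerates a
            # missing type on some profiles -- confirm.
            members.extend(["seq_fops.%s" % x
                            for x in self.profile.file_operations().members])

        return [
            dict(name="tcp",
                 constant_type="tcp_seq_afinfo",
                 global_vars=[
                     "tcp6_seq_afinfo",
                     "tcp4_seq_afinfo"
                 ],
                 members=members,
                 ),

            dict(name="udp",
                 constant_type="udp_seq_afinfo",
                 global_vars=[
                     "udplite6_seq_afinfo",
                     "udp6_seq_afinfo",
                     "udplite4_seq_afinfo",
                     "udp4_seq_afinfo"
                 ],
                 members=members,
                 ),
        ]

    def check_members(self, struct, members):
        """Yields every non-null function pointer found in struct.

        No judgement about the pointer's target is made here; that happens
        in collect(), once the address has been resolved.

        Args:
          struct: The afinfo struct object to inspect.
          members: Member names to look up, possibly dotted
            (``seq_ops.<member>``, ``seq_fops.<member>``). Names that do not
            exist on this kernel's struct yield a falsy value from ``m()``
            and are skipped silently.

        Yields:
          ``(member, func)`` tuples, where ``func`` is the member
          dereferenced as a Function object named after the member.
        """
        for member in members:
            ptr = struct.m(member)
            if not ptr:
                continue

            # This is really a function pointer.
            func = ptr.dereference_as(target="Function",
                                      target_args=dict(name=member))

            yield member, func

    def check_functions(self, checks):
        """Applies the checks to the kernel and yields the results.

        Args:
          checks: The list produced by CreateChecks().

        Yields:
          ``(variable, member, func)`` tuples for each global variable in
          each check, with ``variable`` the kernel symbol name, ``member``
          the struct member and ``func`` the Function object it points to.
        """
        for check in checks:
            for variable in check["global_vars"]:
                var_ptr = self.profile.get_constant_object(
                    variable, target=check["constant_type"],
                    vm=self.kernel_address_space)

                for member, func in self.check_members(
                        var_ptr, check["members"]):
                    yield variable, member, func

    def collect(self):
        """Yields one result row per checked function pointer.

        Each pointer target is resolved with the session's address resolver.
        An empty resolution means nothing known covers that address, and the
        row is highlighted as ``important``. A pointer that resolves into a
        module is not highlighted, whatever the module is, so an unexpected
        name in the ``module`` column still needs to be reviewed by hand.
        """
        checks = self.CreateChecks()
        for variable, member, func in self.check_functions(checks):
            location = ", ".join(
                self.session.address_resolver.format_address(
                    func.obj_offset))

            # Point out suspicious constants: nothing known at this address.
            highlight = None if location else "important"

            yield dict(symbol=variable, member=member, address=func,
                       module=location, highlight=highlight)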