Source Code for Module rekall.plugins.linux.check_afinfo

  1  # Rekall Memory Forensics 
  2  # 
  3  # This file is part of Rekall Memory Forensics. 
  4  # Copyright 2013 Google Inc. All Rights Reserved. 
  5  # 
  6  # Rekall Memory Forensics is free software; you can redistribute it and/or 
  7  # modify it under the terms of the GNU General Public License Version 2 as 
  8  # published by the Free Software Foundation.  You may not use, modify or 
  9  # distribute this program under any other version of the GNU General Public 
 10  # License. 
 11  # 
 12  # Rekall Memory Forensics is distributed in the hope that it will be useful, 
 13  # but WITHOUT ANY WARRANTY; without even the implied warranty of 
 14  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 15  # GNU General Public License for more details. 
 16  # 
 17  # You should have received a copy of the GNU General Public License along with 
 18  # Rekall Memory Forensics.  If not, see <http://www.gnu.org/licenses/>. 
 19  # 
 20   
 21  """ 
 22  @author:       Michael Cohen (Based on original code by Andrew Case). 
 23  @license:      GNU General Public License 2.0 
 24  @contact:      scudette@gmail.com 
 25  """ 
 26  from rekall.plugins.linux import common 
 27   
 28   
 29 -class CheckAFInfo(common.LinuxPlugin): 
 30      """Verifies the operation function pointers of network protocols.""" 
 31   
 32      __name = "check_afinfo" 
 33   
 34      table_header = [ 
 35          dict(name="symbol", width=30), 
 36          dict(name="member", width=30), 
 37          dict(name="address", style="address"), 
 38          dict(name="module") 
 39      ] 
 40   
 41 -    def CreateChecks(self): 
 42          """Builds the sequence of function checks we need to look at. 
 43   
 44          We support multiple kernels by adding a bunch of function names which 
 45          may not exisit on the current kernel. This is expected as the code 
 46          simply ignores struct members which are not defined on this kernel. 
 47          """ 
 48          # Older kernels have the operations in the structs. 
 49          members = sorted(self.profile.file_operations().members.keys()) 
 50          if self.profile.has_type("seq_operations"): 
 51              # Newer kernels use seq_ops struct. 
 52              members.extend(["seq_ops.%s" % x 
 53                              for x in self.profile.seq_operations().members]) 
 54   
 55          if self.profile.has_type("file_operations"): 
 56              # Newer kernels use seq_ops struct. 
 57              members.extend(["seq_fops.%s" % x 
 58                              for x in self.profile.file_operations().members]) 
 59   
 60          return [ 
 61              dict(name="tcp", 
 62                   constant_type="tcp_seq_afinfo", 
 63                   global_vars=[ 
 64                       "tcp6_seq_afinfo", 
 65                       "tcp4_seq_afinfo" 
 66                   ], 
 67                   members=members, 
 68                  ), 
 69   
 70              dict(name="udp", 
 71                   constant_type="udp_seq_afinfo", 
 72                   global_vars=[ 
 73                       "udplite6_seq_afinfo", 
 74                       "udp6_seq_afinfo", 
 75                       "udplite4_seq_afinfo", 
 76                       "udp4_seq_afinfo" 
 77                   ], 
 78                   members=members, 
 79                  ), 
 80              ] 
 81   
 82 -    def check_members(self, struct, members): 
 83          """Yields struct members which are not known to exist in any module.""" 
 84          for member in members: 
 85              ptr = struct.m(member) 
 86              if not ptr: 
 87                  continue 
 88   
 89              # This is really a function pointer. 
 90              func = ptr.dereference_as(target="Function", 
 91                                        target_args=dict(name=member)) 
 92   
 93              yield member, func 
 94   
 95 -    def check_functions(self, checks): 
 96          """Apply the checks to the kernel and yields the results.""" 
 97          for check in checks: 
 98              for variable in check["global_vars"]: 
 99                  var_ptr = self.profile.get_constant_object( 
100                      variable, target=check["constant_type"], 
101                      vm=self.kernel_address_space) 
102   
103                  for member, func in self.check_members( 
104                          var_ptr, check["members"]): 
105                      yield variable, member, func 
106   
107 -    def collect(self): 
108          checks = self.CreateChecks() 
109          for variable, member, func in self.check_functions(checks): 
110              location = ", ".join( 
111                  self.session.address_resolver.format_address( 
112                      func.obj_offset)) 
113   
114              # Point out suspicious constants. 
115              highlight = None if location else "important" 
116   
117              yield dict(symbol=variable, member=member, address=func, 
118                         module=location, highlight=highlight) 
119