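# Rekall Memory Forensics
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright 2013 Google Inc. All Rights Reserved.
#
# This file is part of Rekall Memory Forensics.
#
# Rekall Memory Forensics is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Rekall Memory Forensics is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Rekall Memory Forensics. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""
from rekall.plugins.linux import common


class CheckCreds(common.LinProcessFilter):
    """Checks if any processes are sharing credential structures.

    One row is emitted per task that passes the process filter, paired
    with the ``cred`` structure its ``task_struct.cred`` points to.  Rows
    whose ``cred`` is referenced by more than one task get
    ``highlight="important"`` so an analyst reviews them first: under the
    kernel's normal copy-on-change handling each task ends up with its own
    ``cred``, so two tasks pointing at the same structure is a known
    artefact of in-kernel credential tampering.  NOTE(review): some
    sharing can be legitimate (e.g. threads of one thread group), so a
    highlighted row is a lead to triage, not a verdict.
    """

    __name = "check_creds"

    table_header = [
        dict(name="task", width=40),
        dict(name="cred", style="address"),
    ]

    @classmethod
    def is_active(cls, config):
        """Return whether this plugin applies to the loaded profile.

        The plugin requires a ``cred`` member on ``task_struct``; profiles
        whose ``get_obj_offset`` raises ``KeyError`` for it (kernels that
        predate the cred structure) are rejected.  A profile the base
        class rejects is rejected too (the original returned ``None`` in
        that case; ``False`` is equivalent for every truthiness caller).
        """
        if not super(CheckCreds, cls).is_active(config):
            return False
        try:
            # This only exists if the task_struct has a cred member.
            config.profile.get_obj_offset("task_struct", "cred")
        except KeyError:
            return False
        return True

    def collect(self):
        """Yield one row dict per filtered task, grouped by its cred.

        Tasks are bucketed by the value of ``task.cred`` (the pointer, so
        two tasks share a bucket only when their ``task_struct.cred``
        fields reference the same structure).  Every task in a bucket of
        size > 1 is yielded with ``highlight="important"``; all others
        with ``highlight=None``.
        """
        creds = {}
        for task in self.filter_processes():
            creds.setdefault(task.cred, []).append(task)

        # .items() rather than .iteritems() so the plugin also runs under
        # Python 3; the mapping is small, so materialising it is harmless.
        for cred, tasks in creds.items():
            highlight = "important" if len(tasks) > 1 else None
            for task in tasks:
                yield dict(cred=cred, task=task, highlight=highlight)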