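# Rekall Memory Forensics
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright 2013 Google Inc. All Rights Reserved.
#
# This file is part of Rekall Memory Forensics.
#
# Rekall Memory Forensics is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General Public
# License.
#
# Rekall Memory Forensics is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# Rekall Memory Forensics. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""
from rekall import testlib
from rekall.plugins.linux import common


# NOTE(review): the rendered listing dropped the class and `def` header
# lines; they are reconstructed here from the method names used in the
# bodies (CheckTable, CheckIDTTables) and Rekall's plugin conventions.
class CheckIdt(common.LinuxPlugin):
    """Check whether the Linux IDT has been altered.

    Every interrupt vector's handler address is resolved to a symbol; a
    handler that does not resolve into the kernel image is reported with a
    highlight so the analyst can inspect it.
    """

    __name = "check_idt"

    table_header = [
        dict(name="index", style="address"),
        dict(name="address", style="address"),
        dict(name="type", width=18, align="r"),
        dict(name="present", width=7, align="r"),
        dict(name="dpl", width=3, align="r"),
        dict(name="symbol")
    ]

    def CheckTable(self, table, check_indexes=None):
        """Walk an IDT table and yield each selected entry.

        Args:
            table: An IDT table object (an Array of gate_struct64 or
                desc_struct entries, as built by CheckIDTTables).
            check_indexes: Iterable of vector numbers to look at. Defaults
                to all 256 vectors (0..255). Caller-supplied values are not
                range-checked here.

        Yields:
            (index, entry) tuples, where entry is the raw gate/descriptor
            struct at that vector. Resolving the handler address to a
            symbol is done by collect(), not here.
        """
        if check_indexes is None:
            check_indexes = range(256)

        for i in check_indexes:
            entry = table[i]
            yield i, entry

    def CheckIDTTables(self):
        """Locate the kernel's idt_table and walk its 256 entries.

        The gate layout depends on the architecture
        (arch/x86/include/asm/desc_defs.h): desc_struct on I386,
        gate_struct64 otherwise.

        Returns:
            The (index, entry) generator produced by CheckTable. This method
            does not itself verify the handlers.
        """
        # arch/x86/include/asm/desc_defs.h
        # hw handlers + system call
        if self.profile.metadata('arch') == "I386":
            idt_type = "desc_struct"
        else:
            idt_type = "gate_struct64"

        # idt_table is defined in arch/x86/kernel/traps.c for 32-bit kernels
        # and in arch/x86/kernel/head_64.S on 64-bit kernels.
        # idt_table entries are set via the set_*_gate set of functions in
        # arch/x86/include/asm/desc.h.
        idt_table = self.profile.get_constant_object(
            "idt_table",
            target="Array",
            target_args=dict(
                target=idt_type,
                count=256)
        )

        return self.CheckTable(idt_table)

    def collect(self):
        """Render one row per IDT vector, flagging handlers outside the kernel.

        Each handler address is formatted through the session's address
        resolver. A row whose symbol does not start with "linux" (presumably
        the resolver's module name for the kernel image) gets
        highlight="important"; this also covers an address that resolves to
        nothing, since the joined symbol string is then empty. Handlers in a
        loaded module or in unbacked memory are thus surfaced for the
        analyst rather than judged here.

        Yields:
            dicts keyed by the table_header column names.
        """
        for (i, entry) in self.CheckIDTTables():
            symbol = ", ".join(
                self.session.address_resolver.format_address(
                    entry.address))

            # Highlight handlers that do not resolve into the kernel image
            # (including unresolved addresses, where symbol is "").
            highlight = None if symbol.startswith("linux") else "important"

            yield dict(index=i, address=entry.address, type=entry.gate_type,
                       present=entry.present, dpl=entry.dpl, symbol=symbol,
                       highlight=highlight)


# NOTE(review): original lines 101-105 are missing from this listing (the
# testlib import suggests a test-case class lived there); not reconstructed.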