
 1  # Rekall Memory Forensics 
 2  # Copyright (C) 2007-2013 Volatility Foundation 
 3  # Copyright 2013 Google Inc. All Rights Reserved. 
 4  # 
 5  # This file is part of Rekall Memory Forensics. 
 6  # 
 7  # Rekall Memory Forensics is free software; you can redistribute it and/or 
 8  # modify it under the terms of the GNU General Public License Version 2 as 
 9  # published by the Free Software Foundation.  You may not use, modify or 
10  # distribute this program under any other version of the GNU General Public 
11  # License. 
12  # 
13  # Rekall Memory Forensics is distributed in the hope that it will be useful, 
14  # but WITHOUT ANY WARRANTY; without even the implied warranty of 
15  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
16  # GNU General Public License for more details. 
17  # 
18  # You should have received a copy of the GNU General Public License along with 
19  # Rekall Memory Forensics.  If not, see <http://www.gnu.org/licenses/>. 
20   
21  """ 
22  @author:       Andrew Case 
23  @license:      GNU General Public License 2.0 
24  @contact:      atcuno@gmail.com 
25  @organization: 
26  """ 
27   
28  from rekall.plugins.overlays import basic 
29  from rekall.plugins.linux import common 
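class CheckModules(common.LinuxPlugin):
    """Compares the module list to sysfs info, if available.

    Sysfs contains kset objects for a number of kernel objects (kobjects). One
    of the ksets is the "module_kset" which holds references to all loaded
    kernel modules.

    Each struct module object holds within it a kobj struct for reference
    counting. This object is referenced both from the struct module and the
    sysfs kset.

    This plugin traverses the kset and resolves the kobj back to its containing
    object (which is the struct module itself). We then compare the struct
    module with the list of known modules (which is obtained by traversing the
    module's list member). So if a module were to simply unlink itself from the
    list, it would still be found by its reference from sysfs.

    Output columns:
      module:    the struct module recovered from the sysfs kobject.
      mod_name:  that module's name field.
      ref_count: the kobject's kref counter value.
      known:     True when the same struct module is also returned by the
                 lsmod plugin; False means the module is reachable from sysfs
                 but absent from the module list lsmod walks, which is the
                 unlinking case described above.
    """

    __name = "check_modules"

    # Kobjects whose kref counter is below this value are skipped in
    # collect() rather than reported. Per the original plugin, real modules
    # have at least 3 references in sysfs.
    MIN_SYSFS_REFCOUNT = 3

    table_header = [
        dict(name="module", style="address"),
        dict(name="mod_name", width=30),
        dict(name="ref_count", width=10, align="c"),
        dict(name="known"),
    ]

    @classmethod
    def is_active(cls, config):
        """Return the profile's "module_kset" constant, or False.

        The base class check runs first; when it fails the plugin is reported
        inactive explicitly instead of implicitly returning None. Otherwise
        the result is whatever the profile stores for "module_kset", with
        False as the default when the profile lacks it.
        """
        if not super(CheckModules, cls).is_active(config):
            return False
        return config.profile.get_constant("module_kset", False)

    def get_kset_modules(self):
        """Yield every named kobject linked into the kernel's module_kset.

        Entries whose name field is empty are skipped.
        """
        module_kset = self.profile.get_constant_object(
            "module_kset", target="kset", vm=self.kernel_address_space)

        for kobj in module_kset.list.list_of_type("kobject", "entry"):
            if kobj.name:
                yield kobj

    def collect(self):
        """Yield one row per module found through sysfs.

        Each row records whether that struct module is also present in the
        set produced by the lsmod plugin (the ``known`` column).
        """
        lsmod = self.session.plugins.lsmod(session=self.session)

        # We check the container module for membership so we do not get fooled
        # by simple name clashes.
        modules = set(lsmod.get_module_list())

        for kobj in self.get_kset_modules():
            ref_count = kobj.kref.refcount.counter

            # Real modules have at least 3 references in sysfs; kobjects below
            # the threshold are dropped here and never appear in the output.
            if ref_count < self.MIN_SYSFS_REFCOUNT:
                continue

            container_module = basic.container_of(kobj, "module", "mkobj")

            yield dict(module=container_module, mod_name=container_module.name,
                       ref_count=ref_count, known=container_module in modules)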