
Source Code for Module rekall.plugins.linux.check_tty

 1  # Rekall Memory Forensics 
 2  # 
 3  # Copyright 2013 Google Inc. All Rights Reserved. 
 4  # 
 5  # Rekall Memory Forensics is free software; you can redistribute it and/or 
 6  # modify it under the terms of the GNU General Public License Version 2 as 
 7  # published by the Free Software Foundation.  You may not use, modify or 
 8  # distribute this program under any other version of the GNU General Public 
 9  # License. 
10  # 
11  # Rekall Memory Forensics is distributed in the hope that it will be useful, 
12  # but WITHOUT ANY WARRANTY; without even the implied warranty of 
13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
14  # GNU General Public License for more details. 
15  # 
16  # You should have received a copy of the GNU General Public License along with 
17  # Rekall Memory Forensics.  If not, see <http://www.gnu.org/licenses/>. 
18  # 
19   
20  """ 
21  @author:       Joe Sylve 
22  @license:      GNU General Public License 2.0 
23  @contact:      joe.sylve@gmail.com 
24  @organization: 504ENSICS Labs 
25  """ 
26   
27  from rekall.plugins.linux import common 
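class CheckTTY(common.LinuxPlugin):
    """Checks tty devices for hooks.

    Some malware insert a hook into the ops struct of the tty driver. This
    plugin enumerates all tty_struct objects and checks if their ops handlers
    have been subverted.

    Only the line-discipline ``receive_buf`` handler (``tty.ldisc.ops``) is
    examined by this plugin; no other tty handler is inspected here. A handler
    whose address the session's address resolver cannot name is reported with
    the ``important`` highlight so the analyst can look at it.
    """
    __name = "check_ttys"

    table_header = [
        dict(name="name", width=16),
        dict(name="address", style="address"),
        dict(name="symbol", width=30)
    ]

    @classmethod
    def is_active(cls, session):
        """Return a truthy value when this plugin can run on the session.

        Older versions of linux do not have the ldisc.ops member, so the
        profile is probed for it in addition to the base-class check.
        """
        return (super(CheckTTY, cls).is_active(session) and
                session.profile.Object("tty_ldisc").m("ops"))

    def CheckTTYs(self):
        """Yield one dict per allocated tty: ``name``, ``address``, ``symbol``.

        Walks the kernel's ``tty_drivers`` list and, for every allocated tty
        of every driver, reads the ``receive_buf`` handler from the line
        discipline ops. ``address`` is that handler pointer and ``symbol`` is
        the resolver's rendering of it (treated as falsy by ``collect`` when
        the resolver has no name for it).
        """
        drivers_list = self.profile.get_constant_object(
            "tty_drivers", target="list_head", vm=self.kernel_address_space)

        resolver = self.session.address_resolver
        for driver in drivers_list.list_of_type("tty_driver", "tty_drivers"):
            for tty in driver.ttys:
                # Unallocated slots in the driver's tty table are skipped.
                if not tty:
                    continue

                # This is the method which receives input. It should be present
                # inside the tty driver.
                recv_buf = tty.ldisc.ops.receive_buf

                yield dict(
                    name=tty.name,
                    address=recv_buf,
                    symbol=resolver.format_address(recv_buf))

    def collect(self):
        """Yield table rows, highlighting handlers that resolve to no symbol.

        ``CheckTTYs`` yields dicts, so each row is read by key. Unpacking a
        three-key dict in the ``for`` target would bind the key names
        ("name", "address", "symbol") instead of the values, which made every
        row look resolved and hid the indicator this plugin exists to show.
        """
        for row in self.CheckTTYs():
            sym_name = row["symbol"]
            yield dict(name=row["name"], address=row["address"],
                       symbol=sym_name or "Unknown",
                       # No resolvable symbol for the handler address is the
                       # signal an analyst should look at, hence the highlight.
                       highlight=None if sym_name else "important")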