Trees       Indices       Help   
Rekall Memory Forensics
Package rekall :: Package plugins :: Package linux :: Module dmesg
[frames] | no frames]

Source Code for Module rekall.plugins.linux.dmesg

 1  # Rekall Memory Forensics 
 2  # 
 3  # Copyright 2013 Google Inc. All Rights Reserved. 
 4  # 
 5  # This program is free software; you can redistribute it and/or modify 
 6  # it under the terms of the GNU General Public License as published by 
 7  # the Free Software Foundation; either version 2 of the License, or (at 
 8  # your option) any later version. 
 9  # 
10  # This program is distributed in the hope that it will be useful, but 
11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
13  # General Public License for more details. 
14  # 
15  # You should have received a copy of the GNU General Public License 
16  # along with this program; if not, write to the Free Software 
17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
18   
19  """ 
20  @author:       Andrew Case 
21  @license:      GNU General Public License 2.0 or later 
22  @contact:      atcuno@gmail.com 
23  @organization: Digital Forensics Solutions 
24  """ 
25   
26  from rekall.plugins.linux import common 
27   
28   

29 -class LinuxDmesg(common.LinuxPlugin): 

30      '''Gathers dmesg buffer.''' 
31   
32      __name = "dmesg" 
33   
34      table_header = [ 
35          dict(name="timestamp", width=16), 
36          dict(name="facility", width=2), 
37          dict(name="level", width=2), 
38          dict(name="message", width=80) 
39      ] 
40   

41 -    def collect(self): 

42          if self.profile.get_obj_size("log"): 
43              # Linux 3.x uses a log struct to keep log messages. In this case the 
44              # log is a pointer to a variable length array of log messages. 
45              dmesg = self.profile.get_constant_object( 
46                  "log_buf", 
47                  vm=self.kernel_address_space, 
48                  target="Pointer", 
49                  target_args=dict( 
50                      target="ListArray", 
51                      target_args=dict( 
52                          target="log", 
53                          maximum_size=self.profile.get_constant("log_buf_len") 
54                          ) 
55                      ) 
56                  ) 
57   
58              for message in dmesg: 
59                  yield (message.ts_nsec / 1e9, message.facility, message.level, 
60                         message.message) 
61   
62          else: 
63              # Older kernels just use the area as a single unicode string. 
64              dmesg = self.profile.get_constant_object( 
65                  "log_buf", 
66                  vm=self.kernel_address_space, 
67                  target="Pointer", 
68                  target_args=dict( 
69                      target="UnicodeString", 
70                      target_args=dict( 
71                          length=int(self.profile.get_constant_object( 
72                              "log_buf_len", target="unsigned int")) 
73                          ) 
74                      ) 
75                  ) 
76   
77              yield dict(message=dmesg.deref()) 

78

   Trees       Indices       Help   
Rekall Memory Forensics
Generated by Epydoc 3.0.1 on Mon Oct 9 03:29:49 2017 http://epydoc.sourceforge.net