
 1  # Rekall Memory Forensics 
 2  # 
 3  # Copyright 2013 Google Inc. All Rights Reserved. 
 4  # 
 5  # This program is free software; you can redistribute it and/or modify 
 6  # it under the terms of the GNU General Public License as published by 
 7  # the Free Software Foundation; either version 2 of the License, or (at 
 8  # your option) any later version. 
 9  # 
10  # This program is distributed in the hope that it will be useful, but 
11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
13  # General Public License for more details. 
14  # 
15  # You should have received a copy of the GNU General Public License 
16  # along with this program; if not, write to the Free Software 
17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
18   
19  """ 
20  @author:       Andrew Case 
21  @license:      GNU General Public License 2.0 or later 
22  @contact:      atcuno@gmail.com 
23  @organization: Digital Forensics Solutions 
24  """ 
25   
26  from rekall.plugins.linux import common 
27   
28   
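class LinuxDmesg(common.LinuxPlugin):
    '''Gathers dmesg buffer.

    Reads the kernel log ring buffer (``log_buf``) out of the kernel address
    space of the memory image.  Two layouts are handled:

    * Profiles that define a ``log`` struct (Linux 3.x): ``log_buf`` points to
      a packed, variable-length array of ``log`` records.
    * Older profiles with no ``log`` struct: ``log_buf`` points to a single
      run of text.

    In both cases the walk is bounded by the kernel variable ``log_buf_len``,
    read as the *contents* of that symbol (not the symbol's address), so the
    parser stays inside the log area and cannot be led further into kernel
    memory by a corrupt or truncated record.
    '''

    __name = "dmesg"

    table_header = [
        dict(name="timestamp", width=16),
        dict(name="facility", width=2),
        dict(name="level", width=2),
        dict(name="message", width=80)
    ]

    def _log_buf_len(self):
        """Return the value of the kernel's ``log_buf_len`` variable as an int.

        ``get_constant`` resolves a symbol name to an address, which is what
        the ``log_buf`` lookups below rely on.  The size of the ring buffer,
        however, is the value stored at the ``log_buf_len`` symbol, so it has
        to be read as an ``unsigned int`` object — the same way the legacy
        single-string branch has always read it.  Both branches now share
        this one read so they cannot drift apart again.
        """
        return int(self.profile.get_constant_object(
            "log_buf_len", target="unsigned int"))

    def collect(self):
        """Yield one row per log entry.

        Rows for the ``log``-struct layout are ``(timestamp, facility, level,
        message)`` tuples, matching ``table_header`` positionally.  For the
        legacy single-string layout only the ``message`` column can be
        populated, so a one-key dict is yielded and the other columns stay
        empty.
        """
        log_buf_len = self._log_buf_len()

        if self.profile.get_obj_size("log"):
            # Linux 3.x uses a log struct to keep log messages. In this case the
            # log is a pointer to a variable length array of log messages.
            # maximum_size caps the ListArray walk at the ring buffer size so
            # the iteration ends at the buffer boundary even if a record's
            # length field is damaged.
            dmesg = self.profile.get_constant_object(
                "log_buf",
                vm=self.kernel_address_space,
                target="Pointer",
                target_args=dict(
                    target="ListArray",
                    target_args=dict(
                        target="log",
                        maximum_size=log_buf_len
                    )
                )
            )

            for message in dmesg:
                # ts_nsec is a nanosecond timestamp; the table reports seconds.
                yield (message.ts_nsec / 1e9, message.facility, message.level,
                       message.message)

        else:
            # Older kernels just use the area as a single unicode string.
            dmesg = self.profile.get_constant_object(
                "log_buf",
                vm=self.kernel_address_space,
                target="Pointer",
                target_args=dict(
                    target="UnicodeString",
                    target_args=dict(length=log_buf_len)
                )
            )

            yield dict(message=dmesg.deref())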