

  1  # Rekall Memory Forensics 
  2  # 
  3  # Copyright 2013 Google Inc. All Rights Reserved. 
  4  # 
  5  # This program is free software; you can redistribute it and/or modify 
  6  # it under the terms of the GNU General Public License as published by 
  7  # the Free Software Foundation; either version 2 of the License, or (at 
  8  # your option) any later version. 
  9  # 
 10  # This program is distributed in the hope that it will be useful, but 
 11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 13  # General Public License for more details. 
 14  # 
 15  # You should have received a copy of the GNU General Public License 
 16  # along with this program; if not, write to the Free Software 
 17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 18   
 19  """ 
 20  @author:       Andrew Case 
 21  @license:      GNU General Public License 2.0 or later 
 22  @contact:      atcuno@gmail.com 
 23  @organization: Digital Forensics Solutions 
 24  """ 
 25  from rekall.plugins.linux import common 
 26   
 27   
 28   
class Lsmod(common.LinuxPlugin):
    '''Gathers loaded kernel modules.'''
    name = "lsmod"

    table_header = [
        {"name": "virtual", "style": "address"},
        {"name": "start", "style": "address"},
        {"name": "size", "width": 10},
        {"name": "name", "width": 20},
    ]

    def get_module_list(self):
        """Yield every ``module`` struct linked into the kernel ``modules`` list.

        Only this list is walked, so a module that has been unlinked from it
        does not appear here.
        """
        list_head = self.profile.get_constant_object(
            "modules", target="list_head", vm=self.kernel_address_space)

        # Follow the ``list`` member of each ``module`` entry.
        for entry in list_head.list_of_type("module", "list"):
            yield entry

    def collect(self):
        """Yield one (virtual, start, size, name) row per loaded module."""
        for module in self.get_module_list():
            row = (module.obj_offset, module.base, module.size, module.name)
            yield row
class LsmodSections(common.LinuxPlugin):
    """Display all the ELF sections of kernel modules."""

    name = "lsmod_sections"

    table_header = [
        {"name": "name", "width": 20},
        {"name": "section", "width": 30},
        {"name": "address", "style": "address"},
    ]

    def get_module_sections(self, module):
        """Yield the ``sect_attrs.attrs[i]`` entries of *module* in index order.

        The entry count comes from ``sect_attrs.nsections`` as stored in the
        image.
        """
        sect_attrs = module.sect_attrs
        for index in range(sect_attrs.nsections):
            yield sect_attrs.attrs[index]

    def collect(self):
        """Yield (module name, section name, section address) rows."""
        module_iter = self.session.plugins.lsmod().get_module_list()
        for module in module_iter:
            for attr in self.get_module_sections(module):
                yield (module.name, attr.name.deref(), attr.address)
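class Lsmod_parameters(common.LinuxPlugin):
    """Display parameters for all kernel modules."""
    name = "lsmod_parameters"

    # Getter symbol -> (target type, target args) handed to dereference_as()
    # when decoding a scalar parameter.
    _arg_lookuptable = {
        "linux!param_get_bool": ("bool", {}),
        "linux!param_get_byte": ("char", {}),
        "linux!param_get_charp": ("Pointer", dict(target="String")),
        "linux!param_get_int": ("int", {}),
        "linux!param_get_invbool": ("byte", {}),
        "linux!param_get_long": ("long", {}),
        "linux!param_get_short": ("short", {}),
        "linux!param_get_uint": ("unsigned int", {}),
        "linux!param_get_ulong": ("unsigned long", {}),
        "linux!param_get_ushort": ("unsigned short", {}),
    }

    table_header = [
        dict(name="name", width=20),
        dict(name="key", width=40),
        dict(name="value", width=20)
    ]

    def __init__(self, *args, **kwargs):
        """Build ``self.arg_lookuptable``: getter address -> decoder pair.

        Each symbol in ``_arg_lookuptable`` is resolved through the session's
        address resolver. A symbol the profile does not know is skipped with
        a debug log entry rather than dropped silently, so an undecoded
        parameter can be traced back to the missing getter.
        """
        super(Lsmod_parameters, self).__init__(*args, **kwargs)
        self.arg_lookuptable = {}
        resolver = self.session.address_resolver
        for symbol, decoder in self._arg_lookuptable.items():
            try:
                address = resolver.get_constant_object(
                    symbol, "Function").obj_offset
            except ValueError:
                # Best effort: not every profile carries every getter.
                self.session.logging.debug(
                    "Parameter getter %s not in profile, skipping", symbol)
                continue
            self.arg_lookuptable[address] = decoder

    def _decode_array(self, array, lookup):
        """Decode a ``param_array_get`` parameter into a comma-joined string.

        *lookup* is the (type, type args) pair registered for the element
        getter; only the type is used here. ``array.elemsize`` is non-zero
        when this is called.
        """
        param_type, _ = lookup
        result = []
        offset = array.elem.deref().obj_offset
        # Prefer the count behind ``num``; fall back to ``max`` when it is
        # absent or zero.
        number_of_elements = array.num.deref() or array.max
        # NOTE(review): number_of_elements is read from the image, so a
        # corrupted value makes this loop proportionally long; a cap would
        # be a reasonable hardening step.
        while len(result) < number_of_elements:
            result.append(
                self.profile.Object(param_type, offset=offset,
                                    vm=self.kernel_address_space))
            offset += array.elemsize

        return ",".join(str(x) for x in result)

    def get_module_parameters(self, module):
        """Yield (name, value) for every kernel parameter of *module*.

        The value is decoded according to the parameter's getter: scalar
        getters from ``arg_lookuptable``, ``param_get_string`` and
        ``param_array_get`` are understood; for any other getter the value
        is the formatted getter address.
        """
        for kernel_param in module.m("kp"):
            getter_function = self.profile.Function(
                offset=kernel_param.getter_addr,
                vm=self.kernel_address_space)

            value = None
            lookup = self.arg_lookuptable.get(kernel_param.getter_addr)
            if lookup:
                param_type, type_args = lookup

                # The arg type is a pointer to a basic type.
                value = kernel_param.m("u1").arg.dereference_as(
                    target=param_type, target_args=type_args)

            elif getter_function == self.profile.get_constant_object(
                    "param_get_string", target="Function",
                    vm=self.kernel_address_space):

                value = kernel_param.m("u1").str.deref().v()

            # It is an array of values.
            elif getter_function == self.profile.get_constant_object(
                    "param_array_get", target="Function",
                    vm=self.kernel_address_space):

                array = kernel_param.m("u1").arr

                getter_function = self.profile.Function(
                    offset=array.getter_addr, vm=self.kernel_address_space)

                # arg_lookuptable is keyed by address (see __init__), so look
                # the element getter up by its address, as the scalar case
                # above does, rather than by the Function object.
                lookup = self.arg_lookuptable.get(array.getter_addr)
                if lookup and array.elemsize:
                    value = self._decode_array(array, lookup)
            else:
                self.session.logging.debug("Unknown function getter %r",
                                           getter_function)
                value = self.session.address_resolver.format_address(
                    getter_function)

            yield kernel_param.name.deref(), value

    def collect(self):
        """Yield (module name, parameter name, decoded value) rows."""
        lsmod = self.session.plugins.lsmod()
        for module in lsmod.get_module_list():
            for key, value in self.get_module_parameters(module):
                yield (module.name, key, value)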
class Moddump(common.LinuxPlugin):
    '''Dumps loaded kernel modules.'''
    __name = "moddump"

    __args = [
        dict(name="dump_dir", help="Dump directory.",
             required=True),

        dict(name="regexp", default=None, type="RegEx",
             help="Regexp on the module name.")
    ]

    def _matches_filter(self, module):
        """Return True when *module* passes the optional ``regexp`` filter.

        Without a regexp every module matches; with one, a module must have
        a name and that name must match.
        """
        regexp = self.plugin_args.regexp
        if not regexp:
            return True
        if not module.name:
            return False
        return bool(regexp.search(module.name))

    def dump_module(self, module):
        """Return the raw bytes of *module*: ``module.size`` bytes from ``module.base``."""
        start = int(module.base)
        return module.obj_vm.read(start, module.size)

    def render(self, renderer):
        """Write each selected module to ``<name>.<base>.lkm`` under ``dump_dir``."""
        lsmod_plugin = self.session.plugins.lsmod(session=self.session)
        for module in lsmod_plugin.get_module_list():
            if not self._matches_filter(module):
                continue

            # NOTE(review): module.name is read from the image; this relies on
            # renderer.open() keeping the file inside dump_dir -- confirm it
            # rejects path separators in filename.
            file_name = "{0}.{1:#x}.lkm".format(module.name,
                                                module.base)
            with renderer.open(directory=self.plugin_args.dump_dir,
                               filename=file_name,
                               mode="wb") as mod_file:
                mod_file.write(self.dump_module(module))
                # NOTE(review): the reported count is module.size, not the
                # length of the data actually read -- confirm read() always
                # returns the full range.
                renderer.format("Wrote {0} bytes to {1}\n",
                                module.size, file_name)