1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 """
20 @author: Andrew Case
21 @license: GNU General Public License 2.0 or later
22 @contact: atcuno@gmail.com
23 @organization: Digital Forensics Solutions
24 """
25 from rekall.plugins.linux import common
26
27
28
29 -class Lsmod(common.LinuxPlugin):
30 '''Gathers loaded kernel modules.'''
31 name = "lsmod"
32
33 table_header = [
34 dict(name="virtual", style="address"),
35 dict(name="start", style="address"),
36 dict(name="size", width=10),
37 dict(name="name", width=20)
38 ]
39
47
49 for module in self.get_module_list():
50 yield (module.obj_offset,
51 module.base,
52 module.size,
53 module.name)
54
55
57 """Display all the ELF sections of kernel modules."""
58
59 name = "lsmod_sections"
60
61 table_header = [
62 dict(name="name", width=20),
63 dict(name="section", width=30),
64 dict(name="address", style="address")
65 ]
66
68 num_sects = module.sect_attrs.nsections
69 for i in range(num_sects):
70 section_attr = module.sect_attrs.attrs[i]
71 yield section_attr
72
79
81 """Display parameters for all kernel modules."""
82 name = "lsmod_parameters"
83
84 _arg_lookuptable = {
85 "linux!param_get_bool": ("bool", {}),
86 "linux!param_get_byte": ("char", {}),
87 "linux!param_get_charp": ("Pointer", dict(target="String")),
88 "linux!param_get_int": ("int", {}),
89 "linux!param_get_invbool": ("byte", {}),
90 "linux!param_get_long": ("long", {}),
91 "linux!param_get_short": ("short", {}),
92 "linux!param_get_uint": ("unsigned int", {}),
93 "linux!param_get_ulong": ("unsigned long", {}),
94 "linux!param_get_ushort": ("unsigned short", {}),
95 }
96
97 table_header = [
98 dict(name="name", width=20),
99 dict(name="key", width=40),
100 dict(name="value", width=20)
101 ]
102
114
116 for kernel_param in module.m("kp"):
117 getter_function = self.profile.Function(
118 offset=kernel_param.getter_addr,
119 vm=self.kernel_address_space)
120
121 value = None
122 lookup = self.arg_lookuptable.get(kernel_param.getter_addr)
123 if lookup:
124 type, args = lookup
125
126
127 value = kernel_param.m("u1").arg.dereference_as(
128 target=type, target_args=args)
129
130 elif getter_function == self.profile.get_constant_object(
131 "param_get_string", target="Function",
132 vm=self.kernel_address_space):
133
134 value = kernel_param.m("u1").str.deref().v()
135
136
137 elif getter_function == self.profile.get_constant_object(
138 "param_array_get", target="Function",
139 vm=self.kernel_address_space):
140
141 array = kernel_param.m("u1").arr
142
143 getter_function = self.profile.Function(
144 offset=array.getter_addr, vm=self.kernel_address_space)
145
146
147 lookup = self.arg_lookuptable.get(getter_function)
148 if lookup and array.elemsize:
149
150
151 type, args = lookup
152 result = []
153 offset = array.elem.deref().obj_offset
154 number_of_elements = array.num.deref() or array.max
155 while len(result) < number_of_elements:
156 result.append(
157 self.profile.Object(type, offset=offset,
158 vm=self.kernel_address_space))
159 offset += array.elemsize
160
161 value = ",".join([str(x) for x in result])
162 else:
163 self.session.logging.debug("Unknown function getter %r",
164 getter_function)
165 value = self.session.address_resolver.format_address(
166 getter_function)
167
168 yield kernel_param.name.deref(), value
169
175
176
178 '''Dumps loaded kernel modules.'''
179 __name = "moddump"
180
181 __args = [
182 dict(name="dump_dir", help="Dump directory.",
183 required=True),
184
185 dict(name="regexp", default=None, type="RegEx",
186 help="Regexp on the module name.")
187 ]
188
190 module_start = int(module.base)
191 return module.obj_vm.read(module_start, module.size)
192
213