
 1  # Rekall Memory Forensics 
 2  # 
 3  # Copyright (C) 2007-2013 Volatility Foundation 
 4  # Copyright 2013 Google Inc. All Rights Reserved. 
 5  # 
 6  # This file is part of Rekall Memory Forensics. 
 7  # 
 8  # Rekall Memory Forensics is free software; you can redistribute it and/or modify 
 9  # it under the terms of the GNU General Public License Version 2 as 
10  # published by the Free Software Foundation.  You may not use, modify or 
11  # distribute this program under any other version of the GNU General 
12  # Public License. 
13  # 
14  # Rekall Memory Forensics is distributed in the hope that it will be useful, 
15  # but WITHOUT ANY WARRANTY; without even the implied warranty of 
16  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
17  # GNU General Public License for more details. 
18  # 
19  # You should have received a copy of the GNU General Public License along 
20  # with Rekall Memory Forensics.  If not, see <http://www.gnu.org/licenses/>. 
21  # 
22   
23  """ 
24  @author:       Andrew Case 
25  @license:      GNU General Public License 2.0 
26  @contact:      atcuno@gmail.com 
27  @organization: 
28  """ 
29   
30  from rekall import testlib 
31  from rekall.plugins.linux import common 
class Lsof(common.LinProcessFilter):
    """List the open file descriptors of each filtered process.

    For every task that passes the process filter, one divider row carrying
    the task is emitted, followed by one row per open file with the
    descriptor number, the file_struct it points to, the file size, the
    current offset, the inode number and the resolved path. Descriptor slots
    whose file pointer dereferences to a falsy value (a null slot or,
    presumably, one that could not be read from the image) are skipped, so
    the remaining entries of a partially readable fd table are still listed.
    """

    __name = "lsof"

    table_header = [
        dict(name="divider", type="Divider"),
        dict(name="proc", hidden=True),
        dict(name="file_struct", hidden=True),
        dict(name="name", width=30),
        dict(name="pid", width=6, align="r"),
        dict(name="user", width=8),
        dict(name="fd", width=4),
        dict(name="size", width=12),
        dict(name="offset", width=12),
        dict(name="node", width=8),
        dict(name="path"),
    ]

    def get_open_files(self, task):
        """Yield (file_struct, fd) pairs for every open file of *task*.

        The descriptor number a user-space program sees is just the index of
        the slot in the task's fd array, so enumerate() supplies it directly.
        Slots whose pointer dereferences to a falsy value are skipped.
        """
        for fd_number, file_ptr in enumerate(task.files.fds):
            file_struct = file_ptr.deref()
            if not file_struct:
                continue
            yield file_struct, fd_number

    def lsof(self):
        """Yield (task, file_struct, fd) for each open file of each filtered process."""
        for task in self.filter_processes():
            for file_struct, fd_number in self.get_open_files(task):
                yield task, file_struct, fd_number

    def _file_row(self, task, file_struct, fd_number):
        """Build the table row describing one open file of *task*."""
        # NOTE(review): file_struct.m(...) looks like a dotted member lookup;
        # size and node come from the dentry's inode, offset from f_pos --
        # confirm against the struct profile in use.
        return dict(
            proc=task,
            name=task.comm,
            pid=task.pid,
            user=task.uid,
            fd=fd_number,
            file_struct=file_struct,
            size=file_struct.m("f_path.dentry.d_inode.i_size"),
            offset=file_struct.m("f_pos"),
            node=file_struct.m("f_path.dentry.d_inode.i_ino"),
            path=task.get_path(file_struct),
        )

    def collect(self):
        """Emit one divider row per filtered task, then one row per open file."""
        for task in self.filter_processes():
            yield dict(divider=task)
            for file_struct, fd_number in self.get_open_files(task):
                yield self._file_row(task, file_struct, fd_number)
81
class TestLsof(testlib.SimpleTestCase):
    """Smoke test for the lsof plugin, run against processes named bash."""

    # Command line under test; proc_name is presumably substituted into the
    # --proc_regex argument by the test harness.
    PARAMETERS = {
        "commandline": "lsof --proc_regex %(proc_name)s",
        "proc_name": "bash",
    }

    @classmethod
    def is_active(cls, session):
        """Run this test exactly when the Lsof plugin is active for *session*."""
        return Lsof.is_active(session)
92