
  1  # Rekall Memory Forensics 
  2  # 
  3  # Copyright 2015 Google Inc. All Rights Reserved. 
  4  # 
  5  # This program is free software; you can redistribute it and/or modify 
  6  # it under the terms of the GNU General Public License as published by 
  7  # the Free Software Foundation; either version 2 of the License, or (at 
  8  # your option) any later version. 
  9  # 
 10  # This program is distributed in the hope that it will be useful, but 
 11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 13  # General Public License for more details. 
 14  # 
 15  # You should have received a copy of the GNU General Public License 
 16  # along with this program; if not, write to the Free Software 
 17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 18  """Miscelaneous information gathering plugins.""" 
 19   
 20  __author__ = "Michael Cohen <scudette@google.com>" 
 21   
 22  import hashlib 
 23  from rekall import obj 
 24  from rekall.plugins import core 
 25  from rekall.plugins.linux import common 
 26   
class LinuxSetProcessContext(core.SetProcessContextMixin,
                             common.LinProcessFilter):
    """The ``cc`` (set process context) plugin for Linux.

    The behaviour comes from core.SetProcessContextMixin; the Linux-specific
    part is the process selection inherited from common.LinProcessFilter.
    """
class LinVtoP(core.VtoPMixin, common.LinProcessFilter):
    """Describe virtual to physical translation on Linux platforms.

    The translation logic lives in core.VtoPMixin; common.LinProcessFilter
    supplies the Linux process selection.
    """
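class LinuxHighestUserAddress(common.AbstractLinuxParameterHook):
    """The highest address for user mode/kernel mode division.

    Exposed as the session parameter ``highest_usermode_address``.
    """

    name = "highest_usermode_address"

    def calculate(self):
        """Return TASK_SIZE_MAX for the profile's architecture.

        Returns:
            On I386 and ARM the ``linux_page_offset`` session parameter. On
            AMD64 the kernel constant ``(1 << 47) - PAGE_SIZE``. For any other
            architecture the full 64-bit range (``2**64``) after logging a
            warning; that fallback excludes nothing from user space, so code
            that relies on an exact user/kernel boundary gets no separation
            on such profiles.
        """
        arch = self.session.profile.metadata("arch")
        if arch in ("I386", "ARM"):
            return self.session.GetParameter("linux_page_offset")
        if arch == "AMD64":
            # #define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
            return (1 << 47) - 0x1000
        # Unknown architecture: fall back to the whole address space.
        # logging.warn() is a deprecated alias of warning().
        self.session.logging.warning("Set TASK_SIZE_MAX for arch %s", arch)
        return 2**64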
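class LinImageFingerprint(common.AbstractLinuxParameterHook):
    """Fingerprint the current image.

    This parameter tries to get something unique about the image quickly. The
    idea is that two different images (even of the same system at different
    points in time) will have very different fingerprints. The fingerprint is
    used as a key to cache persistent information about the system.

    Live systems can not have a stable fingerprint and so return a NoneObject()
    here.

    calculate() returns a dict::

        {"hash": <sha1 hex digest over the tests list>,
         "tests": [(physical_offset, expected_data), ...]}

    The tests list uniquely identifies the image. If one were to read all
    physical offsets and find the expected_data at these locations, then we
    have a very high level of confidence that the image is unique and matches
    the fingerprint. The hash is only an identifier derived from that list
    (a cache key), not a tamper-evidence mechanism: whoever can rewrite the
    probed bytes of an image can reproduce its fingerprint.
    """
    name = "image_fingerprint"

    def calculate(self):
        """Collect (physical_offset, expected_data) probes and hash them.

        Returns:
            None when the session has no physical address space, a
            NoneObject for volatile (live) images, otherwise a dict with
            ``hash`` (sha1 hex digest over the probe list) and ``tests``
            (the probe list itself).
        """
        physical_as = self.session.physical_address_space
        if not physical_as:
            return None

        if physical_as.volatile:
            return obj.NoneObject("No fingerprint for volatile image.")

        profile = self.session.profile
        address_space = self.session.GetParameter("default_address_space")

        # The linux_banner kernel constant.
        banner = profile.get_constant_object("linux_banner", "String")
        result = [(address_space.vtop(banner.obj_offset), banner.v())]

        # Current system tick count, read as 8 bytes with no terminator so
        # the probe compares exact memory contents.
        jiffies = profile.get_constant_object("jiffies", "String",
                                              dict(length=8, term=None))
        result.append((address_space.vtop(jiffies.obj_offset), jiffies.v()))

        # List of processes should also be pretty unique.
        for task in self.session.plugins.pslist().filter_processes():
            name = task.name.cast("String", length=30)
            task_name_offset = address_space.vtop(name.obj_offset)

            # Read the raw data for the task name. Usually the task name is
            # encoded in utf8 but then we might not be able to compare it
            # exactly - we really want bytes here.
            result.append((task_name_offset, name.v()))

        # repr() of the probe list yields the same ASCII text that the
        # Python 2-only unicode() builtin produced (unicode(list) goes via
        # the list's repr), so previously computed cache keys are unchanged
        # while the name resolves on Python 3 as well.
        digest = hashlib.sha1(repr(result).encode("utf8")).hexdigest()
        return dict(hash=digest, tests=result)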