

 1  # Rekall Memory Forensics 
 2  # 
 3  # Copyright 2014 Google Inc. All Rights Reserved. 
 4  # 
 5  # This program is free software; you can redistribute it and/or modify 
 6  # it under the terms of the GNU General Public License as published by 
 7  # the Free Software Foundation; either version 2 of the License, or (at 
 8  # your option) any later version. 
 9  # 
10  # This program is distributed in the hope that it will be useful, but 
11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
13  # General Public License for more details. 
14  # 
15  # You should have received a copy of the GNU General Public License 
16  # along with this program; if not, write to the Free Software 
17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
18   
19  from rekall.plugins.linux import common 
20   
21   
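class NotifierChainPlugin(common.LinuxPlugin):
    """Outputs and verifies kernel notifier chains.

    Walks the ``atomic_notifier_head`` lists named in ``_chains`` and prints
    one row per registered ``notifier_block``, resolving each callback
    address through the session's address resolver.  A callback whose
    address does not resolve to a known symbol is the row worth inspecting,
    since notifier chains are a classic place to register a hidden hook.
    """

    # Plugin registration name (name-mangled; read by the plugin framework).
    __name = "notifier_chains"

    # Kernel constants (of type atomic_notifier_head) whose chains are walked.
    _chains = ["vt_notifier_list",
               "keyboard_notifier_list",
               ]

    def walk_chain(self, chain_symbol):
        """Return an iterator over the notifier_block entries of one chain.

        Args:
          chain_symbol: name of a kernel constant of type
            ``atomic_notifier_head``.

        Returns:
          The result of ``walk_list("next")`` on the chain's ``head``
          pointer, i.e. every ``notifier_block`` reachable from the head.
        """
        chain = self.session.profile.get_constant_object(
            chain_symbol,
            target="atomic_notifier_head",
            vm=self.kernel_address_space)

        return chain.head.walk_list("next")

    def walk_chains(self):
        """Yield ``(chain_symbol, index, notifier_block)`` for every chain.

        ``index`` is the position of the block within its chain, starting
        at zero.
        """
        for chain_symbol in self._chains:
            for index, item in enumerate(self.walk_chain(chain_symbol)):
                yield (chain_symbol, index, item)

    def render(self, renderer):
        """Render one table row per notifier_block found on the chains.

        Args:
          renderer: the session renderer; receives ``table_header`` once and
            ``table_row`` per notifier block.
        """
        # NOTE(review): the first and last columns share the cname "symbol";
        # kept as-is for output compatibility, but renderers that key on
        # cname may conflate them — consider "chain_symbol" for the first.
        renderer.table_header([("Chain symbol", "symbol", ">25"),
                               ("Index", "index", ">5"),
                               ("Priority", "prio", ">8"),
                               ("Address", "address", "[addrpad]"),
                               ("Module", "module", "20"),
                               ("Symbol", "symbol", "40"),
                               ])

        for chain_symbol, index, notifier_block in self.walk_chains():
            # Resolve the callback address to a printable symbol.  The
            # original rebound the loop's chain-symbol name here, which
            # printed the resolved callback in the "Chain symbol" column
            # and lost the chain name; keep the two values distinct.
            call_symbol = self.session.address_resolver.format_address(
                notifier_block.notifier_call)

            # NOTE(review): the original referenced an unbound name
            # (`related_module`) for this column, raising NameError on the
            # first row.  The module lookup is not on this page; TODO confirm
            # which address-resolver call supplies the containing module and
            # populate this column from it.
            module_name = ""

            renderer.table_row(chain_symbol,
                               index, notifier_block.priority,
                               notifier_block.notifier_call,
                               module_name, call_symbol)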
60