

  1  # Rekall Memory Forensics 
  2  # 
  3  # Copyright 2013 Google Inc. All Rights Reserved. 
  4  # 
  5  # This program is free software; you can redistribute it and/or modify 
  6  # it under the terms of the GNU General Public License as published by 
  7  # the Free Software Foundation; either version 2 of the License, or (at 
  8  # your option) any later version. 
  9  # 
 10  # This program is distributed in the hope that it will be useful, but 
 11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 13  # General Public License for more details. 
 14  # 
 15  # You should have received a copy of the GNU General Public License 
 16  # along with this program; if not, write to the Free Software 
 17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 18   
 19  """ 
 20  @author:       Andrew Case 
 21  @license:      GNU General Public License 2.0 or later 
 22  @contact:      atcuno@gmail.com 
 23  @organization: Digital Forensics Solutions 
 24  """ 
 25  from rekall import testlib 
 26  from rekall_lib import utils 
 27  from rekall.plugins import core 
 28  from rekall.plugins.addrspaces import intel 
 29  from rekall.plugins.common import pfn 
 30  from rekall.plugins.linux import common 
 31   
 32   
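class ProcMaps(common.LinProcessFilter):
    """Gathers process maps for linux.

    Walks the ``mm->mmap`` VMA list of every selected task and emits one row
    per VMA in the style of ``/proc/<pid>/maps``: address range, flags, file
    offset, backing device/inode and a path. Anonymous VMAs carry no path but
    are labelled ``[heap]`` or ``[stack]`` when they span the task's brk or
    stack pointers.
    """

    __name = "maps"

    # Shift applied to vm_pgoff (a page index) to get a byte offset; the
    # original hard-coded ``<< 12``, i.e. 4 KiB pages.
    PAGE_SHIFT = 12

    table_header = [
        dict(name="divider", type="Divider"),
        dict(name="task", hidden=True),
        dict(name="start", style="address"),
        dict(name="end", style="address"),
        dict(name="flags", width=6),
        dict(name="pgoff", style="address"),
        dict(name="major", width=6),
        dict(name="minor", width=6),
        dict(name="inode", width=13),
        dict(name="file_path"),
    ]

    def collect(self):
        """Yield a divider per task followed by one row per VMA.

        Yields:
            dict: either ``{"divider": ...}`` introducing a task, or a row
            keyed as declared in ``table_header``. Tasks without an ``mm``
            (kernel threads) are skipped.
        """
        for task in self.filter_processes():
            if not task.mm:
                continue

            yield dict(divider="Proc %s (%s)" % (task.name, task.pid))

            for vma in task.mm.mmap.walk_list("vm_next"):
                yield self._vma_row(task, vma)

    def _vma_row(self, task, vma):
        """Build the output row for one VMA of *task*.

        File-backed mappings report the inode's device/number, the byte
        offset into the file and the resolved path. The heap/stack labels
        are only computed for anonymous mappings so the resolved path of a
        file-backed VMA is never overwritten.
        """
        if vma.vm_file:
            inode = vma.vm_file.dentry.d_inode
            major, minor = inode.i_sb.major, inode.i_sb.minor
            ino = inode.i_ino
            pgoff = vma.vm_pgoff << self.PAGE_SHIFT
            fname = task.get_path(vma.vm_file)
        else:
            major = minor = ino = pgoff = 0
            fname = self._anonymous_label(task.mm, vma)

        return dict(task=task,
                    start=vma.vm_start,
                    end=vma.vm_end,
                    flags=vma.vm_flags,
                    pgoff=pgoff,
                    major=major,
                    minor=minor,
                    inode=ino,
                    file_path=fname)

    @staticmethod
    def _anonymous_label(mm, vma):
        """Return "[heap]", "[stack]" or "" for an anonymous VMA.

        A VMA that contains the whole brk region (start_brk..brk) is the
        heap; one that contains start_stack is the stack. Anything else gets
        an empty path, matching the original output.
        """
        if vma.vm_start <= mm.start_brk and vma.vm_end >= mm.brk:
            return "[heap]"
        if vma.vm_start <= mm.start_stack and vma.vm_end >= mm.start_stack:
            return "[stack]"
        return ""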
class TestProcMaps(testlib.SimpleTestCase):
    """Smoke test: run the ``maps`` plugin against bash in the test image."""

    PARAMETERS = {
        "commandline": "maps --proc_regex %(proc_name)s",
        "proc_name": "bash",
    }
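class LinVadDump(core.DirectoryDumperMixin, common.LinProcessFilter):
    """Dump the VMA memory for a process.

    For every selected task that has an ``mm``, each file-backed VMA is
    copied out of the process address space into a file named
    ``<comm>.<pid>.<start>-<end>.dmp`` under ``dump_dir``. Anonymous VMAs
    (no ``vm_file``) are skipped.
    """

    __name = "vaddump"

    @staticmethod
    def _safe_name(comm):
        """Reduce a task's ``comm`` to characters safe for a file name.

        ``comm`` is read straight out of the memory image and is chosen by
        the process itself, so it is not guaranteed to be free of path
        separators or control characters. Anything outside letters, digits,
        ``.``, ``_`` and ``-`` is replaced by ``_`` before the value is used
        to build a path under dump_dir. (renderer.open may validate the
        name as well -- not visible here -- but the dump name should not
        depend on that.)
        """
        text = "{0}".format(comm)
        return "".join(c if c.isalnum() or c in "._-" else "_" for c in text)

    def render(self, renderer):
        """Write one ``.dmp`` file per file-backed VMA of each filtered task.

        Args:
            renderer: the Rekall renderer; used for progress output and,
                via ``renderer.open``, for creating the dump files.
        """
        for task in self.filter_processes():
            if not task.mm:
                continue

            renderer.format("Pid: {0:6}\n", task.pid)

            # Get the task and all process specific information
            task_space = task.get_process_address_space()
            name = self._safe_name(task.comm)

            for vma in task.mm.mmap.walk_list("vm_next"):
                if not vma.vm_file:
                    continue

                filename = "{0}.{1}.{2:08x}-{3:08x}.dmp".format(
                    name, task.pid, vma.vm_start, vma.vm_end)

                renderer.format(u"Writing {0}, pid {1} to {2}\n",
                                task.comm, task.pid, filename)

                with renderer.open(directory=self.dump_dir,
                                   filename=filename,
                                   mode='wb') as fd:
                    self.CopyToFile(task_space, vma.vm_start, vma.vm_end, fd)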
class TestLinVadDump(testlib.HashChecker):
    """Hash-check the dump files ``vaddump`` writes for bash in the test image."""

    mode = "mode_linux_memory"

    PARAMETERS = {
        "commandline": "vaddump --proc_regex %(proc_name)s --dump_dir %(tempdir)s",
        "proc_name": "bash",
    }
class LinuxVADMap(pfn.VADMapMixin, common.LinProcessFilter):
    """Inspect each page in the VAD and report its status.

    This allows us to see the address translation status of each page in the
    VAD.
    """

    # Stride used when stepping through a VMA page by page.
    _PAGE_SIZE = 0x1000

    def _CreateMetadata(self, collection):
        """Summarise a ``describe_vtop`` result as a small metadata dict.

        Descriptors are scanned last-to-first. A physical-address descriptor
        records the page's physical ``offset`` and sets ``type`` to "Valid"
        only if no type was recorded yet; an invalid-address descriptor
        forces ``type`` to "Invalid".

        Returns:
            dict with optional keys ``offset`` and ``type``.
        """
        metadata = {}
        for descriptor_cls, _args, kwargs in reversed(collection.descriptors):
            is_physical = issubclass(descriptor_cls,
                                     intel.PhysicalAddressDescriptor)
            if is_physical:
                metadata["offset"] = kwargs["address"]
                metadata.setdefault("type", "Valid")
            elif issubclass(descriptor_cls, intel.InvalidAddress):
                metadata["type"] = "Invalid"

        return metadata

    def GeneratePageMetatadata(self, task):
        """Yield ``(vaddr, metadata)`` for each page of *task* in the window.

        The window is ``plugin_args.start .. plugin_args.end`` (inclusive).
        Every VMA of the task is visited; pages are described through the
        session's default address space.
        """
        address_space = self.session.GetParameter("default_address_space")
        window_lo = self.plugin_args.start
        window_hi = self.plugin_args.end

        for vma in task.mm.mmap.walk_list("vm_next"):
            # Region lies entirely below the window: nothing to report.
            if vma.vm_end < window_lo:
                continue

            # Region starts past the window; the early exit presumes the
            # VMA list is address-ordered, as the original "Done." did.
            if vma.vm_start > window_hi:
                break

            for vaddr in utils.xrange(vma.vm_start, vma.vm_end,
                                      self._PAGE_SIZE):
                if window_lo <= vaddr <= window_hi:
                    description = address_space.describe_vtop(vaddr)
                    yield vaddr, self._CreateMetadata(description)