
  1  # Rekall Memory Forensics 
  2  # 
  3  # Copyright 2013 Google Inc. All Rights Reserved. 
  4  # 
  5  # This program is free software; you can redistribute it and/or modify 
  6  # it under the terms of the GNU General Public License as published by 
  7  # the Free Software Foundation; either version 2 of the License, or (at 
  8  # your option) any later version. 
  9  # 
 10  # This program is distributed in the hope that it will be useful, but 
 11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 13  # General Public License for more details. 
 14  # 
 15  # You should have received a copy of the GNU General Public License 
 16  # along with this program; if not, write to the Free Software 
 17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 18   
 19  """ 
 20  @author:       Andrew Case 
 21  @license:      GNU General Public License 2.0 or later 
 22  @contact:      atcuno@gmail.com 
 23  @organization: Digital Forensics Solutions 
 24  """ 
 25   
 26  from rekall import testlib 
 27  from rekall.plugins.common import memmap 
 28  from rekall.plugins.linux import common 
 29  from rekall_lib import utils 
 30   
 31   
class LinuxPsList(common.LinProcessFilter):
    """Enumerate live tasks by following the kernel's task_struct list.

    Every column is read straight out of the task_struct in the memory
    image. The swapper task is not shown. A task without an mm has no user
    address space, so its DTB column comes out empty -- the usual signature
    of a kernel thread.
    """
    __name = "pslist"

    table_header = [
        dict(name="proc", width=40, type="task_struct"),
        dict(name="ppid", align="r", width=6),
        dict(name="uid", align="r", width=6),
        dict(name="gid", align="r", width=6),
        dict(name="dtb", style="address"),
        dict(name="start_time", align="r", width=24),
        dict(name="binary")
    ]

    def column_types(self):
        """Return a prototype value for each column, keyed by column name.

        The prototypes tell the renderer how to format each cell; they are
        built from an empty task_struct of the session's profile.
        """
        proto = self.session.profile.task_struct()
        return {
            "proc": proto,
            "ppid": 0,
            "uid": utils.HexInteger(0),
            "gid": utils.HexInteger(0),
            "dtb": utils.HexInteger(0),
            "start_time": proto.task_start_time,
            "binary": "",
        }

    def collect(self):
        """Yield one row per task accepted by the process filter.

        Row layout follows ``table_header``: the task_struct, the parent's
        pid, uid, gid, the DTB (``mm->pgd`` translated with the kernel
        address space's ``vtop``), the start time, and the path recovered
        from ``mm->exe_file``. ``m("exe_file")`` is used so a profile whose
        mm_struct lacks that member does not blow up.
        """
        translate = self.kernel_address_space.vtop
        for task in self.filter_processes():
            mm = task.mm
            page_dir = translate(mm.pgd)
            exe_path = task.get_path(mm.m("exe_file"))
            yield (task, task.parent.pid, task.uid, task.gid,
                   page_dir, task.task_start_time, exe_path)
class LinMemMap(memmap.MemmapMixIn, common.LinProcessFilter):
    """Print the memory map of each selected Linux task.

    All behaviour comes from ``memmap.MemmapMixIn``; this class only pairs
    it with the Linux process filter and registers the plugin name.
    """
    __name = "memmap"
class LinMemDump(memmap.MemDumpMixin, common.LinProcessFilter):
    """Write the addressable memory of each selected Linux task to disk.

    Nothing is defined here beyond the two base classes. Unlike the sibling
    plugins there is no ``__name`` on this class; the ``memdump`` name used
    by TestLinMemDump below presumably comes from ``memmap.MemDumpMixin``.
    """
class TestLinMemDump(testlib.HashChecker):
    """HashChecker-based regression test for the Linux ``memdump`` plugin.

    Selects tasks named ``bash`` by regex and dumps them into the harness'
    temporary directory under the Linux memory test mode.
    """
    mode = "mode_linux_memory"

    PARAMETERS = {
        "commandline": "memdump --proc_regex %(proc_name)s --dump_dir %(tempdir)s",
        "proc_name": "bash",
    }
# Index of the plain process-id entry in pid->tasks[] and task_struct->pids[].
# It is the first enumerator of enum pid_type, hence 0:
# http://lxr.free-electrons.com/source/include/linux/pid.h?v=3.8#L6
#     enum pid_type { PIDTYPE_PID, ... };
# PidHashTable walks only this list, so no other members are mirrored here.
PIDTYPE_PID = 0
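class PidHashTable(LinuxPsList):
    """List processes by enumerating the pid hash tables.

    Alternative task source to the ``pslist`` plugin above: instead of
    walking task_struct->tasks it starts from the kernel's ``pid_hash``
    table, a separate index over ``struct pid``, so the two listings can be
    cross-checked against each other. Output columns are inherited from
    LinuxPsList unchanged; only ``list_tasks`` differs.
    """

    __name = "pidhashtable"

    # Sanity bound for the hash-table shift read from the image. The kernel's
    # pidhash_init() never allocates more than 4096 heads (shift 12); 16 leaves
    # headroom for a kernel that differs, while still refusing garbage that
    # would otherwise make the walk iterate 2**shift slots.
    _MAX_PIDHASH_SHIFT = 16

    def list_tasks(self):
        """Yield every task_struct reachable from the kernel pid hash table.

        Walks each ``hlist_head`` slot of ``pid_hash``, follows the chained
        ``struct upid`` entries hanging off it, recovers the enclosing
        ``struct pid`` with the same container_of() arithmetic the kernel
        uses, and yields the task_structs on that pid's PIDTYPE_PID list.
        A task is yielded at most once even when several upid entries (one
        per pid-namespace level) lead to the same struct pid.

        Raises:
            ValueError: if ``pidhash_shift`` is absent from the profile or
                larger than any real kernel allocates. Both the shift and
                every pointer followed here come from an untrusted memory
                image, so an absurd value is reported instead of walked.
        """
        profile = self.profile

        # http://lxr.free-electrons.com/source/kernel/pid.c?v=3.8#L566: the
        # pid_hash table is a pointer to a dynamically allocated array of
        # 1 << pidhash_shift hlist_head entries.
        pidhash_shift = profile.get_constant_object(
            "pidhash_shift", "unsigned int")
        if not pidhash_shift or pidhash_shift > self._MAX_PIDHASH_SHIFT:
            raise ValueError(
                "pidhash_shift=%s is not a size the kernel allocates "
                "(expected 1..%d); the image may be corrupt or the profile "
                "may not match this kernel." % (
                    pidhash_shift, self._MAX_PIDHASH_SHIFT))

        pidhash = profile.get_constant_object(
            "pid_hash",
            target="Pointer",
            target_args=dict(
                target="Array",
                target_args=dict(
                    count=1 << pidhash_shift,
                    target="hlist_head")))

        # container_of(pnr, struct pid, numbers[ns->level]), see
        # http://lxr.free-electrons.com/source/kernel/pid.c?v=3.8#L351.
        # ``numbers`` is an array of struct upid, one per namespace level, so
        # stepping back to numbers[0] uses sizeof(struct upid) -- NOT
        # sizeof(struct pid) as before. The old stride only worked for level
        # 0 (the initial pid namespace); tasks in a nested pid namespace
        # (containers) resolved to a bogus struct pid and were lost or
        # misreported. Both values are profile constants, so hoist them.
        numbers_offset = profile.get_obj_offset("pid", "numbers")
        upid_size = profile.get_obj_size("upid")

        seen = set()
        for hash_slot in pidhash:
            for upid in hash_slot.list_of_type("upid", "pid_chain"):
                level = upid.ns.level
                pid = profile.pid(
                    upid.obj_offset - numbers_offset - level * upid_size)

                # Only the PIDTYPE_PID (index 0) list is walked. Passing
                # "pids" as the member relies on the hlist_node being the
                # first field of pid_link, so offsetof(task_struct, pids)
                # equals the offset of pids[PIDTYPE_PID].node.
                # NOTE(review): true for the 3.x layout; confirm if a profile
                # ever changes struct pid_link.
                tasks = pid.tasks[PIDTYPE_PID].list_of_type(
                    "task_struct", "pids")
                for task in tasks:
                    if task in seen:
                        continue
                    seen.add(task)
                    yield task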