
 1  # Rekall Memory Forensics 
 2  # Copyright (C) 2007-2013 Volatility Foundation 
 3  # Copyright (c) 2010, 2011, 2012 Michael Ligh <michael.ligh@mnin.org> 
 4  # Copyright 2014 Google Inc. All Rights Reserved. 
 5  # 
 6  # This program is free software; you can redistribute it and/or modify 
 7  # it under the terms of the GNU General Public License as published by 
 8  # the Free Software Foundation; either version 2 of the License, or (at 
 9  # your option) any later version. 
10  # 
11  # This program is distributed in the hope that it will be useful, but 
12  # WITHOUT ANY WARRANTY; without even the implied warranty of 
13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
14  # General Public License for more details. 
15  # 
16  # You should have received a copy of the GNU General Public License 
17  # along with this program; if not, write to the Free Software 
18  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
19  # 
20   
21  # pylint: disable=protected-access 
22   
23   
24  from rekall.plugins.linux import common 
25   
26   
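class LinuxPsxView(common.LinProcessFilter):
    """Find hidden processes comparing various process listings.

    Each filtered process is printed with one boolean column per selected
    listing method, saying whether that method's listing contains the
    process (matched by object offset).  A process present in some listings
    but absent from others is the cross-view discrepancy this plugin exists
    to surface, so such a row deserves a closer look rather than being
    written off as noise.
    """

    __name = "psxview"

    # Listing methods of the base filter plus the pid hash table walk, whose
    # offsets the PidHashTableHook below publishes as "pslist_PidHashTable".
    METHODS = common.LinProcessFilter.METHODS + [
        "PidHashTable",
    ]

    __args = [
        dict(name="method", choices=list(METHODS), type="ChoiceArray",
             default=list(METHODS), help="Method to list processes.",
             override=True),
    ]

    def render(self, renderer):
        """Emit the table: offset, name, pid, then one found/not-found column per method.

        Args:
          renderer: the Rekall renderer receiving table_header() and table_row().
        """
        headers = [('Offset(V)', 'virtual_offset', '[addrpad]'),
                   ('Name', 'name', '<20'),
                   ('PID', 'pid', '>12'),
                   ]

        for method in self.plugin_args.method:
            # The format spec is the method name's length, so the column is
            # exactly as wide as its header.
            headers.append((method, method, "%s" % len(method)))

        renderer.table_header(headers)

        # Look each method's offset collection up once, not once per process
        # per method inside the row loop.  Each "pslist_<method>" value is a
        # session parameter (PidHashTableHook below supplies one of them).
        listings = [self.session.GetParameter("pslist_%s" % method)
                    for method in self.plugin_args.method]

        for process in self.filter_processes():
            row = [process.obj_offset, process.comm, process.pid]

            # One cell per method, in the same order as the headers.
            for offsets in listings:
                row.append(process.obj_offset in offsets)

            renderer.table_row(*row)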
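class PidHashTableHook(common.AbstractLinuxParameterHook):
    """Session parameter hook backing the "PidHashTable" listing method.

    Publishes the "pslist_PidHashTable" parameter, which LinuxPsxView reads
    through session.GetParameter() to fill its PidHashTable column, so that
    column reflects a listing independent of the task list walk.
    """
    name = "pslist_PidHashTable"

    def calculate(self):
        """Return the set of object offsets of all tasks the pidhashtable plugin yields.

        A set is returned so that a task reached more than once collapses to
        a single entry and the consumer can test membership by offset.
        """
        pidhashtable_plugin = self.session.plugins.pidhashtable()
        return {task.obj_offset
                for task in pidhashtable_plugin.filter_processes()}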