
  1  # Rekall Memory Forensics 
  2  # Copyright 2016 Google Inc. All Rights Reserved. 
  3  # 
  4  # This program is free software; you can redistribute it and/or modify 
  5  # it under the terms of the GNU General Public License as published by 
  6  # the Free Software Foundation; either version 2 of the License, or (at 
  7  # your option) any later version. 
  8  # 
  9  # This program is distributed in the hope that it will be useful, but 
 10  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 11  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 12  # General Public License for more details. 
 13  # 
 14  # You should have received a copy of the GNU General Public License 
 15  # along with this program; if not, write to the Free Software 
 16  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 17  # 
 18   
 19  """Declares all the modes Rekall can be in. 
 20   
 21  The Rekall session can exist in several modes at the same time. Modes are just 
 22  simple True/False flags that represent certain aspects of the Rekall 
 23  session. For example, a session may be in "mode_image" if it is dealing with an 
 24  image. 
 25   
 26  Plugins can then activate depending on the current mode vector. For example, a 
  27  plugin may declare that it is active only if all of these modes are set: 
  28  "mode_image,mode_windows_memory", which means it is active only when a Windows 
  29  memory image is being analysed. 
 30  """ 
 31   
 32   
 33  from rekall import kb 
 34   
 35  from rekall.plugins.filesystems import ntfs 
 36  from rekall.plugins.filesystems import tsk 
 37   
 38   
class NTFSMode(kb.ParameterHook):
    """Set when the session profile describes an NTFS filesystem.

    True only if the active profile is an ``ntfs.NTFSProfile`` (or a
    subclass of it, since the check is an isinstance test).
    """
    name = "mode_ntfs"

    def calculate(self):
        active_profile = self.session.profile
        return isinstance(active_profile, ntfs.NTFSProfile)
class TSKMode(kb.ParameterHook):
    """Set when the session profile is a Sleuth Kit (TSK) filesystem profile.

    True only if the active profile is a ``tsk.TSKProfile`` (or a subclass
    of it, since the check is an isinstance test).
    """
    name = "mode_tsk"

    def calculate(self):
        active_profile = self.session.profile
        return isinstance(active_profile, tsk.TSKProfile)
class WinXPMode(kb.ParameterHook):
    """Set when the profile reports NT major version 5.

    Only the "major" metadata entry is compared, so every 5.x kernel the
    profile can describe is treated as the XP family; the minor version
    is not consulted. A missing "major" entry leaves the mode unset.
    """
    name = "mode_xp"

    def calculate(self):
        major_version = self.session.profile.metadata("major")
        return major_version == 5
class AMD64Mode(kb.ParameterHook):
    """Set when the profile's "arch" metadata is exactly "AMD64".

    The comparison is a case-sensitive string equality; any other spelling
    or a missing "arch" entry leaves the mode unset.
    """
    name = "mode_amd64"

    def calculate(self):
        arch = self.session.profile.metadata("arch")
        return arch == "AMD64"
class WinMode(kb.ParameterHook):
    """Set when the profile's "os" metadata is exactly "windows".

    Case-sensitive string equality; a missing "os" entry leaves the mode
    unset.
    """
    name = "mode_windows"

    def calculate(self):
        os_name = self.session.profile.metadata("os")
        return os_name == "windows"
class LinMode(kb.ParameterHook):
    """Set when the profile's "os" metadata is exactly "linux".

    Case-sensitive string equality; a missing "os" entry leaves the mode
    unset.
    """
    name = "mode_linux"

    def calculate(self):
        os_name = self.session.profile.metadata("os")
        return os_name == "linux"
class DarwinMode(kb.ParameterHook):
    """Set when the profile's "os" metadata is exactly "darwin".

    Case-sensitive string equality; a missing "os" entry leaves the mode
    unset.
    """
    name = "mode_darwin"

    def calculate(self):
        os_name = self.session.profile.metadata("os")
        return os_name == "darwin"
class LiveMode(kb.ParameterHook):
    """Set when the session targets a live system rather than a stored image.

    Any truthy ``live_mode`` session parameter (the values "Memory" and
    "API" are the ones recognised by the sibling mode_live_memory and
    mode_live_api hooks) enables this mode.
    """
    name = "mode_live"

    def calculate(self):
        live_mode = self.session.GetParameter("live_mode")
        # Collapse whatever the parameter holds into a strict True/False flag.
        return bool(live_mode)
class LiveMemoryMode(kb.ParameterHook):
    """Set when the ``live_mode`` session parameter is exactly "Memory".

    This is the memory-backed flavour of live analysis; the alternative,
    "API", is reported by mode_live_api. The comparison is a case-sensitive
    string equality, so other spellings are not recognised.
    """
    name = "mode_live_memory"

    def calculate(self):
        live_mode = self.session.GetParameter("live_mode")
        return live_mode == "Memory"
class LiveAPIMode(kb.ParameterHook):
    """Set when the ``live_mode`` session parameter is exactly "API".

    This flavour of live analysis is not memory-backed: the *_memory mode
    hooks in this module only accept mode_live_memory or mode_image, so
    plugins gated on them stay inactive in API mode. Case-sensitive match.
    """
    name = "mode_live_api"

    def calculate(self):
        live_mode = self.session.GetParameter("live_mode")
        return live_mode == "API"
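class ImageMode(kb.ParameterHook):
    """Set when the session's physical address space is backed by an image.

    Side effect: if no physical address space is loaded yet but a
    ``filename`` session parameter is set, evaluating this mode invokes the
    load_as plugin, which opens that file and is expected to install the
    resulting address space on the session. Computing this flag can
    therefore touch the filesystem; callers should not assume it is a pure
    lookup.

    Returns a strict True/False (the module docstring promises modes are
    plain flags) rather than the raw ``metadata("image")`` value, and False
    when no physical address space could be established.
    """
    name = "mode_image"

    def calculate(self):
        session = self.session
        if not session.physical_address_space and session.GetParameter("filename"):
            # load_as presumably populates session.physical_address_space as a
            # side effect; its return value is intentionally not used here.
            session.plugins.load_as().GetPhysicalAddressSpace()

        physical_as = session.physical_address_space
        if not physical_as:
            return False
        return bool(physical_as.metadata("image"))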
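class VistaMode(kb.ParameterHook):
    """Set when the profile reports NT major version 6 or higher.

    Only the "major" metadata entry is consulted, so the mode name is a
    shorthand for "Vista and every later NT major version the profile can
    describe".

    Returns False when the profile carries no usable "major" entry instead
    of letting an ordered comparison against None raise (Python 3 raises
    TypeError for ``None >= 6``; Python 2 silently evaluated it to False).
    """
    name = "mode_vista_plus"

    def calculate(self):
        major_version = self.session.profile.metadata("major")
        # Presumably metadata() yields None for a missing key (e.g. on
        # non-Windows profiles); guard so the comparison stays well-defined.
        return major_version is not None and major_version >= 6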
class WinMemoryMode(kb.ParameterHook):
    """Windows memory image or live Windows memory.

    Set when the session is memory-backed (mode_live_memory or mode_image)
    and the profile's OS is Windows (mode_windows). A live API-only session
    does not qualify, since only the memory flavour of live mode is checked.
    """
    name = "mode_windows_memory"

    def calculate(self):
        get = self.session.GetParameter
        memory_backed = get("mode_live_memory") or get("mode_image")
        return memory_backed and get("mode_windows")
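class LinMemoryMode(kb.ParameterHook):
    """Linux memory image or live Linux memory.

    Set when the session is memory-backed (mode_live_memory or mode_image)
    and the profile's OS is Linux (mode_linux). A live API-only session
    does not qualify, since only the memory flavour of live mode is checked.
    """
    name = "mode_linux_memory"

    def calculate(self):
        get = self.session.GetParameter
        memory_backed = get("mode_live_memory") or get("mode_image")
        return memory_backed and get("mode_linux")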
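class DarwinMemoryMode(kb.ParameterHook):
    """Darwin (OS X) memory image or live Darwin memory.

    Set when the session is memory-backed (mode_live_memory or mode_image)
    and the profile's OS is Darwin (mode_darwin). A live API-only session
    does not qualify, since only the memory flavour of live mode is checked.
    """
    name = "mode_darwin_memory"

    def calculate(self):
        get = self.session.GetParameter
        memory_backed = get("mode_live_memory") or get("mode_image")
        return memory_backed and get("mode_darwin")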
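class MountainLionMode(kb.ParameterHook):
    """Darwin memory session whose kernel profile exports ``_BootPML4``.

    The presence of the ``_BootPML4`` symbol in the profile is used as the
    marker for OS X Mountain Lion (10.8) and later kernels, as the mode
    name indicates; no version number is consulted. Requires
    mode_darwin_memory, so it is never set for non-Darwin profiles.

    Returns a strict True/False flag.
    """
    name = "mode_darwin_mountain_lion_plus"

    def calculate(self):
        # Check the cheap mode flag first so the symbol lookup is only made
        # against profiles that are actually Darwin memory profiles.
        if not self.session.GetParameter("mode_darwin_memory"):
            return False
        # The default of False presumably keeps a missing symbol from raising;
        # the constant's value when present is collapsed to a plain flag.
        return bool(self.session.profile.get_constant("_BootPML4", False))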