  1  # Rekall Memory Forensics 
  2  # 
  3  # Copyright 2016 Google Inc. All Rights Reserved. 
  4  # 
  5  # This program is free software; you can redistribute it and/or modify 
  6  # it under the terms of the GNU General Public License as published by 
  7  # the Free Software Foundation; either version 2 of the License, or (at 
  8  # your option) any later version. 
  9  # 
 10  # This program is distributed in the hope that it will be useful, but 
 11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 13  # General Public License for more details. 
 14  # 
 15  # You should have received a copy of the GNU General Public License 
 16  # along with this program; if not, write to the Free Software 
 17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 18   
 19   
 20  """This profile is for the Mach-O file format. 
 21   
 22  References: 
 23   
 24  https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html 
 25  http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/EXTERNAL_HEADERS/Mach-O/loader.h 
 26  https://github.com/llvm-mirror/llvm/blob/release_34/include/llvm/Support/MachO.h 
 27  https://github.com/opensource-apple/xnu/blob/10.9/EXTERNAL_HEADERS/Mach-O/loader.h 
 28  """ 
 29   
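# Module authors; each entry is "Name <email>" (the second address was
# missing its closing '>').
__author__ = ("Michael Cohen <scudette@gmail.com>",
              "Adam Sindelar <adamsh@google.com>")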
 32   
 33  from rekall.plugins.overlays import basic 
 34   
 35   
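# Overlay definitions for the 64-bit Mach-O header and its load commands.
#
# Each entry is [struct_size, {field: [offset, [type, type_args]]}].  As in
# other Rekall overlays, an offset of None keeps the offset of the underlying
# vtype and only swaps in the richer type (Enumeration / Flags / Array) given
# here.  Constant values are taken from xnu's EXTERNAL_HEADERS/mach-o/loader.h
# and mach/machine.h (see the module docstring for the references).
macho_vtypes = {
    # struct mach_header_64: magic, cputype, cpusubtype, filetype, ncmds,
    # sizeofcmds, flags, reserved -> 8 x 4 bytes = 0x20.
    'mach_header_64': [0x20, {
        # CPU_TYPE_* values.  The 0x01000000 bit is CPU_ARCH_ABI64, so the
        # 64-bit variants are the 32-bit value with that bit set.
        'cputype': [None, ['Enumeration', dict(
            choices={
                1: 'VAX',
                6: 'MC680x0',
                7: 'i386',
                8: 'MIPS',
                10: 'MC98000',
                11: 'HPPA',
                12: 'ARM',
                13: 'MC88000',
                14: 'SPARC',
                15: 'i860',
                16: 'Alpha',
                18: 'PowerPC',
                (0x01000000 | 7): 'X86_64',
                (0x01000000 | 12): 'ARM64',
                (0x01000000 | 18): 'PowerPC_64',
            },
            target="unsigned int",
        )]],
        # MH_* file types.
        'filetype': [None, ['Enumeration', dict(
            choices={
                0x1: 'MH_OBJECT',       # relocatable object file
                0x2: 'MH_EXECUTE',      # demand paged executable file
                0x3: 'MH_FVMLIB',       # fixed VM shared library file
                0x4: 'MH_CORE',         # core file
                0x5: 'MH_PRELOAD',      # preloaded executable file
                0x6: 'MH_DYLIB',        # dynamically bound shared library
                0x7: 'MH_DYLINKER',     # dynamic link editor
                0x8: 'MH_BUNDLE',       # dynamically bound bundle file
                0x9: 'MH_DYLIB_STUB',   # shared library stub, static linking only
                0xa: 'MH_DSYM',         # companion file with only debug sections
                0xb: 'MH_KEXT_BUNDLE',  # x86_64 kernel extension
            },
            target="unsigned int",
        )]],
        # MH_* header flags, keyed by bit mask.  The hardening-related bits
        # (MH_PIE, MH_ALLOW_STACK_EXECUTION, MH_NO_HEAP_EXECUTION,
        # MH_ROOT_SAFE, MH_SETUID_SAFE) are the ones an analyst most often
        # wants to see when triaging a binary from memory.
        'flags': [None, ['Flags', dict(maskmap={
            'MH_NOUNDEFS': 0x1,
            'MH_INCRLINK': 0x2,
            'MH_DYLDLINK': 0x4,
            'MH_BINDATLOAD': 0x8,
            'MH_PREBOUND': 0x10,
            'MH_SPLIT_SEGS': 0x20,
            'MH_LAZY_INIT': 0x40,
            'MH_TWOLEVEL': 0x80,
            'MH_FORCE_FLAT': 0x100,
            'MH_NOMULTIDEFS': 0x200,
            'MH_NOFIXPREBINDING': 0x400,
            'MH_PREBINDABLE': 0x800,
            'MH_ALLMODSBOUND': 0x1000,
            'MH_SUBSECTIONS_VIA_SYMBOLS': 0x2000,
            'MH_CANONICAL': 0x4000,
            'MH_WEAK_DEFINES': 0x8000,
            'MH_BINDS_TO_WEAK': 0x10000,
            'MH_ALLOW_STACK_EXECUTION': 0x20000,
            'MH_ROOT_SAFE': 0x40000,
            'MH_SETUID_SAFE': 0x80000,
            'MH_NO_REEXPORTED_DYLIBS': 0x100000,
            'MH_PIE': 0x200000,
            'MH_DEAD_STRIPPABLE_DYLIB': 0x400000,
            'MH_HAS_TLV_DESCRIPTORS': 0x800000,
            'MH_NO_HEAP_EXECUTION': 0x1000000,
            'MH_APP_EXTENSION_SAFE': 0x02000000,
        })]],
        # The load commands start right after the header, i.e. at an offset
        # equal to the header's own size.
        # NOTE(review): this walks the load commands as a fixed-stride array
        # of 0x48-byte segment_command_64 structs, but Mach-O load commands
        # are variable-length (each carries its own cmdsize), so the walk
        # desynchronises at the first command that is not an LC_SEGMENT_64.
        # ncmds is also read straight from the (untrusted) header, so a
        # corrupt or hostile image can request an arbitrarily large count;
        # callers should treat the entries as best-effort and validate cmd /
        # cmdsize before trusting them.  Left unchanged here.
        'segments': [lambda x: x.obj_size, ['Array', dict(
            target="segment_command_64",
            count=lambda x: x.ncmds)]],
    }],

    # struct segment_command_64: cmd, cmdsize, segname[16], vmaddr, vmsize,
    # fileoff, filesize, maxprot, initprot, nsects, flags -> 0x48 bytes.
    'segment_command_64': [0x48, {
        # LC_* load command types.  Commands or'ed with LC_REQ_DYLD
        # (0x80000000) must be understood by dyld or the image will not load.
        'cmd': [None, ['Enumeration', dict(
            choices={
                0x1: 'LC_SEGMENT',
                0x2: 'LC_SYMTAB',
                0x3: 'LC_SYMSEG',
                0x4: 'LC_THREAD',
                0x5: 'LC_UNIXTHREAD',
                0x6: 'LC_LOADFVMLIB',
                0x7: 'LC_IDFVMLIB',
                0x8: 'LC_IDENT',
                0x9: 'LC_FVMFILE',
                0xa: 'LC_PREPAGE',
                0xb: 'LC_DYSYMTAB',
                0xc: 'LC_LOAD_DYLIB',
                0xd: 'LC_ID_DYLIB',
                0xe: 'LC_LOAD_DYLINKER',
                0xf: 'LC_ID_DYLINKER',
                0x10: 'LC_PREBOUND_DYLIB',
                0x11: 'LC_ROUTINES',
                0x12: 'LC_SUB_FRAMEWORK',
                0x13: 'LC_SUB_UMBRELLA',
                0x14: 'LC_SUB_CLIENT',
                0x15: 'LC_SUB_LIBRARY',
                0x16: 'LC_TWOLEVEL_HINTS',
                0x17: 'LC_PREBIND_CKSUM',
                0x80000000 | 0x18: 'LC_LOAD_WEAK_DYLIB',
                0x19: 'LC_SEGMENT_64',
                0x1a: 'LC_ROUTINES_64',
                0x1b: 'LC_UUID',
                0x80000000 | 0x1c: 'LC_RPATH',
                0x1d: 'LC_CODE_SIGNATURE',      # code signature blob location
                0x1e: 'LC_SEGMENT_SPLIT_INFO',
                0x80000000 | 0x1f: 'LC_REEXPORT_DYLIB',
                0x20: 'LC_LAZY_LOAD_DYLIB',
                0x21: 'LC_ENCRYPTION_INFO',     # encrypted (FairPlay) segment
                0x22: 'LC_DYLD_INFO',
                0x80000000 | 0x22: 'LC_DYLD_INFO_ONLY',
                0x80000000 | 0x23: 'LC_LOAD_UPWARD_DYLIB',
                0x24: 'LC_VERSION_MIN_MACOSX',
                0x25: 'LC_VERSION_MIN_IPHONEOS',
                0x26: 'LC_FUNCTION_STARTS',
                0x27: 'LC_DYLD_ENVIRONMENT',
                0x80000000 | 0x28: 'LC_MAIN',   # entry point (replaces LC_UNIXTHREAD)
                0x29: 'LC_DATA_IN_CODE',
                0x2a: 'LC_SOURCE_VERSION',
                0x2b: 'LC_DYLIB_CODE_SIGN_DRS',  # designated requirements of linked dylibs
                0x2c: 'LC_ENCRYPTION_INFO_64',  # 64-bit form of LC_ENCRYPTION_INFO
                0x2d: 'LC_LINKER_OPTION',
                0x2e: 'LC_LINKER_OPTIMIZATION_HINT',
                0x2f: 'LC_VERSION_MIN_TVOS',
                0x30: 'LC_VERSION_MIN_WATCHOS',
            },
            target="unsigned int")]],
        # Fixed 16-byte segment name; per loader.h it may use all 16 bytes
        # with no terminating NUL, hence the explicit length.
        'segname': [None, ['String', dict(length=16)]],
    }],
}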
125 126 127 -class MachoProfile(basic.ProfileLP64, basic.BasicClasses):
128 """A profile for Mach-O files. 129 130 This profile contains types for both 32 and 64bit Mach-O files, although 131 only the latter is actually in use by anyone (including Apple). 132 """ 133 134 @classmethod
135 - def Initialize(cls, profile):
138