
Source Code for Module rekall.plugins.overlays.linux.elf

  1  # Rekall Memory Forensics 
  2  # 
  3  # Copyright 2013 Google Inc. All Rights Reserved. 
  4  # 
  5  # Authors: 
  6  # Michael Cohen <scudette@gmail.com> 
  7  # 
  8  # This program is free software; you can redistribute it and/or modify 
  9  # it under the terms of the GNU General Public License as published by 
 10  # the Free Software Foundation; either version 2 of the License, or (at 
 11  # your option) any later version. 
 12  # 
 13  # This program is distributed in the hope that it will be useful, but 
 14  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 15  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 16  # General Public License for more details. 
 17  # 
 18  # You should have received a copy of the GNU General Public License 
 19  # along with this program; if not, write to the Free Software 
 20  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 21  # 
 22   
 23  """This file implements ELF file parsing. 
 24   
 25  References: 
 26  http://downloads.openwatcom.org/ftp/devel/docs/elf-64-gen.pdf 
 27  /usr/include/linux/elf.h 
 28  """ 
 29   
 30  from rekall import obj 
 31  from rekall.plugins.overlays import basic 
 32   
 33   
 34  # These come out of the kernel symbols but are put here so we can use them 
 35  # outside the linux implementation. 
# C type names as the profile resolves them.  The widths are implied by the
# field offsets below (e.g. e_type at 16 and e_machine at 18 -> 2 bytes,
# e_entry at 24 and e_phoff at 32 -> 8 bytes).
_ELF64_HALF = 'short unsigned int'       # 2 bytes
_ELF64_WORD = 'unsigned int'             # 4 bytes
_ELF64_XWORD = 'long long unsigned int'  # 8 bytes: addresses, offsets, sizes

elf_vtypes = {
    # The 64 byte file header.  e_ident carries the magic and the
    # class/data/version bytes; the remaining fields locate and size the
    # program and section header tables.
    "elf64_hdr": [64, {
        'e_ident': [0, ['array', 16, ['unsigned char']]],
        'e_type': [16, [_ELF64_HALF]],
        'e_machine': [18, [_ELF64_HALF]],
        'e_version': [20, [_ELF64_WORD]],
        'e_entry': [24, [_ELF64_XWORD]],
        'e_phoff': [32, [_ELF64_XWORD]],
        'e_shoff': [40, [_ELF64_XWORD]],
        'e_flags': [48, [_ELF64_WORD]],
        'e_ehsize': [52, [_ELF64_HALF]],
        'e_phentsize': [54, [_ELF64_HALF]],
        'e_phnum': [56, [_ELF64_HALF]],
        'e_shentsize': [58, [_ELF64_HALF]],
        'e_shnum': [60, [_ELF64_HALF]],
        'e_shstrndx': [62, [_ELF64_HALF]],
        }],

    # One program header table entry, 56 bytes.
    'elf64_phdr': [56, {
        'p_type': [0, [_ELF64_WORD]],
        'p_flags': [4, [_ELF64_WORD]],
        'p_offset': [8, [_ELF64_XWORD]],
        'p_vaddr': [16, [_ELF64_XWORD]],
        'p_paddr': [24, [_ELF64_XWORD]],
        'p_filesz': [32, [_ELF64_XWORD]],
        'p_memsz': [40, [_ELF64_XWORD]],
        'p_align': [48, [_ELF64_XWORD]],
        }],

    # One section header table entry, 64 bytes.
    'elf64_shdr': [64, {
        'sh_name': [0, [_ELF64_WORD]],
        'sh_type': [4, [_ELF64_WORD]],
        'sh_flags': [8, [_ELF64_XWORD]],
        'sh_addr': [16, [_ELF64_XWORD]],
        'sh_offset': [24, [_ELF64_XWORD]],
        'sh_size': [32, [_ELF64_XWORD]],
        'sh_link': [40, [_ELF64_WORD]],
        'sh_info': [44, [_ELF64_WORD]],
        'sh_addralign': [48, [_ELF64_XWORD]],
        'sh_entsize': [56, [_ELF64_XWORD]],
        }],

    # The fixed 12 byte note header only; the variable length name and
    # descriptor that follow it are not part of the struct and are reached
    # through the elf64_note overlay.
    'elf64_note': [12, {
        'n_namesz': [0, [_ELF64_WORD]],
        'n_descsz': [4, [_ELF64_WORD]],
        'n_type': [8, [_ELF64_WORD]],
        }],
    }
 83   
 84   
 85  # Unfortunately the kernel uses #defines for many of these rather than enums, so 
 86  # we need to hand overlay them :-(. 
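def _round_up4(n):
    """Round the integer n up to the next multiple of four.

    ELF note names are padded to a 4 byte boundary before the descriptor
    starts; that padding is not counted in n_namesz.
    """
    return (int(n) + 3) & ~3


elf_overlays = {
    "elf64_hdr": [None, {
        # Only little-endian ELF64 (EI_CLASS=2, EI_DATA=1, EI_VERSION=1) is
        # recognised; the elf64_* vtypes are laid out for that variant only.
        'e_ident': [None, ['Signature', dict(
            value="\x7fELF\x02\x01\x01"
            )]],
        # e_type is a 2 byte field (offset 16, e_machine follows at 18), so
        # the enumeration must read the whole 'short unsigned int'; with a
        # 1 byte target the 0xff00/0xffff processor range could never match.
        'e_type': [None, ['Enumeration', {
            "choices": {
                0: 'ET_NONE',
                1: 'ET_REL',
                2: 'ET_EXEC',
                3: 'ET_DYN',
                4: 'ET_CORE',
                0xff00: 'ET_LOPROC',
                0xffff: 'ET_HIPROC'},
            'target': 'short unsigned int'}]],
        # The program header table.  Both the element stride and the count
        # are read from the header being parsed, so a corrupt or crafted
        # image controls them; treat e_phnum as an untrusted upper bound
        # when walking the array.
        'e_phoff': [None, ['Pointer', dict(
            target='Array',
            target_args=dict(
                target='elf64_phdr',
                target_size=lambda x: x.e_phentsize,
                count=lambda x: x.e_phnum))]],
        # NOTE(review): unlike e_phoff this yields a single section header,
        # not an Array of e_shnum entries; a caller wanting the whole table
        # has to step e_shentsize bytes itself.  Left as is so existing
        # callers keep receiving a struct.
        'e_shoff': [None, ['Pointer', dict(target='elf64_shdr')]],
        }],

    "elf64_phdr": [None, {
        'p_type': [None, ['Enumeration', {
            "choices": {
                0: 'PT_NULL',
                1: 'PT_LOAD',
                2: 'PT_DYNAMIC',
                3: 'PT_INTERP',
                4: 'PT_NOTE',
                5: 'PT_SHLIB',
                6: 'PT_PHDR',
                7: 'PT_TLS',
                0x60000000: 'PT_LOOS',
                0x6fffffff: 'PT_HIOS',
                0x70000000: 'PT_LOPROC',
                0x7fffffff: 'PT_HIPROC',
                0x6474e550: 'PT_GNU_EH_FRAME',
                },
            "target": "unsigned int"}]],
        # p_flags is a 4 byte field (offset 4, p_offset follows at 8).  Under
        # the LP64 profile this module uses, 'unsigned long' is 8 bytes and
        # would also swallow the low half of p_offset, so read it as
        # 'unsigned int' to match the vtype.
        "p_flags": [None, ['Flags', dict(
            maskmap=dict(
                PF_R=0x4,
                PF_W=0x2,
                PF_X=0x1,
                ),
            target='unsigned int')]],
        # A file offset modelled as a pointer -- presumably the ELF file is
        # opened as an address space whose addresses are file offsets;
        # confirm against the caller before dereferencing it elsewhere.
        "p_offset": [None, ["Pointer", dict(target="Void")]],
        }],

    "elf64_note": [None, {
        # The variable length parts follow the 12 byte n_namesz/n_descsz/
        # n_type header.  n_namesz includes the name's terminating NUL.
        'name': [lambda x: 12 + x.obj_offset,
                 ['String', dict(length=lambda x: x.n_namesz)]],

        # The descriptor starts after the name rounded up to 4 bytes, e.g.
        # "CORE\0" (n_namesz 5) occupies 8 bytes, so desc is at +20, not +17.
        'desc': [lambda x: 12 + _round_up4(x.n_namesz) + x.obj_offset,
                 ['String', dict(length=lambda x: x.n_descsz)]],
        }],
    }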
146 147 148 -class ELFFileImplementation(obj.ProfileModification):
149 """An implementation of a parser for ELF files.""" 150 151 @classmethod
152 - def Modify(cls, profile):
155
class ELFProfile(basic.ProfileLP64, basic.BasicClasses):
    """Profile for parsing ELF files.

    Builds on the generic LP64 base profile and then applies the
    ELFFileImplementation modification to it (which is expected to
    install the elf vtypes and overlays defined in this module).
    """

    def __init__(self, **kwargs):
        # The base profile has to be fully constructed before the ELF
        # structures are layered on, so the modification runs last.
        super(ELFProfile, self).__init__(**kwargs)
        modification = ELFFileImplementation
        modification.Modify(self)