
Source Code for Module rekall.plugins.overlays.windows.tokens

 1  # Rekall Memory Forensics 
 2  # Copyright 2016 Google Inc. All Rights Reserved. 
 3  # 
 4  # This program is free software; you can redistribute it and/or modify 
 5  # it under the terms of the GNU General Public License as published by 
 6  # the Free Software Foundation; either version 2 of the License, or (at 
 7  # your option) any later version. 
 8  # 
 9  # This program is distributed in the hope that it will be useful, but 
10  # WITHOUT ANY WARRANTY; without even the implied warranty of 
11  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
12  # General Public License for more details. 
13  # 
14  # You should have received a copy of the GNU General Public License 
15  # along with this program; if not, write to the Free Software 
16  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
17  # 
18   
19  """Classes around handling tokens, privileges etc.""" 
20   
21  __author__ = "Michael Cohen <scudette@gmail.com>" 
22   
23  from rekall import obj 
24   
25   
# In XP the privileges are simple arrays in the _TOKEN object.
#
# The overlay below re-types _TOKEN.Privileges as a pointer to an array of
# _LUID_AND_ATTRIBUTES whose length is taken from the token's own
# PrivilegeCount member. The None in each offset slot keeps whatever offset
# the profile already defines for the member (Rekall overlay convention).
def _xp_privilege_count(token):
    """Length of the XP-style privilege array, read from the token itself.

    NOTE(review): PrivilegeCount comes straight out of the memory image, so a
    smeared or deliberately corrupted token sizes the array; this relies on
    the Array type's own bounds handling and is not validated here.
    """
    return token.PrivilegeCount


_xp_privilege_array = {
    'target': 'Array',
    'target_args': {
        'count': _xp_privilege_count,
        'target': '_LUID_AND_ATTRIBUTES',
    },
}

xp_style_overlays = {
    "_TOKEN": [None, {
        'Privileges': [None, ['Pointer', _xp_privilege_array]],
    }],
}
38   
39   
class XP_TOKEN(obj.Struct):
    """XP Style _TOKEN: privileges are a plain _LUID_AND_ATTRIBUTES array.

    Every array entry is a privilege the token holds, so "Present" is
    implied for each one; the entry's Attributes word only tells whether
    the privilege is currently enabled and whether it was enabled by
    default.
    """

    def GetPrivileges(self):
        """Enumerates all privileges in this token.

        Yields:
          (luid_value, flags): the privilege LUID as ``entry.Luid.v()`` and a
          list of flag names that always starts with "Present" and may be
          followed by "Enabled" and/or "Default" (in that order).
        """
        # Attribute bits we decode, in reporting order. These are the
        # winnt.h SE_PRIVILEGE_ENABLED (0x2) and
        # SE_PRIVILEGE_ENABLED_BY_DEFAULT (0x1) values; any other attribute
        # bits (e.g. 0x4, 0x80000000) are ignored and never reported.
        attribute_flags = ((2, "Enabled"), (1, "Default"))

        for entry in self.Privileges:
            attributes = entry.Attributes
            names = ["Present"]
            names.extend(
                name for bit, name in attribute_flags if attributes & bit)
            yield entry.Luid.v(), names
58 59
class VISTA_TOKEN(obj.Struct):
    """A Vista Style _TOKEN object.

    Here _TOKEN.Privileges carries three bit masks (Present, Enabled,
    EnabledByDefault) that the enumerator walks bit by bit over 64
    positions; bit i of each mask describes privilege number i, as keyed in
    the session's "privilege_table" parameter.
    """

    def GetPrivileges(self):
        """Enumerates the privileges described by the token's bit masks.

        Only privilege numbers the session's "privilege_table" knows are
        reported, but each of those is yielded even when none of its bits
        is set (flags == []), so callers see the whole table rather than
        only the privileges the token actually holds.

        Yields:
          (i, flags): the privilege number (0..63) and a list drawn from
          "Present", "Enabled", "Default" in that order.
        """
        known = self.obj_session.GetParameter("privilege_table")
        masks = self.Privileges
        # Mask words paired with the flag name they contribute, in
        # reporting order.
        columns = (
            (masks.Present.v(), "Present"),
            (masks.Enabled.v(), "Enabled"),
            (masks.EnabledByDefault.v(), "Default"),
        )

        # NOTE(review): a privilege that is Present but not Enabled can still
        # be switched on by the owning process (AdjustTokenPrivileges), so
        # "Present" on its own is already significant when triaging a token.
        for number in range(64):
            if number not in known:
                continue
            bit = 1 << number
            yield number, [name for word, name in columns if bit & word]
87 88
def InitializeTokenProfiles(profile):
    """Install the _TOKEN class that matches this profile's token layout.

    The layout is detected from the profile itself rather than from an OS
    version string: a _TOKEN that has a PrivilegeCount member gets the
    XP-style overlay and class; otherwise a _SEP_TOKEN_PRIVILEGES with a
    Present member selects the Vista-style class. A profile with neither is
    left untouched.

    Args:
      profile: a Rekall profile exposing get_obj_offset(), add_overlay()
        and add_classes().
    """
    # NOTE(review): the comparisons deliberately use `!= None` instead of
    # `is not None` -- get_obj_offset() may hand back a Rekall NoneObject
    # (which compares equal to None but is not None) for a missing member;
    # confirm that before "fixing" this to an identity check. An offset of
    # 0 is a real offset and must not be treated as missing.
    has_xp_layout = (
        profile.get_obj_offset("_TOKEN", "PrivilegeCount") != None)
    if has_xp_layout:
        # Uses XP Style Privilege array.
        profile.add_overlay(xp_style_overlays)
        profile.add_classes(_TOKEN=XP_TOKEN)
        return

    has_vista_layout = (
        profile.get_obj_offset("_SEP_TOKEN_PRIVILEGES", "Present") != None)
    if has_vista_layout:
        # Uses Vista style Present, Enabled, Default bitfields.
        profile.add_classes(_TOKEN=VISTA_TOKEN)
98