
Source Code for Module rekall.plugins.renderers.darwin

  1  # Rekall Memory Forensics 
  2  # Copyright 2015 Google Inc. All Rights Reserved. 
  3  # 
  4  # This program is free software; you can redistribute it and/or modify 
  5  # it under the terms of the GNU General Public License as published by 
  6  # the Free Software Foundation; either version 2 of the License, or (at 
  7  # your option) any later version. 
  8  # 
  9  # This program is distributed in the hope that it will be useful, but 
 10  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 11  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 12  # General Public License for more details. 
 13  # 
 14  # You should have received a copy of the GNU General Public License 
 15  # along with this program; if not, write to the Free Software 
 16  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 17  # 
 18   
 19  """This module implements renderers specific to darwin structures.""" 
 20   
 21  from rekall.ui import json_renderer 
 22   
 23  from rekall.ui import text 
 24  from rekall.plugins.renderers import base_objects 
 25  from rekall.plugins.renderers import data_export 
 26   
 27   
class ProcDataExport(data_export.DataExportBaseObjectRenderer):
    """Data-export renderer for darwin ``proc`` structures.

    On top of the base encoding it attaches a Cybox ``ProcessObj`` entry
    carrying the process name, pid, start time, parent pid and command.
    """
    renders_type = "proc"

    def EncodeToJsonSafe(self, task, **_):
        """Return the JSON-safe encoding of *task* extended with a ``Cybox`` key.

        Args:
            task: the proc object to export; its ``name``, ``pid``,
                ``p_start``, ``p_ppid`` and ``p_comm`` attributes are read.

        Returns:
            The base-class encoding, with a ``Cybox`` dict added, after a
            final pass through ``JsonObjectRenderer.EncodeToJsonSafe``.
        """
        encoded = super(ProcDataExport, self).EncodeToJsonSafe(task)

        # NOTE: Path, Command_Line and File_Name all come from p_comm, so
        # they carry the same value; no separate image path is recovered.
        encoded["Cybox"] = {
            "type": u"ProcessObj:ProcessObjectType",
            "Name": task.name,
            "PID": task.pid,
            "Creation_Time": task.p_start,
            "Parent_PID": task.p_ppid,
            "Image_Info": {
                "type": u"ProcessObj:ImageInfoType",
                "Path": task.p_comm,
                "Command_Line": task.p_comm,
                "File_Name": task.p_comm,
            },
        }

        # The nested dict is made JSON-safe by calling the
        # JsonObjectRenderer implementation directly rather than via super().
        return json_renderer.JsonObjectRenderer.EncodeToJsonSafe(self, encoded)

    def Summary(self, item, **_):
        """Return a ``"<Name> (<PID>)"`` summary built from *item*'s ``Cybox`` entry.

        Missing keys fall back to the empty string.
        """
        cybox = item.get("Cybox", {})
        return "%s (%s)" % (cybox.get("Name", ""), cybox.get("PID", ""))
class Fileproc_TextObjectRenderer(base_objects.StructTextRenderer):
    """Text renderer for darwin ``fileproc`` structures.

    Two columns: the ``human_type`` and ``human_name`` of the file entry.
    """
    renders_type = "fileproc"

    COLUMNS = [
        {"name": "human_type", "width": 15},
        {"name": "human_name", "width": 40},
    ]
class Vnode_TextObjectRenderer(base_objects.StructTextRenderer):
    """Text renderer for darwin ``vnode`` structures.

    Shows the object offset (address style) and the vnode's ``full_path``;
    the path column is marked ``nowrap`` so long paths are not broken.
    """
    renders_type = "vnode"

    COLUMNS = [
        {"name": "obj_offset", "style": "address"},
        {"name": "full_path", "width": 40, "nowrap": True},
    ]
class Clist_TextObjectRenderer(base_objects.StructTextRenderer):
    """Text renderer for darwin ``clist`` (character list) structures.

    Shows the object offset and the ``recovered_contents`` column.
    """
    renders_type = "clist"

    COLUMNS = [
        {"name": "obj_offset", "style": "address"},
        {"name": "recovered_contents", "width": 34},
    ]
class Tty_TextObjectRenderer(base_objects.StructTextRenderer):
    """Text renderer for darwin ``tty`` structures.

    Columns: the object offset, the backing ``vnode`` (rendered through the
    ``vnode`` type) and the ``input_buffer`` / ``output_buffer`` clists, each
    restricted to their ``recovered_contents`` column.

    NOTE(review): the recovered buffer contents are whatever the terminal
    still held in memory; treat rendered output as potentially sensitive.
    """
    renders_type = "tty"

    # Both clist columns share the same single-column sub-layout.
    _CLIST_COLUMNS = [{"name": "recovered_contents", "width": 34}]

    COLUMNS = [
        {"style": "address", "name": "obj_offset"},
        {"type": "vnode", "name": "vnode"},
        {"type": "clist", "name": "input_buffer",
         "columns": [{"name": "recovered_contents", "width": 34}]},
        {"type": "clist", "name": "output_buffer",
         "columns": [{"name": "recovered_contents", "width": 34}]},
    ]
class Session_TextObjectRenderer(base_objects.StructTextRenderer):
    """Text renderer for darwin ``session`` structures.

    Columns: object offset, session id (``s_sid``), the session leader
    rendered as a ``proc`` showing only ``pid`` and ``command``, and the
    login name (``s_login``, not wrapped).
    """
    renders_type = "session"

    COLUMNS = [
        {"name": "obj_offset", "style": "address"},
        {"name": "s_sid"},
        {"name": "s_leader", "type": "proc",
         "columns": [{"name": "pid"},
                     {"name": "command", "width": 30}]},
        {"name": "s_login", "width": 20, "nowrap": True},
    ]
class Socket_TextObjectRenderer(base_objects.StructTextRenderer):
    """Text renderer for darwin ``socket`` structures.

    Columns: object offset, ``last_pid`` and the human-readable type and
    name of the socket.
    """
    renders_type = "socket"

    COLUMNS = [
        {"name": "obj_offset", "style": "address"},
        {"name": "last_pid", "width": 10},
        {"name": "human_type", "width": 20},
        {"name": "human_name", "width": 60},
    ]
class Rtentry_TextObjectRenderer(base_objects.StructTextRenderer):
    """Text renderer for darwin ``rtentry`` (routing table entry) structures.

    Source and destination are rendered through the ``sockaddr`` type;
    the counters (``sent``, ``rx``) and timing columns are right-aligned.
    """
    renders_type = "rtentry"

    COLUMNS = [
        {"name": "source_ip", "type": "sockaddr", "width": 18},
        {"name": "dest_ip", "type": "sockaddr", "width": 18},
        {"name": "name", "align": "c"},
        {"name": "sent", "width": 8, "align": "r"},
        {"name": "rx", "width": 8, "align": "r"},
        {"name": "base_calendartime", "width": 30, "align": "c"},
        {"name": "rt_expire", "align": "r"},
        {"name": "delta", "align": "r"},
    ]
class Sockaddr_TextObjectRenderer(text.TextObjectRenderer):
    """Text renderer for darwin ``sockaddr`` structures."""
    renders_type = "sockaddr"

    def render_full(self, target, **_):
        """Render *target* as a single cell holding its ``address`` attribute.

        Args:
            target: the sockaddr object; only ``target.address`` is read.

        Returns:
            A ``text.Cell`` wrapping the address value.
        """
        address = target.address
        return text.Cell(address)
class Zone_TextObjectRenderer(base_objects.StructTextRenderer):
    """Text renderer for darwin ``zone`` (kernel zone allocator) structures.

    Shows the zone name followed by its active/free element counts, element
    size and the ``tracks_pages`` / ``allows_foreign`` flags.
    """
    renders_type = "zone"

    COLUMNS = [
        {"name": "name", "width": 20},
        {"name": "count_active", "width": 12},
        {"name": "count_free", "width": 12},
        {"name": "elem_size", "width": 12},
        {"name": "tracks_pages", "width": 12},
        {"name": "allows_foreign", "width": 12},
    ]
class Ifnet_TextObjectRenderer(base_objects.StructTextRenderer):
    """Text renderer for darwin ``ifnet`` (network interface) structures.

    Columns: interface name, link-layer address and the IPv4/IPv6 addresses.
    """
    renders_type = "ifnet"

    COLUMNS = [
        {"name": "name", "width": 12},
        {"name": "l2_addr", "width": 18},
        {"name": "ipv4_addr", "width": 16},
        {"name": "ipv6_addr", "width": 40},
    ]
class Proc_TextObjectRenderer(base_objects.StructTextRenderer):
    """Text renderer for darwin ``proc`` structures.

    Columns: object offset (address style), left-aligned process ``name``
    and right-aligned ``pid``.
    """
    renders_type = "proc"

    COLUMNS = [
        {"style": "address", "name": "obj_offset"},
        {"width": 20, "align": "l", "name": "name"},
        {"width": 5, "align": "r", "name": "pid"},
    ]