rekall.plugins.renderers.data

1 # Rekall Memory Forensics 2 # Copyright (C) 2014 Michael Cohen 3 # Copyright 2014 Google Inc. All Rights Reserved. 4 # 5 # This program is free software; you can redistribute it and/or modify 6 # it under the terms of the GNU General Public License as published by 7 # the Free Software Foundation; either version 2 of the License, or (at 8 # your option) any later version. 9 # 10 # This program is distributed in the hope that it will be useful, but 11 # WITHOUT ANY WARRANTY; without even the implied warranty of 12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 # General Public License for more details. 14 # 15 # You should have received a copy of the GNU General Public License 16 # along with this program; if not, write to the Free Software 17 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 18 # 19 20 """This module implements the data export renderer. 21 22 The data export renderer is a way of exporting structured data from Rekall. The 23 renderer is based on the JsonRenderer but has a different goal - while the 24 JsonRenderer is designed to be able to exactly recreate the objects in the 25 future the data export renderer aims to include useful information about 26 exported objects. 27 28 For example, in order to decode the JsonRenderer output one must have access to 29 the original image, since the decoder will generate the exact BaseObject() 30 instances that the encoder used. 31 32 Not so with the data exporter - the exported data contains a lot of additional 33 information about the exported objects. The exported data also omits information 34 which is not relevant without access to the original image. 35 """ 36 37 import datetime 38 import pytz 39 40 from rekall.ui import renderer 41 from rekall.ui import json_renderer 42 43 from rekall.plugins.renderers import json_storage 44 45 from rekall_lib import utils 46 47 48 49 # Copy many of the normal json object renderers. 50 renderer.CopyObjectRenderers(( 51 json_renderer.StringRenderer, 52 json_storage.ArrowObjectRenderer, 53 json_storage.AttributeDictObjectRenderer, 54 json_storage.BaseAddressSpaceObjectRenderer, 55 json_storage.FileAddressSpaceObjectRenderer, 56 json_storage.IA32PagedMemoryObjectRenderer, 57 json_storage.JsonAttributedStringRenderer, 58 json_storage.JsonEnumerationRenderer, 59 json_storage.JsonFormattedAddress, 60 json_storage.JsonHexdumpRenderer, 61 json_storage.JsonInstructionRenderer, 62 json_storage.NoneObjectRenderer, 63 json_storage.ProfileObjectRenderer, 64 json_storage.SessionObjectRenderer, 65 json_storage.SetObjectRenderer, 66 json_storage.SlottedObjectObjectRenderer, 67 json_storage.UnixTimestampJsonObjectRenderer, 68 ), renderer="DataExportRenderer") 69 70

71 -class DataExportRenderer(json_renderer.JsonRenderer):

72 """An exporter for data.""" 73 74 name = "data" 75

76 - def table_row(self, *args, **options):

77 # Encode the options and merge them with the table row. This allows 78 # plugins to send additional data about the row in options. 79 result = self.encoder.Encode(options) 80 for i, arg in enumerate(args): 81 column_spec = self.table.column_specs[i].copy() 82 column_spec.update(options) 83 84 object_renderer = self.object_renderers[i] 85 if object_renderer is not None: 86 column_spec["type"] = object_renderer 87 88 column_name = column_spec["name"] 89 if column_name: 90 result[column_name] = self.encoder.Encode( 91 arg, **column_spec) 92 93 self.SendMessage(["r", result])

94 95

96 -class NativeDataExportObjectRenderer(json_renderer.JsonObjectRenderer):

97 """This is the fallback for all objects without a dedicated renderer.""" 98 renderers = ["DataExportRenderer"] 99

100 - def Summary(self, item, formatstring=None, header=False, **options):

101 """Returns a short summary of the object. 102 103 The summary is a short human readable string, describing the object. 104 """ 105 try: 106 if formatstring == "[addrpad]" and not header: 107 return "%#014x" % item 108 except TypeError: 109 pass 110 111 # Since we are the default renderer we must ensure this works. 112 return utils.SmartStr(item)

113 114

115 -class DataExportObjectRenderer(json_renderer.StateBasedObjectRenderer):

116 renderers = ["DataExportRenderer"]

117 118

119 -class DataExportTimestampObjectRenderer(DataExportObjectRenderer):

120 renders_type = "datetime" 121 renderers = ["DataExportRenderer"] 122 123 EPOCH = datetime.datetime(1970, 1, 1, 0, 0, 0, 0, pytz.UTC) 124

125 - def GetState(self, item, **_):

126 return dict(epoch=(item - self.EPOCH).total_seconds(), 127 string_value=item.strftime("%Y-%m-%d %H:%M:%S%z"))

128 129

130 -class DataExportBaseObjectRenderer(DataExportObjectRenderer):

131 renders_type = "BaseObject" 132

133 - def GetState(self, item, **options):

134 result = super(DataExportBaseObjectRenderer, self).GetState( 135 item, **options) 136 137 result.update(offset=item.obj_offset, 138 type_name=unicode(item.obj_type), 139 name=unicode(item.obj_name), 140 vm=unicode(item.obj_vm)) 141 142 return result

143 144

145 -class DataExportPointerObjectRenderer(DataExportBaseObjectRenderer):

146 renders_type = "Pointer" 147

148 - def Summary(self, item, **options):

149 """Returns the object formatted according to the column_spec.""" 150 item = item["target"] 151 return self.FromEncoded(item, "DataExportRenderer")( 152 self.renderer).Summary(item, **options)

153

154 - def GetState(self, item, **options):

155 result = super(DataExportPointerObjectRenderer, self).GetState( 156 item, **options) 157 158 result["target"] = item.v() 159 160 # Also encode the target object. 161 target_obj = item.deref() 162 target_obj_renderer = self.DelegateObjectRenderer(target_obj) 163 result["target_obj"] = target_obj_renderer.EncodeToJsonSafe(target_obj) 164 165 return result

166 167

168 -class DataExportNativeTypeRenderer(DataExportObjectRenderer):

169 renders_type = "NativeType" 170

171 - def EncodeToJsonSafe(self, item, **_):

172 return item.v()

173 174

175 -class DataExportTupleRenderer(DataExportObjectRenderer):

176 renders_type = "tuple" 177

178 - def EncodeToJsonSafe(self, item, **_):

179 if hasattr(item, "_fields"): 180 result = {} 181 for field in item._fields: 182 member = getattr(item, field) 183 target_obj_renderer = self.DelegateObjectRenderer(member) 184 result[field] = target_obj_renderer.EncodeToJsonSafe(member) 185 186 return result 187 188 result = [] 189 for member in item: 190 target_obj_renderer = self.DelegateObjectRenderer(member) 191 result.append(target_obj_renderer.EncodeToJsonSafe(member)) 192 193 return result

194 195

196 -class DataExportRDFValueObjectRenderer(DataExportBaseObjectRenderer):

197 renders_type = "RDFValue" 198

199 - def Summary(self, item, **_):

200 return utils.SmartStr(item.get("str", ""))

201

202 - def GetState(self, item, **options):

203 return dict(str=item.SerializeToString())

204 205

206 -class DataExportPhysicalAddressContextObjectRenderer( 207 DataExportRDFValueObjectRenderer):

208 renders_type = "PhysicalAddressContext" 209

210 - def Summary(self, item, **_):

211 return utils.SmartStr(item.get("str", ""))

212

213 - def GetState(self, item, **options):

214 return item.summary()

215

Source Code for Module rekall.plugins.renderers.data_export