
Module json_storage


This file implements ObjectRenderers for the JsonRenderer.

The JsonRenderer aims to serialize and recreate objects exactly as they were
upon unserializing them. This means that the environment loading the serialized
data must have access to all the necessary files (i.e. the complete memory image
file).

For example, consider an _EPROCESS() instance. In memory, Python merely stores
the following items in the object:

- obj_offset: The offset in the address space.
- obj_profile: The profile this object came from.
- obj_vm: The address space the object will be read from.

When the object is read, the address space is read at obj_offset, the data is
decoded and possibly other members are created using the profile. We do not know
the value of the object without reading it from the image.

Contrast this with the WebConsoleRenderer which needs to be deserialized in an
environment which does not have access to the original image. In this case we
must store all kinds of additional metadata about each object, since the decoder
is unable to directly get this information.

Example:

zeus2x4.vmem.E01 23:46:28> x = session.profile._EPROCESS(0x81e8a368)
zeus2x4.vmem.E01 23:46:32> encoder = json_renderer.JsonEncoder()
zeus2x4.vmem.E01 23:46:34> print encoder.Encode(x)
{'offset': 2179507048,
 'profile': ('*', u'nt/GUID/1B2D0DFE2FB942758D615C901BE046922'),
 'type': u'_EPROCESS,_EPROCESS,Struct,BaseAddressComparisonMixIn,BaseObject',
 'type_name': ('*', u'_EPROCESS'),
 'vm': {'base': {'filename': ('*',
    u'/home/scudette/images/zeus2x4.vmem.E01'),
   'type': u'EWFAddressSpace,CachingAddressSpaceMixIn,FDAddressSpace,BaseAddressSpace'},
  'dtb': 233472,
  'type': u'IA32PagedMemory,PagedReader,BaseAddressSpace'}}

zeus2x4.vmem.E01 23:47:25> decoder = json_renderer.JsonDecoder(session=session)
zeus2x4.vmem.E01 23:48:10> print decoder.Decode(encoder.Encode(x)).ImageFileName
alg.exe

Since the decoder is able to exactly recreate the original object, this object
can then be subsequently used to dereference the memory image - we can recover
the _EPROCESS.ImageFileName attribute and print the process name - even though
the actual name was never encoded.
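The mechanism described above, as an added, self-contained model that is not Rekall's own code: Session, FileAddressSpace, Struct, PROFILE and IMAGE are constructed stand-ins for the real classes, the image is a small byte buffer built inline, and the member layout in PROFILE is invented. It shows that the encoder stores only the object reference (offset, type, address space), that the name is recovered by re-reading the image after decoding, and that decoding fails where the image is not available.

```python
import json
# Constructed stand-in for a memory image: a fake _EPROCESS at offset 0x40 whose
# ImageFileName member (16 bytes at member offset 4 in this toy profile) is "alg.exe".
IMAGE = bytearray(0x100)
IMAGE[0x44:0x54] = b"alg.exe".ljust(16, b"\0")
PROFILE = {"_EPROCESS": {"ImageFileName": (4, 16)}}  # type -> member -> (offset, size)

class Session:
    def __init__(self, images):
        self.images = images  # filename -> bytes this environment can open
    def open_image(self, filename):
        if filename not in self.images:
            raise IOError("image %s is not available in this environment" % filename)
        return self.images[filename]

class FileAddressSpace:
    """Reads bytes from an image the session opened (stand-in for Rekall's address spaces)."""
    def __init__(self, session, filename):
        self.filename, self.data = filename, session.open_image(filename)
    def read(self, offset, length):
        return bytes(self.data[offset:offset + length])

class Struct:
    """Lazily-read object: only offset, type and vm are stored; members come from the image."""
    def __init__(self, type_name, obj_offset, obj_vm):
        self.type_name, self.obj_offset, self.obj_vm = type_name, obj_offset, obj_vm
    def __getattr__(self, member):  # only reached for names not set in __init__
        off, size = PROFILE[self.type_name][member]
        return self.obj_vm.read(self.obj_offset + off, size).split(b"\0", 1)[0].decode()

def encode(obj):
    """Serialize the object *reference* (offset, type, address space), never its contents."""
    return json.dumps({"offset": obj.obj_offset, "type_name": obj.type_name,
                       "vm": {"base": {"filename": obj.obj_vm.filename}}})

def decode(session, blob):
    """Recreate the object; this only works where the session can open the same image."""
    d = json.loads(blob)
    return Struct(d["type_name"], d["offset"], FileAddressSpace(session, d["vm"]["base"]["filename"]))

def roundtrip_name(images):
    """Encode an _EPROCESS in one session, decode it in a session holding `images`."""
    path = "/tmp/zeus.vmem"  # constructed filename
    proc = Struct("_EPROCESS", 0x40, FileAddressSpace(Session({path: IMAGE}), path))
    blob = encode(proc)
    assert "alg.exe" not in blob  # the process name itself was never serialized
    try:
        return decode(Session(images), blob).ImageFileName
    except IOError:
        return None  # decoder cannot dereference: the image is missing here
```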

Classes
  BaseAddressSpaceObjectRenderer
  FileAddressSpaceObjectRenderer
  AttributeDictObjectRenderer
  SlottedObjectObjectRenderer
  IA32PagedMemoryObjectRenderer
  SessionObjectRenderer
  ProfileObjectRenderer
  SetObjectRenderer
      Encode a python set().
  NoneObjectRenderer
      Encode a None Object.
  UnixTimestampJsonObjectRenderer
  ArrowObjectRenderer
  PointerObjectRenderer
      Encode a Pointer.
  ArrayObjectRenderer
  JsonAttributedStringRenderer
      Encode an attributed string.
  JsonHexdumpRenderer
      Encode a hex dumped string.
  JsonInstructionRenderer
  JsonEnumerationRenderer
      For enumerations store both their value and the enum name.
  JsonFormattedAddress
  JsonRangedCollectionObjectRenderer
      Serialize RangedCollection objects.

Variables
  __package__ = 'rekall.plugins.renderers'