
Source Code for Module rekall.plugins.renderers.virtualization

  1  # Rekall Memory Forensics 
  2  # Copyright 2014 Google Inc. All Rights Reserved. 
  3  # 
  4  # This program is free software; you can redistribute it and/or modify 
  5  # it under the terms of the GNU General Public License as published by 
  6  # the Free Software Foundation; either version 2 of the License, or (at 
  7  # your option) any later version. 
  8  # 
  9  # This program is distributed in the hope that it will be useful, but 
 10  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 11  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 12  # General Public License for more details. 
 13  # 
 14  # You should have received a copy of the GNU General Public License 
 15  # along with this program; if not, write to the Free Software 
 16  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 17  # 
 18   
 19  """This module implements renderers specific to virtualization.""" 
 20   
 21  from rekall.ui import text 
 22  from rekall.ui import json_renderer 
 23  from rekall.plugins import hypervisors 
 24  from rekall.plugins.renderers import data_export 
 25  from rekall.plugins.renderers import json_storage 
 26   
 27   
class VTxPagedMemoryObjectRenderer(
        json_storage.BaseAddressSpaceObjectRenderer):
    """Serialize VTxPagedMemory address spaces for JSON storage.

    Extends the state produced by the base address space renderer with the
    two attributes copied from the item below: ``dtb`` and ``ept``.
    """

    renders_type = "VTxPagedMemory"

    def GetState(self, item, **options):
        """Return the parent renderer's state plus the item's dtb and ept.

        Args:
          item: The object being serialized; must expose ``dtb`` and ``ept``.
          **options: Forwarded unchanged to the parent GetState().

        Returns:
          The state mapping built by the parent class with "dtb" and "ept"
          added.
        """
        parent = super(VTxPagedMemoryObjectRenderer, self)
        state = parent.GetState(item, **options)

        # Same keys, same order as the attribute names on the item.
        for field in ("dtb", "ept"):
            state[field] = getattr(item, field)

        return state
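class VirtualMachine_DataExportRenderer(data_export.DataExportObjectRenderer):
    """Data-export renderer for VirtualMachine objects."""

    renders_type = "VirtualMachine"

    def EncodeToJsonSafe(self, vm, **options):
        """Encode a VirtualMachine into a JSON-safe structure.

        Args:
          vm: The VirtualMachine to encode.
          **options: Only "quick" is read here (default False). The options
            are not forwarded to the parent encoder.

        Returns:
          Whatever JsonObjectRenderer.EncodeToJsonSafe() returns for the
          populated result dict.
        """
        result = super(VirtualMachine_DataExportRenderer,
                       self).EncodeToJsonSafe(vm)
        result["ept"] = vm.ept
        result["host_rip"] = vm.host_rip
        result["name"] = vm.name
        # Recorded so Summary() can tell whether to print the core count.
        result["_quick"] = options.pop("quick", False)
        result["guest_arch"] = vm.guest_arch
        result["num_cores"] = vm.num_cores
        # The VMCSs are stored in a set.
        result["vmcss"] = list(vm.vmcss)
        result["virtual_machines"] = list(vm.virtual_machines)

        return json_renderer.JsonObjectRenderer.EncodeToJsonSafe(self, result)

    def Summary(self, vm, **_):
        """Return a one-line description of an encoded VirtualMachine.

        Args:
          vm: The encoded mapping produced by EncodeToJsonSafe().

        Returns:
          "VM [N vCORE(s), ARCH]", with "??" in place of N when the "_quick"
          flag is set in the encoded state.
        """
        if vm.get("_quick"):
            # Only one argument is supplied, so the placeholder must be {0};
            # the previous {1} raised IndexError on every quick-mode summary.
            return "VM [?? vCORE(s), {0}]".format(vm.get("guest_arch"))

        return "VM [{0} vCORE(s), {1}]".format(
            vm.get("num_cores"), vm.get("guest_arch"))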
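class VirtualMachine_JsonObjectRenderer(json_renderer.StateBasedObjectRenderer):
    """State-based JSON renderer for VirtualMachine objects."""

    renders_type = "VirtualMachine"

    def DecodeFromJsonSafe(self, state, options):
        """Rebuild a VirtualMachine, and its nested VMs, from decoded state.

        Args:
          state: The serialized state for one VirtualMachine.
          options: Decoder options, passed through to the parent class and to
            each nested decode.

        Returns:
          The reconstructed hypervisors.VirtualMachine, with every nested
          virtual machine decoded and attached to it.
        """
        super_obj = super(VirtualMachine_JsonObjectRenderer, self)
        state = super_obj.DecodeFromJsonSafe(state, options)

        vm = hypervisors.VirtualMachine(host_rip=state.get("host_rip"),
                                        ept=state.get("ept"),
                                        parent=state.get("parent"),
                                        name=state.get("name"),
                                        session=state.get("base_session"))

        vm.vmcss = state.get("vmcss", [])
        vm.vmcs_validation = state.get("vmcs_validation", {})

        # Decode each nested VirtualMachine. The loop variable must not be
        # called `vm`: that rebinds the parent, so the child's parent pointer
        # and the returned value became the nested state, not the machine.
        # NOTE(review): recursion depth follows the nesting of the serialized
        # input; confirm that stored sessions come from a trusted source.
        for nested_state in state.get("virtual_machines", []):
            unserialized_vm = self.DecodeFromJsonSafe(nested_state, options)
            unserialized_vm.parent = vm
            vm.virtual_machines.update([unserialized_vm])

        return vm

    def GetState(self, item, **options):
        """Return the serializable state of a VirtualMachine.

        Args:
          item: The VirtualMachine being serialized.
          **options: Forwarded to the parent GetState(); "quick" is also read
            here (default False).

        Returns:
          The parent's state mapping extended with the VM's attributes.
        """
        state = super(VirtualMachine_JsonObjectRenderer, self).GetState(
            item, **options)
        state["_quick"] = options.pop("quick", False)
        state["ept"] = item.ept
        state["host_rip"] = item.host_rip
        state["name"] = item.name
        state["base_session"] = item.base_session
        # The validation state is stored as a dict of vmcs:state pairs.
        state["vmcs_validation"] = item.vmcs_validation
        # The VMCSs are stored in a set.
        state["vmcss"] = list(item.vmcss)
        state["virtual_machines"] = list(item.virtual_machines)
        return state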
class VirtualizationNode_TextObjectRenderer(text.TextObjectRenderer):
    """Virtualization nodes can be Hypervisors, VirtualMachine or VMCS."""

    renders_type = "VirtualizationNode"
    renderers = ["TextRenderer", "WebConsoleRenderer", "TestRenderer"]

    def __init__(self, *args, **options):
        """Set up the renderer and its four-column text table.

        Args:
          *args: Forwarded to the parent constructor.
          **options: "quick" (default False) is consumed here; the rest is
            forwarded to the parent constructor.
        """
        # Remove "quick" before delegating so the parent never sees it.
        self.quick = options.pop("quick", False)
        super(VirtualizationNode_TextObjectRenderer, self).__init__(
            *args, **options)

        column_specs = [
            {"name": "description"},
            {"name": "name", "width": 20},
            {"name": "valid", "type": "bool"},
            {"name": "ept"},
        ]
        self.table = text.TextTable(
            columns=column_specs,
            renderer=self.renderer,
            session=self.session)

    def render_header(self, **options):
        """Return the header cell: "Description" underlined with dashes."""
        header = text.Cell("Description", width=40)
        underline = "-" * header.width
        header.append_line(underline)
        return header

    def render_row(self, target, **options):
        """Return a text cell describing a VirtualMachine or a VMCS.

        Args:
          target: A hypervisors.VirtualMachine, or an object whose class name
            contains "VMCS".

        Returns:
          A text.Cell for either kind of node; None for anything else.
        """
        if isinstance(target, hypervisors.VirtualMachine):
            # In quick mode the core count is shown as "??".
            cores = "??" if self.quick else str(target.num_cores)
            label = "VM [{0:s} vCORE(s), {1:s}]".format(
                cores, target.guest_arch)
            return text.Cell(label)

        if "VMCS" in target.__class__.__name__:
            label = "VMCS @ {0:08X} vCORE {1:x}".format(
                target.obj_offset, target.m("VPID"))
            return text.Cell(label)

        return None