
  1  # Rekall Memory Forensics 
  2  # Copyright 2014 Google Inc. All Rights Reserved. 
  3  # 
  4  # This program is free software; you can redistribute it and/or modify 
  5  # it under the terms of the GNU General Public License as published by 
  6  # the Free Software Foundation; either version 2 of the License, or (at 
  7  # your option) any later version. 
  8  # 
  9  # This program is distributed in the hope that it will be useful, but 
 10  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 11  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 12  # General Public License for more details. 
 13  # 
 14  # You should have received a copy of the GNU General Public License 
 15  # along with this program; if not, write to the Free Software 
 16  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 17  # 
 18   
 19  """This module implements renderers specific to windows structures.""" 
 20   
 21  from rekall.ui import text 
 22  from rekall.ui import json_renderer 
 23  from rekall.plugins.renderers import data_export 
 24  from rekall_lib import utils 
 25   
 26   
class EPROCESSDataExport(data_export.DataExportBaseObjectRenderer):
    """Data-export (JSON) renderer for _EPROCESS objects.

    On top of the base object encoding, the exported dictionary gains a
    ``Cybox`` entry describing the process: name, pid, creation time, parent
    pid and image information.
    """
    renders_type = "_EPROCESS"

    def EncodeToJsonSafe(self, task, **_):
        """Encode *task* (an _EPROCESS) into a JSON-safe dictionary.

        Args:
          task: the _EPROCESS object being exported.

        Returns:
          The base-class encoding of *task* extended with a ``Cybox``
          dictionary, passed once more through JsonObjectRenderer so that
          the nested values are JSON safe as well.

        Note:
          ``Path`` and ``Command_Line`` are read from ``Peb.ProcessParameters``.
          NOTE(review): the PEB lives in the process's own user-mode address
          space and can be rewritten by the process itself, so treat those two
          fields as claimed rather than verified; ``File_Name`` is taken from
          ``SeAuditProcessCreationInfo``, which is kernel-maintained, and
          ``TrustedPath`` from ``task.FullPath``.
        """
        encoded = super(EPROCESSDataExport, self).EncodeToJsonSafe(task)
        params = task.Peb.ProcessParameters

        encoded["Cybox"] = {
            "type": u"ProcessObj:ProcessObjectType",
            "Name": task.name,
            "PID": task.pid,
            "Creation_Time": task.CreateTime,
            "Parent_PID": task.InheritedFromUniqueProcessId,
            "Image_Info": {
                "type": u"ProcessObj:ImageInfoType",
                "Path": params.ImagePathName,
                "Command_Line": params.CommandLine,
                "TrustedPath": task.FullPath,
                "File_Name": task.SeAuditProcessCreationInfo.ImageFileName.Name,
            },
        }

        return json_renderer.JsonObjectRenderer.EncodeToJsonSafe(self, encoded)

    def Summary(self, item, **_):
        """Return a one-line ``"<name> (<pid>)"`` summary of an exported item.

        Missing ``Cybox`` data yields empty strings rather than an error.
        """
        cybox = item.get("Cybox", {})
        return "%s (%s)" % (cybox.get("Name", ""), cybox.get("PID", ""))
54 55
class UNICODE_STRING_Text(text.TextObjectRenderer):
    """Text renderer for _UNICODE_STRING: the value is shown as plain text."""
    renders_type = "_UNICODE_STRING"
    renderers = ["TextRenderer", "TestRenderer", "WideTextRenderer"]

    def render_compact(self, target, width=None, **_):
        """Return one text.Cell holding the unicode value of *target*.

        Args:
          target: the _UNICODE_STRING object to render.
          width: optional column width, handed through to text.Cell.
        """
        as_text = unicode(target)
        return text.Cell(as_text, width=width)
62 63
class SID_Text(UNICODE_STRING_Text):
    """Render a _SID exactly like a _UNICODE_STRING (inherits render_compact)."""
    renders_type = "_SID"
66 67
class UNICODE_STRINGDataExport(data_export.DataExportBaseObjectRenderer):
    """Data-export renderer for _UNICODE_STRING: exported as a unicode value."""
    renders_type = "_UNICODE_STRING"

    def EncodeToJsonSafe(self, item, **_):
        """Return the unicode form of *item*, which is JSON safe as is."""
        as_text = unicode(item)
        return as_text
73 74
class STRINGDataExport(UNICODE_STRINGDataExport):
    """Data-export renderer for ``String`` objects."""
    renders_type = "String"

    def EncodeToJsonSafe(self, item, **_):
        """Return *item* converted with utils.SmartStr.

        Unlike the _UNICODE_STRING parent this does not go through unicode();
        NOTE(review): presumably SmartStr yields the byte-string form — confirm
        against rekall_lib.utils.
        """
        converted = utils.SmartStr(item)
        return converted
80 81
class EPROCESS_TextObjectRenderer(text.TextObjectRenderer):
    """Text renderer for _EPROCESS.

    Depending on ``output_style`` the process is rendered as a row of a
    sub-table ("full" or "concise") or as a single compact cell (any other
    style).
    """
    renders_type = "_EPROCESS"
    renderers = ["TextRenderer", "TestRenderer"]

    def __init__(self, *args, **options):
        """Build the sub table used to render the _EPROCESS.

        Options consumed here:
          name: column name for the address column (default "_EPROCESS").
          style: output style override; read after the base constructor ran so
            the base-class default is used when the option is absent.
        """
        self.name = options.pop("name", "_EPROCESS")

        super(EPROCESS_TextObjectRenderer, self).__init__(*args, **options)

        # pstree requests light output so we override the style.
        self.output_style = options.pop("style", self.output_style)

        # "full" adds fullpath and ppid columns around the pid column;
        # every other style gets the address/name/pid layout.
        layout = [
            dict(name=self.name, formatstring="[addrpad]"),
            dict(name="name", width=20),
        ]
        is_full = self.output_style == "full"
        if is_full:
            layout.append(dict(name="fullpath", width=60))
        layout.append(dict(name="pid", width=5, align="r"))
        if is_full:
            layout.append(dict(name="ppid", width=5, align="r"))

        self.table = text.TextTable(
            columns=layout, renderer=self.renderer, session=self.session)

    def render_header(self, **options):
        """Return the header: the sub-table header for "full"/"concise",
        otherwise a 40-wide cell with the column name underlined by dashes.
        """
        if self.output_style not in ("full", "concise"):
            header = text.Cell(self.name, width=40)
            header.append_line("-" * header.width)
            return header

        return self.table.render_header()

    def render_row(self, target, **options):
        """Render one _EPROCESS *target* according to ``output_style``.

        Returns:
          A table row for "full" (offset, name, FullPath, pid, parent pid)
          or "concise" (offset, name, pid); otherwise a single Cell of the
          form ``"<address> <name> (<pid>)"``.
        """
        style = self.output_style
        if style == "full":
            return self.table.get_row(
                target.obj_offset, target.name, target.FullPath, target.pid,
                target.InheritedFromUniqueProcessId)

        if style == "concise":
            return self.table.get_row(
                target.obj_offset, target.name, target.pid)

        compact = u"%s %s (%d)" % (
            self.format_address(target.obj_offset), target.name, target.pid)
        return text.Cell(compact)
137 138
class EPROCESS_WideTextObjectRenderer(EPROCESS_TextObjectRenderer):
    """Wide-text variant of the _EPROCESS renderer: one formatted cell per row."""
    renders_type = "_EPROCESS"
    renderers = ["WideTextRenderer"]

    def render_row(self, target, **_):
        """Return a Cell with name, pid and the object's address for *target*.

        The formatting is delegated to ``self.formatter``, which receives the
        _EPROCESS object itself for the ``{2:#x}`` placeholder.
        """
        template = u"{0:s} Pid: {1:s} (@{2:#x})"
        rendered = self.formatter.format(
            template, target.name, target.pid, target)
        return text.Cell(rendered)
147 148
class MMVAD_FLAGS_TextRenderer(text.TextObjectRenderer):
    """Text renderer for VAD/section flag structures.

    Only the flags that are set are listed, as ``"Name: value"`` pairs joined
    by commas.
    """
    renders_type = ("_MMVAD_FLAGS", "_MMVAD_FLAGS2", "_MMSECTION_FLAGS")
    renderers = ["TextRenderer", "TestRenderer"]

    def render_compact(self, target, **_):
        """Return a Cell listing every set flag of *target* in member order.

        Members whose name ends in "Enum" are skipped. A member that does not
        resolve to an attribute with a truthy ``v()`` contributes nothing; an
        AttributeError raised while reading or formatting it is deliberately
        swallowed so one odd member cannot abort the rendering.
        """
        set_flags = []
        for member in sorted(target.members):
            if member.endswith("Enum"):
                continue

            try:
                value = getattr(target, member)
                if value.v():
                    set_flags.append(u"%s: %s" % (member, value))
            except AttributeError:
                # Best effort: skip members that cannot be read as a flag.
                pass

        return text.Cell(", ".join(set_flags))
167