
  1  # Rekall Memory Forensics 
  2  # Copyright 2016 Google Inc. All Rights Reserved. 
  3  # 
  4  # This program is free software; you can redistribute it and/or modify 
  5  # it under the terms of the GNU General Public License as published by 
  6  # the Free Software Foundation; either version 2 of the License, or (at 
  7  # your option) any later version. 
  8  # 
  9  # This program is distributed in the hope that it will be useful, but 
 10  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 11  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 12  # General Public License for more details. 
 13  # 
 14  # You should have received a copy of the GNU General Public License 
 15  # along with this program; if not, write to the Free Software 
 16  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 17  # 
 18   
 19  """This module defines interpolators for the common OSs. 
 20   
  21  Globs and Artifacts may expand interpolations from the KnowledgeBase. This 
  22  module provides a live, on-demand KnowledgeBase: values are read from the host the agent is running on (/etc/passwd, the registry, the process environment), not from a memory image, so treat them as data from a possibly compromised system. 
 23  """ 
 24  import os 
 25  import re 
 26  import platform 
 27   
 28  from rekall import kb 
 29  from rekall_lib import registry 
class KnowledgeBase(object):
    """Base interpolation source: knows nothing, so every variable expands to [].

    OS-specific subclasses override expand() and use the stored session to
    reach plugins and logging.
    """

    def __init__(self, session):
        # Kept for subclasses; the base class itself never touches it.
        self.session = session

    def expand(self, variable):
        """Return the list of concrete values for an interpolation variable.

        The base implementation has no knowledge of the host, so any
        variable (e.g. "%%users.homedir%%") expands to an empty list and a
        glob built from it matches nothing.
        """
        return []
39
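class LinuxKnowledgeBase(KnowledgeBase):
    """KnowledgeBase that reads the live Linux host's /etc/passwd.

    Only %%users.homedir%% is supported. The values come from the machine the
    agent is running on, which in a response context may be compromised, so
    callers feeding them into globs should treat them as untrusted data rather
    than trusted configuration.
    """

    @registry.memoize
    def _get_users_homedir(self):
        """Return the home directory (sixth field) of every /etc/passwd entry.

        Memoized, so /etc/passwd is read once per session. Blank lines,
        comment lines and lines with fewer than six colon-separated fields
        are skipped: the previous version indexed field 5 unconditionally,
        so one malformed line raised IndexError and aborted every artifact
        that expands %%users.homedir%%.
        """
        homedirs = []
        # Context manager closes the descriptor promptly instead of leaving
        # the unnamed file object to the garbage collector.
        with open("/etc/passwd") as passwd:
            for line in passwd:
                line = line.strip()
                if not line or line.startswith("#"):
                    continue
                fields = line.split(":")
                if len(fields) < 6:
                    continue
                homedirs.append(fields[5])

        return homedirs

    def expand(self, variable):
        """Expand one interpolation variable to a list of values.

        Unknown variables are logged at warning level and expand to [], so a
        glob using them simply matches nothing instead of failing.
        """
        if variable == "%%users.homedir%%":
            return self._get_users_homedir()

        self.session.logging.warn("Unable to interpolate %s", variable)
        return []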
58
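class WindowsKnowledgeBase(KnowledgeBase):
    """KnowledgeBase backed by the live Windows host's registry and environment.

    Supports %%users.sid%%, %%users.homedir%% and %%environ_systemroot%%. SIDs
    and profile paths are read from the registry of the machine the agent runs
    on; in a response context that machine may be compromised, so values fed
    into globs should be treated as untrusted data.
    """

    @registry.memoize
    def _get_sids(self):
        """Return the SID-named subkeys of HKEY_USERS.

        Globs HKEY_USERS\\* on the "Reg" filesystem and keeps each key name
        that ends in an S-n-n-... style SID. Names without that suffix (e.g.
        .DEFAULT, or keys with a trailing suffix after the SID) do not match
        the end-anchored regex and are dropped.
        """
        sids = []
        hits = self.session.plugins.glob(
            r"HKEY_USERS\*", filesystem="Reg", root="\\",
            path_sep="\\").collect()
        for hit in hits:
            key_name = hit["path"].filename.name or ""
            match = re.search(r"(S-(\d+-)+\d+)$", key_name, re.I)
            if match:
                sids.append(match.group(1))

        return sids

    @registry.memoize
    def _get_homedirs(self):
        """Return each user's profile path via the WindowsRegistryProfiles artifact.

        Every entry of each artifact hit's "result" list contributes its
        "value" when that value is non-empty; anything else is ignored.
        """
        profile_paths = []
        for artifact_hit in self.session.plugins.artifact_collector(
                "WindowsRegistryProfiles"):
            for hit_result in artifact_hit.get("result", []):
                profile_path = hit_result.get("value")
                if profile_path:
                    profile_paths.append(profile_path)

        return profile_paths

    def expand(self, variable):
        """Expand one interpolation variable to a list of values.

        %%environ_systemroot%% is read from the agent process's own
        environment (os.environ, which is case-insensitive on Windows), not
        from the target's registry. If the variable is unset or empty this
        logs a warning and returns [] instead of raising KeyError; unknown
        variables are logged the same way, matching LinuxKnowledgeBase.
        """
        if variable == "%%users.sid%%":
            return self._get_sids()

        if variable == "%%users.homedir%%":
            return self._get_homedirs()

        if variable == "%%environ_systemroot%%":
            systemroot = os.environ.get("systemroot")
            if systemroot:
                return [systemroot]
            self.session.logging.warn(
                "Unable to interpolate %s: SystemRoot is not set", variable)
            return []

        self.session.logging.warn("Unable to interpolate %s", variable)
        return []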
99
class KnowledgeBaseHook(kb.ParameterHook):
    """Session parameter hook that builds the KnowledgeBase for the local OS."""

    # Parameter name this hook is registered under (see kb.ParameterHook).
    name = "knowledge_base"

    def calculate(self):
        """Instantiate the KnowledgeBase matching platform.system().

        Only "Linux" and "Windows" are handled. On any other platform this
        falls through and returns None, so a caller that immediately calls
        .expand() on the parameter would fail there.
        NOTE(review): consider whether a base KnowledgeBase (expanding
        everything to []) is the better fallback for unsupported hosts.
        """
        backends = {
            "Linux": LinuxKnowledgeBase,
            "Windows": WindowsKnowledgeBase,
        }
        backend = backends.get(platform.system())
        if backend is not None:
            return backend(self.session)
109