rekall.plugins.response.windows

1 """Windows specific response plugins.""" 2 import itertools 3 import re 4 import win32api 5 import pythoncom 6 import win32com.client 7 8 from rekall import plugin 9 from rekall import obj 10 from rekall_lib import utils 11 from rekall.plugins.common import address_resolver 12 from rekall.plugins.response import common 13 from rekall.plugins.windows import address_resolver as win_address_resolver

14 15 16 -def get_drives():

17 """List all the drives on this system.""" 18 drives = win32api.GetLogicalDriveStrings() 19 return [x.rstrip("\\") for x in drives.split('\000') if x]

20

21 22 -class WmiResult(utils.AttributeDict):

23 """Represent WMI result.""" 24 25 # Properties to remove from results sent to the server. 26 # These properties are included with nearly every WMI object and use space. 27 IGNORE_PROPS = ["CSCreationClassName", "CreationClassName", "OSName", 28 "OSCreationClassName", "WindowsVersion", "CSName", 29 "__NAMESPACE", "__SERVER", "__PATH"] 30

31 - def __init__(self, result):

32 super(WmiResult, self).__init__() 33 for prop in itertools.chain( 34 result.Properties_, 35 # On some systems this does not exist. 36 getattr(result, "SystemProperties_", [])): 37 if prop.Name not in self.IGNORE_PROPS: 38 self[prop.Name] = prop.Value

39

40 41 -class Wmi(common.AbstractIRCommandPlugin):

42 """Executes a WMI query and returns results.""" 43 name = "wmi" 44 45 __args = [ 46 dict(name="query", positional=True, 47 help="WMI query to execute"), 48 dict(name="baseobj", default=r"winmgmts:\root\cimv2", 49 help="The base object to query") 50 ] 51 52 table_header = [ 53 dict(name="Result") 54 ] 55

56 - def column_types(self):

57 return dict(Result=utils.AttributeDict())

58

59 - def collect(self):

60 # Needs to be called if using com from a thread. 61 pythoncom.CoInitialize() 62 63 wmi_obj = win32com.client.GetObject(self.plugin_args.baseobj) 64 65 # This allows our WMI to do some extra things, in particular 66 # it gives it access to find the executable path for all processes. 67 wmi_obj.Security_.Privileges.AddAsString("SeDebugPrivilege") 68 69 # Run query 70 try: 71 query_results = wmi_obj.ExecQuery(self.plugin_args.query) 72 except pythoncom.com_error as e: 73 raise plugin.PluginError( 74 "Failed to run WMI query \'%s\' err was %s" % ( 75 self.plugin_args.query, e)) 76 77 # Extract results from the returned COMObject and return dicts. 78 try: 79 for result in query_results: 80 yield dict(Result=WmiResult(result)) 81 82 except pythoncom.com_error as e: 83 raise plugin.PluginError( 84 "WMI query data error on query \'%s\' err was %s" % 85 (e, self.plugin_args.query))

86

87 88 -class WindowsRootFileInformation(common.FileInformation):

89 """A special FileInformation class to handle windows drives. 90 91 In windows the root directory (/) is not real, it contains a 92 listing of drive letters. So listing the "/" directory should 93 return a list of FileInformation("/c:"), FileInformation("/d:") 94 etc. 95 """ 96

97 - def __init__(self, **kwargs):

98 super(WindowsRootFileInformation, self).__init__(**kwargs) 99 # The fake root is like a directory. 100 self.st_mode = common.Permissions(040755)

101

102 - def open(self):

103 return obj.NoneObject("Not set")

104

105 - def list_names(self):

106 return get_drives()

107

108 - def list(self):

109 for drive in get_drives(): 110 yield self.from_stat( 111 common.FileSpec( 112 filename=drive, 113 path_sep=self.filename.path_sep, 114 filesystem=self.filename.filesystem), 115 session=self.session)

116

117 118 -class WindowsFileInformation(common.FileInformation):

119 @classmethod

120 - def from_stat(cls, filespec, session=None):

121 filespec = common.FileSpec(filespec) 122 123 # The root path. 124 if filespec.name == filespec.path_sep: 125 return WindowsRootFileInformation( 126 session=session, filename=filespec) 127 128 return super(WindowsFileInformation, cls).from_stat( 129 filespec, session=session)

130 131 132 # Register a specialized implementation of FileInformation 133 common.FILE_SPEC_DISPATCHER["API"] = WindowsFileInformation

134 135 136 -class LiveModule(win_address_resolver.PEModule):

137 """Address resolver modules accessed through APIs.""" 138

139 - def __init__(self, vad=None, session=None):

140 name = "vad_%#x" % vad.start 141 self.filename = vad.filename 142 if self.filename: 143 name = WinAPIAddressResponse.NormalizeModuleName(self.filename) 144 145 self.vad = vad 146 147 super(LiveModule, self).__init__(name=name, 148 start=vad.start, 149 end=vad.end, 150 session=session)

151

152 153 -class WinAPIAddressResponse(address_resolver.AddressResolverMixin, 154 common.AbstractAPICommandPlugin):

155 """Address resolver for windows API access.""" 156 157 @staticmethod

158 - def NormalizeModuleName(module_name):

159 result = unicode(module_name) 160 result = re.split(r"[/\\]", result)[-1] 161 162 # Drop the file extension. 163 result = result.split(".")[0] 164 165 return result.lower()

166

167 - def _EnsureInitialized(self):

168 """Initialize the address resolver. 169 170 In windows we populate the virtual address space map from kernel modules 171 and VAD mapped files (dlls). 172 """ 173 if self._initialized: 174 return 175 176 try: 177 process_context = self.session.GetParameter("process_context") 178 if process_context != None: 179 # Now use the vad. 180 for vad in self.session.plugins.vad().merge_ranges( 181 process_context.pid): 182 self.AddModule(LiveModule(vad=vad, session=self.session)) 183 184 finally: 185 self._initialized = True

186

Source Code for Module rekall.plugins.response.windows