

import binascii

import mock

from rekall import testlib
from rekall.plugins.tools import dynamic_profiles
class MockAddressResolver(object):
    """Minimal stand-in for the session's address resolver.

    The matcher under test asks the resolver to name call targets; this
    class answers from a fixed table seeded by the test case instead of
    from a real profile.
    """

    def __init__(self, name_map):
        # address -> value recorded by the test (the cases seed lists of
        # symbol names); anything not present is reported as unknown.
        self.name_map = name_map

    def format_address(self, address):
        """Return the entry recorded for *address*, or "" when unknown."""
        try:
            return self.name_map[address]
        except KeyError:
            return ""
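class TestDynamicProfile(testlib.RekallBaseUnitTestCase):
    """Tests the dynamic profile mechanism.

    Each entry of TEST_CASES feeds a raw code chunk (hex string in ``data``)
    and a rule list into ``DisassembleMatcher``; the ``$``-prefixed names
    used in the rules (e.g. ``$out``) are then read back from the match and
    compared with ``expected``. ``name_map`` pre-seeds the mock address
    resolver so that ``comment`` rules naming call targets can be satisfied
    without a real profile.
    """

    TEST_CASES = [
        dict(
            expected={"$out": 0x20},
            mode="AMD64",
            # Taken from Windows 7 x64
            offset=0xf800029eb5d0,
            data=('48895c240848896c24104889742418574883ec2033ff418bf08bea488bd'
                  '948393975218d572833c941b848546162e80d4602004889034885c07504'
                  '32c0eb49bf01000000488b1b33d2448d4228488bcbe86b27efff83630c0'
                  '00bfe893bc7430880000000c743107f000000896b04e80583e9ff4885c0'
                  '750a488bcbe8f0feffffebb948894320b001488b5c2430'),
            example="""
            0xf800029eb63e 0x6e e80583e9ff call 0xf80002883948 nt!RtlpAllocateSecondLevelDir
            0xf800029eb643 0x73 4885c0 test rax, rax
            0xf800029eb646 0x76 750a jne 0xf800029eb652 nt!RtlCreateHashTable+0x82
            0xf800029eb648 0x78 488bcb mov rcx, rbx
            0xf800029eb64b 0x7b e8f0feffff call 0xf800029eb540 nt!RtlDeleteHashTable
            0xf800029eb650 0x80 ebb9 jmp 0xf800029eb60b nt!RtlCreateHashTable+0x3b
            0xf800029eb652 0x82 48894320 mov qword ptr [rbx + 0x20], rax
            """,
            rules=[
                {'mnemonic': 'CALL',
                 'comment': 'nt!RtlpAllocateSecondLevelDir'},

                {'mnemonic': 'MOV',
                 'operands': [{'disp': "$out", 'base': '$rbx'},
                              {'type': 'REG', 'reg': 'RAX'}]},
            ],
            # Used to pre-seed the address resolver with symbol names for
            # testing.
            name_map={
                0xf80002883948: ["nt!RtlpAllocateSecondLevelDir"],
            },
        ),

        # Example from MiSessionInsertImage()
        # http://gate.upm.ro/os/LABs/Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC/WindowsResearchKernel-WRK/WRK-v1.2/base/ntos/mm/sessload.c
        dict(
            # Taken from Windows 8 x64 dis "nt!MiSessionInsertImage"
            offset=0xf801ea55f680,
            data=('48895c240848896c2410488974241857415641574883ec20498bf0488bea'
                  '488bf941be5000000041b84d6d4869b900020000418bd6e856091200488b'
                  'd84885c00f84fee60900458bc633d2488bc8e89d03f3ffc7433001000000'
                  '4883cf0348897b20654c8b342588010000498b86b8000000488b88f00300'
                  '008b41084c8db9f80b0000488d7968498bd7498bce48896b38894334e8ef'
                  '16f7ff4c8b1f4c3bdf'),
            rules=[
                {'mnemonic': 'MOV', 'operands': [
                    {'type': 'REG', 'reg': '$RDI'},
                    {'type': 'REG', 'reg': 'RCX'}]},

                {'mnemonic': 'CALL',
                 'comment': 'nt!ExAllocatePoolWithTag'},

                {'mnemonic': 'MOV', 'operands': [
                    {'type': 'REG', 'reg': '$RBX'},
                    {'type': 'REG', 'reg': 'RAX'}]},

                # RtlZeroMemory (NewImage, sizeof(IMAGE_ENTRY_IN_SESSION));
                {'mnemonic': 'CALL', 'comment': 'nt!memset'},

                # NewImage->ImageCountInThisSession = 1;
                {'mnemonic': 'MOV', 'operands': [
                    {'disp': "$ImageCountInThisSession",
                     'base': '$RBX', 'type': 'MEM'},
                    {'address': 1, 'type': 'IMM'}]},

                # NewImage->Address = BaseAddress;
                {'mnemonic': 'MOV', 'operands': [
                    {'disp': "$Address",
                     'base': '$RBX', 'type': 'MEM'},
                    {'type': 'REG', 'reg': '$RDI'}]},
            ],
            name_map={
                0xf801ea680010: ["nt!ExAllocatePoolWithTag"],
                0xf801ea48fa70: ["nt!memset"],
            },
            expected={"$Address": 0x20, "$ImageCountInThisSession": 0x30},
        ),
    ]

    def testDynamicProfile(self):
        """Run every TEST_CASES entry through DisassembleMatcher.

        For each case a mock session is built around a real user session,
        with its address resolver replaced by a MockAddressResolver seeded
        from ``name_map``; the matcher's result is then checked against the
        case's ``expected`` mapping key by key.
        """
        for index, case in enumerate(self.TEST_CASES):
            self.session = mock.Mock(
                wraps=self.MakeUserSession(),
                address_resolver=MockAddressResolver(
                    case.get("name_map", {})))

            matcher = dynamic_profiles.DisassembleMatcher(
                mode=case.get("mode", "AMD64"),
                rules=case["rules"],
                session=self.session)

            # binascii.unhexlify (rather than str.decode("hex")) and
            # dict.items() (rather than iteritems()) behave the same under
            # Python 2 and also work on Python 3.
            match = matcher.Match(offset=case.get("offset", 0),
                                  data=binascii.unhexlify(case["data"]))

            for key, value in case["expected"].items():
                # Name the case and key so a failure in a multi-case loop
                # can be located without re-running under a debugger.
                self.assertEqual(
                    match[key], value,
                    "case %d: %s expected %r, got %r" % (
                        index, key, value, match[key]))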