
Source Code for Module rekall.plugins.tools.ipython

  1  #!/usr/bin/env python2 
  2   
  3  # Rekall Memory Forensics 
  4  # Copyright 2013 Google Inc. All Rights Reserved. 
  5  # 
  6  # Author: Michael Cohen scudette@google.com 
  7  # 
  8  # This program is free software; you can redistribute it and/or modify 
  9  # it under the terms of the GNU General Public License as published by 
 10  # the Free Software Foundation; either version 2 of the License, or (at 
 11  # your option) any later version. 
 12  # 
 13  # This program is distributed in the hope that it will be useful, but 
 14  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 15  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 16  # General Public License for more details. 
 17  # 
 18  # You should have received a copy of the GNU General Public License 
 19  # along with this program; if not, write to the Free Software 
 20  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 21  # 
 22   
 23  __author__ = "Michael Cohen <scudette@google.com>" 
 24   
 25  import os 
 26  import site 
 27   
 28  from rekall import constants 
 29  from rekall import plugin 
 30  from rekall import kb 
 31  from rekall import testlib 
 32  from rekall.plugins import core 
 33  from rekall.ui import text as text_renderer 
 34   
 35  try: 
 36      from rekall import ipython_support 
 37  except ImportError: 
 38      ipython_support = None 
def IPython012Support(user_session):
    """Run the Rekall session inside an IPython (0.12 or later) shell.

    Args:
      user_session: The session to expose. Its PrepareLocalNamespace() is
        called immediately before the shell is started.

    Returns:
      The result of ipython_support.Shell() when the optional ipython_support
      module was imported. None (falsy) when it was not, which lets the
      caller fall back to another shell.
    """
    if not ipython_support:
        return None

    # The namespace is prepared at this point and not earlier because the
    # IPython shell alters the user namespace (it adds its own help function).
    user_session.PrepareLocalNamespace()

    shell_result = ipython_support.Shell(user_session)
    return shell_result
def NativePythonSupport(user_session):
    """Run the Rekall session in the standard library's interactive console.

    This is the shell used when the IPython shell is not available. The call
    blocks until the console exits. There is no return statement, so the
    result is always None.

    Args:
      user_session: The session whose locals become the console namespace.
    """
    import code

    # Tab completion is best effort: when the modules cannot be imported the
    # console is still started, just without completion.
    try:
        import rlcompleter  # pylint: disable=unused-variable
        import readline
    except ImportError:
        pass
    else:
        readline.parse_and_bind("tab: complete")

    # Prepare the session for running within the native python interpreter.
    user_session.PrepareLocalNamespace()
    console_namespace = user_session.locals
    code.interact(banner=constants.BANNER, local=console_namespace)
class BaseSessionCommand(plugin.Command):
    """Base class for all session management plugins."""

    interactive = True

    @classmethod
    def args(cls, parser):
        """Declare the session_id argument on top of the inherited ones."""
        super(BaseSessionCommand, cls).args(parser)

        parser.add_argument(
            "session_id", help="The session id to change to")

    def __init__(self, session_id=None, **kwargs):
        """Keep the target session id and any extra keyword arguments.

        Args:
          session_id: Identifier of the session the command acts on.
          **kwargs: Must contain "session", otherwise the pop below raises
            KeyError. Only that value is forwarded to the parent constructor;
            whatever remains is kept in self.kwargs.
        """
        owning_session = kwargs.pop("session")
        super(BaseSessionCommand, self).__init__(session=owning_session)
        self.session_id = session_id
        self.kwargs = kwargs
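class SessionList(BaseSessionCommand):
    """List the sessions available."""
    __name = "slist"

    def render(self, renderer):
        """Write one line per known session, marking the current one with "*".

        The marker, id and name are handed to the renderer as arguments and
        are never spliced into the format string. A "{" or "}" in a session
        name (InteractiveShell derives the name from base_filename) is then
        printed literally and is not parsed as a format field.
        """
        for session in self.session.session_list:
            marker = "*" if (self.session == session) else " "
            # Same field specs that SessionNew.render uses for a session id
            # and a session name.
            renderer.format(
                "{0:s} [{1:s}] {2:s}\n",
                marker, session.session_id, session.session_name)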
class SessionSwitch(BaseSessionCommand):
    """Changes the current session to the session with session_id."""
    __name = "sswitch"

    def render(self, renderer):
        """Rebind the "session" entry of the session locals to the target.

        When find_session() gives back a falsy value nothing is changed and
        a message is written to the renderer.
        """
        target = self.session.find_session(self.session_id)
        if not target:
            renderer.format("Invalid session specified.\n")
            return

        self.session.locals["session"] = target
class SessionNew(BaseSessionCommand):
    """Creates a new session by cloning the current one."""
    __name = "snew"

    def render(self, renderer):
        """Add a session, switch to it and report its id and name.

        The keyword arguments given to the command are passed to
        add_session() unchanged.
        """
        created = self.session.add_session(**self.kwargs)

        # Switch to the new session.
        switcher = self.session.plugins.sswitch(created.session_id)
        switcher.render(renderer)

        renderer.format(
            "Created session [{0:s}] {1:s}\n",
            created.session_id, created.session_name)
class SessionDelete(SessionSwitch):
    """Delete a session."""
    __name = "sdel"

    def render(self, renderer):
        """Remove the session named by session_id from the session list.

        The current session is never removed. That case and an unknown id
        are each reported through the renderer instead.
        """
        doomed = self.session.find_session(self.session_id)

        # Equality, not identity: find_session's return type is not visible
        # in this module, so "is None" is not assumed to be equivalent.
        if doomed == None:
            renderer.format("Invalid session id.\n")
            return

        if doomed == self.session:
            renderer.format("You can't delete your current session.\n")
            return

        self.session.session_list.remove(doomed)
class SessionMod(plugin.Command):
    """Modifies parameters of the current analysis session.

    Any session parameters can be set here. For example:

    smod colors="no", paging_limit=10, pager="less"

    """
    __name = "smod"

    interactive = True

    @classmethod
    def args(cls, parser):
        """Declare --filename, --profile and --pager after the inherited args."""
        super(SessionMod, cls).args(parser)

        parser.add_argument(
            "--filename",
            help="The name of the image file to analyze.")

        parser.add_argument(
            "--profile", default=None,
            help="The name of the profile to load.")

        pager_help = ("The name of a program to page output "
                      "(e.g. notepad or less).")
        parser.add_argument("--pager", default=None, help=pager_help)

    def __init__(self, **kwargs):
        """Take "session" out of kwargs and keep the rest as parameters."""
        owning_session = kwargs.pop("session")
        super(SessionMod, self).__init__(session=owning_session)
        self.kwargs = kwargs

    def render(self, renderer):
        """Store every remaining keyword as a session parameter."""
        # Each keyword supplied to the command is stored as given; no
        # allow-list of parameter names is applied at this point.
        with self.session as active_session:
            for param_name, param_value in self.kwargs.items():
                active_session.SetParameter(param_name, param_value)

        renderer.format("Done!\n")
# Replace the helper class behind python's built in help command, so that the
# help command can be used in the Rekall shell.
# NOTE(review): site._Helper is a private name of the site module; this
# matches the python2 interpreter named in the file's shebang.

# pylint: disable=protected-access

class RekallHelper(site._Helper):
    """Help callable that prints Rekall's own documentation.

    Called without an item it prints HELP_MESSAGE. For any other item it
    prints what core.Info reports for that item.
    """
    HELP_MESSAGE = """Welocome to Rekall Memory Forensics.

To get started:

- Initialize the Rekall session using the rekall plugin. e.g.:

Win7SP1x64:pmem 13:36:23> rekall filename=r"\\\\.\\pmem", profile="Win7SP1x64", pager="notepad"

- Select a plugin to run by tying it in. e.g.:

Win7SP1x64:pmem 13:39:26> plugins.pslist

- You can complete any command by tapping Tab twice. Useful completions include:
- File names on disk.
- Plugin names.
- Plugin parameters.

- Adding a ? after any plugin will print help about this plugin.

- You can get help on any module or object by typing:

help object

Some interesting topics to get you started, explaining some rekall specific
concepts:

help addrspace - The address space.
help obj - The rekall objects.
help profile - What are Profiles?
"""

    def __call__(self, item=None, **kwargs):
        """Print the general help text, or the Info output for *item*.

        Extra keyword arguments are accepted and ignored.
        """
        output = self.HELP_MESSAGE if item is None else core.Info(item=item)
        print(output)


site._Helper = RekallHelper
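class PagingLimitHook(kb.ParameterHook):
    """If no paging_limit specified, calculate it from curses."""
    name = "paging_limit"

    def calculate(self):
        """Return the number of rows to use as the paging limit.

        Returns:
          The "lines" capability reported by curses when the text renderer
          has curses available. Otherwise the ROWS environment variable as
          an integer, or 50 when ROWS is unset, empty or not a number.
        """
        if text_renderer.curses:
            return text_renderer.curses.tigetnum("lines")

        # ROWS is read from the process environment and may hold anything.
        # A value that is not an integer must not abort the session with a
        # ValueError, so the default is used in its place.
        default_rows = 50
        try:
            return int(os.environ.get("ROWS", default_rows))
        except ValueError:
            return default_rows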
class InteractiveShell(plugin.ProfileCommand):
    """An interactive shell for Rekall."""

    name = "shell"

    # The following dependencies are optional.
    PHYSICAL_AS_REQUIRED = False
    PROFILE_REQUIRED = False

    def render(self, renderer):
        """Mark the session as interactive and hand it to a shell.

        The session is renamed to its base_filename parameter when that
        parameter is set; otherwise the existing name is kept.
        """
        active = self.session
        active.mode = "Interactive"
        active.session_name = (
            active.GetParameter("base_filename") or active.session_name)

        # IPython is tried first. A falsy result from it means the plain
        # python console has to be used.
        if IPython012Support(active):
            return

        NativePythonSupport(active)
class TestInteractiveShell(testlib.DisabledTest):
    """Test entry for the shell command, derived from testlib.DisabledTest."""

    PARAMETERS = {"commandline": "shell"}