
Source Code for Module rekall.plugins.tools.json_tools

  1  #!/usr/bin/env python2 
  2   
  3  # Rekall Memory Forensics 
  4  # Copyright 2014 Google Inc. All Rights Reserved. 
  5  # 
  6  # Author: Michael Cohen scudette@google.com 
  7  # 
  8  # This program is free software; you can redistribute it and/or modify 
  9  # it under the terms of the GNU General Public License as published by 
 10  # the Free Software Foundation; either version 2 of the License, or (at 
 11  # your option) any later version. 
 12  # 
 13  # This program is distributed in the hope that it will be useful, but 
 14  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 15  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 16  # General Public License for more details. 
 17  # 
 18  # You should have received a copy of the GNU General Public License 
 19  # along with this program; if not, write to the Free Software 
 20  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 21  # 
 22   
 23  """Tools for manipulating json output. 
 24   
 25  When decoding json output, the decoder may not have access to the original 
 26  image. Therefore we cannot simply recreate the original encoded objects 
 27  (because they would need to read from the original image). We must therefore 
 28  create a stand-in for each of these objects which looks similar to the original 
 29  but can be used directly - i.e. without reading the original image. 
 30  """ 
 31   
 32  __author__ = "Michael Cohen <scudette@google.com>" 
 33   
 34  import json 
 35  from rekall import plugin 
 36  from rekall import testlib 
 37   
 38  from rekall.ui import json_renderer 
 39   
 40   
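class JSONParser(plugin.TypedProfileCommand, plugin.Command):
    """Renders a json rendering file, as produced by the JsonRenderer.

    The output of any plugin can be stored to a JSON file using:

    rekall -f img.dd --format json plugin_name --output test.json

    Then it can be rendered again using:

    rekall json_render test.json

    This plugin implements the proper decoding of the JSON encoded output.

    NOTE(review): the file is replayed statement by statement and decoded
    values are handed to the renderer, in the "s" and "r" cases as keyword
    arguments. Nothing in this class validates the statements, so a JSON file
    received from another party should be treated as untrusted input; what the
    decoder will construct from it is decided in json_renderer, not here.
    """

    name = "json_render"

    __args = [
        dict(name="file", positional=True, required=True,
             help="The filename to parse.")
    ]

    def RenderStatement(self, statement, renderer):
        """Renders one json decoded data command at a time.

        Args:
          statement: One decoded JSON statement. statement[0] is a one letter
            command code and the remaining items are its operands.
          renderer: The renderer that the statement is replayed into.

        Command codes handled here: "l" (lexicon), "m" (metadata), "s"
        (section), "e" (error), "f" (format), "t" (table header) and "r"
        (table row). Any other code falls through every branch and is
        silently ignored.
        """
        command = statement[0]
        decoder = self.json_renderer.decoder

        # Passed to every Decode() call below and then forwarded to
        # table_row() as keyword arguments.
        # NOTE(review): presumably Decode() fills it in - confirm in
        # json_renderer.
        options = {}
        if command == "l":
            # Must be replayed before later statements can be decoded.
            decoder.SetLexicon(statement[1])

        elif command == "m":
            renderer.section("Plugin %s" % statement[1]["plugin_name"])

        elif command == "s":
            # The decoded value is expanded into keyword arguments, so the
            # file chooses the argument names; a value that is not a mapping
            # raises TypeError here.
            renderer.section(**decoder.Decode(statement[1], options))

        elif command == "e":
            renderer.report_error(statement[1])

        elif command == "f":
            args = [decoder.Decode(x, options) for x in statement[1:]]
            renderer.format(*args)

        elif command == "t":
            renderer.table_header(columns=statement[1])

        elif command == "r":
            row = [decoder.Decode(x, options) for x in statement[1]]
            renderer.table_row(*row, **options)

    def render(self, renderer):
        """Renders the stored JSON file using the default renderer.

        To decode the json file we replay the statements into the renderer after
        decompressing them.

        Args:
          renderer: The renderer used both to open the input file and to
            receive the replayed statements.
        """
        # Make a json renderer to decode the json stream with.
        self.json_renderer = json_renderer.JsonRenderer(session=self.session)

        self.fd = renderer.open(filename=self.plugin_args.file, mode="rb")
        try:
            # json.load() reads the complete document into memory before any
            # statement is replayed.
            data = json.load(self.fd)
        finally:
            # Everything needed is in `data` now; release the handle instead
            # of leaving it open for the lifetime of the plugin object.
            self.fd.close()

        for statement in data:
            self.RenderStatement(statement, renderer)

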
class TestJSONParser(testlib.SimpleTestCase):
    """Test the JSON renderer/parser.

    The baseline is produced in two passes: the plugin under test is run with
    JSON output first, and json_render is then run on the file it wrote.
    """
    PLUGIN = "json_render"

    PARAMETERS = dict(
        # The plugin to test json rendering with.
        commandline="pslist"
    )

    def BuildBaselineData(self, config_options):
        """Builds the baseline by replaying the plugin's JSON output.

        Args:
          config_options: The test configuration. Its "commandline" entry is
            rewritten in place for each of the two passes.

        Returns:
          The baseline returned by the second (json_render) pass.
        """
        plugin_commandline = config_options["commandline"]

        # Pass 1: run the plugin itself with the JSON format so that the
        # output file exists. The return value of this pass is not used.
        config_options["commandline"] = (
            "--format json -v --output %(tempdir)s_output.json " +
            plugin_commandline)
        super(TestJSONParser, self).BuildBaselineData(config_options)

        # Pass 2: feed that file to json_render - this is the real baseline.
        # NOTE(review): the name is appended to the temp directory path rather
        # than joined under it, and it is interpolated into the command line
        # unquoted - presumably fine for the test harness, confirm for paths
        # containing spaces.
        json_path = self.temp_directory + "_output.json"
        config_options["commandline"] = "json_render %s" % json_path

        return super(TestJSONParser, self).BuildBaselineData(config_options)