1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23 __author__ = "Michael Cohen <scudette@google.com>"
24
25 """A plugin to install relevant kernel modules to enable live analysis.
26
27 The intention is to allow the user to launch:
28
29 rekall live
30
31 and have Rekall install the right kernel module and connect to the driver on all
32 supported operating systems.
33 """
34 import os
35 import subprocess
36 import tarfile
37
38 from rekall import plugin
39 from rekall import obj
40 from rekall import resources
41 from rekall import session
42 from rekall import utils
43
44 from rekall.plugins.addrspaces import pmem
45
46
47 -class Live(plugin.TypedProfileCommand,
48 plugin.ProfileCommand):
49 """Launch a Rekall shell for live analysis on the current system."""
50
51 name = "live"
52
53 PROFILE_REQUIRED = False
54
55 __args = [
56 dict(name="mode", default="Memory", type="Choices",
57 choices=session.LIVE_MODES,
58 help="Mode for live analysis."),
59
60 dict(name="driver_path",
61 help="Driver file to load"),
62
63 dict(name="device", default=r"/dev/pmem",
64 help="Device name to use"),
65
66 dict(name="unload", type="Boolean",
67 help="Just unload the driver and exit."),
68
69 dict(name="load", type="Boolean",
70 help="Just load the driver and exit."),
71 ]
72
73 table_header = [
74 dict(name="Message")
75 ]
76
92
94 """Unpack and load the driver."""
95 tarfile_handle = tarfile.open(self.driver_path)
96
97
98 with utils.TempDirectory() as tmp_name:
99 self.session.logging.info("Unpacking driver to %s", tmp_name)
100 tarfile_handle.extractall(tmp_name)
101
102
103
104 for root, files, dirs in os.walk(tmp_name):
105 for f in files:
106 os.chown(os.path.join(root, f), 0, 0)
107
108 for d in dirs:
109 os.chown(os.path.join(root, d), 0, 0)
110
111 for member_name in tarfile_handle.getnames():
112 if member_name.endswith(".kext"):
113 self.member_name = member_name.lstrip("/")
114 full_driver_path = os.path.join(tmp_name,
115 self.member_name)
116 self.session.logging.info(
117 "Loading driver from %s", full_driver_path)
118 res = subprocess.check_call(
119 ["kextload", full_driver_path])
120
121 if res != 0:
122 raise plugin.PluginError(
123 "Failed to load driver. Are you root?")
124
145
147 tarfile_handle = tarfile.open(self.driver_path)
148
149 for member_name in tarfile_handle.getnames():
150 if not member_name.endswith(".kext"):
151 continue
152
153 self.member_name = member_name.lstrip("/")
154
155
156 with utils.TempDirectory() as tmp_name:
157 tarfile_handle.extractall(tmp_name)
158 full_driver_path = os.path.join(tmp_name,
159 self.member_name)
160 self.session.logging.info(
161 "Unloading driver from %s", full_driver_path)
162 try:
163 subprocess.check_call(
164 ["kextunload",
165 os.path.join(tmp_name, self.member_name)])
166 except Exception as e:
167
168 self.session.logging.debug(
169 "Unable to unload driver: %s" % e)
170
174
187
189 self.live()
190 return self
191
192 - def __exit__(self, exc_type, exc_value, trace):
194