
Source Code for Module rekall.plugins.tools.live_linux

  1  #!/usr/bin/env python2 
  2   
  3  # Rekall Memory Forensics 
  4  # Copyright 2015 Google Inc. All Rights Reserved. 
  5  # 
  6  # Author: Michael Cohen scudette@google.com 
  7  # 
  8  # This program is free software; you can redistribute it and/or modify 
  9  # it under the terms of the GNU General Public License as published by 
 10  # the Free Software Foundation; either version 2 of the License, or (at 
 11  # your option) any later version. 
 12  # 
 13  # This program is distributed in the hope that it will be useful, but 
 14  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 15  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 16  # General Public License for more details. 
 17  # 
 18  # You should have received a copy of the GNU General Public License 
 19  # along with this program; if not, write to the Free Software 
 20  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 21  # 
 22   
 23  __author__ = "Michael Cohen <scudette@google.com>" 
 24   
 25  """A plugin to install relevant kernel modules to enable live analysis. 
 26   
 27  The intention is to allow the user to launch: 
 28   
 29  rekall live 
 30   
 31  and have Rekall install the right kernel module and connect to the driver on all 
 32  supported operating systems. 
 33  """ 
 34  import os 
 35   
 36  from rekall import plugin 
 37  from rekall import session 
 38   
 39  from rekall.plugins.addrspaces import standard 
 40   
 41   
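class Live(plugin.TypedProfileCommand,
           plugin.ProfileCommand):
    """Launch a Rekall shell for live analysis on the current system.

    In "Memory" mode the physical address space is stacked on top of
    /proc/kcore, which is normally readable only by root. When the
    effective uid is not 0 an error is logged and the plugin carries on
    with whatever operations remain available.
    """

    name = "live"

    PROFILE_REQUIRED = False

    # Name-mangled to _Live__args; picked up by the plugin framework as the
    # plugin's argument declarations.
    __args = [
        dict(name="mode", default="Memory", type="Choices",
             choices=session.LIVE_MODES,
             help="Mode for live analysis."),
    ]

    def live(self):
        """Configure the session for live analysis.

        Switches the session cache to "timed", records the live mode and a
        session name, and in "Memory" mode attempts to build the physical
        address space on /proc/kcore. Failure to open the memory image is
        logged rather than raised so that the shell still launches.
        """
        if os.geteuid() != 0:
            self.session.logging.error(
                "You are not root. It is likely that some operations "
                "may not be available.")

        mode = self.plugin_args.mode

        # Force timed cache for live sessions: the system under analysis
        # keeps changing, so cached results must expire.
        with self.session:
            self.session.SetParameter("cache", "timed")
            self.session.SetParameter("live_mode", mode)
            self.session.SetParameter("session_name", "Live (%s)" % mode)

            if mode == "Memory":
                self._load_physical_memory()

    def _load_physical_memory(self):
        """Stack the physical address space on /proc/kcore by hand.

        Expected to run while the session is held (inside ``with
        self.session``). Errors opening or probing /proc/kcore are logged,
        not raised.
        """
        try:
            load_as = self.session.plugins.load_as(session=self.session)
            base_as = standard.FileAddressSpace(session=self.session,
                                                filename="/proc/kcore")

            self.session.physical_address_space = (
                load_as.GuessAddressSpace(base_as=base_as))

            self.session.SetParameter("session_name",
                                      "Live(/proc/kcore)")

        # OSError is caught alongside IOError: under the python2 shebang
        # the two are distinct, and a low-level open/mmap failure on
        # /proc/kcore (e.g. EPERM) can surface as either.
        except (IOError, OSError) as e:
            self.session.logging.error(
                "Unable to load physical memory: %s ", e)

    def close(self):
        """Release live-analysis resources; currently nothing to release."""
        pass

    def __str__(self):
        # The default __str__ form will run the plugin which will drop into a
        # shell!
        return "Live Plugin"

    def __enter__(self):
        """Run live() and return self so ``with Live(...) as l:`` works."""
        self.live()
        return self

    def __exit__(self, exc_type, exc_value, trace):
        """Close on context exit; exceptions are not suppressed."""
        self.close()

    def collect(self, renderer):
        """Set up live analysis and drop into the interactive shell.

        Args:
          renderer: the output renderer the shell plugin renders into.
        """
        renderer.format("Launching live memory analysis\n")
        self.live()

        # Launch the shell.
        shell = self.session.plugins.shell()
        shell.render(renderer)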
109