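# Rekall Memory Forensics
# Copyright (C) 2007,2008 Volatile Systems
# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.ligh@mnin.org>
# Copyright 2013 Google Inc. All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

# pylint: disable=protected-access

# References:
# http://volatility-labs.blogspot.ch/2012/09/movp-11-logon-sessions-processes-and.html
# Windows Internals 5th Edition. Chapter 9.

from rekall import obj
from rekall.ui import text
from rekall.plugins.windows import common


class Sessions(common.WinProcessFilter):
    """List details on _MM_SESSION_SPACE (user logon sessions).

    Windows uses sessions in order to separate processes. Sessions are used to
    separate the address spaces of windows processes.

    Note that this plugin traverses the ProcessList member of the session object
    to list the processes - yet another list _EPROCESS objects are on.

    NOTE(review): every list walked here (ProcessList, ImageIterator) is read
    from the memory image itself, so an entry that has been unlinked from one
    of these lists will simply not appear. Treat absence here as one view only
    and compare against the other process and module listings.
    """

    __name = "sessions"

    table_header = [
        dict(name="divider", type="Divider"),
        dict(name="session_id", hidden=True),
        dict(name="process", width=40),
        dict(name="image"),
    ]

    def session_spaces(self):
        """Generates unique _MM_SESSION_SPACE objects.

        Generates unique _MM_SESSION_SPACE objects referenced by active
        processes. Each session is yielded once, keyed on the address held in
        the process' Session pointer, regardless of how many processes point
        at it.

        Yields:
            _MM_SESSION_SPACE instantiated from the session space's address space.
        """
        # Dedup on the pointer's integer value (the address of the
        # _MM_SESSION_SPACE) so the check does not depend on how Pointer
        # objects hash and compare.
        seen = set()
        for proc in self.filter_processes():
            ps_ad = proc.get_process_address_space()

            session = proc.Session
            # Session pointer is invalid (e.g. for System process).
            if not session:
                continue

            session_address = session.v()
            if session_address in seen:
                continue

            seen.add(session_address)

            # Dereference through the owning process' address space, as the
            # session space is instantiated from that address space.
            yield session.deref(vm=ps_ad)

    def find_session_space(self, session_id):
        """Get a _MM_SESSION_SPACE object by its ID.

        Args:
            session_id: the session ID to find.

        Returns:
            _MM_SESSION_SPACE instantiated from the session space's address space,
            or a NoneObject when no active process references a session with
            this ID.
        """
        for session in self.session_spaces():
            if session.SessionId == session_id:
                return session

        return obj.NoneObject("Cannot locate a session %s", session_id)

    def collect(self):
        """Yield the table rows for every unique session.

        For each session this yields a divider row (session address, ID and
        process count), then one row per _EPROCESS on the session's
        ProcessList, then one row per image on the session's ImageIterator.

        Yields:
            dicts keyed by the column names in table_header.
        """
        for session in self.session_spaces():
            # Materialised up front because the divider needs the count
            # before the per-process rows are emitted.
            processes = list(session.ProcessList.list_of_type(
                "_EPROCESS", "SessionProcessLinks"))

            yield dict(divider=("_MM_SESSION_SPACE: {0:#x} ID: {1} "
                                "Processes: {2}".format(
                                    session.obj_offset,
                                    session.SessionId,
                                    len(processes))))

            for process in processes:
                yield dict(session_id=session.SessionId,
                           process=process)

            # Follow the undocumented _IMAGE_ENTRY_IN_SESSION list to find the
            # kernel modules loaded in this session.
            for image in session.ImageIterator:

                yield dict(
                    session_id=session.SessionId,
                    image=image)


class ImageEntryInSession_TextObjectRenderer(text.TextObjectRenderer):
    """Render an _IMAGE_ENTRY_IN_SESSION as "module (ImageBase-LastAddress)"."""

    renders_type = "_IMAGE_ENTRY_IN_SESSION"

    def render_row(self, target, **_):
        """Render one _IMAGE_ENTRY_IN_SESSION as a text cell.

        Args:
            target: the _IMAGE_ENTRY_IN_SESSION to render.

        Returns:
            text.Cell holding the module name (or "?" when the address
            resolver yields no name for ImageBase) and the image address range.
        """
        try:
            # The resolver's first candidate is "module!symbol"; keep the
            # module part only. An empty result raises IndexError on [0].
            module_name = self.session.address_resolver.format_address(
                target.ImageBase)[0].split("!")[0]
        except IndexError:
            module_name = "?"

        return text.Cell(u"%s (%#x-%#x)" % (
            module_name,
            target.ImageBase, target.LastAddress.v()))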