
Source Code for Module rekall.plugins.windows.gui.sessions

  1  # Rekall Memory Forensics 
  2  # Copyright (C) 2007,2008 Volatile Systems 
  3  # Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.ligh@mnin.org> 
  4  # Copyright 2013 Google Inc. All Rights Reserved. 
  5  # 
  6  # This program is free software; you can redistribute it and/or modify 
  7  # it under the terms of the GNU General Public License as published by 
  8  # the Free Software Foundation; either version 2 of the License, or (at 
  9  # your option) any later version. 
 10  # 
 11  # This program is distributed in the hope that it will be useful, but 
 12  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 14  # General Public License for more details. 
 15  # 
 16  # You should have received a copy of the GNU General Public License 
 17  # along with this program; if not, write to the Free Software 
 18  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 19  # 
 20   
 21  # pylint: disable=protected-access 
 22   
 23  # References: 
 24  # http://volatility-labs.blogspot.ch/2012/09/movp-11-logon-sessions-processes-and.html 
 25  # Windows Internals 5th Edition. Chapter 9. 
 26   
 27  from rekall import obj 
 28  from rekall.ui import text 
 29  from rekall.plugins.windows import common 
 30   
 31   
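class Sessions(common.WinProcessFilter):
    """List details on _MM_SESSION_SPACE (user logon sessions).

    Windows uses sessions in order to separate processes. Sessions are used to
    separate the address spaces of windows processes.

    Note that this plugin traverses the ProcessList member of the session object
    to list the processes - yet another list _EPROCESS objects are on.
    """

    __name = "sessions"

    table_header = [
        dict(name="divider", type="Divider"),
        dict(name="session_id", hidden=True),
        dict(name="process", width=40),
        dict(name="image"),
    ]

    def session_spaces(self):
        """Generates unique _MM_SESSION_SPACE objects.

        Generates unique _MM_SESSION_SPACE objects referenced by the processes
        that pass the plugin's process filter. Sessions are deduplicated on the
        value of the _EPROCESS.Session pointer, so each session space is
        yielded once, from the first process found to reference it.

        Yields:
          _MM_SESSION_SPACE instantiated from the session space's address space.
        """
        # Dedup on the Session pointer itself, not on the dereferenced object.
        seen = set()
        for proc in self.filter_processes():
            session = proc.Session
            # Session pointer is invalid (e.g. for the System process).
            if not session:
                continue

            if session in seen:
                continue
            seen.add(session)

            # Build the per-process address space only for a session we are
            # actually going to yield: it was previously constructed for every
            # process, including the ones skipped above.
            ps_ad = proc.get_process_address_space()
            yield session.deref(vm=ps_ad)

    def find_session_space(self, session_id):
        """Get a _MM_SESSION_SPACE object by its ID.

        Args:
          session_id: the session ID to find (compared against
            _MM_SESSION_SPACE.SessionId).

        Returns:
          _MM_SESSION_SPACE instantiated from the session space's address space,
          or an obj.NoneObject when no active process references a session with
          that ID.
        """
        for session in self.session_spaces():
            if session.SessionId == session_id:
                return session

        return obj.NoneObject("Cannot locate a session %s", session_id)

    def collect(self):
        """Emit one divider row per session, then its processes and images.

        Rows are dicts keyed by the names in table_header: a "divider" row
        summarising the session, a "process" row for each _EPROCESS on the
        session's ProcessList, and an "image" row for each entry of the
        session's ImageIterator.
        """
        for session in self.session_spaces():
            # NOTE(review): ProcessList is read from the memory image, so the
            # list may be cyclic or corrupt; list_of_type is relied on to
            # terminate in that case - confirm.
            processes = list(session.ProcessList.list_of_type(
                "_EPROCESS", "SessionProcessLinks"))

            # Materialised above so the process count can go in the divider.
            yield dict(divider=("_MM_SESSION_SPACE: {0:#x} ID: {1} "
                                "Processes: {2}".format(
                                    session.obj_offset,
                                    session.SessionId,
                                    len(processes))))

            for process in processes:
                yield dict(session_id=session.SessionId,
                           process=process)

            # Follow the undocumented _IMAGE_ENTRY_IN_SESSION list to find the
            # kernel modules loaded in this session.
            for image in session.ImageIterator:
                yield dict(
                    session_id=session.SessionId,
                    image=image)

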
class ImageInSessionTextObjectRenderer(text.TextObjectRenderer):
    """Render an _IMAGE_ENTRY_IN_SESSION as "<module> (<base>-<last>)"."""

    renders_type = "_IMAGE_ENTRY_IN_SESSION"

    def render_row(self, target, **options):
        """Return a text.Cell naming the module mapped at target.ImageBase.

        The module name is the part of the address resolver's symbolic name
        for ImageBase that precedes the first "!"; "?" is used when the
        resolver has no name for that address.
        """
        resolver = self.session.address_resolver
        try:
            symbolic = resolver.format_address(target.ImageBase)[0]
        except IndexError:
            # Nothing resolves at ImageBase.
            module_name = "?"
        else:
            module_name = symbolic.partition("!")[0]

        base = target.ImageBase
        last = target.LastAddress.v()
        return text.Cell(u"%s (%#x-%#x)" % (module_name, base, last))
