23 from rekall import testlib
24
25 from rekall.plugins.windows import common
26 from rekall_lib import utils
27
28
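class Handles(common.WinProcessFilter):
    """Print list of open handles for each process.

    Every value shown here is read from the memory image under analysis
    (the process's handle table, object headers and the objects they point
    to), so names and counters should be treated as untrusted display data;
    they are converted with utils.SmartUnicode before being emitted.

    NOTE(review): the ``def`` lines of column_types(), enumerate_handles()
    and collect() were not visible in the reviewed listing. The names come
    from the enumerate_handles() call in collect() and from Rekall's
    standard column_types()/collect() plugin hooks -- confirm against the
    checked-in file.
    """

    __name = "handles"

    __args = [
        dict(name="object_types", type="ArrayStringParser",
             help="Types of objects to show."),
        dict(name="named_only", type="Boolean",
             help="Output only handles with a name ."),
    ]

    table_header = [
        dict(name="_OBJECT_HEADER", style="address"),
        dict(name="_EPROCESS", type="_EPROCESS"),
        dict(name="handle", style="address"),
        dict(name="access", style="address"),
        dict(name="obj_type", width=16),
        dict(name="details")
    ]

    def column_types(self):
        """Return an example value for each column of table_header.

        The first column is named "_OBJECT_HEADER" in table_header, but the
        original mapping used the key "offset_v", which matches no column.
        Both keys are emitted: "_OBJECT_HEADER" so the column is typed, and
        "offset_v" so any consumer still reading the legacy key keeps working.
        """
        object_header = self.session.profile._OBJECT_HEADER()
        return dict(
            _OBJECT_HEADER=object_header,
            offset_v=object_header,  # legacy key, see docstring
            _EPROCESS=self.session.profile._EPROCESS(),
            handle=utils.HexInteger(0),
            access=utils.HexInteger(0),
            obj_type="",
            details="")

    def _handle_name(self, handle, object_type):
        """Return a display name for ``handle`` (u"" when none is available).

        File, Key, Process and Thread objects are dereferenced to the
        structure that carries a useful name; anything else falls back to
        the object header's NameInfo.Name.
        """
        if object_type == "File":
            file_obj = handle.dereference_as("_FILE_OBJECT")
            return file_obj.file_name_with_device()
        if object_type == "Key":
            key_obj = handle.dereference_as("_CM_KEY_BODY")
            return key_obj.full_key_name()
        if object_type == "Process":
            proc_obj = handle.dereference_as("_EPROCESS")
            return u"{0}({1})".format(
                utils.SmartUnicode(proc_obj.ImageFileName),
                proc_obj.UniqueProcessId)
        if object_type == "Thread":
            thrd_obj = handle.dereference_as("_ETHREAD")
            return u"TID {0} PID {1}".format(
                thrd_obj.Cid.UniqueThread,
                thrd_obj.Cid.UniqueProcess)

        # "== None" rather than "is None" is kept deliberately: the value read
        # from the image may be a NoneObject-style sentinel that compares equal
        # to None without being the None singleton -- confirm before changing.
        name = handle.NameInfo.Name
        if name == None:
            return u""
        return name

    def enumerate_handles(self, task):
        """Yield (handle, object_type, name) for each handle of ``task``.

        Args:
          task: an _EPROCESS whose ObjectTable is walked via handles().

        Yields:
          Tuples of (_OBJECT_HEADER handle, object type name, display name).
          Handles whose type cannot be resolved are skipped, as are those
          excluded by --object_types and, with --named_only, unnamed ones.
        """
        object_table = task.ObjectTable
        if not object_table.HandleTableList:
            return

        wanted_types = self.plugin_args.object_types
        named_only = self.plugin_args.named_only

        for handle in object_table.handles():
            object_type = handle.get_object_type(self.kernel_address_space)

            # Same sentinel caveat as in _handle_name(): keep "== None".
            if object_type == None:
                continue

            if wanted_types and object_type not in wanted_types:
                continue

            name = self._handle_name(handle, object_type)
            if named_only and not name:
                continue

            yield handle, object_type, name

    def collect(self):
        """Yield one output row per handle of every selected process.

        Rows carry the keys declared in table_header. Progress is reported
        per handle; the count starts at 1 so the message reflects the number
        of handles seen so far rather than the zero-based index.
        """
        for task in self.filter_processes():
            handles = self.enumerate_handles(task)
            for count, (handle, object_type, name) in enumerate(handles, 1):
                self.session.report_progress("%s: %s handles" % (
                    task.ImageFileName, count))

                yield dict(_OBJECT_HEADER=handle,
                           _EPROCESS=task,
                           handle=utils.HexInteger(handle.HandleValue),
                           access=utils.HexInteger(handle.GrantedAccess),
                           obj_type=object_type,
                           details=utils.SmartUnicode(name))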