
Source Code for Module rekall.plugins.windows.interactive.profiles

 1  #!/usr/bin/env python2 
 2   
 3  # Rekall Memory Forensics 
 4  # Copyright 2015 Google Inc. All Rights Reserved. 
 5  # 
 6  # Author: Michael Cohen scudette@google.com 
 7  # 
 8  # This program is free software; you can redistribute it and/or modify 
 9  # it under the terms of the GNU General Public License as published by 
10  # the Free Software Foundation; either version 2 of the License, or (at 
11  # your option) any later version. 
12  # 
13  # This program is distributed in the hope that it will be useful, but 
14  # WITHOUT ANY WARRANTY; without even the implied warranty of 
15  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
16  # General Public License for more details. 
17  # 
18  # You should have received a copy of the GNU General Public License 
19  # along with this program; if not, write to the Free Software 
20  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
21  # 
22  from rekall import plugin 
23  from rekall.plugins.windows import common 
24   
25   
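class LoadWindowsProfile(common.AbstractWindowsCommandPlugin):
    """Loads the profile into the session.

    If the profile does not exist in the repositories, fetch and build it from
    the symbol server. This plugin allows the user to change resolution of
    selected binaries by forcing the fetching of symbol files from the symbol
    server interactively.

    Fetching from the symbol server is a network round-trip initiated from the
    analysis host; nothing in this plugin itself checks what came back, that
    is left to the session's LoadProfile / build_local_profile code.
    """

    name = "load_profile"

    # Flagged as an interactive plugin (the session decides what that means).
    interactive = True

    __args = [
        dict(name="module_name", positional=True, required=True,
             help="The name of the module (without the .pdb extension)."),

        dict(name="guid", help="The guid of the module.")
    ]

    def collect(self):
        """Resolve, load (or build) the module's profile and attach it.

        Returns:
            An empty list: the plugin emits no rows, its effect is the side
            effect of setting ``module.profile``.

        Raises:
            plugin.PluginError: if the module is not known to the address
                resolver, its GUID cannot be detected, or the profile can
                neither be loaded from a repository nor built from the symbol
                server.
        """
        # The module object is needed on every path (for build_local_profile
        # and for the final assignment), not only when the GUID has to be
        # detected, so resolve it up front. Previously ``module`` was left
        # unbound whenever a GUID was supplied and the method crashed with
        # UnboundLocalError instead of a PluginError.
        module = self.session.address_resolver.GetModuleByName(
            self.module_name)
        if not module:
            raise plugin.PluginError(
                "Unknown module %s." % self.module_name)

        if self.guid is None:
            # Try to detect the GUID automatically.
            profile_name = module.detect_profile_name()
            if not profile_name:
                raise plugin.PluginError(
                    "Unable to determine GUID for module %s." %
                    self.module_name)
        else:
            profile_name = "%s/GUID/%s" % (self.module_name, self.guid)

        profile = self.session.LoadProfile(profile_name)
        # Deliberately ``== None`` rather than ``is None``: presumably the
        # session may hand back a NoneObject-style sentinel that compares
        # equal to None but is not None itself -- confirm before changing.
        if profile == None:
            # Not in any repository: try to build it from the symbol server.
            profile = module.build_local_profile(profile_name, force=True)
            if profile == None:
                raise plugin.PluginError(
                    "Unable to fetch or build %s" % profile_name)

        if profile:
            module.profile = profile

        return []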