
Source Code for Module rekall.plugins.windows.kpcr

  1  # Rekall Memory Forensics 
  2  # 
  3  # Copyright 2013 Google Inc. All Rights Reserved. 
  4  # 
  5  # Authors: 
  6  # Michael Cohen <scudette@gmail.com> 
  7  # 
  8  # This program is free software; you can redistribute it and/or modify 
  9  # it under the terms of the GNU General Public License as published by 
 10  # the Free Software Foundation; either version 2 of the License, or (at 
 11  # your option) any later version. 
 12  # 
 13  # This program is distributed in the hope that it will be useful, but 
 14  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 15  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 16  # General Public License for more details. 
 17  # 
 18  # You should have received a copy of the GNU General Public License 
 19  # along with this program; if not, write to the Free Software 
 20  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 21  # 
 22   
 23  """This plugin is used for displaying information about the Kernel Processor 
 24  Control Blocks. 
 25  """ 
 26   
 27  # pylint: disable=protected-access 
 28  from rekall import obj 
 29  from rekall.plugins.windows import common 
 30   
 31   
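class KPCR(common.WindowsCommandPlugin):
    """A plugin to print the Kernel Processor Control Region (KPCR).

    The KPCR candidate is taken from the ``KiInitialPCR`` symbol when the
    profile provides it, otherwise from the fixed address used on Windows XP.
    Either candidate is only accepted when its self-pointer refers back to its
    own offset, so an unrelated structure at that address is not reported as a
    KPCR.
    """

    __name = "kpcr"

    # Fixed virtual address of the KPCR on Windows XP (fallback only).
    _XP_KPCR_ADDRESS = 0xFFDFF000

    def kpcr(self):
        """Locate and return the KPCR object for the initial processor.

        Returns:
            A ``_KPCR`` object whose self-pointer validates, or a falsy
            ``obj.NoneObject`` when neither candidate validates.
        """
        # On windows 7 the KPCR is just stored in a symbol.
        initial_pcr = self.profile.get_constant_object(
            "KiInitialPCR",
            "_KPCR")

        # Validate the PCR through the self member: a genuine KPCR points at
        # itself. Profiles expose this member as either "SelfPcr" or "Self".
        self_pcr = initial_pcr.m("SelfPcr") or initial_pcr.m("Self")
        if self_pcr.v() == initial_pcr.obj_offset:
            return initial_pcr

        # On windows XP the KPCR is hardcoded to 0xFFDFF000; apply the same
        # self-pointer check before trusting what is found there.
        pcr = self.profile._KPCR(self._XP_KPCR_ADDRESS)
        if pcr.SelfPcr.v() == pcr.obj_offset:
            return pcr

        return obj.NoneObject("Unknown KPCR")

    def _render_thread(self, renderer, label, thread):
        """Print one labelled thread line; silently skip an invalid thread.

        Args:
            renderer: the Rekall renderer receiving the output.
            label: the property name shown in the left column.
            thread: an ``_ETHREAD``-like object (falsy when unavailable).
        """
        if thread:
            renderer.format("{0:<30}: {1:#x} TID {2} ({3}:{4})\n",
                            label,
                            thread, thread.Cid.UniqueThread,
                            thread.owning_process().ImageFileName,
                            thread.Cid.UniqueProcess,
                            )

    def render(self, renderer):
        """Render the KPCR properties as a table followed by thread details.

        Args:
            renderer: the Rekall renderer receiving the output.
        """
        kpcr = self.kpcr()

        renderer.section()

        # Report the failure rather than rendering fields of a NoneObject.
        if not kpcr:
            renderer.format("Unable to locate a valid KPCR.\n")
            return

        renderer.table_header([("Property", "property", "<30"),
                               ("Value", "value", "<")])

        renderer.table_row("Offset (V)", "%#x" % kpcr.obj_offset)
        renderer.table_row("KdVersionBlock", kpcr.KdVersionBlock, style="full")

        renderer.table_row("IDT", "%#x" % kpcr.IDT)
        renderer.table_row("GDT", "%#x" % kpcr.GDT)

        processor = kpcr.ProcessorBlock

        # The three thread lines share one format; only the label differs.
        self._render_thread(renderer, "CurrentThread", processor.CurrentThread)
        self._render_thread(renderer, "IdleThread", processor.IdleThread)
        self._render_thread(renderer, "NextThread", processor.NextThread)

        renderer.format("{0:<30}: CPU {1} ({2} @ {3} MHz)\n",
                        "Details",
                        processor.Number,
                        processor.VendorString,
                        processor.MHz)

        renderer.format(
            "{0:<30}: {1:#x}\n", "CR3/DTB",
            processor.ProcessorState.SpecialRegisters.Cr3)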