
Source Code for Module rekall.plugins.windows.network

 1  # Rekall Memory Forensics 
 2  # 
 3  # Copyright 2014 Google Inc. All Rights Reserved. 
 4  # 
 5  # This program is free software; you can redistribute it and/or modify 
 6  # it under the terms of the GNU General Public License as published by 
 7  # the Free Software Foundation; either version 2 of the License, or (at 
 8  # your option) any later version. 
 9  # 
10  # This program is distributed in the hope that it will be useful, but 
11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
13  # General Public License for more details. 
14  # 
15  # You should have received a copy of the GNU General Public License 
16  # along with this program; if not, write to the Free Software 
17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
18  # 
19   
20  """This module extracts network information using kernel object inspection. 
21   
22  The netscan plugins use pool tags to scan for objects, while this file directly 
23  examines kernel data structures. 
24  """ 
25   
26  __author__ = "Michael Cohen <scudette@google.com>" 
27   
28   
29  from rekall.plugins.windows import common 
30  from rekall.plugins.overlays.windows import tcpip_vtypes 
class WinNetstat(tcpip_vtypes.TcpipPluginMixin, common.WindowsCommandPlugin):
    """List TCP endpoints by walking the tcpip.sys partition table.

    Unlike the pool-tag based netscan plugins, this plugin follows the
    kernel's own data structures: ``PartitionTable`` -> partitions ->
    hash-table levels -> ``_TCP_ENDPOINT`` list entries, emitting one row
    per endpoint found. Only ``_TCP_ENDPOINT`` objects are walked, and the
    ``protocol`` column is emitted as ``None`` rather than derived from the
    endpoint.

    NOTE(review): the memory image is untrusted input; bounded traversal of
    the ``ListEntry`` chain (cycles, garbage pointers) is delegated entirely
    to ``list_of_type`` -- confirm that helper guards against both.
    """

    __name = "netstat"

    table_header = [
        dict(name="offset", style="address"),
        dict(name="protocol", width=8),
        dict(name="local_addr", width=20),
        dict(name="remote_addr", width=20),
        dict(name="state", width=16),
        dict(name="pid", width=5, align="r"),
        dict(name="owner", width=14),
        dict(name="created", width=7)
    ]

    @classmethod
    def is_active(cls, session):
        """Return whether this plugin applies to ``session``.

        The base/mixin activation check must pass and the profile must know
        ``RtlEnumerateEntryHashTable`` -- the kernel hash-table routine that
        the ``_TCP_ENDPOINT`` layout used here depends on. Mirrors the
        ``a and b`` idiom: the value of the last operand evaluated is
        returned, which is not necessarily a bool.
        """
        active = super(WinNetstat, cls).is_active(session)
        if not active:
            return active
        return session.profile.get_constant('RtlEnumerateEntryHashTable')

    def _endpoints(self):
        """Yield every ``_TCP_ENDPOINT`` reachable from ``PartitionTable``."""
        # Resolved lazily, on first iteration, exactly like the original
        # inline generator did.
        partition_table = self.tcpip_profile.get_constant_object(
            "PartitionTable",
            target="Pointer",
            target_args=dict(target="PARTITION_TABLE"),
        )

        for partition in partition_table.Partitions:
            for first_level in partition:
                for second_level in first_level.SecondLevel:
                    for endpoint in second_level.list_of_type(
                            "_TCP_ENDPOINT", "ListEntry"):
                        yield endpoint

    def _endpoint_row(self, endpoint):
        """Build the output row for a single ``_TCP_ENDPOINT`` object.

        Returns a dict keyed by the column names in ``table_header``.
        """
        local = "{}:{}".format(endpoint.LocalAddress(), endpoint.LocalPort)
        remote = "{}:{}".format(endpoint.RemoteAddress(), endpoint.RemotePort)
        owner = endpoint.Owner

        return dict(
            offset=endpoint,
            protocol=None,  # never filled in; only TCP endpoints are walked
            local_addr=local,
            remote_addr=remote,
            state=endpoint.State,
            pid=owner.pid,
            owner=owner.name,
            created=endpoint.CreateTime,
        )

    def collect(self):
        """Yield one row per TCP endpoint found in the image."""
        for endpoint in self._endpoints():
            yield self._endpoint_row(endpoint)