
Source Code for Module rekall.plugins.windows.privileges

 1  #!/usr/bin/python 
 2   
 3  # Rekall Memory Forensics 
 4  # Copyright 2013 Google Inc. All Rights Reserved. 
 5  # 
 6  # This program is free software; you can redistribute it and/or modify 
 7  # it under the terms of the GNU General Public License as published by 
 8  # the Free Software Foundation; either version 2 of the License, or (at 
 9  # your option) any later version. 
10  # 
11  # This program is distributed in the hope that it will be useful, but 
12  # WITHOUT ANY WARRANTY; without even the implied warranty of 
13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
14  # General Public License for more details. 
15  # 
16  # You should have received a copy of the GNU General Public License 
17  # along with this program; if not, write to the Free Software 
18  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
19  # 
20   
21  """Inspect the privileges in each process's tokens. 
22   
 23  This set of plugins is designed around the blog post "Windows Access Tokens - 
24  !token and _TOKEN":: 
25  https://bsodtutorials.wordpress.com/2014/08/09/windows-access-tokens-token-and-_token/ 
26  """ 
27   
28  __author__ = "Michael Cohen <scudette@gmail.com>" 
29   
30  from rekall import plugin 
31  from rekall.plugins.windows import common 
32   
33   
class PrivilegesHook(common.AbstractWindowsParameterHook):
    """Build the privilege-value -> privilege-name table for this image.

    Windows does not treat privilege values as compile-time constants: the
    kernel keeps them in globals (``nt!Se*Privilege``) and reads them at
    check time, for example:

        0xf800027b4e10 mov rcx, qword ptr [rip + 0x3a42a1] 0x7 nt!SeTcbPrivilege
        0xf800027b4e17 call 0xf80002956a58 nt!SeSinglePrivilegeCheck

    In practice these globals are never rewritten at runtime and are unlikely
    to differ between systems or versions, but reading them out of the image
    under analysis avoids baking a fixed mapping into the plugin.  The table
    is published as the session parameter ``privilege_table`` and consumed by
    the ``privileges`` plugin below.
    """
    name = "privilege_table"

    def calculate(self):
        """Return a dict mapping privilege value (int) to its short name.

        Every symbol matching ``nt!Se*Privilege`` is read as an unsigned int.
        Entries that could not be resolved, or whose value is 100 or more,
        are dropped; the name stored is the part after the last ``!``
        (e.g. ``SeTcbPrivilege``).
        """
        resolver = self.session.address_resolver
        table = {}
        for symbol in resolver.search_symbol("nt!Se*Privilege"):
            value = resolver.get_constant_object(symbol, "unsigned int")
            # Kept as ``!= None`` rather than ``is not None`` on purpose:
            # ``value`` is a framework object, not a plain int, and this
            # test relies on its None-equality behaviour — TODO confirm
            # before switching to an identity check.
            if value != None and value < 100:
                short_name = symbol.rsplit("!", 1)[-1]
                table[int(value)] = short_name
        return table
class Privileges(common.WinProcessFilter):
    """List the privileges held in each filtered process's token.

    One row is emitted per (process, privilege) pair.  At the default
    verbosity only privileges whose attribute list contains "Present" are
    shown; raising verbosity above 1 also lists the privileges a token does
    not currently hold.  The privilege name column is looked up in the
    ``privilege_table`` session parameter (built by PrivilegesHook), so a
    value missing from that table is reported as None.  Comparing the
    privileges a process holds against what its role should require is a
    common triage step when reviewing a memory image.
    """

    name = "privileges"

    table_header = [
        dict(name="Process", type="_EPROCESS"),
        dict(name="Value", width=3, align="r"),
        dict(name="Privileges", width=40),
        dict(name="Attributes", type="list"),
    ]

    def collect(self):
        """Yield (task, value, privilege name or None, attribute flags) rows."""
        privilege_table = self.session.GetParameter("privilege_table")

        for task in self.filter_processes():
            for value, flags in task.Token.GetPrivileges():
                # Unless the user asked for more detail, only report
                # privileges the token actually holds.
                if self.plugin_args.verbosity <= 1 and "Present" not in flags:
                    continue

                row = (task, value, privilege_table.get(value), flags)
                yield row