
  1  # Rekall Memory Forensics 
  2  # Copyright (C) 2007-2011 Volatile Systems 
  3  # Copyright 2013 Google Inc. All Rights Reserved. 
  4  # 
  5  # Additional Authors: 
  6  # Michael Cohen <scudette@users.sourceforge.net> 
  7  # Mike Auty <mike.auty@gmail.com> 
  8  # 
  9  # This program is free software; you can redistribute it and/or modify 
 10  # it under the terms of the GNU General Public License as published by 
 11  # the Free Software Foundation; either version 2 of the License, or (at 
 12  # your option) any later version. 
 13  # 
 14  # This program is distributed in the hope that it will be useful, but 
 15  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 16  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 17  # General Public License for more details. 
 18  # 
 19  # You should have received a copy of the GNU General Public License 
 20  # along with this program; if not, write to the Free Software 
 21  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 22  # 
 24  # pylint: disable=protected-access 
 26  from rekall import testlib 
 27  from rekall_lib import utils 
 29  from rekall.plugins.common import memmap 
 30  from rekall.plugins.windows import common 
class WinPsList(common.WinProcessFilter):
    """List processes for windows.

    Emits one row per _EPROCESS accepted by the inherited process filter;
    every column is read directly from the _EPROCESS fields named in _row().
    """

    __name = "pslist"

    eprocess = None

    table_header = [
        {"type": "_EPROCESS", "name": "_EPROCESS"},
        {"name": "ppid", "width": 6, "align": "r"},
        {"name": "thread_count", "width": 6, "align": "r"},
        {"name": "handle_count", "width": 8, "align": "r"},
        {"name": "session_id", "width": 6, "align": "r"},
        {"name": "wow64", "width": 6},
        {"name": "process_create_time", "width": 24},
        {"name": "process_exit_time", "width": 24},
    ]

    def column_types(self):
        """Return a prototype row built from an empty _EPROCESS of the profile.

        handle_count and session_id are overwritten with the ppid value,
        presumably so that both are typed like that plain integer column.
        """
        prototype = self._row(self.session.profile._EPROCESS())
        for column in ("handle_count", "session_id"):
            prototype[column] = prototype["ppid"]
        return prototype

    def _row(self, task):
        """Map one _EPROCESS to the columns declared in table_header.

        HandleCount is fetched through .m(), presumably because the field is
        not present in every profile; the other members are read directly.
        """
        return {
            "_EPROCESS": task,
            "ppid": task.InheritedFromUniqueProcessId,
            "thread_count": task.ActiveThreads,
            "handle_count": task.ObjectTable.m("HandleCount"),
            "session_id": task.SessionId,
            "wow64": task.IsWow64,
            "process_create_time": task.CreateTime,
            "process_exit_time": task.ExitTime,
        }

    def collect(self):
        """Yield one row per process returned by filter_processes()."""
        for process in self.filter_processes():
            yield self._row(process)
class WinDllList(common.WinProcessFilter):
    """Prints a list of dll modules mapped into each process."""

    __name = "dlllist"

    table_header = [
        {"name": "divider", "type": "Divider"},
        {"name": "_EPROCESS", "hidden": True},
        {"name": "base", "style": "address"},
        {"name": "size", "style": "address"},
        {"name": "reason", "width": 30},
        {"name": "dll_path"},
    ]

    def collect(self):
        """Yield a divider row for each process, then one row per loaded module.

        The divider carries the image name, pid, command line and CSDVersion
        as found in the process's PEB inside the analysed image. The PEB is
        memory the process itself can write, so the command line shown here
        is whatever the process left there and should be corroborated against
        other artifacts rather than taken as authoritative. A process whose
        PEB cannot be read yields a single explanatory divider and no module
        rows.
        """
        for task in self.filter_processes():
            peb = task.Peb
            if not peb:
                yield {"divider": "Unable to read PEB for task.\n"}
                continue

            header = [
                "{0} pid: {1:6}\n".format(task.ImageFileName,
                                          task.UniqueProcessId),
                u"Command line : {0}\n".format(
                    peb.ProcessParameters.CommandLine),
                u"{0}\n\n".format(peb.CSDVersion),
            ]
            yield {"divider": "".join(header)}

            for module in task.get_load_modules():
                yield {
                    "base": module.DllBase,
                    "size": module.SizeOfImage,
                    "reason": module.LoadReason,
                    "dll_path": module.FullDllName,
                    "_EPROCESS": task,
                }
110 -class WinMemMap(memmap.MemmapMixIn, common.WinProcessFilter):
111 """Calculates the memory regions mapped by a process.""" 112 __name = "memmap" 113
115 return self.profile.get_constant_object( 116 "MmHighestUserAddress", "Pointer").v()
class Threads(common.WinProcessFilter):
    """Enumerate threads."""
    name = "threads"

    table_header = [
        {"name": "_ETHREAD", "style": "address"},
        {"name": "pid", "align": "r", "width": 6},
        {"name": "tid", "align": "r", "width": 6},
        {"name": "start", "style": "address"},
        {"name": "start_symbol", "width": 30},
        {"name": "Process", "width": 16},
        {"name": "win32_start", "style": "address"},
        {"name": "win32_start_symb"},
    ]

    def collect(self):
        """Yield one row per _ETHREAD of every process accepted by the filter.

        Each process is entered via the cc plugin before its threads are
        walked, so that the start-address symbols are resolved in that
        process's context (as the original in-loop comment intended).
        """
        def symbolize(address):
            # Look up the session's address resolver at call time, i.e. after
            # the context switch below, not once before the loop.
            return utils.FormattedAddress(self.session.address_resolver,
                                          address)

        cc = self.session.plugins.cc()
        with cc:
            for task in self.filter_processes():
                # Resolve names in the process context.
                cc.SwitchProcessContext(process=task)

                threads = task.ThreadListHead.list_of_type(
                    "_ETHREAD", "ThreadListEntry")
                for thread in threads:
                    start = thread.StartAddress
                    win32_start = thread.Win32StartAddress
                    yield {
                        "_ETHREAD": thread,
                        "pid": thread.Cid.UniqueProcess,
                        "tid": thread.Cid.UniqueThread,
                        "start": start,
                        "start_symbol": symbolize(start),
                        "Process": task.ImageFileName,
                        "win32_start": win32_start,
                        "win32_start_symb": symbolize(win32_start),
                    }
class WinMemDump(memmap.MemDumpMixin, common.WinProcessFilter):
    """Dump windows processes.

    The class body is empty: the dumping behaviour comes from
    memmap.MemDumpMixin and the process selection, presumably, from
    common.WinProcessFilter.
    """
class TestWinMemDump(testlib.HashChecker):
    """Regression test for the memdump plugin, run through testlib.HashChecker.

    (The original docstring said "pslist"; the commandline below runs memdump.)
    """

    PARAMETERS = {
        "commandline": "memdump %(pids)s --dump_dir %(tempdir)s",
        "pid": 2624,
    }
class TestMemmap(testlib.SimpleTestCase):
    """Regression test for the memmap plugin on a single pid.

    (The original docstring said "pslist"; the commandline below runs memmap.)
    """

    PARAMETERS = {
        "commandline": "memmap %(pids)s",
        "pid": 2624,
    }
class TestMemmapCoalesce(testlib.SimpleTestCase):
    """Make sure that memmaps are coalesced properly (memmap --coalesce)."""

    PARAMETERS = {
        "commandline": "memmap %(pids)s --coalesce",
        "pid": 2624,
    }