
Source Code for Module rekall.rekal

  1  #!/usr/bin/env python 
  2   
  3  # Rekall 
  4  # Copyright (C) 2012 Michael Cohen <scudette@gmail.com> 
  5  # Copyright 2013 Google Inc. All Rights Reserved. 
  6  # 
  7  # This program is free software; you can redistribute it and/or modify 
  8  # it under the terms of the GNU General Public License as published by 
  9  # the Free Software Foundation; either version 2 of the License, or (at 
 10  # your option) any later version. 
 11  # 
 12  # This program is distributed in the hope that it will be useful, but 
 13  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 14  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 15  # General Public License for more details. 
 16  # 
 17  # You should have received a copy of the GNU General Public License 
 18  # along with this program; if not, write to the Free Software 
 19  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 20  # 
 21   
# Module metadata; nothing in this module reads it.
__author__ = "Michael Cohen <scudette@gmail.com>"
 23   
 24  # pylint: disable=protected-access 
 25   
 26  import logging 
 27  import pdb 
 28  import sys 
 29   
 30  import rekall 
 31  from rekall import args 
 32  from rekall import config 
 33  from rekall import constants 
 34  from rekall import plugin 
 35  from rekall import session 
 36  from rekall import quotas 
 37   
 38  from pkg_resources import iter_entry_points 
# Import every distribution that registers itself under the "rekall.plugins"
# entry point group.  Loading runs module-level code from any installed
# package declaring that group, so the installed environment is part of the
# trust boundary of this entry point.
for plugin_entry_point in iter_entry_points(group='rekall.plugins', name=None):
    plugin_entry_point.load()
 41   
 42  # Load all the plugins. 
 43  from rekall import plugins  # pylint: disable=unused-import 
 44   
 45   
# Global --version flag.  It is acted on by main()'s global_arg_cb before any
# plugin is selected, so no plugin ever sees it.
config.DeclareOption(
    "--version",
    type="Boolean",
    default=False,
    help="Prints the Rekall version and exits.")
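class Run(plugin.PrivilegedMixIn, plugin.Command):
    """A plugin which runs its argument (using exec).

    The source is executed in the session's local namespace, so anything it
    defines is visible to later commands in the same session.

    Note: This plugin is only defined and available when using the main entry
    point. It is not available when Rekall is used as a library since it allows
    arbitrary code execution.
    """

    name = "run"

    @classmethod
    def args(cls, parser):
        """Register this plugin's command line arguments on parser."""
        super(Run, cls).args(parser)
        parser.add_argument("script", default="print 'hello!'",
                            help="The script to evaluate")

        parser.add_argument("--run", default=None,
                            help="A file name to run.")

    def __init__(self, script, run=None, **kwargs):
        """Execute script, or the contents of the file run, in the session.

        Args:
          script: Python source to execute.
          run: Optional path of a file whose contents replace script.
          **kwargs: Passed through to plugin.Command.

        Raises:
          IOError: If run is given but cannot be opened or read.
          Anything the executed source itself raises.
        """
        super(Run, self).__init__(**kwargs)
        if run is not None:
            # Close the handle deterministically rather than leaving it to the
            # garbage collector; the file's contents are executed verbatim.
            with open(run) as script_file:
                script = script_file.read()

        # Deliberate arbitrary code execution -- that is this plugin's purpose.
        # NOTE(review): PrivilegedMixIn appears to be what limits it to
        # sessions with privileged set (see main()); confirm in rekall.plugin.
        # The two-tuple form is the exec statement in Python 2 and the builtin
        # in Python 3, so behaviour is unchanged.
        exec(script, self.session.locals)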
76
def main(argv=None):
    """Command line entry point: parse argv, run the chosen plugin, flush.

    Args:
      argv: Argument list to parse; None lets args.parse_args choose its
        own default.
    """
    # Interactive session with the extra conveniences; it is also recorded
    # in its own session list.
    user_session = session.InteractiveSession()
    user_session.session_list.append(user_session)

    # Special (privileged) plugins are permitted only from this entry point.
    user_session.privileged = True

    def global_arg_cb(global_flags, _):
        """Handle --version before any plugin is selected."""
        if not global_flags.version:
            return
        print("This is Rekall Version %s (%s)" % (
            constants.VERSION, constants.CODENAME))
        print(rekall.get_versions())
        sys.exit(0)

    plugin_cls, flags = args.parse_args(
        argv=argv, global_arg_cb=global_arg_cb, user_session=user_session)

    # Apply any resource quotas the user asked for.
    user_session = quotas.wrap_session(user_session)
    try:
        # Only the plugin specific arguments reach the plugin.
        plugin_kwargs = config.RemoveGlobalOptions(flags)
        user_session.RunPlugin(plugin_cls, **plugin_kwargs)
    except Exception as error:
        logging.fatal("%s. Try --debug for more information." % error)
        if getattr(flags, "debug", None):
            pdb.post_mortem(sys.exc_info()[2])
        raise
    finally:
        user_session.Flush()


if __name__ == '__main__':
    main()
93 94 plugin_cls, flags = args.parse_args( 95 argv=argv, global_arg_cb=global_arg_cb, 96 user_session=user_session) 97 98 # Install any quotas the user requested. 99 user_session = quotas.wrap_session(user_session) 100 try: 101 # Run the plugin with plugin specific args. 102 user_session.RunPlugin(plugin_cls, **config.RemoveGlobalOptions(flags)) 103 except Exception as e: 104 logging.fatal("%s. Try --debug for more information." % e) 105 if getattr(flags, "debug", None): 106 pdb.post_mortem(sys.exc_info()[2]) 107 raise 108 finally: 109 user_session.Flush() 110 111 if __name__ == '__main__': 112 main() 113