def from_stat(cls, filespec, session=None):
filespec = FileSpec(filespec)
result = FileInformation(filename=filespec, session=session)
try:
s = os.stat(filespec.os_path())
except (IOError, OSError) as e:
return obj.NoneObject("Unable to stat %s", e)
result.st_mode = Permissions(s.st_mode)
result.st_ino = s.st_ino
result.st_size = s.st_size
result.st_dev = s.st_dev
result.st_nlink = s.st_nlink
result.st_uid = User.from_uid(s.st_uid)
result.st_gid = Group.from_gid(s.st_gid)
result.st_mtime = basic.UnixTimeStamp(name="st_mtime",
value=s.st_mtime,
session=session)
result.st_atime = basic.UnixTimeStamp(name="st_atime",
value=s.st_atime,
session=session)
result.st_ctime = basic.UnixTimeStamp(name="st_ctime",
value=s.st_ctime,
session=session)
return result
def from_stat(cls, filename, session=None):
filename = FileSpec(filename)
if filename.filesystem != "API":
raise RuntimeError("Unsupported file spec type %s" %
filename.filesystem)
result = cls(filename=filename, session=session)
try:
s = os.stat(result.filename.name)
except (IOError, OSError) as e:
return obj.NoneObject("Unable to stat %s", e)
result.st_mode = Permissions(s.st_mode)
result.st_ino = s.st_ino
result.st_size = s.st_size
result.st_dev = s.st_dev
result.st_nlink = s.st_nlink
result.st_uid = User.from_uid(s.st_uid)
result.st_gid = Group.from_gid(s.st_gid)
result.st_mtime = basic.UnixTimeStamp(
name="st_mtime", value=s.st_mtime, session=session)
result.st_atime = basic.UnixTimeStamp(
name="st_atime", value=s.st_atime, session=session)
result.st_ctime = basic.UnixTimeStamp(
name="st_ctime", value=s.st_ctime, session=session)
return result
def collect(self):
dir_path = self.plugin_args.dir_path
partition = self.session.GetParameter("partition_context")
try:
for entry in partition.filesystem.get_fs_entry_by_path(dir_path):
yield dict(
name=entry.name,
inode=entry.tsk_file.info.meta.addr,
type=entry.type,
size=entry.size,
ctime=basic.UnixTimeStamp(
session=self.session,
name="ctime",
value=entry.tsk_file.info.meta.ctime),
mtime=basic.UnixTimeStamp(
session=self.session,
name="mtime",
value=entry.tsk_file.info.meta.mtime),
atime=basic.UnixTimeStamp(
session=self.session,
name="atime",
value=entry.tsk_file.info.meta.atime),
)
except IOError as e:
raise plugin.PluginError(e)
def list(self):
if self.st_mode == stat.S_IFREG:
return
# We represent the virtual root of all hives.
if self._hive_handle is None:
for name in dir(_winreg):
if name.startswith("HKEY_"):
yield RegistryKeyInformation(filename=name,
session=self.session)
return
try:
with OpenKey(self._hive_handle, self.key_name) as key:
(number_of_keys, number_of_values,
last_modified) = QueryInfoKey(key)
st_mtime = basic.UnixTimeStamp(
name="st_mtime",
value=(old_div(last_modified, 10000000) -
WIN_UNIX_DIFF_MSECS),
session=self.session)
# First keys - These will look like directories.
for i in range(number_of_keys):
name = EnumKey(key, i)
key_name = "\\".join((self.hive, self.key_name, name))
try:
subkey = RegistryKeyInformation(filename=key_name,
session=self.session)
subkey.st_mtime = st_mtime
yield subkey
except WindowsError:
pass
# Now Values - These will look like files.
for i in range(number_of_values):
name, _, _ = EnumValue(key, i)
key_name = "\\".join((self.hive, self.key_name, name))
try:
subkey = RegistryKeyInformation(filename=key_name,
session=self.session)
subkey.st_mtime = st_mtime
yield subkey
except WindowsError:
pass
except WindowsError as e:
raise IOError("Unable to list key %s: %s" % (self.key_name, e))
def __init__(self, proc, session=None):
"""Construct a representation of the live process.
Args:
proc: The psutil.Process instance.
"""
# Hold on to the original psutil object.
self._proc = proc
self.session = session
super(_LiveProcess, self).__init__()
self.start_time = basic.UnixTimeStamp(
name="create_time", value=self.create_time, session=self.session)
def collect(self):
kuser_shared = self.session.address_resolver.get_constant_object(
"nt!KI_USER_SHARED_DATA", "_KUSER_SHARED_DATA")
seconds_since_boot = self.session.plugins.imageinfo().GetBootTime(
kuser_shared)
kernel_time = kuser_shared.SystemTime
boot_timestamp = basic.UnixTimeStamp(
value=kernel_time - seconds_since_boot,
session=self.session)
yield [utils.AttributeDict(now=kernel_time, boot=boot_timestamp,
uptime=seconds_since_boot)]
def _get_scopes(self):
"""Builds the scopes for this query."""
scopes = helpers.EFILTER_SCOPES.copy()
scopes["timestamp"] = api.user_func(
lambda x, **_: basic.UnixTimeStamp(value=x, session=self.session),
arg_types=[float, int, long])
# This function is used to indicate that the string represents
# a filename. This will cause the agent to upload it if the
# user requested uploading files.
# > select file(path.filename.name).filename.name from glob("/*")
scopes["file"] = api.user_func(
lambda x: common.FileInformation(session=self.session, filename=x),
arg_types=[unicode, str])
return scopes
def collect(self):
collection = interrogate.ClientStatisticsCollection.load_from_location(
self._config.server.client_db_for_server(), session=self.session)
conditions = {}
if self.plugin_args.client_id:
conditions["client_id"] = self.plugin_args.client_id
if self.plugin_args.hostname:
conditions["fqdn like ?"] = ("%" + self.plugin_args.hostname + "%")
for row in collection.query(limit=self.plugin_args.limit,
**conditions):
yield dict(
client_id=row["client_id"],
hostname=row["fqdn"],
os="%s %s" % (row["system"], row["architecture"]),
last_time=basic.UnixTimeStamp(session=self.session,
value=row["agent_start_time"]))
def _get_scope(self):
"""Builds the scope for this query.
We add some useful functions to be available to the query:
timestamp(): Wrap an int or float in a UnixTimeStamp so it
gets rendered properly.
substr(): Allows a string to be substringed.
file(): Marks a string as a file name. The Rekall Agent will
then potentially upload this file.
"""
scope = helpers.EFILTER_SCOPES.copy()
scope["timestamp"] = api.user_func(
lambda x, **_: basic.UnixTimeStamp(value=x, session=self.session),
arg_types=[float, int, long])
# This function is used to indicate that the string represents
# a filename. This will cause the agent to upload it if the
# user requested uploading files.
# > select file(path.filename.name).filename.name from glob("/*")
scope["file"] = api.scalar_function(
lambda x: common.FileInformation(session=self.session, filename=x),
arg_types=(string.IString,))
scope["substr"] = api.scalar_function(
lambda x, start, end: utils.SmartUnicode(x)[int(start):int(end)],
arg_types=(string.IString, number.INumber, number.INumber))
scope["hex"] = api.scalar_function(
lambda x: hex(int(x)),
arg_types=(number.INumber,))
scope["deref"] = api.scalar_function(
lambda x: x.deref(),
arg_types=(obj.Pointer,))
return scope
