    def _load_yml(self, yml_path):
        """Load pmem metadata from the YAML file at ``yml_path``.

        The decoded document is kept on ``self.pmem_metadata``; its
        ``meta.dtb_off`` and ``meta.kaslr_slide`` entries are pushed into the
        session cache as ``dtb`` and ``vm_kernel_slide``, and every run
        produced by ``self._get_readable_runs`` over ``records`` is inserted
        into ``self.runs``.

        Raises:
            KeyError: if ``meta``, ``dtb_off``, ``kaslr_slide`` or
                ``records`` is missing from the document.
        """
        with open(yml_path) as fp:
            raw = fp.read()
        # NOTE(review): the document is parsed with yaml_utils.decode; this is
        # assumed to be a safe (non-object-constructing) loader — confirm.
        document = yaml_utils.decode(raw)
        self.pmem_metadata = document

        meta = document["meta"]
        self.session.SetCache("dtb", meta["dtb_off"])
        self.session.SetCache("vm_kernel_slide", meta["kaslr_slide"])

        readable = self._get_readable_runs(document["records"])
        for run in readable:
            self.runs.insert(run)
    def _load_yml(self, yml_path):
        """Load pmem metadata from the YAML file at ``yml_path``.

        The decoded document is kept on ``self.pmem_metadata``; its
        ``meta.dtb_off`` and ``meta.kaslr_slide`` entries are pushed into the
        session cache as ``dtb`` and ``vm_kernel_slide``, and every run
        produced by ``self._get_readable_runs`` over ``records`` is inserted
        into ``self.runs``.

        Raises:
            KeyError: if ``meta``, ``dtb_off``, ``kaslr_slide`` or
                ``records`` is missing from the document.
        """
        with open(yml_path) as fp:
            raw = fp.read()
        # NOTE(review): the document is parsed with yaml_utils.decode; this is
        # assumed to be a safe (non-object-constructing) loader — confirm.
        document = yaml_utils.decode(raw)
        self.pmem_metadata = document

        meta = document["meta"]
        self.session.SetCache("dtb", meta["dtb_off"])
        self.session.SetCache("vm_kernel_slide", meta["kaslr_slide"])

        readable = self._get_readable_runs(document["records"])
        for run in readable:
            self.runs.insert(run)
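    def _parse_physical_memory_metadata(self, session, image_urn):
        """Seed session parameters from the volume's ``information.yaml``.

        Opens ``<image_urn>/information.yaml`` through ``self.resolver``,
        decodes it with ``yaml_utils.decode`` and, for each parameter the
        user has not already set on ``session``, stores the value found in
        the metadata in the session cache as a non-volatile entry:
        ``Registers.CR3`` -> ``dtb`` and ``KernBase`` -> ``kernel_base``.
        Values absent from the metadata are not cached.

        Args:
            session: object providing ``HasParameter``, ``SetCache`` and
                ``logging``.
            image_urn: URN of the physical memory image; ``Append`` is
                called on it to locate the metadata file.

        A missing metadata file (``IOError`` while opening it) is logged at
        info level and otherwise ignored.
        """
        try:
            with self.resolver.AFF4FactoryOpen(
                    image_urn.Append("information.yaml")) as fd:
                # The read size is an int: stdlib file objects reject a float
                # (the previous 10e6), and the sibling implementation of this
                # method already uses 10000000.
                metadata = yaml_utils.decode(fd.read(10000000))
                # The metadata comes from the image, not from the user. Only a
                # mapping has the keys read below; an empty document decodes
                # to None, so anything else is treated as "no metadata".
                if not isinstance(metadata, dict):
                    metadata = {}

                # Allow the user to override the AFF4 file.
                if not session.HasParameter("dtb"):
                    dtb = metadata.get("Registers", {}).get("CR3")
                    if dtb is not None:
                        session.SetCache("dtb", dtb, volatile=False)

                if not session.HasParameter("kernel_base"):
                    kernel_base = metadata.get("KernBase")
                    if kernel_base is not None:
                        session.SetCache("kernel_base", kernel_base,
                                         volatile=False)
        except IOError:
            session.logging.info(
                "AFF4 volume does not contain %s/information.yaml" % image_urn)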
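    def _parse_physical_memory_metadata(self, session, image_urn):
        """Seed session parameters from the volume's ``information.yaml``.

        Opens ``<image_urn>/information.yaml`` through ``self.resolver``,
        decodes it with ``yaml_utils.decode`` and, for each parameter the
        user has not already set on ``session``, stores the value found in
        the metadata in the session cache as a non-volatile entry:
        ``Registers.CR3`` -> ``dtb`` and ``KernBase`` -> ``kernel_base``.
        Values absent from the metadata are not cached.

        Args:
            session: object providing ``HasParameter``, ``SetCache`` and
                ``logging``.
            image_urn: URN of the physical memory image; ``Append`` is
                called on it to locate the metadata file.

        A missing metadata file (``IOError`` while opening it) is logged at
        info level and otherwise ignored.
        """
        try:
            with self.resolver.AFF4FactoryOpen(
                    image_urn.Append("information.yaml")) as fd:
                # The read size is an int: stdlib file objects reject a float
                # (the previous 10e6), and the sibling implementation of this
                # method already uses 10000000.
                metadata = yaml_utils.decode(fd.read(10000000))
                # The metadata comes from the image, not from the user. Only a
                # mapping has the keys read below; an empty document decodes
                # to None, so anything else is treated as "no metadata".
                if not isinstance(metadata, dict):
                    metadata = {}

                # Allow the user to override the AFF4 file.
                if not session.HasParameter("dtb"):
                    dtb = metadata.get("Registers", {}).get("CR3")
                    if dtb is not None:
                        session.SetCache("dtb", dtb, volatile=False)

                if not session.HasParameter("kernel_base"):
                    kernel_base = metadata.get("KernBase")
                    if kernel_base is not None:
                        session.SetCache("kernel_base", kernel_base,
                                         volatile=False)
        except IOError:
            session.logging.info(
                "AFF4 volume does not contain %s/information.yaml" % image_urn)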
    def _parse_physical_memory_metadata(self, session, image_urn):
        """Seed session parameters from the volume's ``information.yaml``.

        Opens ``<image_urn>/information.yaml`` through ``self.resolver``,
        decodes it with ``yaml_utils.decode`` and walks ``self._parameter``,
        a sequence of ``(session_param, info_para)`` pairs where
        ``info_para`` is a dot-separated key path into the metadata. For each
        pair whose ``session_param`` the user has not already set, the value
        at that path (if every key resolves to a non-None value) is stored in
        the session cache as a non-volatile entry.

        Args:
            session: object providing ``HasParameter``, ``SetCache`` and
                ``logging``.
            image_urn: URN of the physical memory image; ``Append`` is
                called on it to locate the metadata file.

        A missing metadata file (``IOError`` while opening it) is logged at
        info level and otherwise ignored.
        """
        try:
            with self.resolver.AFF4FactoryOpen(
                    image_urn.Append("information.yaml")) as fd:
                # NOTE(review): assumed to be a safe YAML loader — confirm.
                metadata = yaml_utils.decode(fd.read(10000000))

                def lookup(dotted_path):
                    # Descend one key at a time; stop at the first missing
                    # (None) level and report None for the whole path.
                    node = metadata
                    found = None
                    for key in dotted_path.split("."):
                        found = node.get(key)
                        if found is None:
                            return None
                        node = found
                    return found

                for session_param, info_para in self._parameter:
                    # Allow the user to override the AFF4 file.
                    if session.HasParameter(session_param):
                        continue
                    value = lookup(info_para)
                    if value is None:
                        continue
                    session.SetCache(session_param, value, volatile=False)
        except IOError:
            session.logging.info(
                "AFF4 volume does not contain %s/information.yaml" % image_urn)
    def _parse_physical_memory_metadata(self, session, image_urn):
        """Seed session parameters from the volume's ``information.yaml``.

        Opens ``<image_urn>/information.yaml`` through ``self.resolver``,
        decodes it with ``yaml_utils.decode`` and walks ``self._parameter``,
        a sequence of ``(session_param, info_para)`` pairs where
        ``info_para`` is a dot-separated key path into the metadata. For each
        pair whose ``session_param`` the user has not already set, the value
        at that path (if every key resolves to a non-None value) is stored in
        the session cache as a non-volatile entry.

        Args:
            session: object providing ``HasParameter``, ``SetCache`` and
                ``logging``.
            image_urn: URN of the physical memory image; ``Append`` is
                called on it to locate the metadata file.

        A missing metadata file (``IOError`` while opening it) is logged at
        info level and otherwise ignored.
        """
        try:
            with self.resolver.AFF4FactoryOpen(
                    image_urn.Append("information.yaml")) as fd:
                # NOTE(review): assumed to be a safe YAML loader — confirm.
                metadata = yaml_utils.decode(fd.read(10000000))

                def lookup(dotted_path):
                    # Descend one key at a time; stop at the first missing
                    # (None) level and report None for the whole path.
                    node = metadata
                    found = None
                    for key in dotted_path.split("."):
                        found = node.get(key)
                        if found is None:
                            return None
                        node = found
                    return found

                for session_param, info_para in self._parameter:
                    # Allow the user to override the AFF4 file.
                    if session.HasParameter(session_param):
                        continue
                    value = lookup(info_para)
                    if value is None:
                        continue
                    session.SetCache(session_param, value, volatile=False)
        except IOError:
            session.logging.info(
                "AFF4 volume does not contain %s/information.yaml" % image_urn)
    def _load_yml(self, yml_path):
        """Load pmem metadata from the YAML file at ``yml_path``.

        The decoded document is kept on ``self.pmem_metadata``, and every
        run produced by ``self._get_readable_runs`` over its ``records``
        entry is unpacked into ``self.add_run``.

        Raises:
            KeyError: if ``records`` is missing from the document.
        """
        with open(yml_path) as fp:
            raw = fp.read()
        # NOTE(review): the document is parsed with yaml_utils.decode; this is
        # assumed to be a safe (non-object-constructing) loader — confirm.
        document = yaml_utils.decode(raw)
        self.pmem_metadata = document

        readable = self._get_readable_runs(document["records"])
        for run in readable:
            self.add_run(*run)
    def _load_yml(self, yml_path):
        """Load pmem metadata from the YAML file at ``yml_path``.

        The decoded document is kept on ``self.pmem_metadata``, and every
        run produced by ``self._get_readable_runs`` over its ``records``
        entry is unpacked into ``self.add_run``.

        Raises:
            KeyError: if ``records`` is missing from the document.
        """
        with open(yml_path) as fp:
            raw = fp.read()
        # NOTE(review): the document is parsed with yaml_utils.decode; this is
        # assumed to be a safe (non-object-constructing) loader — confirm.
        document = yaml_utils.decode(raw)
        self.pmem_metadata = document

        readable = self._get_readable_runs(document["records"])
        for run in readable:
            self.add_run(*run)
 def Decoder(self, raw_data):
     """Decode ``raw_data`` with ``yaml_utils.decode`` and return the result.

     ``self`` is not used; the method only forwards to the module-level
     decoder, so whatever ``yaml_utils.decode`` returns or raises is passed
     straight through to the caller.
     """
     decoded = yaml_utils.decode(raw_data)
     return decoded