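def Run(self, args):
    """Query the Windows memory driver for the physical-memory layout.

    Opens the device named by ``args.path``, issues the ``INFO_IOCTRL`` control
    code once, parses the reply and sends a single ``MemoryInformation`` reply
    carrying the CR3 value and the list of memory runs.

    Args:
      args: request object whose ``path`` attribute names the device to open.
        The path is used as given; the action trusts whoever sent the request.

    Raises:
      struct.error: if the driver's reply is shorter than the fixed header or
        than the run table it claims to contain (the reply buffer is capped at
        1024 bytes, so a large run count cannot be fully parsed).
    """
    # This action might crash the box so we need to flush the transaction log.
    self.SyncTransactionLog()

    logging.debug("Querying device %s", args.path)
    handle = win32file.CreateFile(
        args.path,
        win32file.GENERIC_READ | win32file.GENERIC_WRITE,
        win32file.FILE_SHARE_READ | win32file.FILE_SHARE_WRITE,
        None,
        win32file.OPEN_EXISTING,
        win32file.FILE_ATTRIBUTE_NORMAL,
        None)
    try:
        data = win32file.DeviceIoControl(handle, INFO_IOCTRL, "", 1024, None)
    finally:
        # The handle is only needed for this one IOCTL; close it explicitly
        # instead of leaking it until the PyHANDLE object happens to be
        # finalized.
        win32file.CloseHandle(handle)

    # Fixed header: CR3, one unused 64-bit field, then a signed 32-bit run
    # count.  A negative count simply yields no runs.
    header_fmt = "QQl"
    cr3, _, number_of_runs = struct.unpack_from(header_fmt, data)

    result = rdfvalue.MemoryInformation(
        cr3=cr3,
        device=rdfvalue.PathSpec(
            path=args.path,
            pathtype=rdfvalue.PathSpec.PathType.MEMORY))

    # Each run entry is a (start, length) pair of 64-bit values following the
    # header.  unpack_from raises struct.error rather than reading past the
    # end of the reply if the driver reports more runs than fit in the buffer.
    run_fmt = "QQ"
    run_size = struct.calcsize(run_fmt)
    runs_offset = struct.calcsize(header_fmt)
    for index in range(number_of_runs):
        start, length = struct.unpack_from(
            run_fmt, data, runs_offset + index * run_size)
        result.runs.Append(offset=start, length=length)

    self.SendReply(result)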
def GetMemoryInformation(self, _):
    """Test stand-in for the driver query.

    Ignores its argument and reports a fixed layout: the pmem device with two
    64 KiB runs at 0x1000 and 0x20000.

    Returns:
      A one-element list holding the canned ``MemoryInformation``.
    """
    device = rdfvalue.PathSpec(
        path=r"\\.\pmem", pathtype=rdfvalue.PathSpec.PathType.MEMORY)
    info = rdfvalue.MemoryInformation(device=device)
    for run_offset, run_length in ((0x1000, 0x10000), (0x20000, 0x10000)):
        info.runs.Append(offset=run_offset, length=run_length)
    return [info]
def Start(self):
    """Test flow entry point.

    Replies with a ``MemoryInformation`` whose device is the ``auth.log`` file
    from the test data directory (an OS path, not a memory device) and whose
    two runs are fixed byte ranges inside that file.
    """
    fixture_path = os.path.join(config_lib.CONFIG["Test.data_dir"], "auth.log")
    device = rdfvalue.PathSpec(
        path=fixture_path, pathtype=rdfvalue.PathSpec.PathType.OS)
    # Hard-coded ranges that the test expects to be read back from the fixture.
    runs = [
        rdfvalue.BufferReference(offset=5, length=638976),
        rdfvalue.BufferReference(offset=643074, length=145184),
    ]
    self.SendReply(rdfvalue.MemoryInformation(device=device, runs=runs))
def GetMemoryInformation(self, _):
    """Mock out the driver loading code to pass the memory image.

    Ignores its argument and reports ``image_path`` (taken from the enclosing
    scope) as a plain OS file with a single run covering the first 10**9 bytes.

    Returns:
      A one-element list holding the canned ``MemoryInformation``.
    """
    image_device = rdfvalue.PathSpec(
        path=image_path, pathtype=rdfvalue.PathSpec.PathType.OS)
    info = rdfvalue.MemoryInformation(device=image_device)
    # One run large enough to span any test image.
    info.runs.Append(offset=0, length=10 ** 9)
    return [info]
def Run(self, args):
    """Check that the memory device can be opened and reply with its PathSpec.

    Args:
      args: request object whose ``path`` attribute names the device. The path
        is used as given; the action trusts whoever sent the request.

    Raises:
      IOError/OSError: propagated from ``open``/``read`` if the device cannot
        be opened or read.
    """
    # The read is only a probe that the device is usable; its bytes are discarded.
    with open(args.path, "rb") as probe:
        probe.read(5)
    device = rdfvalue.PathSpec(
        path=args.path, pathtype=rdfvalue.PathSpec.PathType.MEMORY)
    self.SendReply(rdfvalue.MemoryInformation(device=device))
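def Run(self, args):
    """Query the OS X memory device for CR3 and the physical-memory map.

    Opens ``args.path``, asks ``memory.OSXMemory`` for the CR3 value and the
    memory map, and sends one ``MemoryInformation`` reply describing them.

    Args:
      args: request object whose ``path`` attribute names the device to open.
        The path is used as given; the action trusts whoever sent the request.

    Raises:
      IOError/OSError: propagated from ``open`` if the device cannot be opened.
    """
    # This action might crash the box so we need to flush the transaction log.
    self.SyncTransactionLog()

    logging.debug("Querying device %s", args.path)
    # The original left the device open for the life of the process; a context
    # manager closes it as soon as the map has been read.  GetMemoryMap is
    # consumed inside the block in case it reads lazily from the handle.
    with open(args.path, "rb") as mem_dev:
        result = rdfvalue.MemoryInformation(
            cr3=memory.OSXMemory.GetCR3(mem_dev),
            device=rdfvalue.PathSpec(
                path=args.path,
                pathtype=rdfvalue.PathSpec.PathType.MEMORY))
        for start, length in memory.OSXMemory.GetMemoryMap(mem_dev):
            result.runs.Append(offset=start, length=length)

    self.SendReply(result)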
def Start(self):
    """Test flow entry point.

    Replies with a ``MemoryInformation`` whose device is the ``auth.log`` file
    from the test data directory (an OS path, not a memory device) and which
    carries no runs.
    """
    fixture_path = os.path.join(config_lib.CONFIG["Test.data_dir"], "auth.log")
    device_spec = rdfvalue.PathSpec(
        path=fixture_path, pathtype=rdfvalue.PathSpec.PathType.OS)
    self.SendReply(rdfvalue.MemoryInformation(device=device_spec))