def __init__(self, filename=None, **kwargs):
super(AFF4AddressSpace, self).__init__(**kwargs)
self.as_assert(self.base == None,
"Must stack on another address space")
path = filename or self.session.GetParameter("filename")
self.as_assert(path != None, "Filename must be specified")
self.image = None
self.phys_base = self
self.resolver = data_store.MemoryDataStore()
try:
volume_path, stream_path = self._LocateAFF4Volume(path)
except IOError:
raise addrspace.ASAssertionError("Unable to open AFF4 volume")
# filename is a volume, and there is no stream specified, just autoload
# the stream if possible.
if not stream_path:
try:
self._AutoLoadAFF4Volume(volume_path)
return
except IOError:
raise addrspace.ASAssertionError("Unable to open AFF4 volume")
# If the user asked for a specific stream just load that one. Note that
# you can still load the pagefile manually using the --pagefile
# parameter.
with zip.ZipFile.NewZipFile(self.resolver, volume_path) as volume:
self._LoadMemoryImage(volume.urn.Append(stream_path))
def __init__(self, filename=None, **kwargs):
super(AFF4AddressSpace, self).__init__(**kwargs)
self.as_assert(self.base == None,
"Must stack on another address space")
path = filename or self.session.GetParameter("filename")
self.as_assert(path != None, "Filename must be specified")
self.image = None
self.resolver = data_store.MemoryDataStore()
# If we have a cache directory, configure AFF4 to use it.
try:
cache_dir = cache.GetCacheDir(self.session)
if cache_dir:
self.resolver.Set(lexicon.AFF4_CONFIG_CACHE_DIR,
lexicon.AFF4_FILE_NAME,
rdfvalue.XSDString(
os.path.join(cache_dir, "aff4_cache")))
except IOError:
pass
# A map between the filename and the offset it is mapped into the
# address space.
self.mapped_files = {}
try:
volume_path, stream_path = self._LocateAFF4Volume(path)
except IOError as e:
self.session.logging.debug("Unable to open AFF4 image %s", e)
raise addrspace.ASAssertionError("Unable to open AFF4 volume")
# filename is a volume, and there is no stream specified, just autoload
# the stream if possible.
if not stream_path:
try:
self._AutoLoadAFF4Volume(volume_path)
return
except IOError as e:
raise addrspace.ASAssertionError(
"Unable to open AFF4 volume: %s" % e)
# If the user asked for a specific stream just load that one. Note that
# you can still load the pagefile manually using the --pagefile
# parameter.
try:
image_urn = volume_path.Append(stream_path)
self._LoadMemoryImage(image_urn)
except IOError as e:
raise addrspace.ASAssertionError(
"Unable to open AFF4 stream %s: %s" % (
stream_path, e))
def __init__(self, base=None, filename=None, session=None, **kwargs):
self.as_assert(base == None, 'Must be first Address Space')
self.session = session
path = filename or (session and session.GetParameter("filename"))
self.as_assert(
path, "Filename must be specified in session (e.g. "
"session.SetParameter('filename', 'MyFile.raw').")
self.name = os.path.basename(path)
self.fname = os.path.abspath(path)
self.mode = 'rb'
if path.startswith(r"\\\\.\\"):
raise RuntimeError(
"Unable to open a device without the win32file package "
"installed.")
try:
fhandle = open(self.fname, self.mode)
except (IOError, OSError) as e:
raise addrspace.ASAssertionError("%s" % e)
self._closer = weakref.ref(self, lambda x: fhandle.close())
super(FileAddressSpace, self).__init__(fhandle=fhandle,
session=session,
**kwargs)
def __init__(self, ept=None, **kwargs):
# A dummy DTB is passed to the base class so the DTB checks on
# IA32PagedMemory don't bail out. We require the DTB to never be used
# for page translation outside of get_pml4e.
try:
super(VTxPagedMemory, self).__init__(dtb=0xFFFFFFFF, **kwargs)
except TypeError:
raise addrspace.ASAssertionError()
# Reset the DTB, in case a plugin or AS relies on us providing one.
self.dtb = None
ept_list = ept or self.session.GetParameter("ept")
if not isinstance(ept_list, (list, tuple)):
ept_list = [ept_list]
self.as_assert(ept_list, "No EPT specified")
this_ept = None
if isinstance(self.base, VTxPagedMemory):
# Find our EPT, which will be the next one after the base one.
base_idx = ept_list.index(self.base._ept)
try:
this_ept = ept_list[base_idx + 1]
except IndexError:
pass
else:
this_ept = ept_list[0]
self.as_assert(this_ept != None, "No more EPTs specified")
self._ept = this_ept
self.name = "VTxPagedMemory@%#x" % self._ept
def __init__(self, base=None, filename=None, session=None, **kwargs):
self.as_assert(base == None, 'Must be first Address Space')
path = filename or session.GetParameter("filename")
self.as_assert(path.startswith("\\\\"),
"Filename does not look like a device.")
super(WinPmemAddressSpace, self).__init__(filename=filename,
session=session,
**kwargs)
try:
# First open for write in case the driver is in write mode.
fhandle = self._OpenFileForWrite(path)
except IOError:
fhandle = self._OpenFileForRead(path)
self.fhandle_as = Win32FileWrapper(fhandle)
try:
self.ParseMemoryRuns(fhandle)
except Exception:
raise addrspace.ASAssertionError(
"This is not a WinPmem based driver.")
# Key: lower cased filename, value: offset where it is mapped.
self.mapped_files = {}
self.filesystems = {}
def __init__(self, base=None, filename=None, **kwargs):
super(MacPmemAddressSpace, self).__init__(**kwargs)
self.as_assert(base == None,
"Must be mapped directly over a raw device.")
self.fname = filename or (self.session
and self.session.GetParameter("filename"))
self.as_assert(self.fname, "Filename must be specified.")
# Open as read-only even if writes are supported and allowed, because
# permissions may be set up such that opening for writing would be
# disallowed.
try:
self.fd = open(self.fname, "r")
except (OSError, IOError):
raise addrspace.ASAssertionError(
"Filename does not exist or can not be opened.")
self.fname_info = "%s_info" % self.fname
self.as_assert(
path.exists(self.fname_info),
"MacPmem would declare a YML device at %s" % self.fname_info)
self._load_yml(self.fname_info)
def __init__(self, filename=None, **kwargs):
super(MmapFileAddressSpace, self).__init__(**kwargs)
self.as_assert(self.base is self, 'Must be first Address Space')
path = self.session.GetParameter("filename") or filename
self.as_assert(path and os.path.exists(path),
'Filename must be specified and exist')
self.fname = self.name = os.path.abspath(path)
self.mode = 'rb'
if self.session.GetParameter("writable_physical_memory"):
self.mode += '+'
self.fhandle = open(self.fname, self.mode)
self.fhandle.seek(0, 2)
self.fsize = self.fhandle.tell()
self.offset = 0
# On 64 bit architectures we can just map the entire image into our
# process. Its probably not worth the effort to make it work on 32 bit
# systems, which should just fall back to the slightly slower
# FileAddressSpace.
try:
self.map = mmap.mmap(self.fhandle.fileno(),
self.fsize,
access=mmap.ACCESS_READ)
except Exception as e:
raise addrspace.ASAssertionError("Unable to mmap: %s" % e)
def __init__(self, base=None, filename=None, **kwargs):
self.as_assert(base == None,
"Must be mapped directly over a raw device.")
super(PmemAddressSpace, self).__init__(**kwargs)
self.phys_base = self
path = filename or (self.session
and self.session.GetParameter("filename"))
self.as_assert(path, "Filename must be specified.")
self.fname = path
# See if the device is writable.
self.write_enabled = False
try:
self.fd = open(path, "rw")
self.write_enabled = True
except IOError:
self.fd = open(path, "r")
# Reading from some offsets in the device can crash the system.
# Let's make sure we don't do that.
try:
for offset, pages, efi_type in pmem_parse_mmap(self.fd):
if efi_type_readable(efi_type):
self.runs.insert((offset, offset, pages * 0x1000))
except IOError:
# Apparently we're not dealing with Pmem.
raise addrspace.ASAssertionError(
"File at %s is not a pmem device." % path)
def __init__(self, filename=None, **kwargs):
super(AFF4AddressSpace, self).__init__(**kwargs)
self.as_assert(self.base == None,
"Must stack on another address space")
path = filename or self.session.GetParameter("filename")
self.as_assert(path != None, "Filename must be specified")
self.image = None
self.resolver = data_store.MemoryDataStore()
# A map between the filename and the offset it is mapped into the
# address space.
self.mapped_files = {}
try:
volume_path, stream_path = self._LocateAFF4Volume(path)
except IOError:
raise addrspace.ASAssertionError("Unable to open AFF4 volume")
# filename is a volume, and there is no stream specified, just autoload
# the stream if possible.
if not stream_path:
try:
self._AutoLoadAFF4Volume(volume_path)
return
except IOError as e:
raise addrspace.ASAssertionError(
"Unable to open AFF4 volume: %s" % e)
# If the user asked for a specific stream just load that one. Note that
# you can still load the pagefile manually using the --pagefile
# parameter.
try:
image_urn = volume_path.Append(stream_path)
self._LoadMemoryImage(image_urn)
except IOError as e:
raise addrspace.ASAssertionError(
"Unable to open AFF4 stream %s: %s" % (stream_path, e))
def __init__(self, filename=None, **kwargs):
super(AFF4AddressSpace, self).__init__(**kwargs)
self.as_assert(self.base == None,
"Must stack on another address space")
path = filename or self.session.GetParameter("filename")
self.as_assert(path != None, "Filename must be specified")
self.image = None
self.phys_base = self
try:
self._LoadAFF4Volume(path)
except IOError:
raise addrspace.ASAssertionError("Unable to open AFF4 volume")
def __init__(self, base=None, filename=None, **kwargs):
self.as_assert(base == None, 'Must be first Address Space')
super(Win32FileAddressSpace, self).__init__(**kwargs)
self.phys_base = self
path = filename or self.session.GetParameter("filename")
self.as_assert(
path, "Filename must be specified in session (e.g. "
"session.SetParameter('filename', 'MyFile.raw').")
self.fname = path
# The file is just a regular file, we open for reading.
self._OpenFileForRead(path)
# If we can not get the file size it means this is not a regular file -
# maybe a device.
try:
self.runs.insert((0, 0, win32file.GetFileSize(self.fhandle)))
except pywintypes.error:
raise addrspace.ASAssertionError("Not a regular file.")
