def render_text(self, outfd, data):
    """Write the image timestamps held in *data* to *outfd* as two text lines.

    The first line prints data['ImageDatetime'] as-is (its own __format__ is
    used), the second re-renders the same instant through timefmt with the
    timezone recorded in data['ImageTz'].
    """
    image_dt = data['ImageDatetime']
    image_tz = data['ImageTz']
    # Resolve the datetime up front; it is only needed for the local rendering.
    as_dt = image_dt.as_datetime()

    utc_line = "Image date and time : {0}\n".format(image_dt)
    outfd.write(utc_line)

    # timefmt applies the image's own timezone to the same instant.
    local_rendered = timefmt.display_datetime(as_dt, image_tz)
    local_line = "Image local date and time : {0}\n".format(local_rendered)
    outfd.write(local_line)
def __format__(self, formatspec):
    """Render this timestamp through timefmt, honouring *formatspec*.

    Returns the placeholder "-" when as_datetime() gives nothing comparable
    to a datetime, so formatting an absent timestamp never raises.
    """
    dt = self.as_datetime()
    # The `!= None` comparison is kept deliberately: as_datetime() may return a
    # project placeholder object whose equality with None is what matters here.
    rendered = timefmt.display_datetime(dt) if dt != None else None
    return format(rendered, formatspec) if dt != None else "-"
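def calculate(self):
    """Probe the image with candidate profiles and yield (name, type, value) triples.

    Yields, in order: the suggested profile(s) from the KDBG scan, one entry per
    address-space layer, the PAE type, then — only when the chosen profile gave
    an address space with a ``dtb`` attribute — the DTB, a validated KDBG with
    its processor count, service pack and one KPCR per CPU, KUSER_SHARED_DATA,
    and the image timestamps.

    Side effect: self._config.PROFILE is rewritten while probing. It is restored
    in a ``finally`` block so the original value comes back even when the
    consumer stops iterating early or a probe raises (previously the reset only
    ran if the generator was exhausted).
    """
    debug.info("Determining profile based on KDBG search...")
    profilelist = [p.__name__ for p in registry.get_plugin_classes(obj.Profile).values()]

    bestguess = None
    suglist = [s for s, _ in kdbgscan.KDBGScan.calculate(self)]
    if suglist:
        bestguess = suglist[0]
    suggestion = ", ".join(set(suglist))

    # Set our suggested profile first, then run through the list
    if bestguess in profilelist:
        profilelist = [bestguess] + profilelist

    chosen = 'no profile'
    # Save the original profile so it can be restored when the generator finishes
    origprofile = self._config.PROFILE
    # Force user provided profile over others
    profilelist = [origprofile] + profilelist

    try:
        for profile in profilelist:
            debug.debug('Trying profile ' + profile)
            self._config.update('PROFILE', profile)
            addr_space = utils.load_as(self._config, astype='any')
            # A dtb attribute means this profile produced a paged address space
            if hasattr(addr_space, "dtb"):
                chosen = profile
                break

        if bestguess != chosen:
            if not suggestion:
                suggestion = 'No suggestion'
            suggestion += ' (Instantiated with ' + chosen + ')'
        yield ('Suggested Profile(s)', str, suggestion)

        # Walk the address-space stack from the top layer down to its base
        tmpas = addr_space
        count = 0
        while tmpas:
            count += 1
            yield ('AS Layer' + str(count), str, tmpas.__class__.__name__ + " (" + tmpas.name + ")")
            tmpas = tmpas.base

        if not hasattr(addr_space, "pae"):
            yield ('PAE type', str, "No PAE")
        else:
            yield ('PAE type', str, "PAE" if addr_space.pae else "No PAE")

        if hasattr(addr_space, "dtb"):
            yield ('DTB', Address, Address(addr_space.dtb))

        volmagic = obj.VolMagic(addr_space)
        if hasattr(addr_space, "dtb"):
            kdbg = volmagic.KDBG.v()
            # A bare integer is an offset, not a wrapped structure; wrap it first.
            # NOTE(review): on Python 2 a `long` offset would not match here — confirm
            # what VolMagic.KDBG.v() returns on that interpreter.
            if isinstance(kdbg, int):
                kdbg = obj.Object("_KDDEBUGGER_DATA64", offset=kdbg, vm=addr_space)
            # The KDBG was located by scanning the image, so only a validated
            # structure is dereferenced for processor and KPCR details.
            if kdbg.is_valid():
                yield ('KDBG', Address, Address(kdbg.obj_offset))
                kpcr_list = list(kdbg.kpcrs())
                yield ('Number of Processors', int, len(kpcr_list))
                yield ('Image Type (Service Pack)', int, kdbg.ServicePack)
                for kpcr in kpcr_list:
                    yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number), Address, Address(kpcr.obj_offset))

            KUSER_SHARED_DATA = volmagic.KUSER_SHARED_DATA.v()
            if KUSER_SHARED_DATA:
                yield ('KUSER_SHARED_DATA', Address, Address(KUSER_SHARED_DATA))

            data = self.get_image_time(addr_space)
            if data:
                yield ('Image date and time', str, str(data['ImageDatetime']))
                yield ('Image local date and time', str, timefmt.display_datetime(data['ImageDatetime'].as_datetime(), data['ImageTz']))
    finally:
        # Make sure to reset the profile to its original value to keep the
        # invalidator from blocking the cache — also on early exit or error.
        self._config.update('PROFILE', origprofile)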
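def calculate(self):
    """Probe the image with candidate profiles and yield (name, value) pairs.

    Yields, in order: the suggested profile(s) from the KDBG scan, one entry per
    address-space layer, the PAE type, then — only when the chosen profile gave
    an address space with a ``dtb`` attribute — the DTB, the KDBG offset with
    its processor count, service pack and one KPCR per CPU, KUSER_SHARED_DATA,
    and the image timestamps.

    Side effect: self._config.PROFILE is rewritten while probing. It is restored
    in a ``finally`` block so the original value comes back even when the
    consumer stops iterating early or a probe raises (previously the reset only
    ran if the generator was exhausted).
    """
    print "Determining profile based on KDBG search...\n"
    profilelist = [p.__name__ for p in registry.get_plugin_classes(obj.Profile).values()]

    bestguess = None
    suglist = [s for s, _ in kdbgscan.KDBGScan.calculate(self)]
    if suglist:
        bestguess = suglist[0]
    suggestion = ", ".join(set(suglist))

    # Set our suggested profile first, then run through the list
    if bestguess in profilelist:
        profilelist = [bestguess] + profilelist

    chosen = 'no profile'
    # Save the original profile so it can be restored when the generator finishes
    origprofile = self._config.PROFILE
    # Force user provided profile over others
    profilelist = [origprofile] + profilelist

    try:
        for profile in profilelist:
            debug.debug('Trying profile ' + profile)
            self._config.update('PROFILE', profile)
            addr_space = utils.load_as(self._config, astype = 'any')
            # A dtb attribute means this profile produced a paged address space
            if hasattr(addr_space, "dtb"):
                chosen = profile
                break

        if bestguess != chosen:
            if not suggestion:
                suggestion = 'No suggestion'
            suggestion += ' (Instantiated with ' + chosen + ')'
        yield ('Suggested Profile(s)', suggestion)

        # Walk the address-space stack from the top layer down to its base
        tmpas = addr_space
        count = 0
        while tmpas:
            count += 1
            yield ('AS Layer' + str(count), tmpas.__class__.__name__ + " (" + tmpas.name + ")")
            tmpas = tmpas.base

        if not hasattr(addr_space, "pae"):
            yield ('PAE type', "No PAE")
        else:
            yield ('PAE type', "PAE" if addr_space.pae else "No PAE")

        if hasattr(addr_space, "dtb"):
            yield ('DTB', hex(addr_space.dtb))

        volmagic = obj.VolMagic(addr_space)
        if hasattr(addr_space, "dtb"):
            kdbgoffset = volmagic.KDBG.v()
            if kdbgoffset:
                yield ('KDBG', hex(kdbgoffset))
                # The offset comes from scanning the image; the structure built
                # here is not validated before its fields are read.
                kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = kdbgoffset, vm = addr_space)
                kpcr_list = list(kdbg.kpcrs())
                yield ('Number of Processors', len(kpcr_list))
                yield ('Image Type (Service Pack)', kdbg.ServicePack)
                for kpcr in kpcr_list:
                    yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number), hex(kpcr.obj_offset))

            KUSER_SHARED_DATA = volmagic.KUSER_SHARED_DATA.v()
            if KUSER_SHARED_DATA:
                yield ('KUSER_SHARED_DATA', hex(KUSER_SHARED_DATA))

            data = self.get_image_time(addr_space)
            if data:
                yield ('Image date and time', data['ImageDatetime'])
                yield ('Image local date and time', timefmt.display_datetime(data['ImageDatetime'].as_datetime(), data['ImageTz']))
    finally:
        # Make sure to reset the profile to its original value to keep the
        # invalidator from blocking the cache — also on early exit or error.
        self._config.update('PROFILE', origprofile)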
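def calculate(self):
    """Probe the image with candidate profiles and yield (name, value) pairs.

    Yields, in order: the suggested profile(s) from the KDBG scan, one entry per
    address-space layer, the PAE type, then — only when the chosen profile gave
    an address space with a ``dtb`` attribute — the DTB, the KDBG and KPCR
    offsets, KUSER_SHARED_DATA, the image timestamps, and the processor count /
    image type taken from the task list.

    Two fixes over the previous version: self._config.PROFILE is restored in a
    ``finally`` block, so the original value comes back even when the consumer
    stops iterating early or a probe raises; and the ``TasksNotFound`` handler
    now encloses the iteration over find_task_items() — previously it wrapped
    only the ``yield`` statements, which cannot raise that exception, so the
    error escaped the generator.
    """
    print "Determining profile based on KDBG search...\n"
    profilelist = [p.__name__ for p in registry.PROFILES.classes]

    bestguess = None
    suglist = [s for s, _, _ in kdbg.KDBGScan.calculate(self)]
    if suglist:
        bestguess = suglist[0]
    suggestion = ", ".join(suglist)

    # Set our suggested profile first, then run through the list
    if bestguess in profilelist:
        profilelist = [bestguess] + profilelist

    chosen = 'no profile'
    # Save the original profile so it can be restored when the generator finishes
    origprofile = self._config.PROFILE
    # Force user provided profile over others
    profilelist = [origprofile] + profilelist

    try:
        for profile in profilelist:
            debug.debug('Trying profile ' + profile)
            self._config.update('PROFILE', profile)
            addr_space = utils.load_as(self._config, astype = 'any')
            # A dtb attribute means this profile produced a paged address space
            if hasattr(addr_space, "dtb"):
                chosen = profile
                break

        if bestguess != chosen:
            if not suggestion:
                suggestion = 'No suggestion'
            suggestion += ' (Instantiated with ' + chosen + ')'
        yield ('Suggested Profile(s)', suggestion)

        # Walk the address-space stack from the top layer down to its base
        tmpas = addr_space
        count = 0
        while tmpas:
            count += 1
            yield ('AS Layer' + str(count), tmpas.__class__.__name__ + " (" + tmpas.name + ")")
            tmpas = tmpas.base

        if not hasattr(addr_space, "pae"):
            yield ('PAE type', "No PAE")
        else:
            yield ('PAE type', "PAE" if addr_space.pae else "No PAE")

        if hasattr(addr_space, "dtb"):
            yield ('DTB', hex(addr_space.dtb))

        volmagic = obj.Object('VOLATILITY_MAGIC', 0x0, addr_space)
        if hasattr(addr_space, "dtb"):
            kdbgoffset = volmagic.KDBG.v()
            if kdbgoffset:
                yield ('KDBG', hex(kdbgoffset))

            kpcroffset = volmagic.KPCR.v()
            if kpcroffset:
                yield ('KPCR', hex(kpcroffset))

            KUSER_SHARED_DATA = volmagic.KUSER_SHARED_DATA.v()
            if KUSER_SHARED_DATA:
                yield ('KUSER_SHARED_DATA', hex(KUSER_SHARED_DATA))

            data = self.get_image_time(addr_space)
            if data:
                yield ('Image date and time', data['ImageDatetime'])
                yield ('Image local date and time', timefmt.display_datetime(data['ImageDatetime'].as_datetime(), data['ImageTz']))

            # find_task_items() is defined outside this block; the handler is
            # placed around the whole iteration so a TasksNotFound raised while
            # it runs is caught, and these two entries are simply omitted.
            try:
                for csdversion, numprocessors in self.find_task_items(addr_space):
                    yield ('Number of Processors', numprocessors)
                    yield ('Image Type', csdversion)
            except tasks.TasksNotFound:
                pass
    finally:
        # Make sure to reset the profile to its original value to keep the
        # invalidator from blocking the cache — also on early exit or error.
        self._config.update('PROFILE', origprofile)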