def open(filename):
try:
cached = localcache[filename]
return cached
except:
lex = Container.identify(filename)
resolver = data_store.MemoryDataStore(lex)
with zip.ZipFile.NewZipFile(resolver, filename) as zip_file:
if lex == lexicon.standard:
image = resolver.QueryPredicateObject(
lexicon.AFF4_TYPE, lex.Image).next()
datastreams = list(
resolver.QuerySubjectPredicate(image, lex.dataStream))
for stream in datastreams:
if lex.map in resolver.QuerySubjectPredicate(
stream, lexicon.AFF4_TYPE):
res = resolver.AFF4FactoryOpen(stream)
localcache[filename] = res
res.parent = aff4.Image(resolver, urn=image)
return res
elif lex == lexicon.scudette:
m = resolver.QueryPredicateObject(lexicon.AFF4_TYPE,
lex.map).next()
cat = resolver.QuerySubjectPredicate(m,
lex.category).next()
if cat == lex.memoryPhysical:
res = resolver.AFF4FactoryOpen(m)
localcache[filename] = res
res.parent = aff4.Image(resolver, urn=m)
legacyYamlInfoURI = res.urn.Append("information.yaml")
with resolver.AFF4FactoryOpen(legacyYamlInfoURI) as fd:
txt = fd.read(10000000)
dt = yaml.safe_load(txt)
print txt
try:
CR3 = dt["Registers"]["CR3"]
resolver.Add(
res.parent.urn, lexicon.standard.
memoryPageTableEntryOffset,
rdfvalue.XSDInteger(CR3))
kaslr_slide = dt["kaslr_slide"]
resolver.Add(res.parent.urn,
lexicon.standard.OSXKALSRSlide,
rdfvalue.XSDInteger(kaslr_slide))
except:
pass
return res
def new(urn):
lex = lexicon.standard
resolver = data_store.MemoryDataStore(lex)
with zip.ZipFile.NewZipFile(resolver, urn) as zip_file:
volumeURN = zip_file.urn
imageURN = next(resolver.QueryPredicateObject(lexicon.AFF4_TYPE, lex.Image))
datastreams = list(resolver.QuerySubjectPredicate(imageURN, lex.dataStream))
with resolver.AFF4FactoryOpen(zip_file.backing_store_urn) as backing_store:
for stream in datastreams:
if lex.map in resolver.QuerySubjectPredicate(stream, lexicon.AFF4_TYPE):
dataStream = resolver.AFF4FactoryOpen(stream)
image = aff4.Image(resolver, urn=imageURN)
dataStream.parent = image
return PhysicalImageContainer(backing_store, zip_file, volumeURN, zip_file, resolver, lex, image, dataStream)
def openURNtoContainer(urn, mode=None):
if data_store.HAS_HDT:
resolver = data_store.HDTAssistedDataStore(lexicon.standard)
else:
resolver = data_store.MemoryDataStore(lexicon.standard)
(version, lex) = Container.identifyURN(urn, resolver=resolver)
resolver.lexicon = lex
if mode != None and mode == "+":
resolver.Set(lexicon.transient_graph, urn, lexicon.AFF4_STREAM_WRITE_MODE,
rdfvalue.XSDString("random"))
with zip.ZipFile.NewZipFile(resolver, version, urn) as zip_file:
with resolver.AFF4FactoryOpen(zip_file.backing_store_urn) as backing_store:
volumeURN = zip_file.urn
if lex == lexicon.standard or lex == lexicon.standard11:
images = list(resolver.QueryPredicateObject(volumeURN, lexicon.AFF4_TYPE, lex.Image))
if len(images) > 0:
imageURN = images[0]
datastreams = list(resolver.QuerySubjectPredicate(volumeURN, imageURN, lex.dataStream))
if len(datastreams) > 0:
# it is a disk image or a memory image
for stream in datastreams:
if lex.map in resolver.QuerySubjectPredicate(volumeURN, stream, lexicon.AFF4_TYPE):
dataStream = resolver.AFF4FactoryOpen(stream)
image = aff4.Image(resolver, urn=imageURN)
dataStream.parent = image
return PhysicalImageContainer(backing_store, zip_file, version, volumeURN, resolver, lex, image, dataStream)
else:
# it is a logical image
if version.is11():
# AFF4 logical images are defined at version 1.1
if mode != None and mode == "+":
return WritableHashBasedImageContainer(backing_store, zip_file, version, volumeURN, resolver, lex)
else:
return LogicalImageContainer(backing_store, zip_file, version, volumeURN, resolver, lex)
else:
# scudette's winpmem pre-std implementation is at 1.0
lex = lexicon.pmemlogical
return PreStdLogicalImageContainer(backing_store, zip_file, version, volumeURN, resolver, lex)
else:
# no images
encryptedStreams = list(resolver.QueryPredicateObject(volumeURN, lexicon.AFF4_TYPE, lexicon.standard11.EncryptedStream))
if len(encryptedStreams) == 1:
encryptedBlockStreamARN = encryptedStreams[0]
return EncryptedImageContainer(backing_store, zip_file, version, volumeURN, resolver, lexicon.standard11, encryptedBlockStreamARN, mode)
else:
return LogicalImageContainer(backing_store, zip_file, version, volumeURN, resolver, lex)
elif lex == lexicon.scudette:
m = next(resolver.QueryPredicateObject(volumeURN, lexicon.AFF4_TYPE, lex.map))
cat = next(resolver.QuerySubjectPredicate(volumeURN, m, lex.category))
if cat == lex.memoryPhysical:
dataStream = resolver.AFF4FactoryOpen(m)
image = aff4.Image(resolver, urn=m)
dataStream.parent = image
legacyYamlInfoURI = dataStream.urn.Append("information.yaml")
try:
with resolver.AFF4FactoryOpen(legacyYamlInfoURI) as fd:
txt = fd.read(10000000)
dt = yaml.safe_load(txt)
CR3 = dt["Registers"]["CR3"]
resolver.Add(dataStream.parent.urn, lexicon.standard.memoryPageTableEntryOffset, rdfvalue.XSDInteger(CR3))
kaslr_slide = dt["kaslr_slide"]
resolver.Add(dataStream.parent.urn, lexicon.standard.OSXKALSRSlide, rdfvalue.XSDInteger(kaslr_slide))
except:
pass
return PhysicalImageContainer(backing_store, zip_file, version, volumeURN, resolver, lex, image, dataStream)