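def close(self):
    """Unload the kext if we loaded it or were asked to unload it.

    The driver archive is re-extracted into a throwaway directory so that
    kextunload can be pointed at the same ``.kext`` path that was loaded.
    Unload failures are logged and swallowed: there is nothing useful the
    caller can do about them at shutdown.
    """
    if not (self.unload or self.we_started_driver):
        return

    # Use the archive as a context manager so the handle is closed on exit.
    with tarfile.open(self.driver_path) as tarfile_handle:
        for member_name in tarfile_handle.getnames():
            if not member_name.endswith(".kext"):
                continue

            self.member_name = member_name.lstrip("/")

            # Try to extract the resource into a tempdir.
            # NOTE: extractall() does not sanitize member paths; this relies
            # on driver_path being a trusted, bundled archive - confirm.
            with utils.TempDirectory() as tmp_name:
                tarfile_handle.extractall(tmp_name)
                full_driver_path = os.path.join(tmp_name, self.member_name)
                self.session.logging.info(
                    "Unloading driver from %s", full_driver_path)

                try:
                    subprocess.check_call(["kextunload", full_driver_path])
                except Exception as e:
                    # There isn't much we can do about it here.
                    self.session.logging.debug(
                        "Unable to unload driver: %s", e)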
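def load_driver(self):
    """Unpack and load the driver.

    Extracts the driver archive into a temporary directory, makes every
    extracted path root-owned (kextload refuses bundles that are not) and
    loads each ``.kext`` bundle found in the archive.

    Raises:
      plugin.PluginError: if kextload fails or cannot be executed.
    """
    # Use the archive as a context manager so the handle is closed on exit.
    with tarfile.open(self.plugin_args.driver_path) as tarfile_handle:
        # Try to extract the resource into a tempdir.
        # NOTE: extractall() does not sanitize member paths; this relies on
        # driver_path being a trusted, bundled archive - confirm.
        with utils.TempDirectory() as tmp_name:
            self.session.logging.info("Unpacking driver to %s", tmp_name)
            tarfile_handle.extractall(tmp_name)

            # Change ownership of the extracted files to make sure they are
            # owned by root otherwise they will not load. os.walk yields
            # (dirpath, dirnames, filenames); both kinds are chowned.
            for root, dirs, files in os.walk(tmp_name):
                for name in dirs + files:
                    os.chown(os.path.join(root, name), 0, 0)

            for member_name in tarfile_handle.getnames():
                if not member_name.endswith(".kext"):
                    continue

                self.member_name = member_name.lstrip("/")
                full_driver_path = os.path.join(tmp_name, self.member_name)
                self.session.logging.info(
                    "Loading driver from %s", full_driver_path)

                # check_call() raises on a non-zero exit (and OSError if the
                # binary is missing); it never returns a non-zero status, so
                # the failure has to be caught rather than tested for.
                try:
                    subprocess.check_call(["kextload", full_driver_path])
                except (subprocess.CalledProcessError, OSError) as e:
                    raise plugin.PluginError(
                        "Failed to load driver: %s. Are you root?" % e)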
def _fetch_and_parse(self, module_name, guid):
    """Fetch the profile from the symbol server.

    Downloads the PDB for ``module_name``/``guid`` through the fetch_pdb
    plugin into a temporary directory and hands it to the parse_pdb plugin.

    Raises:
      IOError if the profile is not found on the symbol server or can not
      be retrieved.

    Returns:
      the profile data.
    """
    pdb_filename = "%s.pdb" % module_name

    with utils.TempDirectory() as dump_dir:
        fetcher = self.session.plugins.fetch_pdb(
            pdb_filename=pdb_filename, guid=guid, dump_dir=dump_dir)

        # Store the PDB file somewhere.
        pdb_pathname = os.path.join(dump_dir, pdb_filename)
        with open(pdb_pathname, "wb") as outfd:
            outfd.write(fetcher.FetchPDBFile())

        parser = self.session.plugins.parse_pdb(
            pdb_filename=pdb_pathname, dump_dir=dump_dir)
        return parser.parse_pdb()
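def render(self, renderer):
    """Start the Manuskript web console and serve it until interrupted.

    If ``pre_load`` names a directory it is opened in place as a
    WebConsoleDocument. Otherwise a zip-backed worksheet is created in a
    temporary working directory, seeded from ``pre_load`` when one is given.

    Args:
      renderer: the output renderer the status lines are written to.
    """
    renderer.format("Starting Manuskript web console.\n")
    renderer.format("Press Ctrl-c to return to the interactive shell.\n")

    # pre_load may be unset (it is tested for truthiness below);
    # os.path.isdir(None) raises TypeError instead of returning False.
    if self.pre_load and os.path.isdir(self.pre_load):
        self.worksheet_fd = WebConsoleDocument(
            self.pre_load, session=self.session)
        return self._serve_wsgi()

    with utils.TempDirectory() as temp_dir:
        logging.info("Using working directory %s", temp_dir)

        if self.pre_load:
            # We need to copy the pre load file into the working file.
            dst = os.path.join(temp_dir, os.path.basename(self.pre_load))
            shutil.copy(self.pre_load, dst)
            logging.info("Initialized from %s", self.pre_load)
        else:
            dst = os.path.join(temp_dir, "rekall.zip")

        self.worksheet_fd = io_manager.ZipFileManager(dst, mode="a")
        self._serve_wsgi()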
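def FetchPDBFile(self, pdb_filename, guid):
    """Download and decompress a PDB from the configured symbol servers.

    Each URL in ``SYM_URLS`` is tried in turn; a server that cannot serve
    the file (HTTP error, connection failure) is skipped and the next one is
    tried. The compressed ``.pd_`` cabinet is expanded with system tools in
    a throwaway directory and only the expected ``.pdb`` is read back.

    Args:
      pdb_filename: PDB name, with or without the ``.pdb`` extension.
      guid: the PDB signature/age string used in the symbol-server path.

    Returns:
      The PDB contents as bytes (capped at 50 MiB).

    Raises:
      urllib2.URLError (an IOError): if every symbol server fails.
      RuntimeError: if the download cannot be decompressed.
    """
    # Ensure the pdb filename has the correct extension.
    if not pdb_filename.endswith(".pdb"):
        pdb_filename += ".pdb"

    # PDB names are Windows paths, so split them with ntpath on any host.
    basename = ntpath.splitext(pdb_filename)[0]
    last_error = None

    for base_url in self.SYM_URLS:
        url = base_url + "/%s/%s/%s.pd_" % (pdb_filename, guid, basename)
        self.session.report_progress("Trying to fetch %s\n", url)

        request = urllib2.Request(url, None,
                                  headers={'User-Agent': self.USER_AGENT})
        try:
            url_handler = urllib2.urlopen(request)
        except urllib2.URLError as e:
            # HTTPError is a URLError; remember it and fall through to the
            # next server instead of giving up on the first miss.
            last_error = e
            self.session.report_progress("Failed to fetch %s: %s\n", url, e)
            continue

        try:
            with utils.TempDirectory() as temp_dir:
                compressed_output_file = os.path.join(
                    temp_dir, "%s.pd_" % basename)
                output_file = os.path.join(temp_dir, "%s.pdb" % basename)

                # Download the compressed file to a temp file.
                with open(compressed_output_file, "wb") as outfd:
                    while True:
                        data = url_handler.read(8192)
                        if not data:
                            break
                        outfd.write(data)
                        self.session.report_progress(
                            "%s: Downloaded %s bytes", basename, outfd.tell())

                # Now try to decompress it with system tools. This might fail.
                # The archive is untrusted network content; it is only ever
                # expanded inside temp_dir, which is discarded afterwards.
                try:
                    if platform.system() == "Windows":
                        # This should already be installed on windows systems.
                        subprocess.check_call(
                            ["expand", compressed_output_file, output_file],
                            cwd=temp_dir)
                    else:
                        # In Linux we just hope the cabextract program was
                        # installed.
                        subprocess.check_call(
                            ["cabextract", compressed_output_file],
                            cwd=temp_dir, stdout=sys.stderr)
                except (subprocess.CalledProcessError, OSError):
                    raise RuntimeError(
                        "Failed to decompress output file %s. "
                        "Ensure cabextract is installed.\n" % output_file)

                # We read the entire file into memory here - it should not be
                # larger than approximately 10mb, so the read is capped at
                # 50mb as a safety margin.
                with open(output_file, "rb") as fd:
                    return fd.read(50 * 1024 * 1024)
        finally:
            # Release the connection whether we returned, raised or failed
            # part-way through the download.
            url_handler.close()

    # Every server failed (or none was configured); surface an IOError so
    # callers that catch IOError keep working.
    if last_error is None:
        raise IOError("No symbol server URL configured to fetch %s" %
                      pdb_filename)
    raise last_error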
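def live(self):
    """Attach to physical memory, loading the MacPmem driver if needed.

    First tries to open the pmem device directly. If that fails, the driver
    archive is unpacked, made root-owned, loaded with kextload and the
    device is opened again. On success the session's physical address space
    is set and the ``live`` parameter is enabled.

    Raises:
      plugin.PluginError: if the driver cannot be loaded, the archive holds
        no ``.kext``, or the device still cannot be opened afterwards.
    """
    try:
        base_as = pmem.MacPmemAddressSpace(session=self.session,
                                           filename=self.device)
    except IOError as e:
        self.session.logging.debug("%s", e)
        open_error = e
        base_as = None

        # Use the archive as a context manager so the handle is closed.
        with tarfile.open(self.driver_path) as tarfile_handle:
            # Try to extract the resource into a tempdir.
            # NOTE: extractall() does not sanitize member paths; this relies
            # on driver_path being a trusted, bundled archive - confirm.
            with utils.TempDirectory() as tmp_name:
                self.session.logging.info("Unpacking driver to %s", tmp_name)
                tarfile_handle.extractall(tmp_name)

                # Change ownership of the extracted files to make sure they
                # are owned by root otherwise they will not load. os.walk
                # yields (dirpath, dirnames, filenames); both are chowned.
                for root, dirs, files in os.walk(tmp_name):
                    for name in dirs + files:
                        os.chown(os.path.join(root, name), 0, 0)

                for member_name in tarfile_handle.getnames():
                    if not member_name.endswith(".kext"):
                        continue

                    self.member_name = member_name.lstrip("/")
                    full_driver_path = os.path.join(tmp_name, self.member_name)
                    self.session.logging.info(
                        "Loading driver from %s", full_driver_path)

                    # check_call() raises on a non-zero exit (and OSError if
                    # kextload is missing); it never returns non-zero, so the
                    # failure has to be caught rather than tested for.
                    try:
                        subprocess.check_call(["kextload", full_driver_path])
                    except (subprocess.CalledProcessError, OSError) as load_err:
                        raise plugin.PluginError(
                            "Failed to load driver: %s. Are you root?" %
                            load_err)

                    try:
                        base_as = pmem.MacPmemAddressSpace(
                            session=self.session, filename=self.device)
                        self.we_started_driver = True
                        break
                    except IOError as retry_err:
                        self.session.logging.debug("%s", retry_err)
                        raise plugin.PluginError(
                            "%s. Are you root?" % retry_err)

        if base_as is None:
            # The archive held no .kext member, so nothing was loaded.
            raise plugin.PluginError(
                "%s. No .kext found in %s" % (open_error, self.driver_path))

    self.session.physical_address_space = base_as
    with self.session:
        self.session.SetParameter("live", True)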
def ParsePDB(self, guid, original_pdb_filename):
    """Parse the PDB stored under ``guid`` in the repository into a profile.

    The raw PDB is read from ``src/pdb/<guid>.pdb``, written to a temporary
    file for the parse_pdb plugin, passed through ``TransformProfile`` and
    stored back under ``<profile_name>/<guid>``.
    """
    repository = self.args.repository
    raw_pdb = repository.GetData("src/pdb/%s.pdb" % guid, raw=True)

    # An explicitly configured profile class wins over the derived name.
    profile_class = self.args.profile_class
    if not profile_class:
        profile_class = original_pdb_filename.capitalize()

    with utils.TempDirectory() as temp_dir:
        pdb_path = os.path.join(temp_dir, guid + ".pdb")
        with open(pdb_path, "wb") as fd:
            fd.write(raw_pdb)

        parser = self.session.plugins.parse_pdb(
            pdb_filename=pdb_path, profile_class=profile_class)
        profile_data = self.TransformProfile(json.loads(str(parser)))

        repository.StoreData(
            "%s/%s" % (self.args.profile_name, guid), profile_data)
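def close(self):
    """Unload the kext if we loaded it or were asked to unload it.

    The driver archive is re-extracted into a throwaway directory so that
    kextunload can be pointed at the same ``.kext`` path that was loaded.

    Raises:
      plugin.PluginError: if kextunload fails or cannot be executed.
    """
    if not (self.unload or self.we_started_driver):
        return

    # Use the archive as a context manager so the handle is closed on exit.
    with tarfile.open(self.driver_path) as tarfile_handle:
        for member_name in tarfile_handle.getnames():
            if not member_name.endswith(".kext"):
                continue

            self.member_name = member_name.lstrip("/")

            # Try to extract the resource into a tempdir.
            # NOTE: extractall() does not sanitize member paths; this relies
            # on driver_path being a trusted, bundled archive - confirm.
            with utils.TempDirectory() as tmp_name:
                tarfile_handle.extractall(tmp_name)
                full_driver_path = os.path.join(tmp_name, self.member_name)
                self.session.logging.info(
                    "Unloading driver from %s", full_driver_path)

                # check_call() raises on a non-zero exit (and OSError if the
                # binary is missing); it never returns non-zero, so the error
                # has to be caught to be reported.
                try:
                    subprocess.check_call(["kextunload", full_driver_path])
                except (subprocess.CalledProcessError, OSError) as e:
                    raise plugin.PluginError(
                        "Unable to unload driver: %s" % e)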
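def live(self):
    """Attach to physical memory, loading the MacPmem driver if needed.

    First tries to open the pmem device directly. If that fails, the driver
    archive is unpacked, loaded with kextload and the device is opened
    again. On success the session's physical address space is set.

    Raises:
      plugin.PluginError: if the driver cannot be loaded, the archive holds
        no ``.kext``, or the device still cannot be opened afterwards.
    """
    try:
        base_as = pmem.MacPmemAddressSpace(session=self.session,
                                           filename=self.device)
    except IOError as e:
        self.session.logging.debug("%s", e)
        open_error = e
        base_as = None

        # Use the archive as a context manager so the handle is closed.
        with tarfile.open(self.driver_path) as tarfile_handle:
            # Try to extract the resource into a tempdir.
            # NOTE: extractall() does not sanitize member paths; this relies
            # on driver_path being a trusted, bundled archive - confirm.
            with utils.TempDirectory() as tmp_name:
                self.session.logging.info("Unpacking driver to %s", tmp_name)
                tarfile_handle.extractall(tmp_name)

                for member_name in tarfile_handle.getnames():
                    if not member_name.endswith(".kext"):
                        continue

                    self.member_name = member_name.lstrip("/")
                    full_driver_path = os.path.join(tmp_name, self.member_name)
                    self.session.logging.info(
                        "Loading driver from %s", full_driver_path)

                    # check_call() raises on a non-zero exit (and OSError if
                    # kextload is missing); it never returns non-zero, so the
                    # failure has to be caught rather than tested for.
                    try:
                        subprocess.check_call(["kextload", full_driver_path])
                    except (subprocess.CalledProcessError, OSError) as load_err:
                        raise plugin.PluginError(
                            "Failed to load driver: %s. Are you root?" %
                            load_err)

                    try:
                        base_as = pmem.MacPmemAddressSpace(
                            session=self.session, filename=self.device)
                        self.we_started_driver = True
                        break
                    except IOError as retry_err:
                        self.session.logging.debug("%s", retry_err)
                        raise plugin.PluginError(
                            "%s. Are you root?" % retry_err)

        if base_as is None:
            # The archive held no .kext member, so nothing was loaded.
            raise plugin.PluginError(
                "%s. No .kext found in %s" % (open_error, self.driver_path))

    self.session.physical_address_space = base_as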