def from_stat(cls, filespec, session=None): filespec = FileSpec(filespec) result = FileInformation(filename=filespec, session=session) try: s = os.stat(filespec.os_path()) except (IOError, OSError) as e: return obj.NoneObject("Unable to stat %s", e) result.st_mode = Permissions(s.st_mode) result.st_ino = s.st_ino result.st_size = s.st_size result.st_dev = s.st_dev result.st_nlink = s.st_nlink result.st_uid = User.from_uid(s.st_uid) result.st_gid = Group.from_gid(s.st_gid) result.st_mtime = basic.UnixTimeStamp(name="st_mtime", value=s.st_mtime, session=session) result.st_atime = basic.UnixTimeStamp(name="st_atime", value=s.st_atime, session=session) result.st_ctime = basic.UnixTimeStamp(name="st_ctime", value=s.st_ctime, session=session) return result
def from_stat(cls, filename, session=None): filename = FileSpec(filename) if filename.filesystem != "API": raise RuntimeError("Unsupported file spec type %s" % filename.filesystem) result = cls(filename=filename, session=session) try: s = os.stat(result.filename.name) except (IOError, OSError) as e: return obj.NoneObject("Unable to stat %s", e) result.st_mode = Permissions(s.st_mode) result.st_ino = s.st_ino result.st_size = s.st_size result.st_dev = s.st_dev result.st_nlink = s.st_nlink result.st_uid = User.from_uid(s.st_uid) result.st_gid = Group.from_gid(s.st_gid) result.st_mtime = basic.UnixTimeStamp( name="st_mtime", value=s.st_mtime, session=session) result.st_atime = basic.UnixTimeStamp( name="st_atime", value=s.st_atime, session=session) result.st_ctime = basic.UnixTimeStamp( name="st_ctime", value=s.st_ctime, session=session) return result
def collect(self): dir_path = self.plugin_args.dir_path partition = self.session.GetParameter("partition_context") try: for entry in partition.filesystem.get_fs_entry_by_path(dir_path): yield dict( name=entry.name, inode=entry.tsk_file.info.meta.addr, type=entry.type, size=entry.size, ctime=basic.UnixTimeStamp( session=self.session, name="ctime", value=entry.tsk_file.info.meta.ctime), mtime=basic.UnixTimeStamp( session=self.session, name="mtime", value=entry.tsk_file.info.meta.mtime), atime=basic.UnixTimeStamp( session=self.session, name="atime", value=entry.tsk_file.info.meta.atime), ) except IOError as e: raise plugin.PluginError(e)
def list(self): if self.st_mode == stat.S_IFREG: return # We represent the virtual root of all hives. if self._hive_handle is None: for name in dir(_winreg): if name.startswith("HKEY_"): yield RegistryKeyInformation(filename=name, session=self.session) return try: with OpenKey(self._hive_handle, self.key_name) as key: (number_of_keys, number_of_values, last_modified) = QueryInfoKey(key) st_mtime = basic.UnixTimeStamp( name="st_mtime", value=(old_div(last_modified, 10000000) - WIN_UNIX_DIFF_MSECS), session=self.session) # First keys - These will look like directories. for i in range(number_of_keys): name = EnumKey(key, i) key_name = "\\".join((self.hive, self.key_name, name)) try: subkey = RegistryKeyInformation(filename=key_name, session=self.session) subkey.st_mtime = st_mtime yield subkey except WindowsError: pass # Now Values - These will look like files. for i in range(number_of_values): name, _, _ = EnumValue(key, i) key_name = "\\".join((self.hive, self.key_name, name)) try: subkey = RegistryKeyInformation(filename=key_name, session=self.session) subkey.st_mtime = st_mtime yield subkey except WindowsError: pass except WindowsError as e: raise IOError("Unable to list key %s: %s" % (self.key_name, e))
def __init__(self, proc, session=None): """Construct a representation of the live process. Args: proc: The psutil.Process instance. """ # Hold on to the original psutil object. self._proc = proc self.session = session super(_LiveProcess, self).__init__() self.start_time = basic.UnixTimeStamp( name="create_time", value=self.create_time, session=self.session)
def collect(self): kuser_shared = self.session.address_resolver.get_constant_object( "nt!KI_USER_SHARED_DATA", "_KUSER_SHARED_DATA") seconds_since_boot = self.session.plugins.imageinfo().GetBootTime( kuser_shared) kernel_time = kuser_shared.SystemTime boot_timestamp = basic.UnixTimeStamp( value=kernel_time - seconds_since_boot, session=self.session) yield [utils.AttributeDict(now=kernel_time, boot=boot_timestamp, uptime=seconds_since_boot)]
def _get_scopes(self): """Builds the scopes for this query.""" scopes = helpers.EFILTER_SCOPES.copy() scopes["timestamp"] = api.user_func( lambda x, **_: basic.UnixTimeStamp(value=x, session=self.session), arg_types=[float, int, long]) # This function is used to indicate that the string represents # a filename. This will cause the agent to upload it if the # user requested uploading files. # > select file(path.filename.name).filename.name from glob("/*") scopes["file"] = api.user_func( lambda x: common.FileInformation(session=self.session, filename=x), arg_types=[unicode, str]) return scopes
def collect(self): collection = interrogate.ClientStatisticsCollection.load_from_location( self._config.server.client_db_for_server(), session=self.session) conditions = {} if self.plugin_args.client_id: conditions["client_id"] = self.plugin_args.client_id if self.plugin_args.hostname: conditions["fqdn like ?"] = ("%" + self.plugin_args.hostname + "%") for row in collection.query(limit=self.plugin_args.limit, **conditions): yield dict( client_id=row["client_id"], hostname=row["fqdn"], os="%s %s" % (row["system"], row["architecture"]), last_time=basic.UnixTimeStamp(session=self.session, value=row["agent_start_time"]))
def _get_scope(self): """Builds the scope for this query. We add some useful functions to be available to the query: timestamp(): Wrap an int or float in a UnixTimeStamp so it gets rendered properly. substr(): Allows a string to be substringed. file(): Marks a string as a file name. The Rekall Agent will then potentially upload this file. """ scope = helpers.EFILTER_SCOPES.copy() scope["timestamp"] = api.user_func( lambda x, **_: basic.UnixTimeStamp(value=x, session=self.session), arg_types=[float, int, long]) # This function is used to indicate that the string represents # a filename. This will cause the agent to upload it if the # user requested uploading files. # > select file(path.filename.name).filename.name from glob("/*") scope["file"] = api.scalar_function( lambda x: common.FileInformation(session=self.session, filename=x), arg_types=(string.IString,)) scope["substr"] = api.scalar_function( lambda x, start, end: utils.SmartUnicode(x)[int(start):int(end)], arg_types=(string.IString, number.INumber, number.INumber)) scope["hex"] = api.scalar_function( lambda x: hex(int(x)), arg_types=(number.INumber,)) scope["deref"] = api.scalar_function( lambda x: x.deref(), arg_types=(obj.Pointer,)) return scope