def close(self):
if self.unload or self.we_started_driver:
tarfile_handle = tarfile.open(self.driver_path)
for member_name in tarfile_handle.getnames():
if not member_name.endswith(".kext"):
continue
self.member_name = member_name.lstrip("/")
# Try to extract the resource into a tempdir.
with utils.TempDirectory() as tmp_name:
tarfile_handle.extractall(tmp_name)
full_driver_path = os.path.join(tmp_name, self.member_name)
self.session.logging.info("Unloading driver from %s",
full_driver_path)
try:
subprocess.check_call([
"kextunload",
os.path.join(tmp_name, self.member_name)
])
except Exception as e:
# There isnt much we can do about it here.
self.session.logging.debug(
"Unable to unload driver: %s" % e)
def load_driver(self):
"""Unpack and load the driver."""
tarfile_handle = tarfile.open(self.plugin_args.driver_path)
# Try to extract the resource into a tempdir.
with utils.TempDirectory() as tmp_name:
self.session.logging.info("Unpacking driver to %s", tmp_name)
tarfile_handle.extractall(tmp_name)
# Change ownership of the extracted files to make sure they are
# owned by root otherwise they will not load.
for root, files, dirs in os.walk(tmp_name):
for f in files:
os.chown(os.path.join(root, f), 0, 0)
for d in dirs:
os.chown(os.path.join(root, d), 0, 0)
for member_name in tarfile_handle.getnames():
if member_name.endswith(".kext"):
self.member_name = member_name.lstrip("/")
full_driver_path = os.path.join(tmp_name, self.member_name)
self.session.logging.info("Loading driver from %s",
full_driver_path)
res = subprocess.check_call(["kextload", full_driver_path])
if res != 0:
raise plugin.PluginError(
"Failed to load driver. Are you root?")
def _fetch_and_parse(self, module_name, guid):
"""Fetch the profile from the symbol server.
Raises:
IOError if the profile is not found on the symbol server or can not be
retrieved.
Returns:
the profile data.
"""
with utils.TempDirectory() as dump_dir:
pdb_filename = "%s.pdb" % module_name
fetch_pdb_plugin = self.session.plugins.fetch_pdb(
pdb_filename=pdb_filename,
guid=guid, dump_dir=dump_dir)
# Store the PDB file somewhere.
pdb_pathname = os.path.join(dump_dir, pdb_filename)
with open(pdb_pathname, "wb") as outfd:
outfd.write(fetch_pdb_plugin.FetchPDBFile())
parse_pdb = self.session.plugins.parse_pdb(
pdb_filename=pdb_pathname,
dump_dir=dump_dir)
return parse_pdb.parse_pdb()
def render(self, renderer):
renderer.format("Starting Manuskript web console.\n")
renderer.format("Press Ctrl-c to return to the interactive shell.\n")
if os.path.isdir(self.pre_load):
self.worksheet_fd = WebConsoleDocument(
self.pre_load, session=self.session)
return self._serve_wsgi()
with utils.TempDirectory() as temp_dir:
logging.info("Using working directory %s", temp_dir)
# We need to copy the pre load file into the working file.
if self.pre_load:
dst = os.path.join(temp_dir, os.path.basename(self.pre_load))
shutil.copy(self.pre_load, dst)
logging.info("Initialized from %s", self.pre_load)
self.worksheet_fd = io_manager.ZipFileManager(
dst, mode="a")
else:
self.worksheet_fd = io_manager.ZipFileManager(
os.path.join(temp_dir, "rekall.zip"), mode="a")
self._serve_wsgi()
def FetchPDBFile(self, pdb_filename, guid):
# Ensure the pdb filename has the correct extension.
if not pdb_filename.endswith(".pdb"):
pdb_filename += ".pdb"
for url in self.SYM_URLS:
basename = ntpath.splitext(pdb_filename)[0]
url += "/%s/%s/%s.pd_" % (pdb_filename, guid, basename)
self.session.report_progress("Trying to fetch %s\n", url)
request = urllib2.Request(url,
None,
headers={'User-Agent': self.USER_AGENT})
url_handler = urllib2.urlopen(request)
with utils.TempDirectory() as temp_dir:
compressed_output_file = os.path.join(temp_dir,
"%s.pd_" % basename)
output_file = os.path.join(temp_dir, "%s.pdb" % basename)
# Download the compressed file to a temp file.
with open(compressed_output_file, "wb") as outfd:
while True:
data = url_handler.read(8192)
if not data:
break
outfd.write(data)
self.session.report_progress("%s: Downloaded %s bytes",
basename, outfd.tell())
# Now try to decompress it with system tools. This might fail.
try:
if platform.system() == "Windows":
# This should already be installed on windows systems.
subprocess.check_call(
["expand", compressed_output_file, output_file],
cwd=temp_dir)
else:
# In Linux we just hope the cabextract program was
# installed.
subprocess.check_call(
["cabextract", compressed_output_file],
cwd=temp_dir,
stdout=sys.stderr)
except (subprocess.CalledProcessError, OSError):
raise RuntimeError("Failed to decompress output file %s. "
"Ensure cabextract is installed.\n" %
output_file)
# We read the entire file into memory here - it should not be
# larger than approximately 10mb.
with open(output_file, "rb") as fd:
return fd.read(50 * 1024 * 1024)
def live(self):
try:
base_as = pmem.MacPmemAddressSpace(session=self.session,
filename=self.device)
except IOError as e:
self.session.logging.debug("%s", e)
tarfile_handle = tarfile.open(self.driver_path)
# Try to extract the resource into a tempdir.
with utils.TempDirectory() as tmp_name:
self.session.logging.info("Unpacking driver to %s", tmp_name)
tarfile_handle.extractall(tmp_name)
# Change ownership of the extracted files to make sure they are
# owned by root otherwise they will not load.
for root, files, dirs in os.walk(tmp_name):
for f in files:
os.chown(os.path.join(root, f), 0, 0)
for d in dirs:
os.chown(os.path.join(root, d), 0, 0)
for member_name in tarfile_handle.getnames():
if member_name.endswith(".kext"):
self.member_name = member_name.lstrip("/")
full_driver_path = os.path.join(
tmp_name, self.member_name)
self.session.logging.info("Loading driver from %s",
full_driver_path)
res = subprocess.check_call(
["kextload", full_driver_path])
if res != 0:
raise plugin.PluginError("%s. Are you root?" % e)
try:
base_as = pmem.MacPmemAddressSpace(
session=self.session, filename=self.device)
self.we_started_driver = True
break
except IOError as e:
self.session.logging.debug("%s", e)
raise plugin.PluginError("%s. Are you root?" % e)
self.session.physical_address_space = base_as
with self.session:
self.session.SetParameter("live", True)
def ParsePDB(self, guid, original_pdb_filename):
repository = self.args.repository
data = repository.GetData("src/pdb/%s.pdb" % guid, raw=True)
profile_class = (self.args.profile_class
or original_pdb_filename.capitalize())
with utils.TempDirectory() as temp_dir:
pdb_filename = os.path.join(temp_dir, guid + ".pdb")
with open(pdb_filename, "wb") as fd:
fd.write(data)
parse_pdb = self.session.plugins.parse_pdb(
pdb_filename=pdb_filename, profile_class=profile_class)
profile_data = json.loads(str(parse_pdb))
profile_data = self.TransformProfile(profile_data)
repository.StoreData("%s/%s" % (self.args.profile_name, guid),
profile_data)
def close(self):
if self.unload or self.we_started_driver:
tarfile_handle = tarfile.open(self.driver_path)
for member_name in tarfile_handle.getnames():
if not member_name.endswith(".kext"):
continue
self.member_name = member_name.lstrip("/")
# Try to extract the resource into a tempdir.
with utils.TempDirectory() as tmp_name:
tarfile_handle.extractall(tmp_name)
full_driver_path = os.path.join(tmp_name,
self.member_name)
self.session.logging.info(
"Unloading driver from %s", full_driver_path)
res = subprocess.check_call(
["kextunload", os.path.join(tmp_name, self.member_name)])
if res != 0:
raise plugin.PluginError("Unable to unload driver: %s" % e)
def live(self):
try:
base_as = pmem.MacPmemAddressSpace(session=self.session,
filename=self.device)
except IOError as e:
self.session.logging.debug("%s", e)
tarfile_handle = tarfile.open(self.driver_path)
# Try to extract the resource into a tempdir.
with utils.TempDirectory() as tmp_name:
self.session.logging.info("Unpacking driver to %s", tmp_name)
tarfile_handle.extractall(tmp_name)
for member_name in tarfile_handle.getnames():
if member_name.endswith(".kext"):
self.member_name = member_name.lstrip("/")
full_driver_path = os.path.join(tmp_name,
self.member_name)
self.session.logging.info(
"Loading driver from %s", full_driver_path)
res = subprocess.check_call(
["kextload", full_driver_path])
if res != 0:
raise plugin.PluginError("%s. Are you root?" % e)
try:
base_as = pmem.MacPmemAddressSpace(session=self.session,
filename=self.device)
self.we_started_driver = True
break
except IOError as e:
self.session.logging.debug("%s", e)
raise plugin.PluginError("%s. Are you root?" % e)
self.session.physical_address_space = base_as
