def __init__(self, filename=None, **kwargs): super(AFF4AddressSpace, self).__init__(**kwargs) self.as_assert(self.base == None, "Must stack on another address space") path = filename or self.session.GetParameter("filename") self.as_assert(path != None, "Filename must be specified") self.image = None self.phys_base = self self.resolver = data_store.MemoryDataStore() try: volume_path, stream_path = self._LocateAFF4Volume(path) except IOError: raise addrspace.ASAssertionError("Unable to open AFF4 volume") # filename is a volume, and there is no stream specified, just autoload # the stream if possible. if not stream_path: try: self._AutoLoadAFF4Volume(volume_path) return except IOError: raise addrspace.ASAssertionError("Unable to open AFF4 volume") # If the user asked for a specific stream just load that one. Note that # you can still load the pagefile manually using the --pagefile # parameter. with zip.ZipFile.NewZipFile(self.resolver, volume_path) as volume: self._LoadMemoryImage(volume.urn.Append(stream_path))
def __init__(self, filename=None, **kwargs): super(AFF4AddressSpace, self).__init__(**kwargs) self.as_assert(self.base == None, "Must stack on another address space") path = filename or self.session.GetParameter("filename") self.as_assert(path != None, "Filename must be specified") self.image = None self.resolver = data_store.MemoryDataStore() # If we have a cache directory, configure AFF4 to use it. try: cache_dir = cache.GetCacheDir(self.session) if cache_dir: self.resolver.Set(lexicon.AFF4_CONFIG_CACHE_DIR, lexicon.AFF4_FILE_NAME, rdfvalue.XSDString( os.path.join(cache_dir, "aff4_cache"))) except IOError: pass # A map between the filename and the offset it is mapped into the # address space. self.mapped_files = {} try: volume_path, stream_path = self._LocateAFF4Volume(path) except IOError as e: self.session.logging.debug("Unable to open AFF4 image %s", e) raise addrspace.ASAssertionError("Unable to open AFF4 volume") # filename is a volume, and there is no stream specified, just autoload # the stream if possible. if not stream_path: try: self._AutoLoadAFF4Volume(volume_path) return except IOError as e: raise addrspace.ASAssertionError( "Unable to open AFF4 volume: %s" % e) # If the user asked for a specific stream just load that one. Note that # you can still load the pagefile manually using the --pagefile # parameter. try: image_urn = volume_path.Append(stream_path) self._LoadMemoryImage(image_urn) except IOError as e: raise addrspace.ASAssertionError( "Unable to open AFF4 stream %s: %s" % ( stream_path, e))
def __init__(self, base=None, filename=None, session=None, **kwargs): self.as_assert(base == None, 'Must be first Address Space') self.session = session path = filename or (session and session.GetParameter("filename")) self.as_assert( path, "Filename must be specified in session (e.g. " "session.SetParameter('filename', 'MyFile.raw').") self.name = os.path.basename(path) self.fname = os.path.abspath(path) self.mode = 'rb' if path.startswith(r"\\\\.\\"): raise RuntimeError( "Unable to open a device without the win32file package " "installed.") try: fhandle = open(self.fname, self.mode) except (IOError, OSError) as e: raise addrspace.ASAssertionError("%s" % e) self._closer = weakref.ref(self, lambda x: fhandle.close()) super(FileAddressSpace, self).__init__(fhandle=fhandle, session=session, **kwargs)
def __init__(self, ept=None, **kwargs): # A dummy DTB is passed to the base class so the DTB checks on # IA32PagedMemory don't bail out. We require the DTB to never be used # for page translation outside of get_pml4e. try: super(VTxPagedMemory, self).__init__(dtb=0xFFFFFFFF, **kwargs) except TypeError: raise addrspace.ASAssertionError() # Reset the DTB, in case a plugin or AS relies on us providing one. self.dtb = None ept_list = ept or self.session.GetParameter("ept") if not isinstance(ept_list, (list, tuple)): ept_list = [ept_list] self.as_assert(ept_list, "No EPT specified") this_ept = None if isinstance(self.base, VTxPagedMemory): # Find our EPT, which will be the next one after the base one. base_idx = ept_list.index(self.base._ept) try: this_ept = ept_list[base_idx + 1] except IndexError: pass else: this_ept = ept_list[0] self.as_assert(this_ept != None, "No more EPTs specified") self._ept = this_ept self.name = "VTxPagedMemory@%#x" % self._ept
def __init__(self, base=None, filename=None, session=None, **kwargs): self.as_assert(base == None, 'Must be first Address Space') path = filename or session.GetParameter("filename") self.as_assert(path.startswith("\\\\"), "Filename does not look like a device.") super(WinPmemAddressSpace, self).__init__(filename=filename, session=session, **kwargs) try: # First open for write in case the driver is in write mode. fhandle = self._OpenFileForWrite(path) except IOError: fhandle = self._OpenFileForRead(path) self.fhandle_as = Win32FileWrapper(fhandle) try: self.ParseMemoryRuns(fhandle) except Exception: raise addrspace.ASAssertionError( "This is not a WinPmem based driver.") # Key: lower cased filename, value: offset where it is mapped. self.mapped_files = {} self.filesystems = {}
def __init__(self, base=None, filename=None, **kwargs): super(MacPmemAddressSpace, self).__init__(**kwargs) self.as_assert(base == None, "Must be mapped directly over a raw device.") self.fname = filename or (self.session and self.session.GetParameter("filename")) self.as_assert(self.fname, "Filename must be specified.") # Open as read-only even if writes are supported and allowed, because # permissions may be set up such that opening for writing would be # disallowed. try: self.fd = open(self.fname, "r") except (OSError, IOError): raise addrspace.ASAssertionError( "Filename does not exist or can not be opened.") self.fname_info = "%s_info" % self.fname self.as_assert( path.exists(self.fname_info), "MacPmem would declare a YML device at %s" % self.fname_info) self._load_yml(self.fname_info)
def __init__(self, filename=None, **kwargs): super(MmapFileAddressSpace, self).__init__(**kwargs) self.as_assert(self.base is self, 'Must be first Address Space') path = self.session.GetParameter("filename") or filename self.as_assert(path and os.path.exists(path), 'Filename must be specified and exist') self.fname = self.name = os.path.abspath(path) self.mode = 'rb' if self.session.GetParameter("writable_physical_memory"): self.mode += '+' self.fhandle = open(self.fname, self.mode) self.fhandle.seek(0, 2) self.fsize = self.fhandle.tell() self.offset = 0 # On 64 bit architectures we can just map the entire image into our # process. Its probably not worth the effort to make it work on 32 bit # systems, which should just fall back to the slightly slower # FileAddressSpace. try: self.map = mmap.mmap(self.fhandle.fileno(), self.fsize, access=mmap.ACCESS_READ) except Exception as e: raise addrspace.ASAssertionError("Unable to mmap: %s" % e)
def __init__(self, base=None, filename=None, **kwargs): self.as_assert(base == None, "Must be mapped directly over a raw device.") super(PmemAddressSpace, self).__init__(**kwargs) self.phys_base = self path = filename or (self.session and self.session.GetParameter("filename")) self.as_assert(path, "Filename must be specified.") self.fname = path # See if the device is writable. self.write_enabled = False try: self.fd = open(path, "rw") self.write_enabled = True except IOError: self.fd = open(path, "r") # Reading from some offsets in the device can crash the system. # Let's make sure we don't do that. try: for offset, pages, efi_type in pmem_parse_mmap(self.fd): if efi_type_readable(efi_type): self.runs.insert((offset, offset, pages * 0x1000)) except IOError: # Apparently we're not dealing with Pmem. raise addrspace.ASAssertionError( "File at %s is not a pmem device." % path)
def __init__(self, filename=None, **kwargs): super(AFF4AddressSpace, self).__init__(**kwargs) self.as_assert(self.base == None, "Must stack on another address space") path = filename or self.session.GetParameter("filename") self.as_assert(path != None, "Filename must be specified") self.image = None self.resolver = data_store.MemoryDataStore() # A map between the filename and the offset it is mapped into the # address space. self.mapped_files = {} try: volume_path, stream_path = self._LocateAFF4Volume(path) except IOError: raise addrspace.ASAssertionError("Unable to open AFF4 volume") # filename is a volume, and there is no stream specified, just autoload # the stream if possible. if not stream_path: try: self._AutoLoadAFF4Volume(volume_path) return except IOError as e: raise addrspace.ASAssertionError( "Unable to open AFF4 volume: %s" % e) # If the user asked for a specific stream just load that one. Note that # you can still load the pagefile manually using the --pagefile # parameter. try: image_urn = volume_path.Append(stream_path) self._LoadMemoryImage(image_urn) except IOError as e: raise addrspace.ASAssertionError( "Unable to open AFF4 stream %s: %s" % (stream_path, e))
def __init__(self, filename=None, **kwargs): super(AFF4AddressSpace, self).__init__(**kwargs) self.as_assert(self.base == None, "Must stack on another address space") path = filename or self.session.GetParameter("filename") self.as_assert(path != None, "Filename must be specified") self.image = None self.phys_base = self try: self._LoadAFF4Volume(path) except IOError: raise addrspace.ASAssertionError("Unable to open AFF4 volume")
def __init__(self, base=None, filename=None, **kwargs): self.as_assert(base == None, 'Must be first Address Space') super(Win32FileAddressSpace, self).__init__(**kwargs) self.phys_base = self path = filename or self.session.GetParameter("filename") self.as_assert( path, "Filename must be specified in session (e.g. " "session.SetParameter('filename', 'MyFile.raw').") self.fname = path # The file is just a regular file, we open for reading. self._OpenFileForRead(path) # If we can not get the file size it means this is not a regular file - # maybe a device. try: self.runs.insert((0, 0, win32file.GetFileSize(self.fhandle))) except pywintypes.error: raise addrspace.ASAssertionError("Not a regular file.")