def live(self):
if os.geteuid() != 0:
self.session.logging.error(
"You are not root. It is likely that some operations "
"may not be available.")
try:
# Stack the address spaces by hand.
load_as = self.session.plugins.load_as(session=self.session)
base_as = standard.FileAddressSpace(session=self.session,
filename="/proc/kcore")
self.session.physical_address_space = load_as.GuessAddressSpace(
base_as=base_as)
self.session.SetParameter("session_name", "Live(/proc/kcore)")
except IOError as e:
self.session.logging.error("Unable to load physical memory: %s ",
e)
with self.session:
self.session.SetParameter("session_name", "Live")
# Force timed cache for live sessions.
with self.session:
self.session.SetParameter("cache", "timed")
def __init__(self, filename, session):
self.session = session
self.fixups = []
self.enums = {}
self.rev_enums = {}
self.constants = {}
self.functions = {}
self.profile = self.session.LoadProfile("mspdb")
self._TYPE_ENUM_e = self.profile.get_enum("_TYPE_ENUM_e")
self._TYPE_ENUM_e = dict(
(int(x), y) for x, y in self._TYPE_ENUM_e.items())
self.address_space = standard.FileAddressSpace(filename=filename,
session=self.session)
self.header = self.profile._PDB_HEADER_700(vm=self.address_space,
offset=0)
if not self.header.abSignature.is_valid():
raise IOError("PDB file not supported.")
root_pages = self.header.get_page_list()
root_stream = StreamBasedAddressSpace(base=self.address_space,
page_size=self.header.dPageBytes,
pages=root_pages,
session=self.profile.session)
self.root_stream_header = self.profile._PDB_ROOT_700(
offset=0,
vm=root_stream,
context=dict(page_size=self.header.dPageBytes))
self.ParsePDB()
self.ParseDBI()
self.ParseTPI()
def get_file_address_space(self, filename):
try:
# Try to read the file with OS APIs.
return standard.FileAddressSpace(filename=filename,
session=self.session)
except IOError:
return
def __init__(self, base=None, **kwargs):
"""Currently this AS only supports files with the .vmem extension."""
self.as_assert(base != None, "No base address space provided")
self.as_assert(
getattr(base, "fname", "").endswith("vmem"),
"Only VMEM files supported.")
super(VMemAddressSpace, self).__init__(base=base, **kwargs)
vmss_location = base.fname[:-4] + "vmss"
try:
vmss_as = standard.FileAddressSpace(filename=vmss_location,
session=self.session)
except IOError:
# If we fail to open the vmss file it is not a proper vmem file.
raise addrspace.ASAssertionError
vmss_profile = VMWareProfile(session=self.session)
self.header = vmss_profile._VMWARE_HEADER(vm=vmss_as)
self.as_assert(
self.header.Magic
in [0xbed2bed0, 0xbad1bad1, 0xbed2bed2, 0xbed3bed3],
"Invalid VMware signature: {0:#x}".format(self.header.Magic))
# Fill in the runs list from the header.
virtual_offsets = self.header.GetTags("memory", "regionPPN")
file_offsets = self.header.GetTags("memory", "regionPageNum")
lengths = self.header.GetTags("memory", "regionSize")
for v, p, l in zip(virtual_offsets, file_offsets, lengths):
self.add_run(v * 0x1000, p * 0x1000, l * 0x1000)
def __init__(self,
address_space=None,
image_base=0,
filename=None,
session=None):
"""Constructor.
Args:
address_space: An address space to examine.
image_base: The address of the dos header in the virtual address
space.
filename: If a filename is provided we open the file as a PE File. In
this case, image_base and address_space are ignored.
"""
self.session = session
if session is None:
raise RuntimeError("Session must be provided.")
# Use the session to load the pe profile.
self.profile = self.session.LoadProfile("pe")
# If neither filename or address_space were provided we just get the
# session default.
if filename is None and address_space is None:
address_space = self.session.GetParameter("default_address_space")
if address_space == None:
raise IOError("Filename or address_space not specified.")
self.vm = address_space
self.image_base = image_base
elif address_space:
# Resolve the correct address space. This allows the address space
# to be specified from the command line (e.g. "P")
load_as = self.session.plugins.load_as(session=self.session)
address_space = load_as.ResolveAddressSpace(address_space)
self.vm = address_space
self.image_base = image_base
if self.image_base == None:
raise RuntimeError("Image base is invalid.")
else:
file_address_space = standard.FileAddressSpace(
filename=filename, session=self.session)
self.vm = PEFileAddressSpace(base=file_address_space,
session=self.session)
self.image_base = self.vm.image_base
self.dos_header = self.profile.Object(
"_IMAGE_DOS_HEADER",
vm=self.vm,
offset=self.image_base,
context=dict(image_base=self.image_base))
self.nt_header = self.dos_header.NTHeader
def live(self):
try:
base_as = standard.FileAddressSpace(session=self.session,
filename="/proc/kcore")
self.session.physical_address_space = elfcore.KCoreAddressSpace(
base=base_as)
except IOError as e:
self.session.logging.debug("%s", e)
raise plugin.PluginError("%s. Are you root?" % e)
def __init__(self,
filename,
session=None,
readers_private_key=None,
writers_public_key=None):
self.fd = standard.FileAddressSpace(filename=filename, session=session)
self.session = session
self.profile = AgentProfile(session=session)
self.readers_private_key = readers_private_key
self.writers_public_key = writers_public_key
self.rewind()
def _get_elf_header(self):
if self.plugin_args.binary_path:
address_space = standard.FileAddressSpace(
session=self.session, filename=self.plugin_args.binary_path)
else:
address_space = self.session.GetParameter("default_address_space")
if address_space == None:
address_space = self.session.GetParameter("physical_address_space")
return elf.ELFProfile(session=self.session).elf64_hdr(
vm=address_space, offset=self.plugin_args.header_offset)
def __init__(self,
address_space=None,
image_base=0,
filename=None,
session=None):
"""Constructor.
Args:
address_space: An address space to examine.
image_base: The address of the dos header in the virtual address
space.
filename: If a filename is provided we open the file as a PE File. In
this case, image_base and address_space are ignored.
"""
self.session = session
if session is None:
raise RuntimeError("Session must be provided.")
# Use the session to load the pe profile.
self.profile = self.session.LoadProfile("pe")
if address_space is None:
address_space = self.session.GetParameter("default_address_space")
if filename is None and address_space is None:
raise IOError("Filename or address_space not specified.")
elif address_space:
self.vm = address_space
self.image_base = image_base
if self.image_base == None:
raise RuntimeError("Image base is invalid.")
else:
file_address_space = standard.FileAddressSpace(
filename=filename, session=self.session)
self.vm = PEFileAddressSpace(base=file_address_space,
profile=self.profile)
self.image_base = self.vm.image_base
self.dos_header = self.profile.Object(
"_IMAGE_DOS_HEADER",
vm=self.vm,
offset=self.image_base,
context=dict(image_base=self.image_base))
self.nt_header = self.dos_header.NTHeader
def live(self):
try:
# Stack the address spaces by hand.
load_as = self.session.plugins.load_as(session=self.session)
base_as = standard.FileAddressSpace(session=self.session,
filename="/proc/kcore")
self.session.physical_address_space = load_as.GuessAddressSpace(
base_as=base_as)
self.session.GetParameter("live", True)
except IOError as e:
self.session.logging.debug("%s", e)
raise plugin.PluginError("%s. Are you root?" % e)
def render(self, renderer):
# Starting offset.
if self.offset is None:
self.offset = self.plugin_args.offset
location = self._config.server.location_from_path_for_server(
self.plugin_args.path)
local_filename = location.get_local_filename()
# Map the location as a file because it could be very large.
address_space = standard.FileAddressSpace(filename=local_filename,
session=self.session)
if address_space.read(0, 13) == "SQLite format":
return self.render_sqlite(location, renderer)
if (address_space.end() < self.MAX_SIZE
and address_space.read(0, 1) in "{["):
try:
data = json.loads(
address_space.read(0,
min(self.MAX_SIZE,
address_space.end())))
return self.render_json(data, renderer)
except Exception:
pass
# Auto detect the mode.
sample = address_space.read(0, min(1024 * 1024, address_space.end()))
try:
data = sample.decode(self.plugin_args.encoding)
return self.render_text(local_filename, self.plugin_args.encoding,
renderer)
except UnicodeError:
pass
# Fall back to hexdump
result = self.session.plugins.dump(rows=self.plugin_args.limit,
offset=self.offset,
address_space=address_space)
result.render(renderer)
self.offset = result.offset
return result