def live(self): if os.geteuid() != 0: self.session.logging.error( "You are not root. It is likely that some operations " "may not be available.") try: # Stack the address spaces by hand. load_as = self.session.plugins.load_as(session=self.session) base_as = standard.FileAddressSpace(session=self.session, filename="/proc/kcore") self.session.physical_address_space = load_as.GuessAddressSpace( base_as=base_as) self.session.SetParameter("session_name", "Live(/proc/kcore)") except IOError as e: self.session.logging.error("Unable to load physical memory: %s ", e) with self.session: self.session.SetParameter("session_name", "Live") # Force timed cache for live sessions. with self.session: self.session.SetParameter("cache", "timed")
def __init__(self, filename, session): self.session = session self.fixups = [] self.enums = {} self.rev_enums = {} self.constants = {} self.functions = {} self.profile = self.session.LoadProfile("mspdb") self._TYPE_ENUM_e = self.profile.get_enum("_TYPE_ENUM_e") self._TYPE_ENUM_e = dict( (int(x), y) for x, y in self._TYPE_ENUM_e.items()) self.address_space = standard.FileAddressSpace(filename=filename, session=self.session) self.header = self.profile._PDB_HEADER_700(vm=self.address_space, offset=0) if not self.header.abSignature.is_valid(): raise IOError("PDB file not supported.") root_pages = self.header.get_page_list() root_stream = StreamBasedAddressSpace(base=self.address_space, page_size=self.header.dPageBytes, pages=root_pages, session=self.profile.session) self.root_stream_header = self.profile._PDB_ROOT_700( offset=0, vm=root_stream, context=dict(page_size=self.header.dPageBytes)) self.ParsePDB() self.ParseDBI() self.ParseTPI()
def get_file_address_space(self, filename): try: # Try to read the file with OS APIs. return standard.FileAddressSpace(filename=filename, session=self.session) except IOError: return
def __init__(self, base=None, **kwargs): """Currently this AS only supports files with the .vmem extension.""" self.as_assert(base != None, "No base address space provided") self.as_assert( getattr(base, "fname", "").endswith("vmem"), "Only VMEM files supported.") super(VMemAddressSpace, self).__init__(base=base, **kwargs) vmss_location = base.fname[:-4] + "vmss" try: vmss_as = standard.FileAddressSpace(filename=vmss_location, session=self.session) except IOError: # If we fail to open the vmss file it is not a proper vmem file. raise addrspace.ASAssertionError vmss_profile = VMWareProfile(session=self.session) self.header = vmss_profile._VMWARE_HEADER(vm=vmss_as) self.as_assert( self.header.Magic in [0xbed2bed0, 0xbad1bad1, 0xbed2bed2, 0xbed3bed3], "Invalid VMware signature: {0:#x}".format(self.header.Magic)) # Fill in the runs list from the header. virtual_offsets = self.header.GetTags("memory", "regionPPN") file_offsets = self.header.GetTags("memory", "regionPageNum") lengths = self.header.GetTags("memory", "regionSize") for v, p, l in zip(virtual_offsets, file_offsets, lengths): self.add_run(v * 0x1000, p * 0x1000, l * 0x1000)
def __init__(self, address_space=None, image_base=0, filename=None, session=None): """Constructor. Args: address_space: An address space to examine. image_base: The address of the dos header in the virtual address space. filename: If a filename is provided we open the file as a PE File. In this case, image_base and address_space are ignored. """ self.session = session if session is None: raise RuntimeError("Session must be provided.") # Use the session to load the pe profile. self.profile = self.session.LoadProfile("pe") # If neither filename or address_space were provided we just get the # session default. if filename is None and address_space is None: address_space = self.session.GetParameter("default_address_space") if address_space == None: raise IOError("Filename or address_space not specified.") self.vm = address_space self.image_base = image_base elif address_space: # Resolve the correct address space. This allows the address space # to be specified from the command line (e.g. "P") load_as = self.session.plugins.load_as(session=self.session) address_space = load_as.ResolveAddressSpace(address_space) self.vm = address_space self.image_base = image_base if self.image_base == None: raise RuntimeError("Image base is invalid.") else: file_address_space = standard.FileAddressSpace( filename=filename, session=self.session) self.vm = PEFileAddressSpace(base=file_address_space, session=self.session) self.image_base = self.vm.image_base self.dos_header = self.profile.Object( "_IMAGE_DOS_HEADER", vm=self.vm, offset=self.image_base, context=dict(image_base=self.image_base)) self.nt_header = self.dos_header.NTHeader
def live(self): try: base_as = standard.FileAddressSpace(session=self.session, filename="/proc/kcore") self.session.physical_address_space = elfcore.KCoreAddressSpace( base=base_as) except IOError as e: self.session.logging.debug("%s", e) raise plugin.PluginError("%s. Are you root?" % e)
def __init__(self, filename, session=None, readers_private_key=None, writers_public_key=None): self.fd = standard.FileAddressSpace(filename=filename, session=session) self.session = session self.profile = AgentProfile(session=session) self.readers_private_key = readers_private_key self.writers_public_key = writers_public_key self.rewind()
def _get_elf_header(self): if self.plugin_args.binary_path: address_space = standard.FileAddressSpace( session=self.session, filename=self.plugin_args.binary_path) else: address_space = self.session.GetParameter("default_address_space") if address_space == None: address_space = self.session.GetParameter("physical_address_space") return elf.ELFProfile(session=self.session).elf64_hdr( vm=address_space, offset=self.plugin_args.header_offset)
def __init__(self, address_space=None, image_base=0, filename=None, session=None): """Constructor. Args: address_space: An address space to examine. image_base: The address of the dos header in the virtual address space. filename: If a filename is provided we open the file as a PE File. In this case, image_base and address_space are ignored. """ self.session = session if session is None: raise RuntimeError("Session must be provided.") # Use the session to load the pe profile. self.profile = self.session.LoadProfile("pe") if address_space is None: address_space = self.session.GetParameter("default_address_space") if filename is None and address_space is None: raise IOError("Filename or address_space not specified.") elif address_space: self.vm = address_space self.image_base = image_base if self.image_base == None: raise RuntimeError("Image base is invalid.") else: file_address_space = standard.FileAddressSpace( filename=filename, session=self.session) self.vm = PEFileAddressSpace(base=file_address_space, profile=self.profile) self.image_base = self.vm.image_base self.dos_header = self.profile.Object( "_IMAGE_DOS_HEADER", vm=self.vm, offset=self.image_base, context=dict(image_base=self.image_base)) self.nt_header = self.dos_header.NTHeader
def live(self): try: # Stack the address spaces by hand. load_as = self.session.plugins.load_as(session=self.session) base_as = standard.FileAddressSpace(session=self.session, filename="/proc/kcore") self.session.physical_address_space = load_as.GuessAddressSpace( base_as=base_as) self.session.GetParameter("live", True) except IOError as e: self.session.logging.debug("%s", e) raise plugin.PluginError("%s. Are you root?" % e)
def render(self, renderer): # Starting offset. if self.offset is None: self.offset = self.plugin_args.offset location = self._config.server.location_from_path_for_server( self.plugin_args.path) local_filename = location.get_local_filename() # Map the location as a file because it could be very large. address_space = standard.FileAddressSpace(filename=local_filename, session=self.session) if address_space.read(0, 13) == "SQLite format": return self.render_sqlite(location, renderer) if (address_space.end() < self.MAX_SIZE and address_space.read(0, 1) in "{["): try: data = json.loads( address_space.read(0, min(self.MAX_SIZE, address_space.end()))) return self.render_json(data, renderer) except Exception: pass # Auto detect the mode. sample = address_space.read(0, min(1024 * 1024, address_space.end())) try: data = sample.decode(self.plugin_args.encoding) return self.render_text(local_filename, self.plugin_args.encoding, renderer) except UnicodeError: pass # Fall back to hexdump result = self.session.plugins.dump(rows=self.plugin_args.limit, offset=self.offset, address_space=address_space) result.render(renderer) self.offset = result.offset return result