def live(self):
if self.plugin_args.mode == "Memory":
phys_as = obj.NoneObject("Unable to access physical memory")
try:
phys_as = win32.WinPmemAddressSpace(
session=self.session, filename=self.plugin_args.device)
self.session.logging.debug("Using PMEM driver at %s",
self.plugin_args.device)
except IOError as e:
self.session.logging.debug("%s", e)
errno = self.parse_exception(e)
if errno == 5: # Access Denied.
self.session.logging.error(
"%s. Are you running as Administrator?" % e)
elif errno == 2: # File not found
try:
phys_as = self.load_driver()
except plugin.PluginError:
self.session.logging.error(
"Unable to load driver: %s." % e)
else:
self.session.logging.error(
"Unable to access physical memory: %s." % e)
self.session.physical_address_space = phys_as
with self.session:
self.session.SetParameter("live_mode", self.plugin_args.mode)
self.session.SetParameter("session_name",
"Live (%s)" % self.plugin_args.mode)
def live(self):
try:
phys_as = win32.WinPmemAddressSpace(session=self.session,
filename=self.device)
except IOError as e:
self.session.logging.debug("%s", e)
errno = self.parse_exception(e)
if errno == 5: # Access Denied.
raise plugin.PluginError(
"%s. Are you running as Administrator?" % e)
elif errno == 2: # File not found
phys_as = self.load_driver()
else:
raise plugin.PluginError("%s" % e)
self.session.physical_address_space = phys_as
class Live(plugin.PrivilegedMixIn, plugin.ProfileCommand):
"""Launch a Rekall shell for live analysis on the current system."""
name = "live"
PROFILE_REQUIRED = False
@classmethod
def args(cls, parser):
parser.add_argument("--driver",
default=None,
help="Driver file to load")
parser.add_argument("--device",
default=r"\\.\pmem",
help="Device name to use")
parser.add_argument("--service_name",
default=r"pmem",
help="Service name to use")
def __init__(self,
driver=None,
device=r"\\.\pmem",
service_name="pmem",
**kw):
super(Live, self).__init__(**kw)
self.driver = driver
self.device = device
self.name = service_name
# Did we start the service? If so we need to clean up.
self.we_started_service = False
exception_format_regex = re.compile(r": \((\d+),")
def parse_exception(self, e):
"""Yes! seriously there is no way to get at the real error code."""
# We often see code like if "Access Denied" in str(e):... but
# this is unreliable since the message will be different when
# different language packs are used. The best way is to
# compare the numeric error code, but this is not exported. In
# our testing e.errno is not being set properly by pywin32.
m = self.exception_format_regex.search(str(e))
if m:
return int(m.group(1))
def load_driver(self):
"""Load the driver if possible."""
# Check the driver is somewhere accessible.
if self.driver is None:
# Valid values
# http://superuser.com/questions/305901/possible-values-of-processor-architecture
machine = platform.machine()
if machine == "AMD64":
driver = "winpmem_x64.sys"
elif machine == "x86":
driver = "winpmem_x86.sys"
else:
raise plugin.PluginError("Unsupported architecture")
self.driver = os.path.join(rekall.RESOURCES_PATH,
"WinPmem/%s" % driver)
driver = os.path.join(os.getcwd(), self.driver)
self.session.logging.debug("Loading driver from %s", driver)
if not os.access(driver, os.R_OK):
raise plugin.PluginError("Driver file %s is not accessible." %
driver)
# Must have absolute path here.
self.hScm = win32service.OpenSCManager(
None, None, win32service.SC_MANAGER_CREATE_SERVICE)
try:
self.hSvc = win32service.CreateService(
self.hScm, self.name, self.name,
win32service.SERVICE_ALL_ACCESS,
win32service.SERVICE_KERNEL_DRIVER,
win32service.SERVICE_DEMAND_START,
win32service.SERVICE_ERROR_IGNORE, driver, None, 0, None, None,
None)
self.session.logging.debug("Created service %s", self.name)
# Remember to cleanup afterwards.
self.we_started_service = True
except win32service.error as e:
# Service is already there, try to open it instead.
self.hSvc = win32service.OpenService(
self.hScm, self.name, win32service.SERVICE_ALL_ACCESS)
# Make sure the service is stopped.
try:
win32service.ControlService(self.hSvc,
win32service.SERVICE_CONTROL_STOP)
except win32service.error:
pass
try:
win32service.StartService(self.hSvc, [])
except win32service.error, e:
self.session.logging.debug("%s: will try to continue", e)
try:
return win32.WinPmemAddressSpace(session=self.session,
filename=self.device)
except IOError as e:
raise plugin.PluginError(*e.args)
class Live(plugin.TypedProfileCommand, plugin.ProfileCommand):
"""Launch a Rekall shell for live analysis on the current system."""
name = "live"
PROFILE_REQUIRED = False
__args = [
dict(name="mode",
default="Memory",
type="Choices",
choices=session.LIVE_MODES,
help="Mode for live analysis."),
dict(name="driver", help="Driver file to load"),
dict(name="device", default=r"\\.\pmem", help="Device name to use"),
dict(name="service_name", default=r"pmem", help="Service name to use")
]
table_header = [dict(name="Message")]
def __init__(self, *args, **kw):
super(Live, self).__init__(*args, **kw)
# It is OK for non privileged sessions to use the default drivers.
if not self.session.privileged and self.plugin_args.driver:
raise plugin.PluginError(
"Installing arbitrary drivers is only available for "
"interactive or privileged sessions.")
# Did we start the service? If so we need to clean up.
self.we_started_service = False
self.hScm = None
self.hSvc = None
exception_format_regex = re.compile(r": \((\d+),")
def parse_exception(self, e):
"""Yes! seriously there is no way to get at the real error code."""
# We often see code like if "Access Denied" in str(e):... but
# this is unreliable since the message will be different when
# different language packs are used. The best way is to
# compare the numeric error code, but this is not exported. In
# our testing e.errno is not being set properly by pywin32.
m = self.exception_format_regex.search(str(e))
if m:
return int(m.group(1))
def load_driver(self):
"""Load the driver if possible."""
# Check the driver is somewhere accessible.
if self.plugin_args.driver is None:
# Valid values
# http://superuser.com/questions/305901/possible-values-of-processor-architecture
machine = platform.machine()
if machine == "AMD64":
driver = "winpmem_x64.sys"
elif machine == "x86":
driver = "winpmem_x86.sys"
else:
raise plugin.PluginError("Unsupported architecture")
self.plugin_args.driver = resources.get_resource("WinPmem/%s" %
driver)
# Try the local directory
if self.plugin_args.driver is None:
self.plugin_args.driver = os.path.join(os.getcwd(), "WinPmem",
driver)
self.session.logging.debug("Loading driver from %s",
self.plugin_args.driver)
if not os.access(self.plugin_args.driver, os.R_OK):
raise plugin.PluginError("Driver file %s is not accessible." %
self.plugin_args.driver)
self.hScm = win32service.OpenSCManager(
None, None, win32service.SC_MANAGER_CREATE_SERVICE)
# First uninstall the driver
self.remove_service(also_close_as=False)
try:
self.hSvc = win32service.CreateService(
self.hScm, self.plugin_args.service_name,
self.plugin_args.service_name, win32service.SERVICE_ALL_ACCESS,
win32service.SERVICE_KERNEL_DRIVER,
win32service.SERVICE_DEMAND_START,
win32service.SERVICE_ERROR_IGNORE, self.plugin_args.driver,
None, 0, None, None, None)
self.session.logging.debug("Created service %s",
self.plugin_args.service_name)
# Remember to cleanup afterwards.
self.we_started_service = True
except win32service.error as e:
# Service is already there, try to open it instead.
self.hSvc = win32service.OpenService(
self.hScm, self.plugin_args.service_name,
win32service.SERVICE_ALL_ACCESS)
# Make sure the service is stopped.
try:
win32service.ControlService(self.hSvc,
win32service.SERVICE_CONTROL_STOP)
except win32service.error:
pass
try:
win32service.StartService(self.hSvc, [])
except win32service.error, e:
self.session.logging.debug("%s: will try to continue", e)
try:
return win32.WinPmemAddressSpace(session=self.session,
filename=self.plugin_args.device)
except IOError as e:
raise plugin.PluginError(*e.args)