def _find_and_parse_index_file(self):
    """Locate the syscall-number header for this profile and return its text.

    Walks every cached dentry via linux_find_file, keeps the inodes whose
    last path component is ``unistd_32.h`` (32bit memory model) or
    ``unistd_64.h`` (anything else), then reassembles each candidate's
    page-cache contents.  Returns the first buffer longer than 4096 bytes,
    or None when no candidate is that large.
    """
    model = self.addr_space.profile.metadata.get('memory_model', '32bit')
    wanted = "unistd_32.h" if model == '32bit' else "unistd_64.h"

    finder = linux_find_file.linux_find_file(self._config)

    # A bare filename with no directory part never qualifies, hence the
    # ``len(parts) > 1`` requirement.
    candidates = []
    for (_, _, path, dentry) in finder.walk_sbs():
        parts = path.split("/")
        if len(parts) > 1 and parts[-1] == wanted:
            candidates.append(dentry.d_inode)

    for inode in candidates:
        # The whole file is read before the size check, so a too-small
        # candidate still costs a full read.
        text = "".join(finder.get_file_contents(inode))
        if len(text) > 4096:
            return text

    return None
def _find_and_parse_index_file(self):
    """Read and parse the unistd index header(s) out of the page cache.

    ``get_unistd_paths`` supplies whether the profile is 32-bit plus the
    candidate paths for the 32-bit and 64-bit headers.  Enumerating the
    superblocks is slow, so the walk is abandoned as soon as every table
    this profile needs is filled (32-bit profiles need only the 32-bit
    table, others need both).  Cached contents shorter than 1024 bytes
    are skipped as incomplete.

    Returns ``{"32bit": {...}, "64bit": {...}}``; a table that was not
    found stays an empty dict.
    """
    is_32, paths32, paths64 = self.get_unistd_paths()
    tables = {"32bit": {}, "64bit": {}}

    finder = linux_find_file.linux_find_file(self._config)

    def done():
        have32 = len(tables["32bit"]) > 0
        have64 = len(tables["64bit"]) > 0
        return have32 and (is_32 or have64)

    for (_, _, path, dentry) in finder.walk_sbs():
        if done():
            break

        # A matched path is removed from its list, so a second dentry with
        # the same path is not read again.
        if path in paths32:
            which = "32bit"
            paths32.remove(path)
        elif path in paths64:
            which = "64bit"
            paths64.remove(path)
        else:
            continue

        contents = "".join(finder.get_file_contents(dentry.d_inode))
        if len(contents) < 1024:
            continue

        tables[which] = self.parse_index_file(contents)

    return tables
def _find_and_parse_index_file(self):
    """Return the cached text of the profile's unistd header, or None.

    The header name depends on the profile's ``memory_model`` metadata
    (``unistd_32.h`` for '32bit', else ``unistd_64.h``).  Every dentry
    reachable through linux_find_file whose path ends in that name (and
    has a directory part) is a candidate; the first candidate whose
    reassembled page-cache contents exceed 4096 bytes wins.
    """
    profile_meta = self.addr_space.profile.metadata
    if profile_meta.get('memory_model', '32bit') == '32bit':
        header_name = "unistd_32.h"
    else:
        header_name = "unistd_64.h"

    finder = linux_find_file.linux_find_file(self._config)

    def is_candidate(path):
        components = path.split("/")
        return len(components) > 1 and components[-1] == header_name

    candidate_inodes = [
        dentry.d_inode
        for (_, _, path, dentry) in finder.walk_sbs()
        if is_candidate(path)
    ]

    result = None
    for inode in candidate_inodes:
        contents = "".join(finder.get_file_contents(inode))
        if len(contents) > 4096:
            result = contents
            break
    return result
def _walk_xarray_pids(self):
    """Yield every valid node reachable from init_pid_ns's pid XArray.

    Publishes the XArray layout constants this plugin relies on as
    instance attributes (a chunk shift of 6 gives 64 slots per node; the
    low two bits of a head pointer carry its tag), resolves
    ``init_pid_ns`` through the profile and hands the root node to
    ``_do_walk_xarray``.  Yields nothing when the xarray object is not
    valid.
    """
    finder = find_file.linux_find_file(self._config)
    linux_common.set_plugin_members(finder)

    # XArray constants used by this walk and by _do_walk_xarray.
    self.XARRAY_TAG_MASK = 3
    self.XARRAY_TAG_INTERNAL = 2
    self.XA_CHUNK_SHIFT = 6
    self.XA_CHUNK_SIZE = 1 << self.XA_CHUNK_SHIFT
    self.XA_CHUNK_MASK = self.XA_CHUNK_SIZE - 1

    ns_offset = self.addr_space.profile.get_symbol("init_pid_ns")
    pid_ns = obj.Object("pid_namespace", offset=ns_offset, vm=self.addr_space)

    xarray = pid_ns.idr.idr_rt
    if not xarray.is_valid():
        return

    root = xarray.xa_head.v()
    # The tag is inspected on the raw head value, then stripped to get
    # the node address.
    is_internal = finder.xa_is_internal(root)
    if root & self.XARRAY_TAG_MASK:
        root &= ~self.XARRAY_TAG_MASK

    root_node = obj.Object("xa_node", offset=root, vm=self.addr_space)

    # Only an internal root exposing ``shift`` gets a real height; any
    # other root is walked with height 0.  NOTE: ``/`` is Python 2
    # integer division here; under Python 3 this would become a float.
    height = 0
    if is_internal and hasattr(root_node, "shift"):
        height = (root_node.shift / self.XA_CHUNK_SHIFT) + 1

    for entry in self._do_walk_xarray(finder, root_node, height, 0):
        if entry and entry.is_valid():
            yield entry
def _walk_xarray_pids(self):
    """Generator over the valid xa_node entries of init_pid_ns's idr XArray.

    The XArray layout constants are stored on ``self`` so that
    ``_do_walk_xarray`` can use them; the root head pointer has its tag
    bits stripped before being wrapped as an ``xa_node``.  Nothing is
    yielded if the xarray object does not validate.
    """
    file_walker = find_file.linux_find_file(self._config)
    linux_common.set_plugin_members(file_walker)

    # Layout constants (low two pointer bits are the tag; 64-slot chunks).
    chunk_shift = 6
    self.XARRAY_TAG_MASK = 3
    self.XARRAY_TAG_INTERNAL = 2
    self.XA_CHUNK_SHIFT = chunk_shift
    self.XA_CHUNK_SIZE = 1 << chunk_shift
    self.XA_CHUNK_MASK = (1 << chunk_shift) - 1

    init_ns = obj.Object(
        "pid_namespace",
        offset=self.addr_space.profile.get_symbol("init_pid_ns"),
        vm=self.addr_space,
    )

    xa = init_ns.idr.idr_rt
    if not xa.is_valid():
        return

    head = xa.xa_head.v()
    internal = file_walker.xa_is_internal(head)
    tagged = (head & self.XARRAY_TAG_MASK) != 0
    node_addr = head & ~self.XARRAY_TAG_MASK if tagged else head

    top = obj.Object("xa_node", offset=node_addr, vm=self.addr_space)

    # NOTE: ``/`` is Python 2 integer division in this code base; a
    # Python 3 port would need ``//`` to keep an integer height.
    if internal and hasattr(top, "shift"):
        height = (top.shift / self.XA_CHUNK_SHIFT) + 1
    else:
        height = 0

    for found in self._do_walk_xarray(file_walker, top, height, 0):
        if not found:
            continue
        if found.is_valid():
            yield found
def check_file_cache(self, f_op_members, modules):
    """Yield (file_path, hooked_member, hook_address) for hooked cached files.

    Walks every dentry known to linux_find_file and defers the check of
    each inode's ``i_fop`` table to ``verify_ops`` with the given
    ``f_op_members`` and ``modules``.
    """
    finder = find_file.linux_find_file(self._config)
    for (_, _, path, dentry) in finder.walk_sbs():
        fops = dentry.d_inode.i_fop
        for member, address in self.verify_ops(fops, f_op_members, modules):
            yield (path, member, address)
def _find_and_parse_index_file(self):
    """Parse the 32-bit and/or 64-bit unistd index headers from the page cache.

    ``get_unistd_paths`` returns whether the profile is 32-bit and the
    candidate paths for each header.  The dentry enumeration is slow, so
    it stops as soon as the needed tables are filled; a header whose
    cached contents are under 1024 bytes is ignored.

    Returns a dict keyed "32bit"/"64bit"; missing tables stay ``{}``.
    """
    is_32, paths32, paths64 = self.get_unistd_paths()
    parsed = {"32bit": {}, "64bit": {}}
    finder = linux_find_file.linux_find_file(self._config)

    for (_, _, path, dentry) in finder.walk_sbs():
        have32 = len(parsed["32bit"]) > 0
        have64 = len(parsed["64bit"]) > 0
        # 32-bit profiles need only the 32-bit table; others need both.
        if have32 and (is_32 or have64):
            break

        if path in paths32:
            paths32.remove(path)
            table = "32bit"
        elif path in paths64:
            paths64.remove(path)
            table = "64bit"
        else:
            continue

        pages = list(finder.get_file_contents(dentry.d_inode))
        buf = "".join(pages)
        if len(buf) < 1024:
            continue
        parsed[table] = self.parse_index_file(buf)

    return parsed
def calculate(self):
    """Yield (inode, inode number, path) for every file in the dentry cache."""
    linux_common.set_plugin_members(self)
    finder = linux_find_file.linux_find_file(self._config)
    for (_, _, path, dentry) in finder.walk_sbs():
        inode = dentry.d_inode
        yield (inode, inode.i_ino, path)
def calculate(self):
    """Dump every cached file under --dump-dir, yielding the running count.

    Aborts via ``debug.error`` when DUMP_DIR is unset or not an existing
    directory.  For each dentry the on-disk parent path is created, the
    contents written and the metadata restored, then the number of files
    handled so far is yielded.  The paths come from the memory image;
    keeping them inside DUMP_DIR is left to ``_make_path``/``_write_file``
    (not visible here) — confirm they confine the output.
    """
    linux_common.set_plugin_members(self)

    dump_dir = self._config.DUMP_DIR
    if not (dump_dir and os.path.isdir(dump_dir)):
        debug.error("Please specify an existing output dir (--dump-dir)")

    finder = linux_find_file.linux_find_file(self._config)
    written = 0
    for (_, _, path, dentry) in finder.walk_sbs():
        self._make_path(path, dentry)
        self._write_file(finder, path, dentry)
        self._fix_metadata(path, dentry)
        written += 1
        yield written
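def process_directory(self, dentry, _recursive=0, parent=""):
    """Recreate the subtree below ``dentry`` on disk under ``parent``.

    Every child dentry that has an inode is recreated at
    ``os.path.join(parent, name)``: directories are mkdir'd (an already
    existing directory is tolerated) and recursed into, regular files are
    written from the page cache, and any other inode type is skipped.
    ``fix_md`` restores mode and timestamps after each entry.

    Args:
        dentry: directory dentry whose ``d_subdirs`` list is processed.
        _recursive: not read by this method; passed as 1 on recursion.
        parent: on-disk directory the children are created in.

    Child names are read from the memory image and are therefore not
    trusted: an empty name, ``.``/``..``, or a name containing a path
    separator would resolve outside ``parent`` and is skipped instead.
    """
    separators = [s for s in (os.sep, os.altsep, "/") if s]

    for child in dentry.d_subdirs.list_of_type("dentry", "d_u"):
        name = str(child.d_name.name.dereference_as("String", length=255))
        inode = child.d_inode
        if not inode:
            # no inode for this name; nothing to recreate
            continue

        if name in ("", ".", "..") or any(s in name for s in separators):
            # would escape ``parent``; skip the entry
            continue

        new_file = os.path.join(parent, name)
        perms, atime, mtime = inode.i_mode, inode.i_atime, inode.i_mtime

        if linux_common.S_ISDIR(inode.i_mode):
            # the directory may already exist from an earlier entry
            try:
                os.mkdir(new_file)
            except OSError:
                pass
            self.fix_md(new_file, perms, atime, mtime, 1)
            self.process_directory(child, 1, new_file)

        elif linux_common.S_ISREG(inode.i_mode):
            contents = linux_find_file.linux_find_file(self._config).get_file_contents(inode)
            # Other callers on this listing iterate get_file_contents page
            # by page; accept either a whole buffer or an iterable of pages.
            with open(new_file, "wb") as out:
                if isinstance(contents, (str, bytes)):
                    out.write(contents)
                else:
                    for page in contents:
                        out.write(page)
            self.fix_md(new_file, perms, atime, mtime)

        # FUTURE add support for symlinks; other inode types are skipped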
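def process_directory(self, dentry, _recursive=0, parent=""):
    """Write the children of ``dentry`` to disk below ``parent``, recursively.

    Directories are created (an existing one is fine) and descended into;
    regular files get their page-cache contents written; everything else
    is skipped.  ``fix_md`` restores mode and timestamps on each entry.

    Args:
        dentry: directory dentry whose ``d_subdirs`` are processed.
        _recursive: unused here; the recursive call passes 1.
        parent: on-disk directory to create the children in.

    Because the names originate in the memory image, a child whose name
    is empty, ``.``/``..`` or contains a path separator is skipped so the
    output cannot escape ``parent``.
    """
    def escapes_parent(component):
        # Only a single plain path component is acceptable.
        if component in ("", ".", ".."):
            return True
        seps = [s for s in (os.sep, os.altsep, "/") if s]
        return any(s in component for s in seps)

    def write_pages(handle, data):
        # get_file_contents is iterated page by page elsewhere on this
        # listing; tolerate a whole buffer as well.
        if isinstance(data, (str, bytes)):
            handle.write(data)
        else:
            for page in data:
                handle.write(page)

    for child in dentry.d_subdirs.list_of_type("dentry", "d_u"):
        inode = child.d_inode
        if not inode:
            # no inode for this name
            continue

        name = str(child.d_name.name.dereference_as("String", length=255))
        if escapes_parent(name):
            continue

        target = os.path.join(parent, name)
        mode = inode.i_mode
        atime = inode.i_atime
        mtime = inode.i_mtime

        if linux_common.S_ISDIR(mode):
            try:
                os.mkdir(target)
            except OSError:
                # the directory may already exist
                pass
            self.fix_md(target, mode, atime, mtime, 1)
            self.process_directory(child, 1, target)
        elif linux_common.S_ISREG(mode):
            finder = linux_find_file.linux_find_file(self._config)
            with open(target, "wb") as handle:
                write_pages(handle, finder.get_file_contents(inode))
            self.fix_md(target, mode, atime, mtime)
        # FUTURE add support for symlinks; other types are skipped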
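def dumpFile(self, listF, task):
    """Write each inode in ``listF`` to disk under its mapped file name.

    Args:
        listF: mapping of output file name -> inode address, given as a
            string that ``int(x, 0)`` accepts (e.g. a "0x..." literal).
        task: not used by this method; kept for the caller's signature.

    Prints how many files will be extracted, then instantiates each inode
    from the address space and streams its page-cache contents to the
    named output file.  ``debug.error`` is raised when an output file
    cannot be opened.
    """
    to_find = len(listF)
    if to_find == 0:
        print("\t0 files have to be extracted")
        return
    print("\t" + str(to_find) + " files have to be extracted")

    finder = linux_find_file.linux_find_file(self._config)
    for name, inode_addr in listF.items():
        inode = obj.Object("inode", offset=int(inode_addr, 0), vm=self.addr_space)
        try:
            out = open(name, "wb")
        except IOError as e:
            # Report the file that failed (the original referenced an
            # undefined ``outfile`` here) and skip it if debug.error returns.
            debug.error("Unable to open output file (%s): %s" % (name, str(e)))
            continue
        with out:
            for page in finder.get_file_contents(inode):
                out.write(page)
        print("\t{0} extracted".format(name))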
def check_file_cache(self, f_op_members, modules):
    """Yield (file_path, hooked_member, hook_type, hook_address) per hooked file.

    Each cached dentry's inode ``i_fop`` table is handed to
    ``_is_inline_hooked`` together with ``f_op_members`` and ``modules``;
    every hit it reports is re-yielded with the file's path prepended.
    """
    walker = find_file.linux_find_file(self._config)
    for (_, _, path, dentry) in walker.walk_sbs():
        hits = self._is_inline_hooked(dentry.d_inode.i_fop, f_op_members, modules)
        for member, kind, address in hits:
            yield (path, member, kind, address)
def calculate(self):
    """Yield the path of every file found in the dentry cache."""
    linux_common.set_plugin_members(self)
    finder = linux_find_file.linux_find_file(self._config)
    for _sb, _name, path, _dentry in finder.walk_sbs():
        yield path
def calculate(self):
    """Generator over the paths of all cached files reachable via walk_sbs."""
    linux_common.set_plugin_members(self)
    entries = linux_find_file.linux_find_file(self._config).walk_sbs()
    for (_, _, path, _) in entries:
        yield path