    def render_text(self, outfd, data):
        """Write the image timestamp to *outfd* as two text lines.

        Args:
            outfd: writable stream receiving the two output lines.
            data: mapping with an 'ImageDatetime' entry (an object exposing
                as_datetime()) and an 'ImageTz' entry that is handed to
                timefmt.display_datetime for the local-time rendering.
        """
        image_dt = data['ImageDatetime']
        # NOTE(review): as_datetime() may return None; whether
        # timefmt.display_datetime tolerates that is not visible here -- confirm.
        local_dt = image_dt.as_datetime()

        # First line: the raw value rendered through its own __format__.
        utc_line = "Image date and time       : {0}\n".format(image_dt)
        outfd.write(utc_line)

        # Second line: the same instant shifted into the image's own timezone.
        local_repr = timefmt.display_datetime(local_dt, data['ImageTz'])
        local_line = "Image local date and time : {0}\n".format(local_repr)
        outfd.write(local_line)
 def __format__(self, formatspec):
     """Formats the datetime according to the timefmt module"""
     dt = self.as_datetime()
     if dt != None:
         return format(timefmt.display_datetime(dt), formatspec)
     return "-"
 def __format__(self, formatspec):
     """Formats the datetime according to the timefmt module"""
     dt = self.as_datetime()
     if dt != None:
         return format(timefmt.display_datetime(dt), formatspec)
     return "-"
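    def calculate(self):
        """Probe for a usable profile and yield summary rows about the image.

        Each row is a ``(label, type, value)`` tuple. Probing order is the
        user-supplied PROFILE first, then the first KDBG-scan suggestion,
        then every registered profile; the first profile whose loaded
        address space exposes a ``dtb`` attribute is kept.

        Rows yielded: the profile suggestion, one row per address-space
        layer, PAE mode, DTB, KDBG plus per-CPU KPCR offsets when the KDBG
        object validates, KUSER_SHARED_DATA, and the image timestamp in UTC
        and local form.

        Side effects: ``self._config.PROFILE`` is rewritten while probing and
        restored in a ``finally`` block, so the reset also happens when a
        probe raises or the consumer closes the generator early (previously
        an exception left the probed profile in place).
        """
        debug.info("Determining profile based on KDBG search...")
        profilelist = [
            p.__name__
            for p in registry.get_plugin_classes(obj.Profile).values()
        ]

        # KDBG scan suggestions, best guess first; set() dedupes the display
        # string but does not keep the scan order.
        bestguess = None
        suglist = [s for s, _ in kdbgscan.KDBGScan.calculate(self)]
        if suglist:
            bestguess = suglist[0]
        suggestion = ", ".join(set(suglist))

        # Set our suggested profile first, then run through the list
        if bestguess in profilelist:
            profilelist = [bestguess] + profilelist
        chosen = 'no profile'

        # Save the original profile
        origprofile = self._config.PROFILE
        # Force user provided profile over others
        profilelist = [origprofile] + profilelist

        try:
            for profile in profilelist:
                debug.debug('Trying profile ' + profile)
                self._config.update('PROFILE', profile)
                addr_space = utils.load_as(self._config, astype='any')
                # A dtb attribute is the only acceptance criterion used here.
                if hasattr(addr_space, "dtb"):
                    chosen = profile
                    break

            if bestguess != chosen:
                if not suggestion:
                    suggestion = 'No suggestion'
                suggestion += ' (Instantiated with ' + chosen + ')'

            yield ('Suggested Profile(s)', str, suggestion)

            # Walk the address-space stack from the top layer down via .base
            tmpas = addr_space
            count = 0
            while tmpas:
                count += 1
                yield ('AS Layer' + str(count), str,
                       tmpas.__class__.__name__ + " (" + tmpas.name + ")")
                tmpas = tmpas.base

            if not hasattr(addr_space, "pae"):
                yield ('PAE type', str, "No PAE")
            else:
                yield ('PAE type', str, "PAE" if addr_space.pae else "No PAE")

            if hasattr(addr_space, "dtb"):
                yield ('DTB', Address, Address(addr_space.dtb))

            volmagic = obj.VolMagic(addr_space)
            if hasattr(addr_space, "dtb"):
                kdbg = volmagic.KDBG.v()
                # NOTE(review): only an exact int is wrapped into a
                # _KDDEBUGGER_DATA64; a long (py2) or int subclass would reach
                # .is_valid() unwrapped -- confirm what VolMagic.KDBG.v() returns.
                if type(kdbg) == int:
                    kdbg = obj.Object("_KDDEBUGGER_DATA64",
                                      offset=kdbg,
                                      vm=addr_space)
                # The KDBG offset is recovered from the image itself;
                # is_valid() is the only check before its fields are read.
                if kdbg.is_valid():
                    yield ('KDBG', Address, Address(kdbg.obj_offset))
                    kpcr_list = list(kdbg.kpcrs())
                    yield ('Number of Processors', int, len(kpcr_list))
                    yield ('Image Type (Service Pack)', int, kdbg.ServicePack)
                    for kpcr in kpcr_list:
                        yield ('KPCR for CPU {0}'.format(
                            kpcr.ProcessorBlock.Number), Address,
                               Address(kpcr.obj_offset))

                KUSER_SHARED_DATA = volmagic.KUSER_SHARED_DATA.v()
                if KUSER_SHARED_DATA:
                    yield ('KUSER_SHARED_DATA', Address,
                           Address(KUSER_SHARED_DATA))

                data = self.get_image_time(addr_space)

                if data:
                    yield ('Image date and time', str, str(data['ImageDatetime']))
                    yield ('Image local date and time', str,
                           timefmt.display_datetime(
                               data['ImageDatetime'].as_datetime(),
                               data['ImageTz']))
        finally:
            # Always reset the profile to its original value -- also when a
            # probe raised or the generator was closed early -- to keep the
            # invalidator from blocking the cache
            self._config.update('PROFILE', origprofile)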
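    def calculate(self):
        """Probe for a usable profile and yield summary rows about the image.

        Each row is a ``(label, value)`` pair. Probing order is the
        user-supplied PROFILE first, then the first KDBG-scan suggestion,
        then every registered profile; the first profile whose loaded
        address space exposes a ``dtb`` attribute is kept.

        Rows yielded: the profile suggestion, one row per address-space
        layer, PAE mode, DTB, KDBG plus per-CPU KPCR offsets when a KDBG
        offset was found, KUSER_SHARED_DATA, and the image timestamp in UTC
        and local form.

        Side effects: ``self._config.PROFILE`` is rewritten while probing and
        restored in a ``finally`` block, so the reset also happens when a
        probe raises or the consumer closes the generator early (previously
        an exception left the probed profile in place).
        """
        print "Determining profile based on KDBG search...\n"
        profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]

        # KDBG scan suggestions, best guess first; set() dedupes the display
        # string but does not keep the scan order.
        bestguess = None
        suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
        if suglist:
            bestguess = suglist[0]
        suggestion = ", ".join(set(suglist))

        # Set our suggested profile first, then run through the list
        if bestguess in profilelist:
            profilelist = [bestguess] + profilelist
        chosen = 'no profile'

        # Save the original profile
        origprofile = self._config.PROFILE
        # Force user provided profile over others
        profilelist = [origprofile] + profilelist

        try:
            for profile in profilelist:
                debug.debug('Trying profile ' + profile)
                self._config.update('PROFILE', profile)
                addr_space = utils.load_as(self._config, astype = 'any')
                # A dtb attribute is the only acceptance criterion used here.
                if hasattr(addr_space, "dtb"):
                    chosen = profile
                    break

            if bestguess != chosen:
                if not suggestion:
                    suggestion = 'No suggestion'
                suggestion += ' (Instantiated with ' + chosen + ')'

            yield ('Suggested Profile(s)', suggestion)

            # Walk the address-space stack from the top layer down via .base
            tmpas = addr_space
            count = 0
            while tmpas:
                count += 1
                yield ('AS Layer' + str(count), tmpas.__class__.__name__ + " (" + tmpas.name + ")")
                tmpas = tmpas.base

            if not hasattr(addr_space, "pae"):
                yield ('PAE type', "No PAE")
            else:
                yield ('PAE type', "PAE" if addr_space.pae else "No PAE")

            if hasattr(addr_space, "dtb"):
                yield ('DTB', hex(addr_space.dtb))

            volmagic = obj.VolMagic(addr_space)
            if hasattr(addr_space, "dtb"):
                kdbgoffset = volmagic.KDBG.v()
                # NOTE(review): the offset is recovered from the image itself
                # and only its truthiness is checked before the _KDDEBUGGER_DATA64
                # fields are dereferenced -- no is_valid() style check here.
                if kdbgoffset:
                    yield ('KDBG', hex(kdbgoffset))
                    kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = kdbgoffset, vm = addr_space)
                    kpcr_list = list(kdbg.kpcrs())
                    yield ('Number of Processors', len(kpcr_list))
                    yield ('Image Type (Service Pack)', kdbg.ServicePack)
                    for kpcr in kpcr_list:
                        yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number), hex(kpcr.obj_offset))

                KUSER_SHARED_DATA = volmagic.KUSER_SHARED_DATA.v()
                if KUSER_SHARED_DATA:
                    yield ('KUSER_SHARED_DATA', hex(KUSER_SHARED_DATA))

                data = self.get_image_time(addr_space)

                if data:
                    yield ('Image date and time', data['ImageDatetime'])
                    yield ('Image local date and time', timefmt.display_datetime(data['ImageDatetime'].as_datetime(), data['ImageTz']))
        finally:
            # Always reset the profile to its original value -- also when a
            # probe raised or the generator was closed early -- to keep the
            # invalidator from blocking the cache
            self._config.update('PROFILE', origprofile)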
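    def calculate(self):
        """Probe for a usable profile and yield summary rows about the image.

        Each row is a ``(label, value)`` pair. Probing order is the
        user-supplied PROFILE first, then the first KDBG-scan suggestion,
        then every profile in registry.PROFILES; the first profile whose
        loaded address space exposes a ``dtb`` attribute is kept.

        Rows yielded: the profile suggestion, one row per address-space
        layer, PAE mode, DTB, KDBG offset, and -- when a KPCR offset is found
        -- KPCR, KUSER_SHARED_DATA, the image timestamp in UTC and local
        form, and the processor count / image type from find_task_items.

        Side effects: ``self._config.PROFILE`` is rewritten while probing and
        restored in a ``finally`` block, so the reset also happens when a
        probe raises or the consumer closes the generator early (previously
        an exception left the probed profile in place).
        """
        print "Determining profile based on KDBG search...\n"
        profilelist = [ p.__name__ for p in registry.PROFILES.classes ]

        # KDBG scan suggestions, best guess first.
        bestguess = None
        suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
        if suglist:
            bestguess = suglist[0]
        suggestion = ", ".join(suglist)

        # Set our suggested profile first, then run through the list
        if bestguess in profilelist:
            profilelist = [bestguess] + profilelist
        chosen = 'no profile'

        # Save the original profile
        origprofile = self._config.PROFILE
        # Force user provided profile over others
        profilelist = [origprofile] + profilelist

        try:
            for profile in profilelist:
                debug.debug('Trying profile ' + profile)
                self._config.update('PROFILE', profile)
                addr_space = utils.load_as(self._config, astype = 'any')
                # A dtb attribute is the only acceptance criterion used here.
                if hasattr(addr_space, "dtb"):
                    chosen = profile
                    break

            if bestguess != chosen:
                if not suggestion:
                    suggestion = 'No suggestion'
                suggestion += ' (Instantiated with ' + chosen + ')'

            yield ('Suggested Profile(s)', suggestion)

            # Walk the address-space stack from the top layer down via .base
            tmpas = addr_space
            count = 0
            while tmpas:
                count += 1
                yield ('AS Layer' + str(count), tmpas.__class__.__name__ + " (" + tmpas.name + ")")
                tmpas = tmpas.base

            if not hasattr(addr_space, "pae"):
                yield ('PAE type', "No PAE")
            else:
                yield ('PAE type', "PAE" if addr_space.pae else "No PAE")

            if hasattr(addr_space, "dtb"):
                yield ('DTB', hex(addr_space.dtb))

            # Offsets below are recovered from the image itself; only their
            # truthiness is checked before use.
            volmagic = obj.Object('VOLATILITY_MAGIC', 0x0, addr_space)
            kpcroffset = None
            if hasattr(addr_space, "dtb"):
                kdbgoffset = volmagic.KDBG.v()
                if kdbgoffset:
                    yield ('KDBG', hex(kdbgoffset))

                kpcroffset = volmagic.KPCR.v()
                if kpcroffset:
                    yield ('KPCR', hex(kpcroffset))
                    KUSER_SHARED_DATA = volmagic.KUSER_SHARED_DATA.v()
                    if KUSER_SHARED_DATA:
                        yield ('KUSER_SHARED_DATA', hex(KUSER_SHARED_DATA))

                    data = self.get_image_time(addr_space)

                    if data:
                        yield ('Image date and time', data['ImageDatetime'])
                        yield ('Image local date and time', timefmt.display_datetime(data['ImageDatetime'].as_datetime(), data['ImageTz']))

                    # TasksNotFound is raised while iterating find_task_items,
                    # i.e. by the for statement itself, so the try must enclose
                    # the loop; with it inside the body only the yields were
                    # covered and the exception escaped the handler.
                    try:
                        for csdversion, numprocessors in self.find_task_items(addr_space):
                            yield ('Number of Processors', numprocessors)
                            yield ('Image Type', csdversion)
                    except tasks.TasksNotFound:
                        pass
        finally:
            # Always reset the profile to its original value -- also when a
            # probe raised or the generator was closed early -- to keep the
            # invalidator from blocking the cache
            self._config.update('PROFILE', origprofile)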