/usr/lib/python2.7/dist-packages/rekall/plugins/linux/check_afinfo.py is in python-rekall-core 1.6.0+dfsg-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 | # Rekall Memory Forensics
#
# This file is part of Rekall Memory Forensics.
# Copyright 2013 Google Inc. All Rights Reserved.
#
# Rekall Memory Forensics is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General Public
# License.
#
# Rekall Memory Forensics is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# Rekall Memory Forensics. If not, see <http://www.gnu.org/licenses/>.
#
"""
@author: Michael Cohen (Based on original code by Andrew Case).
@license: GNU General Public License 2.0
@contact: scudette@gmail.com
"""
from rekall.plugins.linux import common
class CheckAFInfo(common.LinuxPlugin):
"""Verifies the operation function pointers of network protocols."""
__name = "check_afinfo"
table_header = [
dict(name="symbol", width=30),
dict(name="member", width=30),
dict(name="address", style="address"),
dict(name="module")
]
def CreateChecks(self):
"""Builds the sequence of function checks we need to look at.
We support multiple kernels by adding a bunch of function names which
may not exisit on the current kernel. This is expected as the code
simply ignores struct members which are not defined on this kernel.
"""
# Older kernels have the operations in the structs.
members = sorted(self.profile.file_operations().members.keys())
if self.profile.has_type("seq_operations"):
# Newer kernels use seq_ops struct.
members.extend(["seq_ops.%s" % x
for x in self.profile.seq_operations().members])
if self.profile.has_type("file_operations"):
# Newer kernels use seq_ops struct.
members.extend(["seq_fops.%s" % x
for x in self.profile.file_operations().members])
return [
dict(name="tcp",
constant_type="tcp_seq_afinfo",
global_vars=[
"tcp6_seq_afinfo",
"tcp4_seq_afinfo"
],
members=members,
),
dict(name="udp",
constant_type="udp_seq_afinfo",
global_vars=[
"udplite6_seq_afinfo",
"udp6_seq_afinfo",
"udplite4_seq_afinfo",
"udp4_seq_afinfo"
],
members=members,
),
]
def check_members(self, struct, members):
"""Yields struct members which are not known to exist in any module."""
for member in members:
ptr = struct.m(member)
if not ptr:
continue
# This is really a function pointer.
func = ptr.dereference_as(target="Function",
target_args=dict(name=member))
yield member, func
def check_functions(self, checks):
"""Apply the checks to the kernel and yields the results."""
for check in checks:
for variable in check["global_vars"]:
var_ptr = self.profile.get_constant_object(
variable, target=check["constant_type"],
vm=self.kernel_address_space)
for member, func in self.check_members(
var_ptr, check["members"]):
yield variable, member, func
def collect(self):
checks = self.CreateChecks()
for variable, member, func in self.check_functions(checks):
location = ", ".join(
self.session.address_resolver.format_address(
func.obj_offset))
# Point out suspicious constants.
highlight = None if location else "important"
yield dict(symbol=variable, member=member, address=func,
module=location, highlight=highlight)
|