/usr/lib/python2.7/dist-packages/rekall/plugins/linux/cpuinfo.py is in python-rekall-core 1.6.0+dfsg-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 | # Rekall Memory Forensics
#
# Copyright 2013 Google Inc. All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
@author: Andrew Case
@license: GNU General Public License 2.0 or later
@contact: atcuno@gmail.com
@organization: Digital Forensics Solutions
"""
from rekall.plugins.linux import common
class Banner(common.LinuxPlugin):
"""Prints the Linux banner information."""
__name = "banner"
table_header = [
dict(name="banner", width=80)
]
def collect(self):
banner = self.profile.get_constant_object(
"linux_banner", target="String", vm=self.kernel_address_space)
yield dict(banner=banner)
class CpuInfo(common.LinuxPlugin):
"""Prints information about each active processor."""
__name = "cpuinfo"
table_header = [
dict(name="CPU", width=4),
dict(name="vendor", width=20),
dict(name="model", width=80)
]
def online_cpus(self):
"""returns a list of online cpus (the processor numbers)"""
#later kernels.
cpus = (self.profile.get_constant("cpu_online_bits") or
self.profile.get_constant("cpu_present_map"))
if not cpus:
raise AttributeError("Unable to determine number of online CPUs "
"for memory capture")
bmap = self.profile.Object(
"unsigned long", offset=cpus, vm=self.kernel_address_space)
for i in xrange(0, bmap.obj_size):
if bmap & (1 << i):
yield i
def calculate(self):
cpus = list(self.online_cpus())
if len(cpus) > 1 and (self.profile.get_constant("cpu_info") or
self.profile.get_constant("per_cpu__cpu_info")):
return self.get_info_smp()
elif self.profile.get_constant("boot_cpu_data"):
return self.get_info_single()
else:
raise AttributeError("Unable to get CPU info for memory capture")
def get_info_single(self):
cpu = self.profile.cpuinfo_x86(
self.profile.get_constant("boot_cpu_data"),
vm=self.kernel_address_space)
yield 0, cpu
# pulls the per_cpu cpu info
# will break apart the per_cpu code if a future plugin needs it
def get_info_smp(self):
cpus = list(self.online_cpus())
# get the highest numbered cpu
max_cpu = cpus[-1]
per_offsets = self.profile.Array(
target='unsigned long', count=max_cpu,
offset=self.profile.get_constant("__per_cpu_offset"),
vm=self.kernel_address_space)
i = 0
for i in cpus:
offset = per_offsets[i]
cpuinfo_addr = (self.profile.get_constant("cpu_info") or
self.profile.get_constant("per_cpu__cpu_info"))
addr = cpuinfo_addr + offset.v()
var = self.profile.Object("cpuinfo_x86", offset=addr,
vm=self.kernel_address_space)
yield i, var
def collect(self):
for processor, cpu in self.calculate():
yield dict(CPU=processor, vendor=cpu.x86_vendor_id,
model=cpu.x86_model_id)
|