
/usr/lib/python2.7/dist-packages/rekall/plugins/linux/lsof.py is in python-rekall-core 1.6.0+dfsg-2.

This file is owned by root:root, with mode 0o644.

# Rekall Memory Forensics
#
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright 2013 Google Inc. All Rights Reserved.
#
# This file is part of Rekall Memory Forensics.
#
# Rekall Memory Forensics is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Rekall Memory Forensics is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with Rekall Memory Forensics.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

from rekall import testlib
from rekall.plugins.linux import common


class Lsof(common.LinProcessFilter):
    """Lists open files."""

    # Tasks are selected by the inherited filter_processes(); for each one the
    # descriptor table (task.files.fds) is walked and a row is rendered per
    # populated slot.
    #
    # NOTE(review): every value shown is read straight from the analysed
    # memory image and nothing in this class validates it, so rows are
    # evidence to corroborate, not ground truth.

    __name = "lsof"

    def get_open_files(self, task):
        """Yield ``(file_struct, fd)`` for each populated descriptor slot.

        The descriptor number seen by user space is the slot's index in the
        task's fd array, so the enumeration index is reported as the fd.
        """
        for fd, slot in enumerate(task.files.fds):
            opened = slot.deref()
            # Slots that do not dereference to a truthy object are skipped
            # (presumably unused/NULL entries - confirm against the profile).
            if not opened:
                continue
            yield opened, fd

    def lsof(self):
        """Yield ``(task, file_struct, fd)`` for every selected task."""
        for task in self.filter_processes():
            for entry in self.get_open_files(task):
                opened, fd = entry
                yield task, opened, fd

    def render(self, renderer):
        """Write one table row per open file of each selected task."""
        columns = [
            ("Name", "name", "20s"),
            ("Pid", "pid", "8"),
            ("User", "uid", ">8"),
            ("FD", "fd", ">8"),
            ("Size", "size", ">12"),
            ("Offset", "offset", ">12"),
            ("Node", "node", ">8"),
            ("Path", "path", ""),
        ]
        renderer.table_header(columns)

        for task, opened, fd in self.lsof():
            # Size and inode number are looked up through the file's dentry
            # and inode by member path; f_pos is the file's own field.
            row = (
                task.comm,
                task.pid,
                task.uid,
                fd,
                opened.m("f_path.dentry.d_inode.i_size"),
                opened.m("f_pos"),
                opened.m("f_path.dentry.d_inode.i_ino"),
                task.get_path(opened),
            )
            renderer.table_row(*row)


class TestLsof(testlib.SimpleTestCase):
    # Runs the lsof plugin with --proc_regex; the %(proc_name)s placeholder is
    # presumably filled from PARAMETERS by the test framework - confirm in
    # testlib.
    PARAMETERS = {
        "commandline": "lsof --proc_regex %(proc_name)s",
        "proc_name": "bash",
    }

    @classmethod
    def is_active(cls, session):
        """Return whatever ``Lsof.is_active`` reports for this session."""
        active = Lsof.is_active(session)
        return active