python-rekall-core 1.6.0+dfsg-2 / usr / lib / python2.7 / dist-packages / rekall / plugins / linux / psxview.py

This file is indexed.

/usr/lib/python2.7/dist-packages/rekall/plugins/linux/psxview.py is in python-rekall-core 1.6.0+dfsg-2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# Rekall Memory Forensics
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh <michael.ligh@mnin.org>
# Copyright 2014 Google Inc. All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

# pylint: disable=protected-access


from rekall.plugins.linux import common


class LinuxPsxView(common.LinProcessFilter):
    """Find hidden processes comparing various process listings."""

    __name = "psxview"

    METHODS = common.LinProcessFilter.METHODS + [
        "PidHashTable",
    ]

    __args = [
        dict(name="method", choices=METHODS, type="ChoiceArray",
             default=METHODS, help="Method to list processes.",
             override=True),
    ]

    def render(self, renderer):
        headers = [('Offset(V)', 'virtual_offset', '[addrpad]'),
                   ('Name', 'name', '<20'),
                   ('PID', 'pid', '>12'),
                  ]

        for method in self.plugin_args.method:
            headers.append((method, method, "%s" % len(method)))

        renderer.table_header(headers)

        for process in self.filter_processes():
            row = [process.obj_offset, process.comm, process.pid]

            for method in self.plugin_args.method:
                row.append(process.obj_offset in
                           self.session.GetParameter("pslist_%s" % method))

            renderer.table_row(*row)


class PidHashTableHook(common.AbstractLinuxParameterHook):
    name = "pslist_PidHashTable"

    def calculate(self):
        seen = set()
        pidhashtable_plugin = self.session.plugins.pidhashtable()
        for task in pidhashtable_plugin.filter_processes():
            if task.obj_offset not in seen:
                seen.add(task.obj_offset)

        return seen

APT Browse - Built by Thomas Orozco.