/usr/lib/python2.7/dist-packages/rekall/plugins/response/interpolators.py is in python-rekall-core 1.6.0+dfsg-2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

# Rekall Memory Forensics
# Copyright 2016 Google Inc. All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

"""This module defines interpolators for the common OSs.

Globs and Artifacts may expand interpolations from the KnowledgeBase. This
module provides a live, on demand, KnowledgeBase.
"""
import os
import re
import platform

from rekall import kb
from rekall import registry


class KnowledgeBase(object):
    """Base class for live, on-demand interpolation sources.

    Globs and artifacts refer to ``%%...%%`` variables; subclasses override
    expand() to resolve them for a particular OS. The base implementation
    knows no variables and therefore resolves everything to an empty list.
    """

    def __init__(self, session):
        # The Rekall session; subclasses use it for plugins and logging.
        self.session = session

    def expand(self, variable):
        """Return the list of values *variable* expands to (none here)."""
        del variable  # Unused: the base class has nothing to interpolate.
        return []


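class LinuxKnowledgeBase(KnowledgeBase):
    """Live KnowledgeBase for Linux hosts.

    The only interpolation supported is ``%%users.homedir%%``, resolved by
    parsing the local account database at PASSWD_PATH.
    """

    # Account database parsed by _get_users_homedir. A class attribute so a
    # caller examining a mounted image can point it somewhere else.
    PASSWD_PATH = "/etc/passwd"

    @registry.memoize
    def _get_users_homedir(self):
        """Return the home directory of every account in PASSWD_PATH.

        Blank lines, comment lines and malformed records (fewer than the
        seven colon separated passwd fields) are skipped instead of letting
        an IndexError escape from the collector. An empty home field is
        ignored so that it cannot collapse a glob such as
        ``%%users.homedir%%/.ssh`` onto the filesystem root, and duplicate
        directories are dropped while preserving first-seen order.

        NOTE: only the local passwd file is consulted; accounts served by
        other NSS sources (LDAP, SSSD, ...) are not visible here.

        Returns:
          list of home directory paths, one per distinct non-empty entry.
        """
        homedirs = []
        seen = set()
        # Context manager so the descriptor is released even on a bad read.
        with open(self.PASSWD_PATH) as passwd:
            for record in passwd:
                record = record.strip()
                if not record or record.startswith("#"):
                    continue

                fields = record.split(":")
                if len(fields) < 7:
                    continue

                homedir = fields[5]
                if homedir and homedir not in seen:
                    seen.add(homedir)
                    homedirs.append(homedir)

        return homedirs

    def expand(self, variable):
        """Resolve *variable* to a list of values; unknown variables log a warning."""
        if variable == "%%users.homedir%%":
            return self._get_users_homedir()

        self.session.logging.warn("Unable to interpolate %s", variable)
        return []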


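class WindowsKnowledgeBase(KnowledgeBase):
    """Live KnowledgeBase for Windows hosts.

    Supports ``%%users.sid%%``, ``%%users.homedir%%`` and
    ``%%environ_systemroot%%``; anything else expands to nothing.
    """

    # A SID at the very end of a HKEY_USERS subkey name. The trailing anchor
    # drops keys that carry a suffix after the SID (e.g. the "_Classes"
    # hives) as well as ".DEFAULT".
    _SID_RE = re.compile(r"(S-(\d+-)+\d+)$", re.I)

    @registry.memoize
    def _get_sids(self):
        """Return the SIDs of the user hives currently loaded under HKEY_USERS.

        Walks the registry filesystem view via the glob plugin; only subkeys
        whose name matches _SID_RE are kept.
        """
        sids = []
        hits = self.session.plugins.glob(
            r"HKEY_USERS\*", filesystem="Reg", root="\\",
            path_sep="\\").collect()
        for hit in hits:
            key_name = hit["path"].filename.name or ""
            match = self._SID_RE.search(key_name)
            if match:
                sids.append(match.group(1))

        return sids

    @registry.memoize
    def _get_homedirs(self):
        """Return each user's profile directory.

        On Windows the "home directory" is the profile path reported by the
        WindowsRegistryProfiles artifact; results without a value are
        skipped.
        """
        homedirs = []
        for artifact_hit in self.session.plugins.artifact_collector(
                "WindowsRegistryProfiles"):
            for hit_result in artifact_hit.get("result", []):
                profile_path = hit_result.get("value")
                if profile_path:
                    homedirs.append(profile_path)

        return homedirs

    def expand(self, variable):
        """Resolve *variable* to a list of values.

        Unknown variables, and a missing SystemRoot, log a warning and
        expand to an empty list rather than raising out of the collector
        (the latter previously surfaced as a KeyError).
        """
        if variable == "%%users.sid%%":
            return self._get_sids()

        if variable == "%%users.homedir%%":
            return self._get_homedirs()

        if variable == "%%environ_systemroot%%":
            # os.environ is case-insensitive on Windows, so the canonical
            # upper-case name is fine.
            # NOTE(review): this trusts the process environment. An agent
            # launched with a tampered SystemRoot would have every glob built
            # from this variable redirected; if that matters for the
            # deployment, query GetSystemWindowsDirectory instead.
            systemroot = os.environ.get("SYSTEMROOT")
            if systemroot:
                return [systemroot]

            self.session.logging.warn(
                "SystemRoot is not set in the environment; unable to "
                "interpolate %s", variable)
            return []

        self.session.logging.warn("Unable to interpolate %s", variable)
        return []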


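class KnowledgeBaseHook(kb.ParameterHook):
    """Session parameter hook that builds the live KnowledgeBase for this host."""

    name = "knowledge_base"

    def calculate(self):
        """Return the KnowledgeBase matching the running operating system.

        Platforms without a specialised implementation (e.g. Darwin) get the
        base KnowledgeBase, which expands every variable to an empty list;
        this used to return None, leaving callers to fail on ``.expand()``.
        """
        system = platform.system()
        if system == "Linux":
            return LinuxKnowledgeBase(self.session)

        if system == "Windows":
            return WindowsKnowledgeBase(self.session)

        return KnowledgeBase(self.session)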