
/usr/lib/python2.7/dist-packages/rekall/plugins/tools/live_linux.py is in python-rekall-core 1.6.0+dfsg-2.

This file is owned by root:root, with mode 0o644.


#!/usr/bin/env python2

# Rekall Memory Forensics
# Copyright 2015 Google Inc. All Rights Reserved.
#
# Author: Michael Cohen scudette@google.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

__author__ = "Michael Cohen <scudette@google.com>"

"""A plugin to install relevant kernel modules to enable live analysis.

The intention is to allow the user to launch:

rekall live

and have Rekall install the right kernel module and connect to the driver on all
supported operating systems.
"""
import os

from rekall import plugin
from rekall import session

from rekall.plugins.addrspaces import standard


class Live(plugin.TypedProfileCommand,
           plugin.ProfileCommand):
    """Launch a Rekall shell for live analysis on the current system."""

    name = "live"

    # Live analysis targets the running host, so the user does not have to
    # pick a profile before the plugin can start.
    PROFILE_REQUIRED = False

    # Name-mangled on purpose (rekall's convention for plugin argument specs).
    __args = [
        dict(name="mode", default="Memory", type="Choices",
             choices=session.LIVE_MODES,
             help="Mode for live analysis."),
    ]

    def _stack_kcore(self):
        """Build the physical address space over /proc/kcore by hand.

        Replaces the session's physical address space with whatever
        load_as.GuessAddressSpace() selects on top of a FileAddressSpace for
        /proc/kcore, then renames the session to reflect that source. Any
        IOError raised while opening the file propagates to the caller.
        """
        loader = self.session.plugins.load_as(session=self.session)
        kcore = standard.FileAddressSpace(session=self.session,
                                          filename="/proc/kcore")
        self.session.physical_address_space = loader.GuessAddressSpace(
            base_as=kcore)
        self.session.SetParameter("session_name", "Live(/proc/kcore)")

    def live(self):
        """Configure the session for live analysis of the running host.

        Logs a warning when the effective uid is not root (opening
        /proc/kcore normally needs elevated privileges), switches the session
        to the timed cache, records the selected live mode and a session
        name, and in "Memory" mode attaches /proc/kcore as the physical
        address space. A failure to open physical memory is logged rather
        than raised, so the caller continues with whatever the session has.
        """
        if os.geteuid() != 0:
            self.session.logging.error(
                "You are not root. It is likely that some operations "
                "may not be available.")

        with self.session:
            # Live sessions always run with the timed cache.
            self.session.SetParameter("cache", "timed")
            mode = self.plugin_args.mode
            self.session.SetParameter("live_mode", mode)
            self.session.SetParameter("session_name", "Live (%s)" % mode)

            if mode != "Memory":
                return

            try:
                self._stack_kcore()
            except IOError as e:
                self.session.logging.error(
                    "Unable to load physical memory: %s ", e)

    def close(self):
        """Release plugin resources; there is nothing to tear down here."""
        pass

    def __str__(self):
        """Return a fixed label instead of rendering the plugin.

        Rendering would run collect(), which launches an interactive shell;
        a constant string keeps str() free of side effects.
        """
        return "Live Plugin"

    def __enter__(self):
        """Set up live analysis and return the plugin for use in a with block."""
        self.live()
        return self

    def __exit__(self, exc_type, exc_value, trace):
        """Tear down via close(); exceptions are not suppressed."""
        self.close()

    def collect(self, renderer):
        """Announce live analysis, configure it, then hand over to the shell."""
        renderer.format("Launching live memory analysis\n")
        self.live()

        # Drop the user into the interactive shell on the prepared session.
        interactive = self.session.plugins.shell()
        interactive.render(renderer)