/usr/lib/python2.7/dist-packages/rekall/plugins/windows/kpcr.py is in python-rekall-core 1.6.0+dfsg-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 | # Rekall Memory Forensics
#
# Copyright 2013 Google Inc. All Rights Reserved.
#
# Authors:
# Michael Cohen <scudette@gmail.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
"""This plugin is used for displaying information about the Kernel Processor
Control Blocks.
"""
# pylint: disable=protected-access
from rekall import obj
from rekall.plugins.windows import common
class KPCR(common.WindowsCommandPlugin):
"""A plugin to print all KPCR blocks."""
__name = "kpcr"
def kpcr(self):
"""A generator of KPCR objects (one for each CPU)."""
# On windows 7 the KPCR is just stored in a symbol.
initial_pcr = self.profile.get_constant_object(
"KiInitialPCR",
"_KPCR")
# Validate the PCR through the self member.
self_Pcr = initial_pcr.m("SelfPcr") or initial_pcr.m("Self")
if self_Pcr.v() == initial_pcr.obj_offset:
return initial_pcr
# On windows XP the KPCR is hardcoded to 0xFFDFF000
pcr = self.profile._KPCR(0xFFDFF000)
if pcr.SelfPcr.v() == pcr.obj_offset:
return pcr
return obj.NoneObject("Unknown KPCR")
def render(self, renderer):
kpcr = self.kpcr()
renderer.section()
renderer.table_header([("Property", "property", "<30"),
("Value", "value", "<")])
renderer.table_row("Offset (V)", "%#x" % kpcr.obj_offset)
renderer.table_row("KdVersionBlock", kpcr.KdVersionBlock, style="full")
renderer.table_row("IDT", "%#x" % kpcr.IDT)
renderer.table_row("GDT", "%#x" % kpcr.GDT)
current_thread = kpcr.ProcessorBlock.CurrentThread
idle_thread = kpcr.ProcessorBlock.IdleThread
next_thread = kpcr.ProcessorBlock.NextThread
if current_thread:
renderer.format("{0:<30}: {1:#x} TID {2} ({3}:{4})\n",
"CurrentThread",
current_thread, current_thread.Cid.UniqueThread,
current_thread.owning_process().ImageFileName,
current_thread.Cid.UniqueProcess,
)
if idle_thread:
renderer.format("{0:<30}: {1:#x} TID {2} ({3}:{4})\n",
"IdleThread",
idle_thread, idle_thread.Cid.UniqueThread,
idle_thread.owning_process().ImageFileName,
idle_thread.Cid.UniqueProcess,
)
if next_thread:
renderer.format("{0:<30}: {1:#x} TID {2} ({3}:{4})\n",
"NextThread",
next_thread,
next_thread.Cid.UniqueThread,
next_thread.owning_process().ImageFileName,
next_thread.Cid.UniqueProcess,
)
renderer.format("{0:<30}: CPU {1} ({2} @ {3} MHz)\n",
"Details",
kpcr.ProcessorBlock.Number,
kpcr.ProcessorBlock.VendorString,
kpcr.ProcessorBlock.MHz)
renderer.format(
"{0:<30}: {1:#x}\n", "CR3/DTB",
kpcr.ProcessorBlock.ProcessorState.SpecialRegisters.Cr3)
|