/usr/lib/python2.7/dist-packages/rekall/plugins/windows/malware/timers.py is in python-rekall-core 1.6.0+dfsg-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 | # Rekall Memory Forensics
# Copyright (c) 2010, 2011, 2012 Michael Ligh <michael.ligh@mnin.org>
# Copyright 2013 Google Inc. All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
from rekall import utils
from rekall.plugins.windows import common
# pylint: disable=protected-access
#References:
# http://www.dcl.hpi.uni-potsdam.de/research/WRK/2007/08/a-performance-issue-in-windows-timer-management/
class Timers(common.WindowsCommandPlugin):
"""Print kernel timers and associated module DPCs.
Ref:
http://computer.forensikblog.de/en/2011/10/timers-and-times.html
"""
__name = "timers"
table_header = [
dict(name="Tbl", align="r", width=3),
dict(name="_KTIMER", style="address"),
dict(name="due", width=22),
dict(name="due_time", width=24),
dict(name="period", width=11, align="r"),
dict(name="sig", align="r", width=4),
dict(name="routine", style="address"),
dict(name="symbol")
]
def _timers(self):
if self.profile.get_constant("KiTimerTableListHead"):
# On XP x64, Windows 2003 SP1-SP2, and Vista SP0-SP2,
# KiTimerTableListHead is an array of 512 _KTIMER_TABLE_ENTRY
# structs.
if self.profile.has_type("_KTIMER_TABLE_ENTRY"):
lists = self.profile.get_constant_object(
"KiTimerTableListHead",
target="Array",
target_args=dict(
target='_KTIMER_TABLE_ENTRY',
count=512)
)
for i, l in enumerate(lists):
for t in l.Entry.list_of_type("_KTIMER", "TimerListEntry"):
yield i, t
else:
# On XP SP0-SP3 x86 and Windows 2003 SP0, KiTimerTableListHead
# is an array of 256 _LIST_ENTRY for _KTIMERs.
lists = self.profile.get_constant_object(
"KiTimerTableListHead",
target="Array",
target_args=dict(
target='_LIST_ENTRY',
count=256)
)
for i, l in enumerate(lists):
for t in l.list_of_type_fast("_KTIMER", "TimerListEntry"):
yield i, t
else:
# On Windows 7, there is no more KiTimerTableListHead. The list is
# at _KPCR.PrcbData.TimerTable.TimerEntries (credits to Matt Suiche
# for this one. See http://pastebin.com/FiRsGW3f).
kpcr = self.session.plugins.kpcr().kpcr()
for i, table in enumerate(kpcr.Prcb.TimerTable.TimerEntries):
self.session.report_progress("Table %r", table)
for t in table.Entry.list_of_type_fast(
"_KTIMER", "TimerListEntry"):
yield i, t
def timers(self):
"""A generator of timer objects."""
# Sort the timers by address to make them easier to inspect.
for i, timer in self._timers():
# This is the code from reactos which checks for this:
# #define ASSERT_TIMER(E) \
# NT_ASSERT(((E)->Header.Type == TimerNotificationObject) || \
# ((E)->Header.Type == TimerSynchronizationObject))
if timer.Header.Type not in ["TimerNotificationObject",
"TimerNotificationObject"]:
continue
self.session.report_progress("Looking at %#x", timer)
# Ignore timers without DPCs
if (not timer.Dpc.is_valid() or
not timer.Dpc.DeferredRoutine.is_valid()):
continue
yield i, timer
def collect(self):
# Print kuser_shared things.
kuser_shared = self.profile.get_constant_object(
"KI_USER_SHARED_DATA", "_KUSER_SHARED_DATA")
interrupt_time = ((kuser_shared.InterruptTime.High1Time << 32) +
kuser_shared.InterruptTime.LowPart)
now = kuser_shared.SystemTime.as_windows_timestamp() - interrupt_time
seen = set()
for i, timer in self.timers():
if timer in seen:
continue
seen.add(timer)
if timer.Header.SignalState.v():
signaled = "Yes"
else:
signaled = "-"
yield dict(Tbl=i,
_KTIMER=timer,
# Due time in InterruptTime (100ns).
due="0x%0.20x" % timer.DueTime.QuadPart,
due_time=self.profile.WinFileTime(
value=now+timer.DueTime.QuadPart,
is_utc=True),
period=timer.Period,
sig=signaled,
routine=timer.Dpc.DeferredRoutine,
symbol=utils.FormattedAddress(
self.session.address_resolver,
timer.Dpc.DeferredRoutine)
)
|