python-rekall-core 1.6.0+dfsg-2 / usr / lib / python2.7 / dist-packages / rekall / plugins / windows / privileges.py

This file is indexed.

/usr/lib/python2.7/dist-packages/rekall/plugins/windows/privileges.py is in python-rekall-core 1.6.0+dfsg-2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
#!/usr/bin/python

# Rekall Memory Forensics
# Copyright 2013 Google Inc. All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

"""Inspect the privileges in each process's tokens.

These sets of plugins are designed around the blog post "Windows Access Tokens -
!token and _TOKEN"::
https://bsodtutorials.wordpress.com/2014/08/09/windows-access-tokens-token-and-_token/
"""

__author__ = "Michael Cohen <scudette@gmail.com>"

from rekall import plugin
from rekall.plugins.windows import common


class PrivilegesHook(common.AbstractWindowsParameterHook):
    """Fetch the PrivilegesHook table.

    In Windows, privilege values are not constant, they are actually stored in
    kernel globals. We can see this kind of privilege check:

    0xf800027b4e10 mov rcx, qword ptr [rip + 0x3a42a1] 0x7 nt!SeTcbPrivilege
    0xf800027b4e17 call 0xf80002956a58                 nt!SeSinglePrivilegeCheck

    Demonstrating that the kernel reads the values in these locations (i.e. they
    are not hard coded). Although in reality they are never changed in runtime
    and probably do not really change between systems or versions.

    This hook collects these values from the image.
    """
    name = "privilege_table"

    def calculate(self):
        result = {}
        for symbol in self.session.address_resolver.search_symbol(
                "nt!Se*Privilege"):

            value = self.session.address_resolver.get_constant_object(
                symbol, "unsigned int")

            if value != None and value < 100:
                result[int(value)] = symbol.split("!")[-1]

        return result


class Privileges(common.WinProcessFilter):
    """Prints process privileges."""

    name = "privileges"

    table_header = [
        dict(name="Process", type="_EPROCESS"),
        dict(name="Value", width=3, align="r"),
        dict(name="Privileges", width=40),
        dict(name="Attributes", type="list")
    ]

    def collect(self):
        privilege_table = self.session.GetParameter("privilege_table")

        for task in self.filter_processes():
            for value, flags in task.Token.GetPrivileges():
                # By default skip the privileges that are not present.
                if self.plugin_args.verbosity <= 1 and "Present" not in flags:
                    continue

                yield (task,
                       value,
                       privilege_table.get(value),
                       flags)

APT Browse - Built by Thomas Orozco.