Fixed a bug in OSX.

Also updated more windows plugins to typed output. R=parki.san@gmail.com Review URL: https://codereview.appspot.com/297350043 .
google · May 24, 2016 · 59dc2ba · 59dc2ba
1 parent 5b036cd
commit 59dc2ba
Show file tree

Hide file tree

Showing 7 changed files with 85 additions and 106 deletions.
diff --git a/rekall-core/rekall/obj.py b/rekall-core/rekall/obj.py
@@ -1022,7 +1022,7 @@ def __iter__(self):
         if not self.obj_vm.is_valid_address(self.obj_offset):
             return
 
-        for position in xrange(0, self.count):
+        for position in utils.xrange(0, self.count):
             # Since we often calculate array counts it is possible to
             # calculate huge arrays. This will then spin here
             # uncontrollably. We use max_count as a safety to break out

diff --git a/rekall-core/rekall/plugins/common/search.py b/rekall-core/rekall/plugins/common/search.py
@@ -176,6 +176,8 @@ def collect(self):
         for producer in which.collect():
             # We know the producer plugin implements 'produce' because
             # 'which_plugin' guarantees it.
+            self.session.logging.debug("Producing %s from producer %r",
+                                       self.type_name, producer)
             for result in producer.produce():
                 previous = results.get(result.indices)
                 if previous:

diff --git a/rekall-core/rekall/plugins/overlays/darwin/darwin.py b/rekall-core/rekall/plugins/overlays/darwin/darwin.py
@@ -628,9 +628,9 @@ def list_of_type(self, type, member):
             yield item
             if item.obj_offset in seen:
                 return
-
+            seen.add(item.obj_offset)
             item = item.m(member).next.dereference_as(type)
-
+            
 
 class sockaddr_dl(obj.Struct):
     def __unicode__(self):

diff --git a/rekall-core/rekall/plugins/windows/handles.py b/rekall-core/rekall/plugins/windows/handles.py
@@ -30,41 +30,33 @@ class Handles(common.WinProcessFilter):
 
     __name = "handles"
 
-    @classmethod
-    def args(cls, parser):
-        """Declare the command line args we need."""
-        super(Handles, cls).args(parser)
-        parser.add_argument(
-            "-t", "--object_types", type="ArrayStringParser",
-            help="Types of objects to show.")
-        parser.add_argument(
-            "--named_only", type="Boolean",
-            help="Output only handles with a name .")
-
-    def __init__(self, *args, **kwargs):
-        """Lists the handles for processes.
-
-        Args:
-          object_types: Show these object types (An array of Object Types -
-                        for example: object_types=["Process", "File"]).
-          silent: Suppress less meaningful results
-        """
-        self.object_list = kwargs.pop("object_types", None)
-        self.silent = kwargs.pop("silent", False)
-        self.named_only = kwargs.pop("named_only", False)
-
-        super(Handles, self).__init__(*args, **kwargs)
+    __args = [
+        dict(name="object_types", type="ArrayStringParser",
+             help="Types of objects to show."),
+        dict(name="named_only", type="Boolean",
+             help="Output only handles with a name ."),
+    ]
+
+    table_header = [
+        dict(name="_OBJECT_HEADER", cname="offset_v", style="address"),
+        dict(name="_EPROCESS", type="_EPROCESS", cname="_EPROCESS"),
+        dict(name="Handle", cname="handle", style="address"),
+        dict(name="Access", cname="access", style="address"),
+        dict(name="Type", cname="obj_type", width=16),
+        dict(name="Details", cname="details")
+    ]
 
     def enumerate_handles(self, task):
         if task.ObjectTable.HandleTableList:
             for handle in task.ObjectTable.handles():
-                name = ""
+                name = u""
                 object_type = handle.get_object_type(self.kernel_address_space)
 
                 if object_type == None:
                     continue
 
-                if self.object_list and object_type not in self.object_list:
+                if (self.plugin_args.object_types and
+                        object_type not in self.plugin_args.object_types):
                     continue
 
                 elif object_type == "File":
@@ -86,41 +78,28 @@ def enumerate_handles(self, task):
                         thrd_obj.Cid.UniqueProcess)
 
                 elif handle.NameInfo.Name == None:
-                    name = ""
+                    name = u""
                 else:
                     name = handle.NameInfo.Name
 
-                if not name and self.named_only:
+                if not name and self.plugin_args.named_only:
                     continue
 
                 yield handle, object_type, name
 
-    def render(self, renderer):
-        renderer.table_header([("_OBJECT_HEADER", "offset_v", "[addrpad]"),
-                               dict(name="_EPROCESS", type="_EPROCESS",
-                                    cname="_EPROCESS"),
-                               ("Handle", "handle", "[addr]"),
-                               ("Access", "access", "[addr]"),
-                               ("Type", "obj_type", "16"),
-                               ("Details", "details", "")])
-
+    def collect(self):
         for task in self.filter_processes():
             for count, (handle, object_type, name) in enumerate(
                     self.enumerate_handles(task)):
 
                 self.session.report_progress("%s: %s handles" % (
                     task.ImageFileName, count))
 
-                if self.silent:
-                    if len(utils.SmartUnicode(name).replace("'", "")) == 0:
-                        continue
-
-                renderer.table_row(
-                    handle,
-                    task,
-                    handle.HandleValue,
-                    handle.GrantedAccess,
-                    object_type, name)
+                yield (handle,
+                       task,
+                       handle.HandleValue,
+                       handle.GrantedAccess,
+                       object_type, utils.SmartUnicode(name))
 
 
 class TestHandles(testlib.SimpleTestCase):

diff --git a/rekall-core/rekall/plugins/windows/modules.py b/rekall-core/rekall/plugins/windows/modules.py
@@ -20,12 +20,11 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
 
-import bisect
 import re
 
-from rekall import obj
 from rekall import plugin
 from rekall import scan
+from rekall import utils
 from rekall.plugins.windows import common
 
 
@@ -34,25 +33,29 @@ class Modules(common.WindowsCommandPlugin):
 
     __name = "modules"
 
-    @classmethod
-    def args(cls, parser):
-        """Declare the command line args we need."""
-        super(Modules, cls).args(parser)
-        parser.add_argument("--name_regex",
-                            help="Filter module names by this regex.")
+    __args = [
+        dict(name="name_regex", type="RegEx",
+             help="Filter module names by this regex.")
+    ]
 
-    def __init__(self, name_regex=None, **kwargs):
-        """List kernel modules by walking the PsLoadedModuleList."""
-        super(Modules, self).__init__(**kwargs)
-        self.name_regex = re.compile(name_regex or ".", re.I)
+    table_header = [
+        dict(name="_LDR_DATA_TABLE_ENTRY", cname="offset_v", style="address"),
+        dict(name="Name", cname="file_name", width=20),
+        dict(name='Base', cname="module_base", style="address"),
+        dict(name='Size', cname="module_size", style="address"),
+        dict(name='File', cname="path")
+    ]
 
     def lsmod(self):
         """ A Generator for modules (uses _KPCR symbols) """
-        for module in self.session.GetParameter("PsLoadedModuleList").list_of_type(
-                "_LDR_DATA_TABLE_ENTRY", "InLoadOrderLinks"):
+        for module in self.session.GetParameter(
+                "PsLoadedModuleList").list_of_type(
+                    "_LDR_DATA_TABLE_ENTRY", "InLoadOrderLinks"):
 
             # Skip modules which do not match.
-            if not self.name_regex.search(str(module.FullDllName)):
+            if (self.plugin_args.name_regex and
+                    not self.plugin_args.name_regex.search(
+                        utils.SmartUnicode(module.FullDllName))):
                 continue
 
             yield module
@@ -61,24 +64,15 @@ def addresses(self):
         """Returns a list of module addresses."""
         return sorted(self.mod_lookup.keys())
 
-    def render(self, renderer):
+    def collect(self):
         object_tree_plugin = self.session.plugins.object_tree()
 
-        renderer.table_header(
-            [("_LDR_DATA_TABLE_ENTRY", "offset_v", "[addrpad]"),
-             ("Name", "file_name", "20"),
-             ('Base', "module_base", "[addrpad]"),
-             ('Size', "module_size", "[addr]"),
-             ('File', "path", "")
-            ])
-
         for module in self.lsmod():
-            renderer.table_row(
-                module.obj_offset,
-                module.BaseDllName,
-                module.DllBase,
-                module.SizeOfImage,
-                object_tree_plugin.FileNameWithDrive(module.FullDllName.v()))
+            yield (module,
+                   module.BaseDllName,
+                   module.DllBase,
+                   module.SizeOfImage,
+                   object_tree_plugin.FileNameWithDrive(module.FullDllName.v()))
 
 
 class RSDSScanner(scan.BaseScanner):
@@ -94,6 +88,13 @@ class ModVersions(Modules):
 
     __name = "version_modules"
 
+    table_header = [
+        dict(name="Offset (V)", cname="offset_v", style="address"),
+        dict(name="Name", cname="file_name", width=20),
+        dict(name='GUID/Version', cname="guid", width=33),
+        dict(name="PDB", cname="pdb")
+    ]
+
     def ScanVersions(self):
         pe_profile = self.session.LoadProfile("pe")
         scanner = RSDSScanner(address_space=self.kernel_address_space,
@@ -108,19 +109,12 @@ def ScanVersions(self):
                 guid = "%s%x" % (rsds.GUID.AsString, rsds.Age)
                 yield module, rsds, guid
 
-    def render(self, renderer):
-        renderer.table_header(
-            [("Offset (V)", "offset_v", "[addrpad]"),
-             ("Name", "file_name", "20"),
-             ('GUID/Version', "guid", "33"),
-             ("PDB", "pdb", "")])
-
+    def collect(self):
         for module, rsds, guid in self.ScanVersions():
-            renderer.table_row(
-                rsds,
-                module.BaseDllName,
-                guid,
-                rsds.Filename)
+            yield (rsds,
+                   module.BaseDllName,
+                   guid,
+                   rsds.Filename)
 
 
 class VersionScan(plugin.PhysicalASMixin, plugin.Command):
@@ -191,7 +185,14 @@ class UnloadedModules(common.WindowsCommandPlugin):
 
     name = "unloaded_modules"
 
-    def render(self, renderer):
+    table_header = [
+        dict(name="Name", cname="name", width=20),
+        dict(name="Start", cname="start", style="address"),
+        dict(name="End", cname="end", style="address"),
+        dict(name="Time", cname="time")
+    ]
+
+    def collect(self):
         unloaded_table = self.profile.get_constant_object(
             "MmUnloadedDrivers",
             target="Pointer",
@@ -210,21 +211,18 @@ def render(self, renderer):
             mistate = self.profile.get_constant_object(
                 "MiState", target="_MI_SYSTEM_INFORMATION")
 
-            unloaded_table = mistate.UnloadedDrivers.dereference_as(
+            unloaded_table = mistate.multi_m(
+                "UnloadedDrivers",
+                "Vs.UnloadedDrivers"
+            ).dereference_as(
                 "Array",
                 target_args=dict(
                     target="_UNLOADED_DRIVERS",
                     count=mistate.LastUnloadedDriver)
             )
 
-
-        renderer.table_header([("Name", "name", "20"),
-                               ("Start", "start", "[addrpad]"),
-                               ("End", "end", "[addrpad]"),
-                               ("Time", "time", "")])
-
         for driver in unloaded_table:
-            renderer.table_row(driver.Name,
-                               driver.StartAddress.v(),
-                               driver.EndAddress.v(),
-                               driver.CurrentTime)
+            yield (driver.Name,
+                   driver.StartAddress.v(),
+                   driver.EndAddress.v(),
+                   driver.CurrentTime)
diff --git a/tools/installers/winbuild.py b/tools/installers/winbuild.py
@@ -144,7 +144,7 @@ def main():
 
     print "Copy resources into the package."
     # Recent versions of Pyinstaller already copy resources they know about.
-    # copy("rekall-core/resources/*", "dist/rekal/resources")
+    copy("rekall-core/resources", "dist/rekal")
     copy("rekall-gui/manuskript", "dist/rekal")
     copy("rekall-gui/rekall_gui/plugins/webconsole",
          "dist/rekal/rekall_gui/plugins")

diff --git a/tools/pmem/pmem.h b/tools/pmem/pmem.h
@@ -16,7 +16,7 @@ specific language governing permissions and limitations under the License.
 #ifndef TOOLS_PMEM_PMEM_H_
 #define TOOLS_PMEM_PMEM_H_
 
-#define PMEM_VERSION "2.1.post3";
+#define PMEM_VERSION "2.1.post4";
 
 #include <aff4/libaff4.h>
 #include <aff4/aff4_imager_utils.h>