Wenzel/auto_config.py

## auto_config.py
import os
import sys
import stat
import logging
import libvirt
from tempfile import TemporaryDirectory, NamedTemporaryFile
from rekall import plugins, session

def extract_config(ram_dump):
    home = os.getenv('HOME')
    local_cache_path = os.path.join(home, '.rekall_cache')
    try:
        os.makedirs(local_cache_path)
    except OSError: # already exists
        pass
    logging.info('Analyzing RAM dump with Rekall')
    s = session.Session(
            filename=ram_dump,
            autodetect=["rsds"],
            logger=logging.getLogger(),
            autodetect_build_local='none',
            format='data',
            profile_path=[
                local_cache_path,
                "http://profiles.rekall-forensic.com"
            ])

    pdbase = s.profile.get_obj_offset('_KPROCESS', 'DirectoryTableBase')
    tasks = s.profile.get_obj_offset('_EPROCESS', 'ActiveProcessLinks')
    name = s.profile.get_obj_offset('_EPROCESS', 'ImageFileName')
    pid = s.profile.get_obj_offset('_EPROCESS', 'UniqueProcessId')

    config = {
        "ostype": "Windows",
        "win_pdbase": pdbase,
        "win_tasks": tasks,
        "win_pid": pid,
        "win_name": name,
    }

    return config


def get_windows_config(domain):
    # take memory dump
    # we need to put the ram dump in our own directory
    # because otherwise it will be created in /tmp
    # and later owned by root
    with TemporaryDirectory() as tmp_dir:
        with NamedTemporaryFile(dir=tmp_dir) as ram_dump:
            # chmod to be r/w by everyone
            os.chmod(ram_dump.name,
                     stat.S_IRUSR | stat.S_IWUSR |
                     stat.S_IRGRP | stat.S_IWGRP |
                     stat.S_IROTH | stat.S_IWOTH)
            # take a ram dump
            logging.info('Dumping physical memory to %s', ram_dump.name)
            flags = libvirt.VIR_DUMP_MEMORY_ONLY
            dumpformat = libvirt.VIR_DOMAIN_CORE_DUMP_FORMAT_RAW
            domain.coreDumpWithFormat(ram_dump.name, dumpformat, flags)
            config = extract_config(ram_dump.name)
            return config
	import os
	import sys
	import stat
	import logging
	import libvirt
	from tempfile import TemporaryDirectory, NamedTemporaryFile
	from rekall import plugins, session

	def extract_config(ram_dump):
	home = os.getenv('HOME')
	local_cache_path = os.path.join(home, '.rekall_cache')
	try:
	os.makedirs(local_cache_path)
	except OSError: # already exists
	pass
	logging.info('Analyzing RAM dump with Rekall')
	s = session.Session(
	filename=ram_dump,
	autodetect=["rsds"],
	logger=logging.getLogger(),
	autodetect_build_local='none',
	format='data',
	profile_path=[
	local_cache_path,
	"http://profiles.rekall-forensic.com"
	])

	pdbase = s.profile.get_obj_offset('_KPROCESS', 'DirectoryTableBase')
	tasks = s.profile.get_obj_offset('_EPROCESS', 'ActiveProcessLinks')
	name = s.profile.get_obj_offset('_EPROCESS', 'ImageFileName')
	pid = s.profile.get_obj_offset('_EPROCESS', 'UniqueProcessId')

	config = {
	"ostype": "Windows",
	"win_pdbase": pdbase,
	"win_tasks": tasks,
	"win_pid": pid,
	"win_name": name,
	}

	return config


	def get_windows_config(domain):
	# take memory dump
	# we need to put the ram dump in our own directory
	# because otherwise it will be created in /tmp
	# and later owned by root
	with TemporaryDirectory() as tmp_dir:
	with NamedTemporaryFile(dir=tmp_dir) as ram_dump:
	# chmod to be r/w by everyone
	os.chmod(ram_dump.name,
	stat.S_IRUSR \| stat.S_IWUSR \|
	stat.S_IRGRP \| stat.S_IWGRP \|
	stat.S_IROTH \| stat.S_IWOTH)
	# take a ram dump
	logging.info('Dumping physical memory to %s', ram_dump.name)
	flags = libvirt.VIR_DUMP_MEMORY_ONLY
	dumpformat = libvirt.VIR_DOMAIN_CORE_DUMP_FORMAT_RAW
	domain.coreDumpWithFormat(ram_dump.name, dumpformat, flags)
	config = extract_config(ram_dump.name)
	return config