Added a times plugin.

Review URL: https://codereview.appspot.com/297430043 .
google · Jun 1, 2016 · 43960e2 · 43960e2
1 parent 00a1409
commit 43960e2
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 4 deletions.
diff --git a/rekall-core/rekall/plugins/overlays/windows/common.py b/rekall-core/rekall/plugins/overlays/windows/common.py
@@ -620,7 +620,7 @@ def base(self):
     @utils.safe_property
     def filename(self):
         object_tree_plugin = self.obj_session.plugins.object_tree()
-        return object_tree_plugin.FileNameWithDrive(self.FullDllName.v())
+        return object_tree_plugin.FileNameWithDrive(unicode(self.FullDllName))
 
     @utils.safe_property
     def end(self):
@@ -655,7 +655,7 @@ def v(self, vm=None):
                 vm=vm)
             return data.v()
         else:
-            return ''
+            return u''
 
     def __nonzero__(self):
         ## Unicode strings are valid if they point at a valid memory

diff --git a/rekall-core/rekall/plugins/renderers/base_objects.py b/rekall-core/rekall/plugins/renderers/base_objects.py
@@ -325,3 +325,27 @@ def render_compact(self, target, **_):
     def render_repr(self, target, **_):
         """Explicitly just render the repr."""
         return text.Cell(repr(target))
+
+
+class AttributeDictTextRenderer(text.TextObjectRenderer):
+    renders_type = "dict"
+    renderers = ["TextRenderer", "TestRenderer"]
+
+    def __init__(self, *args, **kwargs):
+        """We make a sub table for key, values."""
+        super(AttributeDictTextRenderer, self).__init__(*args, **kwargs)
+        self.table = text.TextTable(
+            columns=[
+                dict(name="Key"),
+                dict(name="Value"),
+            ],
+            auto_widths=True,
+            renderer=self.renderer,
+            session=self.session)
+
+    def render_row(self, item, **options):
+        result = []
+        for key, value in item.iteritems():
+            result.append(self.table.get_row(key, value))
+
+        return text.StackedCell(*result)
diff --git a/rekall-core/rekall/plugins/windows/misc.py b/rekall-core/rekall/plugins/windows/misc.py
@@ -18,14 +18,14 @@
 """Miscelaneous information gathering plugins."""
 
 __author__ = "Michael Cohen <[email protected]>"
-
 import hashlib
 import re
 
 # pylint: disable=protected-access
 from rekall import obj
 from rekall import utils
 from rekall.plugins import core
+from rekall.plugins.overlays import basic
 from rekall.plugins.windows import common
 
 
@@ -337,7 +337,6 @@ def FileNameWithDrive(self, path):
         # First normalize the path.
         try:
             path = self.ResolveSymlinks(path)
-
             for prefix, drive_letter in self.session.GetParameter(
                     "drive_letter_device_map").iteritems():
                 prefix = self.ResolveSymlinks(prefix)
@@ -431,3 +430,28 @@ def render(self, renderer):
 
         seen = set()
         self._render_directory(root, renderer, seen)
+
+
+class WindowsTimes(common.WindowsCommandPlugin):
+    """Return current time, as known to the kernel."""
+
+    name = "times"
+
+    table_header = [
+        dict(name="Times"),
+    ]
+
+    def collect(self):
+        kuser_shared = self.session.address_resolver.get_constant_object(
+            "nt!KI_USER_SHARED_DATA", "_KUSER_SHARED_DATA")
+
+        seconds_since_boot = self.session.plugins.imageinfo().GetBootTime(
+            kuser_shared)
+
+        kernel_time = kuser_shared.SystemTime
+        boot_timestamp = basic.UnixTimeStamp(
+            value=kernel_time - seconds_since_boot,
+            session=self.session)
+
+        yield [utils.AttributeDict(now=kernel_time, boot=boot_timestamp,
+                                   uptime=seconds_since_boot)]