Package rekall :: Module kb :: Class ParameterHook

Class ParameterHook

A mechanism for automatically calculating a parameter.

The session contains many parameters which are calculated through the various plugins, or provided by the user. These parameters essentially represent a growing body of knowledge about the image we are currently analysing.

Some plugins require this information before they can continue. If the information is already known, we do not need to re-derive it, and the value can be cached in the session.

A ParameterHook is a class which is called to find out the value of a parameter when it is not known.

Nested Classes
	__metaclass__ Automatic Plugin Registration through metaclasses.
	top_level_class A mechanism for automatically calculating a parameter.

Instance Methods

__init__(self, session)
x.__init__(...) initializes x; see help(type(x)) for signature

source code

calculate(self)
Derive the value of the parameter.

source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods

ImplementationByClass(self, name)

source code

ImplementationByName(self, name)

source code

is_active(cls, session)
Checks we are active. (Inherited from rekall.plugin.ModeBasedActiveMixin)

source code

Class Variables
	name = `None` hash(x)
	expiry = `None` hash(x)
	volatile = `True`
	classes = `{'AMD64Mode': <class 'rekall.plugins.modes.AMD64Mode...`
	classes_by_name = `{'ObjectTypeMap': [<class 'rekall.plugins.ov...`
	mode = `None` hash(x) (Inherited from rekall.plugin.ModeBasedActiveMixin)
	plugin_feature = `'ParameterHook'`

Properties
Inherited from `object`: `__class__`

Method Details

init(self, session)
(Constructor)

source code

x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__: (inherited documentation)

Class Variable Details

classes

Value:

{'AMD64Mode': <class 'rekall.plugins.modes.AMD64Mode'>,
 'CatfishOffsetHook': <class 'rekall.plugins.darwin.common.CatfishOffs
etHook'>,
 'DTB2TaskMap': <class 'rekall.plugins.windows.kernel.DTB2TaskMap'>,
 'DarwinFindSysent': <class 'rekall.plugins.darwin.checks.DarwinFindSy
sent'>,
 'DarwinGetArpListHead': <class 'rekall.plugins.darwin.networking.Darw
inGetArpListHead'>,
...

classes_by_name

Value:

{'ObjectTypeMap': [<class 'rekall.plugins.overlays.windows.win7.Object
TypeMapHook'>],
 'ObpInfoMaskToOffset': [<class 'rekall.plugins.overlays.windows.win8.
ObpInfoMaskToOffsetHook'>],
 'PsActiveProcessHead': [<class 'rekall.plugins.windows.common.PsActiv
eProcessHeadHook'>],
 'PsLoadedModuleList': [<class 'rekall.plugins.windows.common.PsLoaded
ModuleList'>],
...

Class ParameterHook

__init__(self, session) (Constructor)

classes

classes_by_name

init(self, session)
(Constructor)