Class Profile (package rekall, module obj)

A collection of types relating to a single compilation unit.

Profiles are usually not instantiated directly. Rather, the profiles are loaded from the profile repository using the session.LoadProfile() method.

Nested Classes

  __metaclass__
      Automatic Plugin Registration through metaclasses.
  top_level_class
      A collection of types relating to a single compilation unit.
Instance Methods

  __init__(self, name=None, session=None, metadata=None, **kwargs)
      x.__init__(...) initializes x; see help(type(x)) for signature
  EnsureInitialized(self)
  flush_cache(self)
  copy(self)
      Makes a copy of this profile.
  merge(self, other)
      Merges another profile into this one.
  merge_symbols(self, other, *args)
  metadata(self, name, default=None)
      Obtain metadata about this profile.
  set_metadata(self, name, value)
  metadatas(self, *args)
      Obtain metadata about this profile.
  has_type(self, type_name)
  has_class(self, class_name)
  add_classes(self, classes_dict=None, **kwargs)
      Add the classes in the dict to our object classes mapping.
  add_constant_type(self, constant, target, target_args)
  add_constants(self, constants=None, constants_are_addresses=False, **_)
      Add the kwargs as constants for this profile.
  add_reverse_enums(self, **kwargs)
      Add the kwargs as a reverse enum for this profile.
  add_enums(self, **kwargs)
      Add the kwargs as an enum for this profile.
  add_types(self, abstract_types)
  compile_type(self, type_name)
      Compile the specific type and ensure it exists in the type cache.
  legacy_field_descriptor(self, typeList)
      Converts the list expression into a target, target_args notation.
  list_to_type(self, name, typeList)
      Parses a specification list and returns a VType object.
  GetPrototype(self, type_name)
      Return a prototype of objects of type 'type_name'.
  get_obj_offset(self, name, member)
      Returns a member's offset within the struct.
  get_obj_size(self, name)
      Returns the size of a struct.
  obj_has_member(self, name, member)
      Returns whether an object has a certain member.
  add_overlay(self, overlay)
      Add an overlay to the current overlay stack.
  get_constant(self, constant, is_address=False)
      Retrieve a constant from the profile.
  get_constant_object(self, constant, target=None, target_args=None, vm=None, **kwargs)
      A helper function for retrieving pointers from the symbol table.
  get_constant_by_address(self, address)
  get_nearest_constant_by_address(self, address, below=True)
      Returns the closest constant below or equal to the address.
  get_enum(self, enum_name, field=None)
  get_reverse_enum(self, enum_name, field=None)
  __dir__(self)
      Support tab completion.
  __getattr__(self, attr)
      Make it easier to instantiate individual members.
  Object(self, type_name=None, offset=None, vm=None, name=None, parent=None, context=None, **kwargs)
      Instantiates the object named by type_name (a string) from the type definition in this profile, passing any optional kwargs through to the object.
  __unicode__(self)
  __repr__(self)
      repr(x)
  integer_to_address(self, virtual_address)

  Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods

  LoadProfileFromData(cls, data, session=None, name=None, profile=None)
      Creates a profile directly from a JSON object.
  Initialize(cls, profile)
      Install required types, classes and constants.
  ImplementationByClass(self, name)
  ImplementationByName(self, name)

Class Variables

  overlays = None
  vtypes = None
  types = None
  constants = None
  applied_modifications = None
  EMPTY_DESCRIPTOR = [0, {}]
  METADATA = {}
  COMMON_CLASSES = {'Array': <class 'rekall.obj.Array'>, 'BitFie...
  classes = {'APIBaseProfile': <class 'rekall.plugins.response.c...
  classes_by_name = {None: [<class 'rekall.obj.Profile'>, <class...
  plugin_feature = 'Profile'

Properties

  Inherited from object: __class__

Method Details

LoadProfileFromData(cls, data, session=None, name=None, profile=None)
Class Method

Creates a profile directly from a JSON object.

Args:
  data: A data structure of an encoded profile. Described at:
  http://www.rekall-forensic.com/docs/development.html#_profile_serializations
  session: A Session object.
  name: The name of the profile.
  profile: An optional initial profile to apply the new sections to. If
    None, we create a new profile instance according to the $METADATA
    section.

Returns:
  A Profile() instance.

Raises:
  IOError if we cannot load the profile.

Initialize(cls, profile)
Class Method

Install required types, classes and constants.

This method should be extended by derived classes. It is a class method to allow other profiles to call this method and install the various components into their own profiles.

__init__(self, name=None, session=None, metadata=None, **kwargs)
(Constructor)

x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__ (inherited documentation)

merge(self, other)

Merges another profile into this one.

The result is that we are able to parse all the types that the other profile has.

compile_type(self, type_name)

Compile the specific type and ensure it exists in the type cache.

The type_name here is a reference to the vtypes which are loaded into the profile.

legacy_field_descriptor(self, typeList)

Converts the list expression into a target, target_args notation.

Legacy vtypes use lists to specify the objects. This function converts from
the legacy format to the more accurate modern format. Hopefully the legacy
format can be deprecated at some point.

Args:
   typeList: A list of types, e.g. ['pointer64', ['_HMAP_TABLE']]

Returns:
   A (target, target_args) tuple. target is the name of the class which should
   be instantiated, while target_args is a dict of args to be passed to
   this class, e.g. ('Pointer', {'target': '_HMAP_TABLE'})

list_to_type(self, name, typeList)

Parses a specification list and returns a VType object.

This function is a bit complex because we support lots of different list types for backwards compatibility.

This is the core function which effectively parses the VType language.

GetPrototype(self, type_name)

Return a prototype of objects of type 'type_name'.

A prototype is a dummy object that looks like a type, but uses data from the profile to provide a list of members and type information.

get_obj_offset(self, name, member)

Returns a member's offset within the struct.

Note that this can be wrong if the offset is a callable.

get_constant(self, constant, is_address=False)

Retrieve a constant from the profile.

Args:
   constant: The name of the constant to retrieve.

   is_address: If true, the constant is converted to an address.

__getattr__(self, attr)
(Qualification operator)

Make it easier to instantiate individual members.

This method makes it possible to use the form:

self.profile._EPROCESS(vm=self.kernel_address_space, offset=X)

Which is easier to type and works well with attribute completion (provided by __dir__).

Object(self, type_name=None, offset=None, vm=None, name=None, parent=None, context=None, **kwargs)

Instantiates the object named by type_name (a string) from the type
definition in this profile, passing any optional kwargs through to the
object.

Args:
  type_name: The name of the Struct to instantiate (e.g. _EPROCESS).

  vm: The address space to instantiate the object onto. If not provided
    we use a dummy null padded address space.

  offset: The location in the address space where the object is
    instantiated.

  name: An optional name for the object.

  context: An opaque dict which is passed to all objects created from
    this object.

  parent: The object can maintain a reference to its parent object.

__repr__(self)
(Representation operator)

repr(x)

Overrides: object.__repr__ (inherited documentation)
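The method details above describe semantics without showing them at work. The following is an added, self-contained illustration written for this page; it is not rekall's code and DemoProfile is not rekall.obj.Profile. It models what the docstrings say: a profile holding vtypes in the [size, {member: [offset, spec]}] layout that EMPTY_DESCRIPTOR = [0, {}] implies, the ['pointer64', ['_T']] to ('Pointer', {'target': '_T'}) conversion of legacy_field_descriptor, get_constant with is_address, get_nearest_constant_by_address with below=True, and Object instantiating a struct at an offset in an address space (falling back to a null-padded one when vm is None). The type _DEMO_PROCESS, the constant names and values, the image-base relocation used for is_address, the (address, name) return shape and the sample memory are all constructed assumptions. The list walk at the end shows why a forensic consumer of such objects needs a revisit guard: a corrupted or looped list must not spin the tool.

```python
import bisect
import struct

# Constructed stand-in for a Rekall profile; NOT rekall.obj.Profile.
# vtype layout assumed from EMPTY_DESCRIPTOR = [0, {}]: {type: [size, {member: [offset, spec]}]}
VTYPES = {"_DEMO_PROCESS": [32, {"Pid": [0, ["unsigned int"]],
                                 "ImageFileName": [8, ["String", {"length": 16}]],
                                 "Next": [24, ["pointer64", ["_DEMO_PROCESS"]]]}]}
# Constructed symbol table: name -> offset relative to the image base.
CONSTANTS = {"PsActiveProcessHead": 0x100, "PsLoadedModuleList": 0x200, "NtBuildNumber": 0x300}
# Assumed mapping of native type names to struct format strings.
NATIVE_FORMATS = {"unsigned int": "<I", "unsigned long long": "<Q", "pointer64": "<Q"}


class DemoProfile:
    """Toy profile: the types and constants of one compilation unit."""
    def __init__(self, vtypes, constants, image_base=0):
        self.vtypes = vtypes
        self.constants = dict(constants)
        self.image_base = image_base  # assumption: is_address=True adds this base
        # Sorted (offset, name) pairs so nearest-constant lookups can bisect.
        self._by_address = sorted((off, name) for name, off in self.constants.items())
        self._offsets = [off for off, _ in self._by_address]

    def get_obj_size(self, name):
        return self.vtypes[name][0]

    def get_obj_offset(self, name, member):
        return self.vtypes[name][1][member][0]

    def legacy_field_descriptor(self, type_list):
        """['pointer64', ['_T']] -> ('Pointer', {'target': '_T'}), as in the docstring."""
        head = type_list[0]
        if head in ("pointer", "pointer64"):
            return "Pointer", {"target": type_list[1][0]}
        if head in NATIVE_FORMATS:
            return "NativeType", {"format_string": NATIVE_FORMATS[head]}
        args = type_list[1] if len(type_list) > 1 and isinstance(type_list[1], dict) else {}
        return head, args

    def get_constant(self, constant, is_address=False):
        value = self.constants[constant]
        return value + self.image_base if is_address else value

    def get_nearest_constant_by_address(self, address, below=True):
        """Closest constant at or below address (at or above it when below=False)."""
        rel = address - self.image_base
        i = (bisect.bisect_right(self._offsets, rel) - 1 if below
             else bisect.bisect_left(self._offsets, rel))
        if i < 0 or i >= len(self._offsets):
            return None, None
        off, name = self._by_address[i]
        return off + self.image_base, name

    def Object(self, type_name, offset, vm=None):
        """Instantiate type_name at offset in address space vm (a bytes-like buffer)."""
        size, members = self.vtypes[type_name]
        if vm is None:  # dummy null-padded address space, as the docstring describes
            vm = bytes(offset + size)
        data = vm[offset:offset + size]
        if len(data) < size:
            raise ValueError("object at 0x%x runs past the end of the address space" % offset)
        obj = {}
        for member, (moff, spec) in members.items():
            target, args = self.legacy_field_descriptor(spec)
            if target in ("NativeType", "Pointer"):
                obj[member] = struct.unpack_from(args.get("format_string", "<Q"), data, moff)[0]
            elif target == "String":
                raw = bytes(data[moff:moff + args["length"]])
                obj[member] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
            else:
                raise NotImplementedError(target)
        return obj


def build_sample_memory(profile):
    """Constructed address space: three processes linked from PsActiveProcessHead."""
    vm = bytearray(0x2000)
    procs = [(0x1800, 4, b"System"), (0x1820, 416, b"smss.exe"), (0x1840, 612, b"demo.exe")]
    for i, (addr, pid, name) in enumerate(procs):
        nxt = procs[i + 1][0] if i + 1 < len(procs) else 0
        struct.pack_into("<I", vm, addr + profile.get_obj_offset("_DEMO_PROCESS", "Pid"), pid)
        noff = addr + profile.get_obj_offset("_DEMO_PROCESS", "ImageFileName")
        vm[noff:noff + len(name)] = name
        struct.pack_into("<Q", vm, addr + profile.get_obj_offset("_DEMO_PROCESS", "Next"), nxt)
    head = profile.get_constant("PsActiveProcessHead", is_address=True)
    struct.pack_into("<Q", vm, head, procs[0][0])
    return vm


def walk_process_list(profile, vm, limit=1024):
    """Follow Next from the list head; stop on NULL, on a revisited address or at limit."""
    head = profile.get_constant("PsActiveProcessHead", is_address=True)
    ptr = struct.unpack_from("<Q", vm, head)[0]
    seen, found = set(), []
    while ptr and ptr not in seen and len(found) < limit:
        seen.add(ptr)
        proc = profile.Object("_DEMO_PROCESS", ptr, vm)
        found.append((proc["Pid"], proc["ImageFileName"]))
        ptr = proc["Next"]
    return found
```

Construct DemoProfile(VTYPES, CONSTANTS, image_base=0x1000), build the sample memory with build_sample_memory and call walk_process_list to read the three constructed processes back; pointing the last Next at the first process again yields the same three entries rather than an endless loop.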

Class Variable Details

COMMON_CLASSES

Value:
{'Array': <class 'rekall.obj.Array'>,
 'BitField': <class 'rekall.obj.BitField'>,
 'Function': <class 'rekall.plugins.tools.disassembler.Function'>,
 'ListArray': <class 'rekall.obj.ListArray'>,
 'NativeType': <class 'rekall.obj.NativeType'>,
 'Pointer': <class 'rekall.obj.Pointer'>,
 'Pointer32': <class 'rekall.obj.Pointer32'>,
 'PointerArray': <class 'rekall.obj.PointerArray'>,
...

classes

Value:
{'APIBaseProfile': <class 'rekall.plugins.response.common.APIBaseProfile'>,
 'ArtifactProfile': <class 'rekall.plugins.response.forensic_artifacts.ArtifactProfile'>,
 'BasicClasses': <class 'rekall.plugins.overlays.basic.BasicClasses'>,
 'BasicPEProfile': <class 'rekall.plugins.overlays.windows.pe_vtypes.BasicPEProfile'>,
 'ConHost64': <class 'rekall.plugins.windows.malware.cmdhistory.ConHos\
...

classes_by_name

Value:
{None: [<class 'rekall.obj.Profile'>,
        <class 'rekall.obj.TestProfile'>,
        <class 'rekall.plugins.overlays.basic.ProfileMIPS32Bits'>,
        <class 'rekall.plugins.overlays.basic.Profile32Bits'>,
        <class 'rekall.plugins.overlays.basic.ProfileLLP64'>,
        <class 'rekall.plugins.overlays.basic.ProfileLP64'>,
        <class 'rekall.plugins.overlays.basic.BasicClasses'>,
        <class 'rekall.plugins.overlays.linux.elf.ELFProfile'>,
...