```python
# Rekall Memory Forensics
#
# Copyright 2012 Michael Cohen <scudette@gmail.com>
# Copyright 2013 Google Inc. All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

"""An Address Space for processing Mach-O coredumps."""

from rekall import addrspace
from rekall.plugins.overlays.darwin import macho


# The class and __init__ header lines were dropped by the page rendering;
# they are restored here. The base class follows from the add_run() and
# super() calls below (a run-based address space).
class MACHOCoreDump(addrspace.RunBasedAddressSpace):
    """This AS supports Mach-O coredump files."""

    __name = "macho64"
    __image = True

    def __init__(self, **kwargs):
        super(MACHOCoreDump, self).__init__(**kwargs)

        self.check_file()

        # Try to parse the file now.
        macho_profile = self.session.LoadProfile("OSX/macho")
        # The return value of this call is not used here.
        macho.MachoProfile(session=self.session)
        self.header = macho_profile.mach_header_64(
            vm=self.base, offset=0)

        # Make sure the file is marked as MH_CORE here.
        # self.as_assert(self.header.filetype == "MH_CORE")
        # Note: with the assertion above commented out, any 64-bit Mach-O
        # that carries LC_SEGMENT_64 commands is accepted, not only core dumps.

        for segment in self.header.segments:
            # We only map segments into memory.
            if segment.cmd == "LC_SEGMENT_64":
                self.add_run(
                    segment.vmaddr, segment.fileoff, segment.filesize)
```
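The address space above maps each LC_SEGMENT_64 of a Mach-O core dump as a run from vmaddr to fileoff. The following stand-alone example (added here; not Rekall's code and independent of its profile system) does the same walk over raw bytes with `struct`, bounds-checks every load command, translates virtual addresses through the runs, and shows what the commented-out MH_CORE check would reject. The sample image is constructed inline; `parse_runs`, `vtop` and `build_sample_core` are hypothetical names.

```python
import struct

MH_MAGIC_64, MH_CORE, LC_SEGMENT_64 = 0xFEEDFACF, 0x4, 0x19
HEADER_FMT = "<IiiIIIII"      # mach_header_64 (32 bytes)
SEG_FMT = "<II16sQQQQiiII"    # segment_command_64 (72 bytes)
HDR_LEN, SEG_LEN = struct.calcsize(HEADER_FMT), struct.calcsize(SEG_FMT)

def parse_runs(data, require_core=True):
    """Return sorted (vmaddr, fileoff, filesize) runs, one per LC_SEGMENT_64.
    require_core=False skips the MH_CORE check, as the commented-out as_assert does."""
    magic, _, _, filetype, ncmds, sizeofcmds, _, _ = struct.unpack_from(
        HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O image")
    if require_core and filetype != MH_CORE:
        raise ValueError("filetype is not MH_CORE")
    runs, off, end = [], HDR_LEN, HDR_LEN + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        # Bound each load command by sizeofcmds so a bad cmdsize cannot walk off the buffer.
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("load command overruns sizeofcmds")
        if cmd == LC_SEGMENT_64 and cmdsize >= SEG_LEN:
            _, _, _, vmaddr, _, fileoff, filesize = struct.unpack_from(SEG_FMT, data, off)[:7]
            if fileoff + filesize > len(data):
                raise ValueError("segment bytes lie outside the file")
            if filesize:
                runs.append((vmaddr, fileoff, filesize))
        off += cmdsize
    return sorted(runs)

def vtop(runs, vaddr):
    """Translate a virtual address to a file offset, or None if no run covers it."""
    for vmaddr, fileoff, filesize in runs:
        if vmaddr <= vaddr < vmaddr + filesize:
            return fileoff + (vaddr - vmaddr)
    return None

def build_sample_core(filetype=MH_CORE):
    """Constructed two-segment image for testing; not a real core dump."""
    segs = [(0x1000, b"A" * 0x100), (0x7FFF0000, b"B" * 0x80)]
    cmds, payload, base = b"", b"", HDR_LEN + len(segs) * SEG_LEN
    for vmaddr, blob in segs:
        cmds += struct.pack(SEG_FMT, LC_SEGMENT_64, SEG_LEN, b"__CORE", vmaddr,
                            len(blob), base + len(payload), len(blob), 7, 7, 0, 0)
        payload += blob
    hdr = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x01000007, 3, filetype,
                      len(segs), len(cmds), 0, 0)
    return hdr + cmds + payload
```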
Generated by Epydoc 3.0.1 on Mon Oct 9 03:29:40 2017 (http://epydoc.sourceforge.net)