Package rekall :: Package plugins :: Package common :: Module address_resolver :: Class AddressResolverMixin

Class AddressResolverMixin


The basic building block for constructing an address resolver plugin.

An address resolver maintains a collection of Modules and abstracts access
to specific symbol names within the modules.

Rekall uses a symbolic notation to refer to specific addresses within the
address space. The address resolver is responsible for parsing this notation
and resolving it to an actual address.

Rules of symbol syntax
======================

The address space is divided into "modules". A module has a name, a start
address and an end address. Modules can also contain a profile which knows
about symbols related to that module.

1. Module reference: The start address of a module can be referred to by its
   name, e.g. "nt", "ntdll", "tcpip".

2. If a module contains a valid profile, the profile may also know about
   symbols within the module. We can refer to these
   symbols. e.g. "nt!MmGetIoSessionState"

3. If an exact symbol is not found, it can be referred to with an offset
   from another symbol name. e.g. "nt!MmGetIoSessionState+5FE" (Note
   integers are given in hex).

4. If the symbol is preceded with a "*" it means that the symbol is a
   pointer. The address will be read as a pointer and the symbol name will
   resolve to the address of the pointer's target.

Instance Methods

__init__(self, **kwargs)
x.__init__(...) initializes x; see help(type(x)) for signature

reset(self)

NormalizeModuleName(self, module_name)

AddModule(self, module)

modules(self)

GetContainingModule(self, address)
Finds the module containing the specified address.

GetModuleByName(self, name)

GetAllModules(self)

get_constant_object(self, name, target=None, **kwargs)
Instantiate the named constant with these args.

get_address_by_name(self, name)
Convert the symbol annotated by name to an address.

format_address(self, address, max_distance=16777216)
Format the address as a symbol name.

get_nearest_constant_by_address(self, address, max_distance=16777216)
Searches for a known symbol at an address lower than this.

search_symbol(self, pattern)
Searches symbols for the pattern.

collect(self)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Variables
  table_header = [{'name': 'Symbol', 'width': 20}, {'name': 'Off...
  name = 'address_resolver'
  ADDRESS_NAME_REGEX = re.compile(r'(?P<deref>\*)?((?P<address>0...
Properties

Inherited from object: __class__

Method Details

__init__(self, **kwargs)
(Constructor)


x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__
(inherited documentation)

GetContainingModule(self, address)

Finds the module containing the specified address.

Returns:
  A Module() instance.

get_constant_object(self, name, target=None, **kwargs)


Instantiate the named constant with these args.

This method is the main entry point for instantiating constants. It is preferred to calling the profile's method of the same name directly, since it is responsible for loading the right profile.

format_address(self, address, max_distance=16777216)


Format the address as a symbol name.

This means to try and find the containing module, the symbol within the module, or possibly an offset from a known symbol, e.g.:

nt!PspCidTable
nt!PspCidTable + 0x10
nt + 0x234

Returns a list of symbol names for the address. The list is empty if the address is not in a containing module or if the nearest known symbol is farther than max_distance away.

get_nearest_constant_by_address(self, address, max_distance=16777216)


Searches for a known symbol at an address lower than this.

Returns a tuple (nearest_offset, list of symbol names).
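The symbol syntax rules given in the class description, together with get_address_by_name, get_nearest_constant_by_address and format_address, are easier to follow with a small simulation. The following Python is an added example and is not Rekall's own code: it reuses the ADDRESS_NAME_REGEX value documented on this page, but the Module class, the module table, the memory contents, the .sys/.dll/.exe normalisation and the helper names are constructed stand-ins, the (symbol_address, names) tuple shape and the fallback to a module-relative name when no symbol lies within max_distance are assumptions rather than Rekall's documented behaviour, and every address is made up.

```python
import re
from dataclasses import dataclass, field

# Copied from the ADDRESS_NAME_REGEX class variable documented on this page.
ADDRESS_NAME_REGEX = re.compile(
    r'(?P<deref>\*)?((?P<address>0x[0-9A-Fa-f]+)|(?P<module>[A-Za-z_0-9\.\\]+)'
    r'!?(?P<symbol>[^ \+-]+)?)(?P<op> *[\+-] *)?(?P<offset>[0-9a-fA-Fx]+)?')


@dataclass
class Module:
    """Hypothetical stand-in for a Rekall Module: a name, an address range and
    symbol offsets relative to the module start (not Rekall's class)."""
    name: str
    start: int
    end: int
    symbols: dict = field(default_factory=dict)


# Constructed module table and memory contents; every address here is made up.
MODULES = [
    Module("nt", 0xFFFFF80000000000, 0xFFFFF80000600000,
           {"MmGetIoSessionState": 0x1000, "PspCidTable": 0x5000}),
    Module("ntdll", 0x7FFE0000, 0x7FFE0000 + 0x1A0000),
]
MEMORY = {0xFFFFF80000005000: 0xFFFFF80000005020}  # pointer cell -> target


def normalize_module_name(name):
    """Lower-case the name and drop a .sys/.dll/.exe suffix (assumed convention)."""
    name = name.lower()
    for ext in (".sys", ".dll", ".exe"):
        if name.endswith(ext):
            return name[:-len(ext)]
    return name


def get_module_by_name(name):
    wanted = normalize_module_name(name)
    return next((mod for mod in MODULES if mod.name == wanted), None)


def get_containing_module(address):
    return next((mod for mod in MODULES if mod.start <= address < mod.end), None)


def get_address_by_name(name):
    """Resolve the symbolic notation (rules 1-4) to an integer address."""
    m = ADDRESS_NAME_REGEX.match(name)
    # Require the whole string to match: "nt!PspCidTable junk" must not
    # silently resolve to nt!PspCidTable.
    if m is None or m.end() != len(name):
        raise ValueError("unparseable symbol reference: %r" % name)
    if m.group("address"):
        address = int(m.group("address"), 16)
    else:
        module = get_module_by_name(m.group("module"))
        if module is None:
            raise KeyError("unknown module %r" % m.group("module"))
        address = module.start                      # rule 1: bare module name
        symbol = m.group("symbol")
        if symbol:                                  # rule 2: module!symbol
            if symbol not in module.symbols:
                raise KeyError("unknown symbol %s!%s" % (module.name, symbol))
            address += module.symbols[symbol]
    if m.group("offset"):                           # rule 3: offsets are hex
        offset = int(m.group("offset"), 16)
        address += -offset if "-" in (m.group("op") or "") else offset
    if m.group("deref"):                            # rule 4: follow the pointer
        if address not in MEMORY:
            raise ValueError("pointer cell 0x%x is not in the image" % address)
        address = MEMORY[address]
    return address


def get_nearest_constant_by_address(address, max_distance=16777216):
    """Return (symbol_address, [names]) for the highest known symbol at or
    below address and no more than max_distance below it, else (None, [])."""
    module = get_containing_module(address)
    if module is None:
        return None, []
    candidates = [(module.start + off, sym) for sym, off in module.symbols.items()
                  if module.start + off <= address <= module.start + off + max_distance]
    if not candidates:
        return None, []
    best = max(addr for addr, _ in candidates)
    names = sorted("%s!%s" % (module.name, sym) for addr, sym in candidates if addr == best)
    return best, names


def format_address(address, max_distance=16777216):
    """Name an address as module!symbol [+ 0x..]; with no symbol in range fall
    back (assumption) to module + 0x.., and to [] outside any module."""
    module = get_containing_module(address)
    if module is None:
        return []
    nearest, names = get_nearest_constant_by_address(address, max_distance)
    if names:
        suffix = " + 0x%x" % (address - nearest) if address != nearest else ""
        return [name + suffix for name in names]
    delta = address - module.start
    return ["%s + 0x%x" % (module.name, delta) if delta else module.name]
```

Two details matter in practice. The whole-string check in get_address_by_name is deliberate: the regex has no anchors, so without comparing m.end() against len(name) a trailing garbage token would be ignored and the reference would resolve to something plausible. The "*" form (rule 4) reads from the memory image, so a resolver that cannot read the pointer cell should fail loudly rather than return the cell's own address.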

search_symbol(self, pattern)


Searches symbols for the pattern.

pattern may contain wildcards (*). Note that currently a module name is required. Example pattern:

nt!Ps*


Class Variable Details

table_header

Value:
[{'name': 'Symbol', 'width': 20},
 {'name': 'Offset', 'style': 'address', 'width': 20}]

ADDRESS_NAME_REGEX

Value:
re.compile(r'(?P<deref>\*)?((?P<address>0x[0-9A-Fa-f]+)|(?P<module>[A-Za-z_0-9\.\\]+)!?(?P<symbol>[^ \+-]+)?)(?P<op> *[\+-] *)?(?P<offset>[0-9a-fA-Fx]+)?')