Package rekall :: Package plugins :: Package common :: Module profile_index :: Class LinuxSymbolOffsetIndex

Class LinuxSymbolOffsetIndex



Specialized symbol-offset index for Linux.

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.obj.Profile)
  top_level_class
A collection of types relating to a single compilation unit. (Inherited from rekall.obj.Profile)
Instance Methods
 
EnsureInitialized(self) (Inherited from rekall.obj.Profile)

GetPrototype(self, type_name)
Return a prototype of objects of type 'type_name'. (Inherited from rekall.obj.Profile)

IndexHits(self, image_base, address_space=None, minimal_match=1) (Inherited from rekall.plugins.common.profile_index.Index)

LoadIndex(self, index) (Inherited from rekall.plugins.common.profile_index.Index)

LookupHash(self, profile_hash)
Returns the profile with hash profile_hash. (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)

LookupIndex(self, image_base, address_space=None, minimal_match=1) (Inherited from rekall.plugins.common.profile_index.Index)

LookupProfile(self, symbols)
Returns which profiles in the index match a dict of symbols. (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)

Object(self, type_name=None, offset=None, vm=None, name=None, parent=None, context=None, **kwargs)
A function which instantiates the object named in type_name (as a string) from the type in profile passing optional args of kwargs. (Inherited from rekall.obj.Profile)

ProfileMetadata(self, profile_name) (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)

RelativizeSymbols(self, symbols, base_symbol=None)
Modifies a dict of symbols so its offsets are relative to base_symbol. (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)

__dir__(self)
Support tab completion. (Inherited from rekall.obj.Profile)

__getattr__(self, attr)
Make it easier to instantiate individual members. (Inherited from rekall.obj.Profile)

__init__(self, *args, **kwargs)
x.__init__(...) initializes x; see help(type(x)) for signature (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)

__iter__(self)
Yields tuples of profile_id, traits. (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)

__len__(self) (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)

__repr__(self)
repr(x) (Inherited from rekall.obj.Profile)

__unicode__(self) (Inherited from rekall.obj.Profile)
 
add_classes(self, classes_dict=None, **kwargs)
Add the classes in the dict to our object classes mapping. (Inherited from rekall.obj.Profile)

add_constant_type(self, constant, target, target_args) (Inherited from rekall.obj.Profile)

add_constants(self, constants=None, constants_are_addresses=False, **_)
Add the kwargs as constants for this profile. (Inherited from rekall.obj.Profile)

add_enums(self, **kwargs)
Add the kwargs as an enum for this profile. (Inherited from rekall.obj.Profile)

add_overlay(self, overlay)
Add an overlay to the current overlay stack. (Inherited from rekall.obj.Profile)

add_reverse_enums(self, **kwargs)
Add the kwargs as a reverse enum for this profile. (Inherited from rekall.obj.Profile)

add_types(self, abstract_types) (Inherited from rekall.obj.Profile)

compile_type(self, type_name)
Compile the specific type and ensure it exists in the type cache. (Inherited from rekall.obj.Profile)

copy(self)
Makes a copy of this profile. (Inherited from rekall.plugins.common.profile_index.Index)

flush_cache(self) (Inherited from rekall.obj.Profile)

get_constant(self, constant, is_address=False)
Retrieve a constant from the profile. (Inherited from rekall.obj.Profile)

get_constant_by_address(self, address) (Inherited from rekall.obj.Profile)

get_constant_object(self, constant, target=None, target_args=None, vm=None, **kwargs)
A helper function for retrieving pointers from the symbol table. (Inherited from rekall.obj.Profile)

get_enum(self, enum_name, field=None) (Inherited from rekall.obj.Profile)
 
get_nearest_constant_by_address(self, address, below=True)
Returns the closest constant below or equal to the address. (Inherited from rekall.obj.Profile)

get_obj_offset(self, name, member)
Returns a member's offset within the struct. (Inherited from rekall.obj.Profile)

get_obj_size(self, name)
Returns the size of a struct. (Inherited from rekall.obj.Profile)

get_reverse_enum(self, enum_name, field=None) (Inherited from rekall.obj.Profile)

has_class(self, class_name) (Inherited from rekall.obj.Profile)

has_type(self, type_name) (Inherited from rekall.obj.Profile)

integer_to_address(self, virtual_address) (Inherited from rekall.obj.Profile)

legacy_field_descriptor(self, typeList)
Converts the list expression into a target, target_args notation. (Inherited from rekall.obj.Profile)

list_to_type(self, name, typeList)
Parses a specification list and returns a VType object. (Inherited from rekall.obj.Profile)

merge(self, other)
Merges another profile into this one. (Inherited from rekall.obj.Profile)

merge_symbols(self, other, *args) (Inherited from rekall.obj.Profile)

metadata(self, name, default=None)
Obtain metadata about this profile. (Inherited from rekall.obj.Profile)

metadatas(self, *args)
Obtain metadata about this profile. (Inherited from rekall.obj.Profile)

obj_has_member(self, name, member)
Returns whether an object has a certain member. (Inherited from rekall.obj.Profile)

set_metadata(self, name, value) (Inherited from rekall.obj.Profile)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods
 
FilterSymbols(cls, symbols)
Filters a dict of symbols, discarding irrelevant ones.

BuildIndex(cls, hashes=None, traits=None, duplicates=None, spec=None, iomanager=None)
Builds a SymbolOffset index from traits, profiles, hashes and a spec.

CalculateRawProfileHash(cls, profile)
Calculates a hash of a list of symbols. (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)

CalculateRawSymbolsHash(cls, profile)
Calculates a hash of a list of symbols. (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)

GetProfileMetadata(cls, iomanager=None, profile_id=None) (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)

ImplementationByClass(self, name)

ImplementationByName(self, name)

Initialize(cls, profile)
Install required types, classes and constants. (Inherited from rekall.obj.Profile)

LoadProfileFromData(cls, data, session=None, name=None, profile=None)
Creates a profile directly from a JSON object. (Inherited from rekall.obj.Profile)

ProfileMatchesTrait(cls, profile, trait)
Whether a profile matches another profile's trait. (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)

RawProfileMatchesTrait(cls, profile, trait)
Whether a raw profile (JSON) matches another profile's trait. (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)

Class Variables
  COMMON_CLASSES = {'Array': <class 'rekall.obj.Array'>, 'BitFie... (Inherited from rekall.obj.Profile)
  EMPTY_DESCRIPTOR = [0, {}] (Inherited from rekall.obj.Profile)
  GOOD_MATCH = 0.75 (Inherited from rekall.plugins.common.profile_index.Index)
  METADATA = {} (Inherited from rekall.obj.Profile)
  PERFECT_MATCH = 1.0 (Inherited from rekall.plugins.common.profile_index.Index)
  applied_modifications = None (Inherited from rekall.obj.Profile)
  base_offset = 0 (Inherited from rekall.plugins.common.profile_index.Index)
  classes = {'APIBaseProfile': <class 'rekall.plugins.response.c... (Inherited from rekall.obj.Profile)
  classes_by_name = {None: [<class 'rekall.obj.Profile'>, <class... (Inherited from rekall.obj.Profile)
  constants = None (Inherited from rekall.obj.Profile)
  index = None (Inherited from rekall.plugins.common.profile_index.Index)
  overlays = None (Inherited from rekall.obj.Profile)
  plugin_feature = 'Profile' (Inherited from rekall.obj.Profile)
  types = None (Inherited from rekall.obj.Profile)
  vtypes = None (Inherited from rekall.obj.Profile)

Properties
  duplicates (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)
  hashes (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)
  profiles (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)
  traits (Inherited from rekall.plugins.common.profile_index.SymbolOffsetIndex)

Inherited from object: __class__

Method Details

FilterSymbols(cls, symbols)
Class Method


Filters a dict of symbols, discarding irrelevant ones.

Overrides: SymbolOffsetIndex.FilterSymbols

BuildIndex(cls, hashes=None, traits=None, duplicates=None, spec=None, iomanager=None)
Class Method

Builds a SymbolOffset index from traits, profiles, hashes and a spec.

Args:
    hashes: A dictionary of hash:profile_id. Hashes must be obtained via
    the SymbolOffsetIndex.CalculateRawProfileHash() method.

    traits: A dictionary of profile_id:traits. Traits are the result
    of calling the SymbolOffsetIndex.FindTraits() method.

    profiles: A dictionary of profile_id metadata. Profile metadata
    is obtained via SymbolOffsetIndex.GetProfileMetadata().

    duplicates: A list of newly found profile ids that are duplicates.

Overrides: SymbolOffsetIndex.BuildIndex
(inherited documentation)

ImplementationByClass(self, name)
Class Method

Overrides: obj.Profile.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: obj.Profile.ImplementationByName