Trees       Indices       Help   
Rekall Memory Forensics
Package rekall :: Package plugins :: Module core :: Class Dump
[frames] | no frames]

Class Dump

source code

Hexdump an object or memory location.

You can use this plugin repeateadely to keep dumping more data using the
 "p _" (print last result) operation:

In [2]: dump 0x814b13b0, address_space="K"
------> dump(0x814b13b0, address_space="K")
Offset                         Hex                              Data
---------- ------------------------------------------------ ----------------
0x814b13b0 03 00 1b 00 00 00 00 00 b8 13 4b 81 b8 13 4b 81  ..........K...K.

Out[3]: <rekall.plugins.core.Dump at 0x2967510>

In [4]: p _
------> p(_)
Offset                         Hex                              Data
---------- ------------------------------------------------ ----------------
0x814b1440 70 39 00 00 54 1b 01 00 18 0a 00 00 32 59 00 00  p9..T.......2Y..
0x814b1450 6c 3c 01 00 81 0a 00 00 18 0a 00 00 00 b0 0f 06  l<..............
0x814b1460 00 10 3f 05 64 77 ed 81 d4 80 21 82 00 00 00 00  ..?.dw....!.....
Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
  top_level_class
A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Instance Methods
 
column_types(self)
Returns instances for each column definition.		 source code
 
__init__(self, *args, **kwargs)
x.__init__(...) initializes x; see help(type(x)) for signature		 source code
 
collect(self)
Collect data that will be passed to renderer.table_row.		 source code
 
__iter__(self)
Make plugins that define collect iterable, as convenience. (Inherited from rekall.plugin.Command)		 source code
 
__repr__(self)
repr(x) (Inherited from rekall.plugin.Command)		 source code
 
__str__(self)
Render into a string using the text renderer. (Inherited from rekall.plugin.Command)		 source code
 
collect_as_dicts(self) (Inherited from rekall.plugin.TypedProfileCommand) source code
 
get_column(self, name) (Inherited from rekall.plugin.TypedProfileCommand) source code
 
get_column_type(self, name) (Inherited from rekall.plugin.TypedProfileCommand) source code
 
get_plugin(self, name, **kwargs)
Returns an instance of the named plugin. (Inherited from rekall.plugin.Command)		 source code
 
getkeys(self) (Inherited from rekall.plugin.TypedProfileCommand) source code
 
reflect(self, member) (Inherited from rekall.plugin.TypedProfileCommand) source code
 
render(self, renderer, **options) (Inherited from rekall.plugin.TypedProfileCommand) source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods
 
GetActiveClasses(cls, session)
Return only the active commands based on config. (Inherited from rekall.plugin.Command)		 source code
 
GetPrototype(cls, session)
Return an instance of this plugin with suitable default arguments. (Inherited from rekall.plugin.Command)		 source code
 
ImplementationByClass(self, name) source code
 
ImplementationByName(self, name) source code
 
args(cls, parser) (Inherited from rekall.plugin.TypedProfileCommand) source code
 
is_active(cls, session)
Checks we are active. (Inherited from rekall.plugin.ModeBasedActiveMixin)		 source code
Class Variables
  table_header = [{'name': 'offset', 'style': 'address'}, {'name...
hash(x)
  ROW_OPTIONS = set(['annotation', 'depth', 'hex_width', 'highli... (Inherited from rekall.plugin.TypedProfileCommand)
  classes = {'AFF4Acquire': <class 'rekall.plugins.tools.aff4acq... (Inherited from rekall.plugin.Command)
  classes_by_name = {None: [<class 'rekall.plugins.tools.ipython... (Inherited from rekall.plugin.Command)
  error_status = None
hash(x) (Inherited from rekall.plugin.Command)
  interactive = False (Inherited from rekall.plugin.Command)
  mode = None
hash(x) (Inherited from rekall.plugin.Command)
  plugin_args = None
hash(x) (Inherited from rekall.plugin.ArgsParserMixin)
  plugin_feature = 'Command' (Inherited from rekall.plugin.Command)
  producer = False (Inherited from rekall.plugin.Command)
  table_options = {} (Inherited from rekall.plugin.TypedProfileCommand)
Properties
  name (Inherited from rekall.plugin.Command)

Inherited from object: __class__

Method Details

column_types(self)

source code 

Returns instances for each column definition.

The actual objects that are returned when the plugin runs are often determined at run time because they depend on the profile loaded.

This method is used in order to introspect the types of each column without actually running the plugin. A plugin must provide an instance for each column without running any code. This allows interospectors to learn about the output format before running the actual plugin.

Note that this method should almost always be overloaded. We try to do our best here but it is not ideal. Ultimately all plugins will override this method and just declare a column_types() method.

Overrides: plugin.TypedProfileCommand.column_types
(inherited documentation)

__init__(self, *args, **kwargs)
(Constructor)

source code 

x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__
(inherited documentation)

collect(self)

source code 

Collect data that will be passed to renderer.table_row.

Overrides: plugin.TypedProfileCommand.collect
(inherited documentation)

ImplementationByClass(self, name)
Class Method

source code 
Overrides: plugin.Command.ImplementationByClass

ImplementationByName(self, name)
Class Method

source code 
Overrides: plugin.Command.ImplementationByName

Class Variable Details

table_header

hash(x)

Value:
[{'name': 'offset', 'style': 'address'},
 {'name': 'hexdump', 'width': 65},
 {'name': 'comment', 'width': 40}]

   Trees       Indices       Help   
Rekall Memory Forensics
Generated by Epydoc 3.0.1 on Mon Oct 9 03:28:05 2017 http://epydoc.sourceforge.net