Trees       Indices       Help   
Rekall Memory Forensics
Package rekall :: Package plugins :: Module core :: Class LoadAddressSpace
[frames] | no frames]

Class LoadAddressSpace

source code

Load address spaces into the session if its not already loaded.

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
  top_level_class
A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Instance Methods
 
__init__(self, pas_spec='auto', **kwargs)
Tries to create the address spaces and assigns them to the session.		 source code
 
ResolveAddressSpace(self, name=None)
Resolve the name into an address space.		 source code
 
GetPhysicalAddressSpace(self) source code
 
GetVirtualAddressSpace(self, dtb=None)
Load the Kernel Virtual Address Space.		 source code
 
GuessAddressSpace(self, base_as=None, **kwargs)
Loads an address space by stacking valid ASes on top of each other (priority order first).		 source code
 
AddressSpaceFactory(self, specification='', **kwargs)
Build the address space from the specification.		 source code
 
render(self, renderer)
Produce results on the renderer given.		 source code
 
__iter__(self)
Make plugins that define collect iterable, as convenience. (Inherited from rekall.plugin.Command)		 source code
 
__repr__(self)
repr(x) (Inherited from rekall.plugin.Command)		 source code
 
__str__(self)
Render into a string using the text renderer. (Inherited from rekall.plugin.Command)		 source code
 
get_plugin(self, name, **kwargs)
Returns an instance of the named plugin. (Inherited from rekall.plugin.Command)		 source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods
 
GetActiveClasses(cls, session)
Return only the active commands based on config. (Inherited from rekall.plugin.Command)		 source code
 
GetPrototype(cls, session)
Return an instance of this plugin with suitable default arguments. (Inherited from rekall.plugin.Command)		 source code
 
ImplementationByClass(self, name) source code
 
ImplementationByName(self, name) source code
 
args(cls, parser)
Declare the command line args this plugin needs. (Inherited from rekall.plugin.Command)		 source code
 
is_active(cls, session)
Checks we are active. (Inherited from rekall.plugin.ModeBasedActiveMixin)		 source code
Class Variables
  ADDRESS_SPACE_RE = re.compile(r'([a-zA-Z0-9]+)@((0x)?[0-9a-zA-...
  classes = {'AFF4Acquire': <class 'rekall.plugins.tools.aff4acq... (Inherited from rekall.plugin.Command)
  classes_by_name = {None: [<class 'rekall.plugins.tools.ipython... (Inherited from rekall.plugin.Command)
  error_status = None
hash(x) (Inherited from rekall.plugin.Command)
  interactive = False (Inherited from rekall.plugin.Command)
  mode = None
hash(x) (Inherited from rekall.plugin.Command)
  plugin_feature = 'Command' (Inherited from rekall.plugin.Command)
  producer = False (Inherited from rekall.plugin.Command)
Properties
  name (Inherited from rekall.plugin.Command)

Inherited from object: __class__

Method Details

__init__(self, pas_spec='auto', **kwargs)
(Constructor)

source code  
Tries to create the address spaces and assigns them to the session.

An address space specification is a column delimited list of AS
constructors which will be stacked. For example:

FileAddressSpace:EWF

if the specification is "auto" we guess by trying every combintion until
a virtual AS is obtained.

The virtual address space is chosen based on the profile.

Args:
  pas_spec: A Physical address space specification.
Overrides: object.__init__

ResolveAddressSpace(self, name=None)

source code  
Resolve the name into an address space.

This function is intended to be called from plugins which allow an
address space to be specified on the command line. We implement a simple
way for the user to specify the address space using a string. The
following formats are supported:

Kernel, K : Represents the kernel address space.
Physical, P: Represents the physical address space.

as_type@dtb_address: Instantiates the address space at the specified
    DTB. For example: amd64@0x18700

pid@pid_number: Use the process address space for the specified pid.

GetVirtualAddressSpace(self, dtb=None)

source code 

Load the Kernel Virtual Address Space.

Note that this function is usually not used since the Virtual AS is now loaded from guess_profile.ApplyFindDTB() when profiles are guessed. This function is only used when the profile is directly provided by the user.

AddressSpaceFactory(self, specification='', **kwargs)

source code  
Build the address space from the specification.

Args:
   specification: A column separated list of AS class names to be
   stacked.

render(self, renderer)

source code  
Produce results on the renderer given.

Each plugin should implement this method to produce output on the
renderer. The framework will initialize the plugin and provide it with
some kind of renderer to write output on. The plugin should not assume
that the renderer is actually TextRenderer, only that the methods
defined in the BaseRenderer exist.

Args:
  renderer: A renderer based at rekall.ui.renderer.BaseRenderer.
Overrides: plugin.Command.render
(inherited documentation)

ImplementationByClass(self, name)
Class Method

source code 
Overrides: plugin.Command.ImplementationByClass

ImplementationByName(self, name)
Class Method

source code 
Overrides: plugin.Command.ImplementationByName

Class Variable Details

ADDRESS_SPACE_RE

Value:
re.compile(r'([a-zA-Z0-9]+)@((0x)?[0-9a-zA-Z]+)')

   Trees       Indices       Help   
Rekall Memory Forensics
Generated by Epydoc 3.0.1 on Mon Oct 9 03:28:05 2017 http://epydoc.sourceforge.net