Package rekall :: Package plugins :: Package darwin :: Module checks :: Class DarwinFindSysent

Class DarwinFindSysent

Find sysent by scanning around nsysent.

The production kernel no longer ships with the 'sysent' symbol, which is the address of the syscall switch table. However, because sysent and nsysent are initialized around the same time it works out that they are always near each other.

This is an old technique, documented around the internet, for example here: https://reverse.put.as/2010/11/27/a-semi-automated-way-to-find-sysent/

Nested Classes
	__metaclass__ Automatic Plugin Registration through metaclasses. (Inherited from rekall.kb.ParameterHook)
	top_level_class A mechanism for automatically calculating a parameter. (Inherited from rekall.kb.ParameterHook)

Instance Methods

scan(self, start, limit)

source code

calculate(self)
Derive the value of the parameter.

source code

__init__(self, session)
x.__init__(...) initializes x; see help(type(x)) for signature (Inherited from rekall.kb.ParameterHook)

source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods

ImplementationByClass(self, name)

source code

ImplementationByName(self, name)

source code

is_active(cls, session)
Checks we are active. (Inherited from rekall.plugin.ModeBasedActiveMixin)

source code

Class Variables
	name = `'sysent_scan'` hash(x)
	SYSENT_REL_OFFSET = `-16777216`
	LIMIT = `33554432`
	classes = `{'AMD64Mode': <class 'rekall.plugins.modes.AMD64Mode...` (Inherited from rekall.kb.ParameterHook)
	classes_by_name = `{'ObjectTypeMap': [<class 'rekall.plugins.ov...` (Inherited from rekall.kb.ParameterHook)
	expiry = `None` hash(x) (Inherited from rekall.kb.ParameterHook)
	mode = `'mode_darwin_memory'` hash(x) (Inherited from rekall.plugins.darwin.common.DarwinOnlyMixin)
	plugin_feature = `'ParameterHook'` (Inherited from rekall.kb.ParameterHook)
	volatile = `True` (Inherited from rekall.kb.ParameterHook)

Properties
Inherited from `object`: `__class__`

Method Details

calculate(self)

source code

Derive the value of the parameter.

Overrides: kb.ParameterHook.calculate: (inherited documentation)

ImplementationByClass(self, name)
Class Method

source code

Overrides: kb.ParameterHook.ImplementationByClass

ImplementationByName(self, name)
Class Method

source code

Overrides: kb.ParameterHook.ImplementationByName

Class DarwinFindSysent

calculate(self)

ImplementationByClass(self, name) Class Method

ImplementationByName(self, name) Class Method

ImplementationByClass(self, name)
Class Method

ImplementationByName(self, name)
Class Method