Class DarwinFindDTB (module rekall.plugins.darwin.common)

Tries to find the DTB address for the Darwin/XNU kernel.

As the XNU kernel developed over the years, the best way of deriving this information changed. This class now offers multiple methods of finding the DTB. Calling find_dtb should automatically select the best method for the job, based on the profile. It will also attempt to fall back on less ideal ways of getting the DTB if the best way fails.

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
  top_level_class
A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Instance Methods

dtb_hits(self)
Yields hits for the DTB offset.

VerifyHit(self, hit)
Verify the hit for correctness, yielding an address space.

render(self, renderer)
Produce results on the renderer given.

CreateAS(self, dtb)
Creates an address space from this hit. (Inherited from rekall.plugins.core.FindDTB)

GetAddressSpaceImplementation(self, simple=False)
Returns the correct address space class for this profile. (Inherited from rekall.plugins.core.FindDTB)

__init__(self, vm_kernel_slide=None, **kwargs)
A mixin for Darwin plugins that require a valid KASLR slide. (Inherited from rekall.plugins.darwin.common.DarwinKASLRMixin)

__iter__(self)
Make plugins that define collect iterable, as a convenience. (Inherited from rekall.plugin.Command)

__repr__(self)
repr(x) (Inherited from rekall.plugin.Command)

__str__(self)
Render into a string using the text renderer. (Inherited from rekall.plugin.Command)

address_space_hits(self)
Finds DTBs and yields virtual address spaces that expose the kernel. (Inherited from rekall.plugins.core.FindDTB)

get_plugin(self, name, **kwargs)
Returns an instance of the named plugin. (Inherited from rekall.plugin.Command)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods

GetActiveClasses(cls, session)
Return only the active commands based on config. (Inherited from rekall.plugin.Command)

GetPrototype(cls, session)
Return an instance of this plugin with suitable default arguments. (Inherited from rekall.plugin.Command)

ImplementationByClass(self, name)

ImplementationByName(self, name)

args(cls, parser)
(Inherited from rekall.plugins.darwin.common.DarwinKASLRMixin)

is_active(cls, session)
Checks that we are active. (Inherited from rekall.plugin.ProfileCommand)

Class Variables
  PHYSICAL_AS_REQUIRED = True (Inherited from rekall.plugin.PhysicalASMixin)
  PROFILE_REQUIRED = True (Inherited from rekall.plugin.ProfileCommand)
  classes = {'AFF4Acquire': <class 'rekall.plugins.tools.aff4acq... (Inherited from rekall.plugin.Command)
  classes_by_name = {None: [<class 'rekall.plugins.tools.ipython... (Inherited from rekall.plugin.Command)
  error_status = None (Inherited from rekall.plugin.Command)
  interactive = False (Inherited from rekall.plugin.Command)
  mode = 'mode_darwin_memory' (Inherited from rekall.plugins.darwin.common.DarwinOnlyMixin)
  plugin_feature = 'Command' (Inherited from rekall.plugin.Command)
  producer = False (Inherited from rekall.plugin.Command)
Properties
  name (Inherited from rekall.plugin.Command)

Inherited from object: __class__

Method Details

dtb_hits(self)

Yields hits for the DTB offset.

Overrides: core.FindDTB.dtb_hits
(inherited documentation)

VerifyHit(self, hit)

Verify the hit for correctness, yielding an address space.

Overrides: core.FindDTB.VerifyHit
(inherited documentation)

render(self, renderer)

Produce results on the renderer given.

Each plugin should implement this method to produce output on the
renderer. The framework will initialize the plugin and provide it with
some kind of renderer to write output on. The plugin should not assume
that the renderer is actually TextRenderer, only that the methods
defined in the BaseRenderer exist.

Args:
  renderer: A renderer based on rekall.ui.renderer.BaseRenderer.

Overrides: plugin.Command.render
(inherited documentation)

ImplementationByClass(self, name)
Class Method

Overrides: plugin.Command.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: plugin.Command.ImplementationByName