Package rekall :: Package plugins :: Package darwin :: Module common :: Class DarwinFindKASLR

Class DarwinFindKASLR



A scanner for KASLR slide values in the Darwin kernel.

The scanner works by looking up a known data structure and comparing its actual location to its expected location. Verification is a similar process, using a second constant. This takes advantage of the fact that both data structures are in a region of kernel memory that maps to the physical memory in a predictable way (see ID_MAP_VTOP).

Human-readable output includes values of the kernel version string (which is used for validation) for manual review, in case there are false positives.

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
  top_level_class
A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Instance Methods

all_catfish_hits(self)
Yields possible lowGlo offsets, starting with the session-cached one.

vm_kernel_slide_hits(self)
Tries to compute the KASLR slide.

vm_kernel_slide(self)
Returns the first result of vm_kernel_slide_hits and stops the scan.

render(self, renderer)
Produce results on the given renderer.

__init__(self, *args, **kwargs)
A mixin for those plugins requiring a physical address space. (Inherited from rekall.plugin.PhysicalASMixin)

__iter__(self)
Make plugins that define collect iterable, as a convenience. (Inherited from rekall.plugin.Command)

__repr__(self)
repr(x) (Inherited from rekall.plugin.Command)

__str__(self)
Render into a string using the text renderer. (Inherited from rekall.plugin.Command)

get_plugin(self, name, **kwargs)
Returns an instance of the named plugin. (Inherited from rekall.plugin.Command)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods

GetActiveClasses(cls, session)
Return only the active commands based on config. (Inherited from rekall.plugin.Command)

GetPrototype(cls, session)
Return an instance of this plugin with suitable default arguments. (Inherited from rekall.plugin.Command)

ImplementationByClass(self, name)

ImplementationByName(self, name)

args(cls, metadata) (Inherited from rekall.plugin.PhysicalASMixin)

is_active(cls, session)
Checks we are active. (Inherited from rekall.plugin.ProfileCommand)
Class Variables
  name = 'find_kaslr'
  mode = 'mode_darwin_mountain_lion_plus'
  PHYSICAL_AS_REQUIRED = True (Inherited from rekall.plugin.PhysicalASMixin)
  PROFILE_REQUIRED = True (Inherited from rekall.plugin.ProfileCommand)
  classes = {'AFF4Acquire': <class 'rekall.plugins.tools.aff4acq... (Inherited from rekall.plugin.Command)
  classes_by_name = {None: [<class 'rekall.plugins.tools.ipython... (Inherited from rekall.plugin.Command)
  error_status = None (Inherited from rekall.plugin.Command)
  interactive = False (Inherited from rekall.plugin.Command)
  plugin_feature = 'Command' (Inherited from rekall.plugin.Command)
  producer = False (Inherited from rekall.plugin.Command)
Properties

Inherited from object: __class__

Method Details

all_catfish_hits(self)

Yields possible lowGlo offsets, starting with the session-cached one.

Because the first hit on the catfish string isn't necessarily the right one, this function will yield subsequent ones by scanning the physical address space, starting with the offset of the cached first hit.

The caller is responsible for updating the session cache with the correct offset.
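A miniature, self-contained version of the scan described in the class docstring and in all_catfish_hits above, added here as an illustration; it is not Rekall's code. The marker string, the unslid virtual addresses, the identity-map base and the page-granular slide check are constructed assumptions standing in for the real XNU constants.

```python
# Constructed assumptions, not real XNU values: a marker at the start of lowGlo,
# the unslid virtual addresses of lowGlo and the version string, and an identity
# map in which physical offset = vaddr - KERNEL_BASE (the role of ID_MAP_VTOP).
KERNEL_BASE = 0xffffff8000000000
CATFISH = b"Catfish "
EXPECTED_LOWGLO_VADDR = 0xffffff8000002000
EXPECTED_VERSION_VADDR = 0xffffff8000003000
VERSION_PREFIX = b"Darwin Kernel Version"


def id_map_vtop(vaddr):
    """Assumed identity map: virtual address to physical offset."""
    return vaddr - KERNEL_BASE


def all_catfish_hits(physical_as, first_hit=None):
    """Yield every offset of the marker, starting from the cached hit if given."""
    start = first_hit if first_hit is not None else 0
    offset = physical_as.find(CATFISH, start)
    while offset != -1:
        yield offset
        offset = physical_as.find(CATFISH, offset + 1)


def vm_kernel_slide_hits(physical_as, first_hit=None):
    """Yield slides for which the second constant (version string) also lines up."""
    for hit in all_catfish_hits(physical_as, first_hit):
        slide = hit - id_map_vtop(EXPECTED_LOWGLO_VADDR)
        if slide < 0 or slide % 0x1000:
            continue  # assumption: the slide is page-granular, so reject other hits
        phys_version = id_map_vtop(EXPECTED_VERSION_VADDR) + slide
        if physical_as[phys_version:phys_version + len(VERSION_PREFIX)] == VERSION_PREFIX:
            yield slide


def vm_kernel_slide(physical_as):
    """First validated slide, or None: the one-shot use the plugin recommends."""
    return next(vm_kernel_slide_hits(physical_as), None)


def build_sample_image(slide, decoy_at=0x500):
    """Constructed physical image: a decoy marker plus the real structures at the slid location."""
    image = bytearray(0x8000)
    image[decoy_at:decoy_at + len(CATFISH)] = CATFISH  # false positive the scan must skip
    real = id_map_vtop(EXPECTED_LOWGLO_VADDR) + slide
    image[real:real + len(CATFISH)] = CATFISH
    ver = id_map_vtop(EXPECTED_VERSION_VADDR) + slide
    image[ver:ver + len(VERSION_PREFIX)] = VERSION_PREFIX
    return bytes(image)
```

With a slide of 0x4000 the decoy yields a negative (rejected) slide and only the real hit survives the version-string check.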

vm_kernel_slide_hits(self)

Tries to compute the KASLR slide.

In an ideal scenario, this should return exactly one valid result.

Yields:
  (int) semi-validated KASLR value

vm_kernel_slide(self)

Returns the first result of vm_kernel_slide_hits and stops the scan.

This is the idiomatic way of using this plugin if all you need is the
likely KASLR slide value.

Returns:
  A value for the KASLR slide that appears sane.

render(self, renderer)

Produce results on the renderer given.

Each plugin should implement this method to produce output on the
renderer. The framework will initialize the plugin and provide it with
some kind of renderer to write output on. The plugin should not assume
that the renderer is actually TextRenderer, only that the methods
defined in the BaseRenderer exist.

Args:
  renderer: A renderer based at rekall.ui.renderer.BaseRenderer.

Overrides: plugin.Command.render
(inherited documentation)

ImplementationByClass(self, name)
Class Method

Overrides: plugin.Command.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: plugin.Command.ImplementationByName