One version of arp_init looks like this:
    void
    arp_init(void)
    {
        VERIFY(!arpinit_done);
        LIST_INIT(&llinfo_arp); // <-- This is the global we want.
        llinfo_arp_zone = zinit(sizeof (struct llinfo_arp),
            LLINFO_ARP_ZONE_MAX * sizeof (struct llinfo_arp), 0,
            LLINFO_ARP_ZONE_NAME);
        if (llinfo_arp_zone == NULL)
            panic("%s: failed allocating llinfo_arp_zone", __func__);
        zone_change(llinfo_arp_zone, Z_EXPAND, TRUE);
        zone_change(llinfo_arp_zone, Z_CALLERACCT, FALSE);
        arpinit_done = 1;
    }
Disassembled, the first few instructions look like this:
    0x0   55                      PUSH RBP
    0x1   4889e5                  MOV RBP, RSP
    0x4   803d65e9400001          CMP BYTE [RIP+0x40e965], 0x1
    0xb   7518                    JNZ 0xff80090a7f95
    0xd   488d3dee802900          LEA RDI, [RIP+0x2980ee]
    0x14  488d35f5802900          LEA RSI, [RIP+0x2980f5]
    0x1b  baf3000000              MOV EDX, 0xf3
    # This is a call to kernel!panic (later kernel!assfail):
    0x20  e80b6c1400              CALL 0xff80091eeba0
    # This is where it starts initializing the linked list:
    0x25  48c70548e9400000000000  MOV QWORD [RIP+0x40e948], 0x0
    0x30  488d0d0e812900          LEA RCX, [RIP+0x29810e]
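
The following added example (not Rekall's implementation) applies the pattern visible in the listing: locate the CALL to panic, then resolve the RIP-relative target of the MOV that zeroes the list head right after it. `find_list_head`, `FUNC_BASE` and `PANIC_ADDRS` are names introduced here, and the function base is an assumption derived from the JNZ target as the listing displays it.

```python
import struct

# Bytes of the first instructions of arp_init, copied from the listing above.
CODE = bytes.fromhex(
    "55" "4889e5" "803d65e9400001" "7518"
    "488d3dee802900" "488d35f5802900" "baf3000000"
    "e80b6c1400" "48c70548e9400000000000" "488d0d0e812900")

# Assumed function start, in the address form the listing displays: the JNZ
# at 0xb (2 bytes, rel8 0x18) targets 0xff80090a7f95, so the base is
# target - 0xd - 0x18.
FUNC_BASE = 0xff80090a7f95 - 0x0d - 0x18
PANIC_ADDRS = {0xff80091eeba0}  # the CALL target shown in the listing


def find_list_head(code, base, panic_addrs):
    """Return the address zeroed by a `MOV QWORD [RIP+disp32], 0` that
    directly follows a call to one of panic_addrs, or None if not found."""
    # A match needs 5 bytes of CALL plus 11 bytes of MOV.
    for off in range(len(code) - 15):
        if code[off] != 0xE8:              # CALL rel32 opcode
            continue
        (rel,) = struct.unpack_from("<i", code, off + 1)
        after_call = base + off + 5
        if after_call + rel not in panic_addrs:
            continue                       # stray 0xE8 byte or another callee
        mov = off + 5
        # REX.W C7 /0 with ModRM 0x05 encodes MOV QWORD [RIP+disp32], imm32.
        if code[mov:mov + 3] != b"\x48\xc7\x05":
            continue
        disp, imm = struct.unpack_from("<ii", code, mov + 3)
        if imm == 0:
            # RIP-relative operands are relative to the next instruction.
            return base + mov + 11 + disp
    return None


if __name__ == "__main__":
    print(hex(find_list_head(CODE, FUNC_BASE, PANIC_ADDRS)))
```

Checking the CALL target against known panic addresses is what keeps a stray 0xE8 byte inside another instruction from producing a false match.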
| Nested Classes | |
|---|---|
| __metaclass__ | Automatic Plugin Registration through metaclasses. (Inherited from rekall.kb.ParameterHook) |
| top_level_class | A mechanism for automatically calculating a parameter. (Inherited from rekall.kb.ParameterHook) |
| Class Variables | |
|---|---|
| name = | hash(x) |
| PANIC_FUNCTIONS = | |
| classes = | (Inherited from rekall.kb.ParameterHook) |
| classes_by_name = | (Inherited from rekall.kb.ParameterHook) |
| expiry = None | hash(x) (Inherited from rekall.kb.ParameterHook) |
| mode = | hash(x) (Inherited from rekall.plugins.darwin.common.DarwinOnlyMixin) |
| plugin_feature = | (Inherited from rekall.kb.ParameterHook) |
| volatile = True | (Inherited from rekall.kb.ParameterHook) |
| Method Details |
Derive the value of the parameter.
| Generated by Epydoc 3.0.1 on Mon Oct 9 03:28:09 2017 | http://epydoc.sourceforge.net |