Package rekall :: Package plugins :: Module guess_profile :: Class DarwinIndexDetector

Class DarwinIndexDetector



Detect the Darwin version using the index.

To work around KASLR, we have an index of known symbols' offsets relative to the Catfish string, along with the data we expect to find at those offsets. Profile similarity is the percentage of these symbols that match as expected.

Ideally, we'd like a 100% match, but in case we don't have the exact profile, we'll make do with anything higher than 0% that can resolve the DTB.
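As an added illustration of the index scoring described above (not Rekall's own code): the marker position absorbs the KASLR slide, each index entry is checked at its relative offset, and the best profile with a non-zero similarity wins. The marker string, the index entries and the memory image are all constructed here; DTB resolution is not modelled.

```python
# Added example (not Rekall's own code): scoring KASLR-independent profile
# matches against an index of offsets relative to the "Catfish" string.
from typing import Dict, List, Optional, Tuple

# Assumed marker; the page only says "the Catfish string".
CATFISH_MARKER = b"Catfish "

# Constructed index: profile name -> [(offset relative to marker, expected bytes)].
INDEX: Dict[str, List[Tuple[int, bytes]]] = {
    "10.9.5-amd64": [(0x10, b"\x55\x48\x89\xe5"), (0x20, b"\x48\x83\xec\x20"),
                     (0x30, b"\x0f\x1f\x44\x00")],
    "10.10.1-amd64": [(0x10, b"\x55\x48\x89\xe5"), (0x20, b"\x48\x83\xec\x30"),
                      (0x30, b"\x0f\x1f\x40\x00")],
}


def find_marker(image: bytes) -> Optional[int]:
    """Locate the marker; its absolute position absorbs the KASLR slide."""
    pos = image.find(CATFISH_MARKER)
    return None if pos < 0 else pos


def profile_similarity(image: bytes, base: int, entries) -> float:
    """Percentage of index entries whose expected bytes sit at base+offset.
    A read that runs past the end of the image simply counts as a mismatch."""
    hits = 0
    for offset, expected in entries:
        start = base + offset
        if image[start:start + len(expected)] == expected:
            hits += 1
    return 100.0 * hits / len(entries)


def detect_profile(image: bytes, index=INDEX) -> Optional[Tuple[str, float]]:
    """Return the best (profile, similarity) with similarity > 0, else None."""
    base = find_marker(image)
    if base is None:
        return None
    scored = [(name, profile_similarity(image, base, entries))
              for name, entries in index.items()]
    best = max(scored, key=lambda item: item[1])
    return best if best[1] > 0 else None


def build_image(slide: int, data) -> bytes:
    """Constructed image: `slide` bytes of padding, the marker, then data at offsets."""
    buf = bytearray(b"\x00" * slide + CATFISH_MARKER + b"\x00" * 0x40)
    for offset, chunk in data:
        buf[slide + offset:slide + offset + len(chunk)] = chunk
    return bytes(buf)
```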

Nested Classes
  find_dtb_impl
Tries to find the DTB address for the Darwin/XNU kernel.
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugins.guess_profile.DetectionMethod)
  top_level_class
A baseclass to implement autodetection methods. (Inherited from rekall.plugins.guess_profile.DetectionMethod)
Instance Methods
 
__init__(self, **kwargs)
x.__init__(...) initializes x; see help(type(x)) for signature
 
Keywords(self)
Returns a list of keywords which will be searched.
 
DetectFromHit(self, hit, offset, address_space)
Gets called for each hit.
 
Offsets(self)
Return a list of offsets we care about. (Inherited from rekall.plugins.guess_profile.DetectionMethod)
 
VerifyProfile(self, profile_name)
Check that the profile name is valid. (Inherited from rekall.plugins.guess_profile.DetectionMethod)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods
 
ImplementationByClass(self, name)
 
ImplementationByName(self, name)
Class Variables
  name = 'osx'
  classes = {'DarwinIndexDetector': <class 'rekall.plugins.guess... (Inherited from rekall.plugins.guess_profile.DetectionMethod)
  classes_by_name = {None: [<class 'rekall.plugins.guess_profile... (Inherited from rekall.plugins.guess_profile.DetectionMethod)
  order = 100 (Inherited from rekall.plugins.guess_profile.DetectionMethod)
  plugin_feature = 'DetectionMethod' (Inherited from rekall.plugins.guess_profile.DetectionMethod)
Properties

Inherited from object: __class__

Method Details

__init__(self, **kwargs)
(Constructor)


x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__
(inherited documentation)

Keywords(self)


Returns a list of keywords which will be searched.

Each time the keyword is matched, this instance will be called to attempt detection.

Overrides: DetectionMethod.Keywords
(inherited documentation)

DetectFromHit(self, hit, offset, address_space)


Gets called for each hit.

If a profile matches, return it, otherwise None.

Overrides: DetectionMethod.DetectFromHit
(inherited documentation)

ImplementationByClass(self, name)
Class Method

Overrides: DetectionMethod.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: DetectionMethod.ImplementationByName