Compares the module list to sysfs info, if available.
Sysfs contains kset objects for a number of kernel objects (kobjects). One of the ksets is the "module_kset", which holds references to all loaded kernel modules.
Each struct module object holds within it a kobj struct for reference counting. This object is referenced both from the struct module and from the sysfs kset.
This plugin traverses the kset and resolves each kobj back to its containing object (which is the struct module itself). It then compares the struct module with the list of known modules (which is obtained by traversing the module's list member). So if a module were to simply unlink itself from the list, it would still be found by its reference from sysfs.
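The cross-view comparison described above, as an added example that is not Rekall's own code: it walks two linked lists in a constructed byte buffer, resolves each kset entry back to its containing struct, and reports modules missing from the module list. The struct layout, offsets, helper names and module names are assumptions made for the illustration.

```python
import struct

# Toy layout constructed for this example (an assumption, not the real kernel ABI):
#   struct module { u64 list_next; char name[16]; u64 kobj_entry_next; }
LIST_OFF, NAME_OFF, KOBJ_OFF, MOD_SIZE = 0, 8, 24, 32
MODULES_HEAD, KSET_HEAD, FIRST_MOD = 0, 8, 16  # "addresses" are buffer offsets

def build_image(names, unlinked=()):
    """Constructed memory image; `unlinked` modules are dropped from the module list only."""
    mem = bytearray(FIRST_MOD + MOD_SIZE * len(names))
    addr = {n: FIRST_MOD + i * MOD_SIZE for i, n in enumerate(names)}

    def link(head, members, off):
        # Circular singly linked list: head -> member fields -> back to head.
        chain = [head] + [addr[n] + off for n in members] + [head]
        for cur, nxt in zip(chain, chain[1:]):
            struct.pack_into("<Q", mem, cur, nxt)

    for n in names:
        struct.pack_into("16s", mem, addr[n] + NAME_OFF, n.encode())
    link(MODULES_HEAD, [n for n in names if n not in unlinked], LIST_OFF)
    link(KSET_HEAD, names, KOBJ_OFF)
    return bytes(mem)

def walk(mem, head, member_off):
    """Follow next pointers from `head`; return containing-struct addresses."""
    found, seen = [], set()
    cur = struct.unpack_from("<Q", mem, head)[0]
    # Stop at the head, on a repeated pointer, or on a pointer outside the image.
    while cur != head and cur not in seen and cur + 8 <= len(mem):
        seen.add(cur)
        found.append(cur - member_off)  # container_of(): field address -> struct address
        cur = struct.unpack_from("<Q", mem, cur)[0]
    return found

def module_name(mem, mod):
    return mem[mod + NAME_OFF:mod + NAME_OFF + 16].split(b"\0")[0].decode()

def check_modules(mem):
    """Names of modules reachable from the kset but absent from the module list."""
    listed = set(walk(mem, MODULES_HEAD, LIST_OFF))
    return [module_name(mem, m) for m in walk(mem, KSET_HEAD, KOBJ_OFF) if m not in listed]

if __name__ == "__main__":
    image = build_image(["ext4", "e1000", "unlinked_lkm", "nf_tables"], unlinked={"unlinked_lkm"})
    print(check_modules(image))
```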
Nested Classes
__metaclass__: Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
top_level_class: A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Class Variables
table_header =
PHYSICAL_AS_REQUIRED = True (Inherited from rekall.plugin.PhysicalASMixin)
PROFILE_REQUIRED = True (Inherited from rekall.plugin.ProfileCommand)
ROW_OPTIONS = (Inherited from rekall.plugin.TypedProfileCommand)
classes = (Inherited from rekall.plugin.Command)
classes_by_name = (Inherited from rekall.plugin.Command)
error_status = None (Inherited from rekall.plugin.Command)
interactive = False (Inherited from rekall.plugin.Command)
mode = (Inherited from rekall.plugins.linux.common.AbstractLinuxCommandPlugin)
plugin_args = None (Inherited from rekall.plugin.ArgsParserMixin)
plugin_feature = (Inherited from rekall.plugin.Command)
producer = False (Inherited from rekall.plugin.Command)
table_options = (Inherited from rekall.plugin.TypedProfileCommand)
Properties
name (Inherited from rekall.plugin.Command)
Method Details
Checks we are active. This method will be called with the session to check if this specific class is active. This mechanism allows multiple implementations to all share the same name, as long as only one is actually active. For example, we can have a linux, windows and mac version of plugins with the "pslist" name.
This mixin provides the mixed class with a basic is_active() method which honors a mode member defined on the class and all its subclasses. The mode is additive (meaning each class and its subclasses are only active if the mode is active).

Collect data that will be passed to renderer.table_row.
Generated by Epydoc 3.0.1 on Mon Oct 9 03:28:19 2017 | http://epydoc.sourceforge.net |