Class CheckSyscall (module rekall.plugins.linux.check_syscall)

Checks if the system call table has been altered.

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
  top_level_class
A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Instance Methods

Find_sys_call_tables(self)
Calculates the size of the syscall table.

collect(self)
Walks the system call table and verifies that each entry is a symbol in the kernel.

__init__(self, *args, **kwargs)
A mixin for plugins which require a valid kernel address space. (Inherited from rekall.plugin.KernelASMixin)

__iter__(self)
Make plugins that define collect iterable, as convenience. (Inherited from rekall.plugin.Command)

__repr__(self)
repr(x) (Inherited from rekall.plugin.Command)

__str__(self)
Render into a string using the text renderer. (Inherited from rekall.plugin.Command)

collect_as_dicts(self) (Inherited from rekall.plugin.TypedProfileCommand)

column_types(self)
Returns instances for each column definition. (Inherited from rekall.plugin.TypedProfileCommand)

get_column(self, name) (Inherited from rekall.plugin.TypedProfileCommand)

get_column_type(self, name) (Inherited from rekall.plugin.TypedProfileCommand)

get_plugin(self, name, **kwargs)
Returns an instance of the named plugin. (Inherited from rekall.plugin.Command)

getkeys(self) (Inherited from rekall.plugin.TypedProfileCommand)

reflect(self, member) (Inherited from rekall.plugin.TypedProfileCommand)

render(self, renderer, **options) (Inherited from rekall.plugin.TypedProfileCommand)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods

GetActiveClasses(cls, session)
Return only the active commands based on config. (Inherited from rekall.plugin.Command)

GetPrototype(cls, session)
Return an instance of this plugin with suitable default arguments. (Inherited from rekall.plugin.Command)

ImplementationByClass(self, name)

ImplementationByName(self, name)

args(cls, metadata) (Inherited from rekall.plugin.PhysicalASMixin)

is_active(cls, session)
Checks we are active. (Inherited from rekall.plugin.ProfileCommand)

Class Variables
  table_header = [{'name': 'divider', 'type': 'Divider'}, {'hidd...
  PHYSICAL_AS_REQUIRED = True (Inherited from rekall.plugin.PhysicalASMixin)
  PROFILE_REQUIRED = True (Inherited from rekall.plugin.ProfileCommand)
  ROW_OPTIONS = set(['annotation', 'depth', 'hex_width', 'highli... (Inherited from rekall.plugin.TypedProfileCommand)
  classes = {'AFF4Acquire': <class 'rekall.plugins.tools.aff4acq... (Inherited from rekall.plugin.Command)
  classes_by_name = {None: [<class 'rekall.plugins.tools.ipython... (Inherited from rekall.plugin.Command)
  error_status = None (Inherited from rekall.plugin.Command)
  interactive = False (Inherited from rekall.plugin.Command)
  mode = 'mode_linux_memory' (Inherited from rekall.plugins.linux.common.AbstractLinuxCommandPlugin)
  plugin_args = None (Inherited from rekall.plugin.ArgsParserMixin)
  plugin_feature = 'Command' (Inherited from rekall.plugin.Command)
  producer = False (Inherited from rekall.plugin.Command)
  table_options = {} (Inherited from rekall.plugin.TypedProfileCommand)
Properties
  name (Inherited from rekall.plugin.Command)

Inherited from object: __class__

Method Details

Find_sys_call_tables(self)

Calculates the size of the syscall table.

Here we need the symbol __NR_syscall_max. We derive it from
disassembling the following system calls:

- system_call_fastpath function:

http://lxr.linux.no/linux+v3.12/arch/x86/kernel/entry_64.S#L620
system_call_fastpath:
#if __SYSCALL_MASK == ~0
        cmpq $__NR_syscall_max,%rax
#else
        andl $__SYSCALL_MASK,%eax
        cmpl $__NR_syscall_max,%eax
#endif

- ret_from_sys_call function (with a small rewind):
http://lxr.linux.no/linux+v2.6.26/arch/x86/kernel/entry_64.S#L249

249        cmpq $__NR_syscall_max,%rax
250        ja badsys
251        movq %r10,%rcx
252        call *sys_call_table(,%rax,8)  # XXX:    rip relative
253        movq %rax,RAX-ARGOFFSET(%rsp)
254 /*
255  * Syscall return path ending with SYSRET (fast path)
256  * Has incomplete stack frame and undefined top of stack.
257  */
258 ret_from_sys_call:
259        movl $_TIF_ALLWORK_MASK,%edi
260        /* edi: flagmask */
- sysenter_do_call
   Linux> dis "linux!sysenter_do_call"
   Address    Rel           Op Codes           Instruction    Comment
   ------- ---------- -------------------- ------------------ -------
   ------ linux!sysenter_do_call ------: 0xc12c834d
   0xc12c834d        0x0 3d5d010000           CMP EAX, 0x15d
   0xc12c8352        0x5 0f8397baffff         JAE 0xc12c3def  linux!syscall_badsys

collect(self)

Walks the system call table and verifies that each entry is a symbol in the kernel.

Overrides: plugin.TypedProfileCommand.collect
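The two docstrings above describe one detection technique in two steps: recover the table size from the kernel's own bounds check (the CMP immediate before the JA/JAE to badsys), then walk that many sys_call_table entries and resolve each pointer against the kernel's symbols, so that an entry pointing somewhere unknown stands out. The following is an added illustration of that logic and is not the plugin's code. The disassembly text is constructed to mirror the Rekall "dis" layout quoted above; the 64-bit sample, its addresses and opcode bytes, the symbol map and the table contents are all hypothetical. One nuance the example encodes as an assumption: with JAE the immediate is the entry count, with JA it is the highest valid index, so JA needs +1.

```python
import re

# Constructed sample modelled on the Rekall "dis linux!sysenter_do_call" output
# quoted on the page (32-bit path: CMP EAX, 0x15d followed by JAE syscall_badsys).
SAMPLE_DIS_32 = """\
Address    Rel           Op Codes           Instruction    Comment
------- ---------- -------------------- ------------------ -------
------ linux!sysenter_do_call ------: 0xc12c834d
0xc12c834d        0x0 3d5d010000           CMP EAX, 0x15d
0xc12c8352        0x5 0f8397baffff         JAE 0xc12c3def  linux!syscall_badsys
"""

# Hypothetical 64-bit counterpart in the same layout, mirroring entry_64.S's
# "cmpq $__NR_syscall_max,%rax / ja badsys" (addresses and bytes are made up).
SAMPLE_DIS_64 = """\
------ linux!system_call_fastpath ------: 0xffffffff81600000
0xffffffff81600000        0x0 483d39010000         CMP RAX, 0x139
0xffffffff81600006        0x6 0f8728120000         JA 0xffffffff81601234  linux!badsys
"""

CMP_RE = re.compile(r"\bCMP\s+(?:EAX|RAX),\s*(0x[0-9a-fA-F]+|\d+)")
JUMP_RE = re.compile(r"\b(JA|JAE)\b")


def syscall_table_size(disassembly):
    """Derive the number of sys_call_table entries from the bounds check.

    Assumption: the immediate is the entry count when the branch is JAE
    (number >= count is rejected) and the highest valid index when the
    branch is JA (number > max is rejected), so JA needs +1.
    """
    lines = disassembly.splitlines()
    for i, line in enumerate(lines):
        m = CMP_RE.search(line)
        if not m:
            continue
        imm = int(m.group(1), 0)
        # The conditional jump normally sits on the line right after the compare.
        for nxt in lines[i + 1:i + 3]:
            j = JUMP_RE.search(nxt)
            if j:
                return imm + 1 if j.group(1) == "JA" else imm
    raise ValueError("no CMP/JA(E) bounds check found in disassembly")


# Constructed symbol map (address -> name) standing in for what a profile knows.
KERNEL_SYMBOLS = {
    0xFFFFFFFF81200000: "linux!sys_read",
    0xFFFFFFFF81200100: "linux!sys_write",
    0xFFFFFFFF81200200: "linux!sys_open",
    0xFFFFFFFF81200300: "linux!sys_close",
}

# Constructed table contents: entry 2 points outside the known kernel symbols.
SAMPLE_TABLE = [
    0xFFFFFFFF81200000,  # 0: sys_read
    0xFFFFFFFF81200100,  # 1: sys_write
    0xFFFFFFFFA0001000,  # 2: resolves to no kernel symbol
    0xFFFFFFFF81200300,  # 3: sys_close
]


def check_syscall_table(table, kernel_symbols, expected_size):
    """Walk the first expected_size entries and resolve each to a symbol.

    Rows carry the index/address/symbol columns the plugin's table_header
    declares; an entry with no symbol is reported as 'Unknown'.
    """
    rows = []
    for index, address in enumerate(table[:expected_size]):
        symbol = kernel_symbols.get(address, "Unknown")
        rows.append({"index": index, "address": address, "symbol": symbol})
    return rows


def suspicious_entries(rows):
    """Entries that did not resolve to a kernel symbol."""
    return [r for r in rows if r["symbol"] == "Unknown"]


if __name__ == "__main__":
    print("32-bit table size:", hex(syscall_table_size(SAMPLE_DIS_32)))
    print("64-bit table size:", hex(syscall_table_size(SAMPLE_DIS_64)))
    for row in check_syscall_table(SAMPLE_TABLE, KERNEL_SYMBOLS, len(SAMPLE_TABLE)):
        print("%4d 0x%016x %s" % (row["index"], row["address"], row["symbol"]))
```

On the constructed input the 32-bit sample yields 0x15d entries (JAE, count as-is) and the 64-bit sample 0x13a (JA, max index plus one), and the walk flags only index 2. On a real image the address-to-symbol step is what a profile provides; the size step matters because reading fewer entries than the kernel indexes would leave the tail of the table unchecked.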

ImplementationByClass(self, name)
Class Method

Overrides: plugin.Command.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: plugin.Command.ImplementationByName

Class Variable Details

table_header

Value:
[{'name': 'divider', 'type': 'Divider'},
 {'hidden': True, 'name': 'table'},
 {'name': 'index', 'style': 'address'},
 {'name': 'address', 'style': 'address'},
 {'name': 'symbol', 'width': 80}]