Package rekall :: Package plugins :: Package linux :: Module heap_analysis :: Class HeapChunkDumper
Class HeapChunkDumper

Dumps allocated/freed chunks from selected processes

Nested Classes
Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Instance Methods
Collect data that will be passed to renderer.table_row.
dump_chunk_to_file(self, chunk, chunksize, identifier)
Used as the wrapper to dump a given chunk to file.
CopyToFile(self, address_space, start, end, outfd)
Copy a part of the address space to the output file. (Inherited from rekall.plugins.core.DirectoryDumperMixin)
__init__(self, *args_, **kwargs)
Dump to a directory. (Inherited from rekall.plugins.core.DirectoryDumperMixin)
Make plugins that define collect iterable, as convenience. (Inherited from rekall.plugin.Command)
repr(x) (Inherited from rekall.plugin.Command)
Render into a string using the text renderer. (Inherited from rekall.plugin.Command)
Sets _preserve_chunks to True. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
Sets the class attribute self.statistics with a dict containing e.g. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
Calls size comparison methods to verify the gathered chunks and prints warnings on any discrepancies. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
check_dump_dir(self, dump_dir=None) (Inherited from rekall.plugins.core.DirectoryDumperMixin)
collect_as_dicts(self) (Inherited from rekall.plugin.TypedProfileCommand)
Returns instances for each column definition. (Inherited from rekall.plugin.TypedProfileCommand)
Compares the calculated count and size of all MMAPPED chunks with the data from the malloc_par struct. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
Filters eprocess list using pids lists. (Inherited from rekall.plugins.linux.common.LinProcessFilter)
get_aligned_address(self, address, different_align_mask=None)
Returns an aligned address or MINSIZE, if given MIN_CHUNK_SIZE as argument. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
get_aligned_size(self, size)
Returns an aligned size. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
Returns all allocated chunks, no matter to what arena they belong or if they are MMAPPED or not. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
get_all_allocated_chunks_for_arena(self, arena)
Returns all allocated chunks for a given arena. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
Returns all allocated chunks belonging to the main arena (excludes thread and MMAPPED chunks). (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
Returns all allocated chunks which belong to a thread arena. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
Returns all chunks (allocated, freed and MMAPPED chunks). (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
Returns all freed chunks, no matter to what arena they belong. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
Returns all top chunks, freed chunks and freed fastbin chunks, no matter to what arena they belong. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
Returns all freed fastbin chunks, no matter to what arena they belong. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
Returns all allocated MMAPPED chunks. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
get_chunks_for_addresses(self, addresses, ignore_prevsize=False)
Returns the chunks located at the given addresses. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
get_column(self, name) (Inherited from rekall.plugin.TypedProfileCommand)
get_column_type(self, name) (Inherited from rekall.plugin.TypedProfileCommand)
Returns the main_arena for the current task, which is the first arena in the arenas list. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
Returns statistics according to the mallinfo struct except for keepcost and usmblks. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
get_plugin(self, name, **kwargs)
Returns an instance of the named plugin. (Inherited from rekall.plugin.Command)
getkeys(self) (Inherited from rekall.plugin.TypedProfileCommand)
heap_for_ptr(self, ptr)
Returns the heap, from the internal heap lists, that the given pointer belongs to. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
init_for_task(self, task)
Initializes the process address space and malloc_par struct and calls initialize_*. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
iterate_through_chunks(self, first_chunk, mem_end, only_free=False, only_alloc=False)
This function iterates chunk after chunk until hitting mem_end. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
list_from_task_head(self) (Inherited from rekall.plugins.linux.common.LinProcessFilter)
list_tasks(self) (Inherited from rekall.plugins.linux.common.LinProcessFilter)
reflect(self, member) (Inherited from rekall.plugin.TypedProfileCommand)
render(self, renderer, **options) (Inherited from rekall.plugin.TypedProfileCommand)
search_chunks_for_needle(self, search_string=None, search_regex=None, pointers=None, search_struct=False)
Searches all chunks for the given pointer(s) and returns the ones containing them. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
search_vmas_for_needle(self, search_string=None, search_regex=None, pointers=None, vmas=None, hidden_mmap_vmas=None, vma_regex=None)
Searches all vmas or only the given ones for the given pointer(s). (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
virtual_process_from_physical_offset(self, physical_offset)
Tries to return a task in virtual space from a physical offset. (Inherited from rekall.plugins.linux.common.LinProcessFilter)
Class Methods
GetActiveClasses(cls, session)
Return only the active commands based on config. (Inherited from rekall.plugin.Command)
GetPrototype(cls, session)
Return an instance of this plugin with suitable default arguments. (Inherited from rekall.plugin.Command)
ImplementationByClass(self, name)
ImplementationByName(self, name)
args(cls, metadata) (Inherited from rekall.plugin.PhysicalASMixin)
is_active(cls, session)
Checks we are active. (Inherited from rekall.plugins.linux.heap_analysis.HeapAnalysis)
Class Variables
  table_header = [{'name': 'pid', 'width': 6}, {'name': 'allocat...
  METHODS = ['InitTask'] (Inherited from rekall.plugins.linux.common.LinProcessFilter)
  PHYSICAL_AS_REQUIRED = True (Inherited from rekall.plugin.PhysicalASMixin)
  PROFILE_REQUIRED = True (Inherited from rekall.plugin.ProfileCommand)
  ROW_OPTIONS = set(['annotation', 'depth', 'hex_width', 'highli... (Inherited from rekall.plugin.TypedProfileCommand)
  classes = {'AFF4Acquire': <class ' (Inherited from rekall.plugin.Command)
  classes_by_name = {None: [<class ' (Inherited from rekall.plugin.Command)
  default_dump_dir = '.' (Inherited from rekall.plugins.core.DirectoryDumperMixin)
  dump_dir_optional = True (Inherited from rekall.plugins.core.DirectoryDumperMixin)
  error_status = None
  interactive = False (Inherited from rekall.plugin.Command)
  mode = 'mode_linux_memory'
  plugin_args = None
  plugin_feature = 'Command' (Inherited from rekall.plugin.Command)
  producer = False (Inherited from rekall.plugin.Command)
  table_options = {} (Inherited from rekall.plugin.TypedProfileCommand)
  filtering_requested (Inherited from rekall.plugins.linux.common.LinProcessFilter)
  name (Inherited from rekall.plugin.Command)

Method Details


Collect data that will be passed to renderer.table_row.

Overrides: plugin.TypedProfileCommand.collect
ImplementationByClass(self, name)
Class Method

Overrides: plugin.Command.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: plugin.Command.ImplementationByName

Class Variable Details

table_header

[{'name': 'pid', 'width': 6},
 {'name': 'allocated', 'width': 12},
 {'name': 'freed_bin', 'width': 12},
 {'name': 'freed_fastbin', 'width': 14},
 {'name': 'top_chunks', 'width': 12}]