Trees       Indices       Help   
Rekall Memory Forensics
Package rekall :: Package plugins :: Package linux :: Module heap_analysis :: Class malloc_chunk
[frames] | no frames]

Class malloc_chunk

source code

Extends the malloc_chunk class

Nested Classes
  __metaclass__
Give each object a unique ID. (Inherited from rekall.obj.BaseObject)
Instance Methods
 
__init__(self, **kwargs)
This must be instantiated with a dict of members.		 source code
 
get_size(self)
Returns the value of the size field, including potential bit flags.		 source code
 
get_prev_size(self)
Returns the value of the prev_size field.		 source code
 
prev_inuse(self)
Returns True if this chunk has its PREV_INUSE bit set.		 source code
 
is_mmapped(self)
Returns True if the chunk has been obtained with mmap().		 source code
 
non_main_arena(self)
Returns True if current chunk does NOT belong to main_arena.		 source code
 
chunksize(self)
Returns the real size of a chunk, excluding bit flags.		 source code
 
is_allocated_chunk(self)
Returns True if this chunk is not a bottom, small/large bin, fastbin or top chunk.		 source code
 
is_freed_chunk(self)
Returns True if this chunk is a small/large bin, fastbin or top chunk.		 source code
 
start_and_length(self)
Returns the relevant start offset and length for dumping.		 source code
 
to_string(self, length=None, offset=None)
Returns a string containing the data part of the given allocated chunk.		 source code
 
next_chunk(self)
Returns the following chunk.		 source code
 
is_in_use(self)
Returns true, if this chunk is in use: the next chunk's PREV_INUSE flag is set.		 source code
 
next_chunk_generator(self)
Returns all following chunks, beginning with the current.		 source code
 
GetData(self)
Returns the raw data of this object. (Inherited from rekall.obj.BaseObject)		 source code
 
SetMember(self, attr, value)
Write a value to a member. (Inherited from rekall.obj.Struct)		 source code
 
__comparator__(self, other, method) (Inherited from rekall.obj.BaseAddressComparisonMixIn) source code
 
__dir__(self)
Hide any members with _. (Inherited from rekall.obj.BaseObject)		 source code
 
__eq__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn) source code
 
__format__(self, formatspec)
default object formatter (Inherited from rekall.obj.BaseObject)		 source code
 
__ge__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn) source code
 
__getattr__(self, attr) (Inherited from rekall.obj.Struct) source code
 
__gt__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn) source code
 
__hash__(self)
hash(x) (Inherited from rekall.obj.Struct)		 source code
 
__int__(self)
Return our offset as an integer. (Inherited from rekall.obj.Struct)		 source code
 
__le__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn) source code
 
__long__(self) (Inherited from rekall.obj.Struct) source code
 
__lt__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn) source code
 
__ne__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn) source code
 
__nonzero__(self)
This method is called when we test the truth value of an Object. (Inherited from rekall.obj.BaseObject)		 source code
 
__repr__(self)
repr(x) (Inherited from rekall.obj.Struct)		 source code
 
__str__(self)
str(x) (Inherited from rekall.obj.BaseObject)		 source code
 
__unicode__(self) (Inherited from rekall.obj.Struct) source code
 
cast(self, type_name=None, vm=None, **kwargs) (Inherited from rekall.obj.BaseObject) source code
 
deref(self, vm=None)
An alias for dereference - less to type. (Inherited from rekall.obj.BaseObject)		 source code
 
dereference(self, vm=None) (Inherited from rekall.obj.BaseObject) source code
 
is_valid(self) (Inherited from rekall.obj.BaseObject) source code
 
m(self, attr, allow_callable_attributes=False)
Fetch the member named by attr. (Inherited from rekall.obj.Struct)		 source code
 
multi_m(self, *args, **opts)
Retrieve a set of fields in order. (Inherited from rekall.obj.Struct)		 source code
 
preamble_size(self)
The number of bytes before the object which are part of the object. (Inherited from rekall.obj.Struct)		 source code
 
proxied(self) (Inherited from rekall.obj.BaseObject) source code
 
reference(self)
Produces a pointer to this object. (Inherited from rekall.obj.BaseObject)		 source code
 
v(self, vm=None)
When a struct is evaluated we just return our offset. (Inherited from rekall.obj.Struct)		 source code
 
walk_list(self, list_member, include_current=True, deref_as=None)
Walk a single linked list in this struct. (Inherited from rekall.obj.Struct)		 source code
 
write(self, value)
Function for writing the object back to disk (Inherited from rekall.obj.BaseObject)		 source code

Inherited from object: __delattr__, __getattribute__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods
 
getproperties(cls)
Return all members that are intended to represent some data. (Inherited from rekall.obj.BaseObject)		 source code
Class Variables
  obj_name = <No name> (Inherited from rekall.obj.BaseObject)
  obj_parent = <No parent> (Inherited from rekall.obj.BaseObject)
  obj_producers = None
hash(x) (Inherited from rekall.obj.BaseObject)
Properties
  indices
Returns (usually 1) representation(s) of self usable as dict keys. (Inherited from rekall.obj.Struct)
  obj_end (Inherited from rekall.obj.BaseObject)
  obj_size (Inherited from rekall.obj.Struct)
  parents
Returns all the parents of this object. (Inherited from rekall.obj.BaseObject)

Inherited from object: __class__

Method Details

__init__(self, **kwargs)
(Constructor)

source code  
This must be instantiated with a dict of members. The keys
are the offsets, the values are Curried Object classes that
will be instantiated when accessed.

Args:
   members: A dict of callables to use for retrieving each member. (Key
     is member name, value is a callable). Normally these are populated
     by the profile system

   struct_size: The size of this struct if known (Can be None).
Overrides: object.__init__
(inherited documentation)

to_string(self, length=None, offset=None)

source code 

Returns a string containing the data part of the given allocated chunk. The length parameter is intended only for printing shorter parts of the current chunk. The offset makes only sense in combination with the length parameter and starts from the beginning of the chunk, so an offset of 4 on a 32 bit architecture starts on the size member.


   Trees       Indices       Help   
Rekall Memory Forensics
Generated by Epydoc 3.0.1 on Mon Oct 9 03:28:24 2017 http://epydoc.sourceforge.net