rekall.plugins.overlays.darwin.darwin.LIST_ENTRY

Class LIST_ENTRY

XNU defines lists inline using an anonymous struct. This makes it hard
for us to automatically support lists, because the debugging symbols don't
indicate that this inner struct is of any particular type (since it is anonymous).

We therefore depend on the overlays to redefine each list member as a
LIST_ENTRY member. For example we see code like:

struct proc {
   LIST_ENTRY(proc) p_list;
   ...

Where:

#define LIST_ENTRY(type)                                              \
struct {                                                              \
    struct type *le_next;  /* next element */                         \
    struct type **le_prev; /* address of previous next element */     \
}

Nested Classes
  __metaclass__
Give each object a unique ID. (Inherited from rekall.obj.BaseObject)
Instance Methods

is_valid(self)
Must have both valid next and prev pointers.

dereference_as(self, type, member, vm=None)
Recasts the list entry as a member in a type, and returns the type.

find_all_lists(self, type, member, seen=None)
Follows all the list entries starting from lst.

list_of_type(self, type, member=None, include_current=True)

reflect(self, vm=None)
Reflect this list element by following its Flink and Blink.

__nonzero__(self)
This method is called when we test the truth value of an Object.

__iter__(self)

GetData(self)
Returns the raw data of this object. (Inherited from rekall.obj.BaseObject)

SetMember(self, attr, value)
Write a value to a member. (Inherited from rekall.obj.Struct)

__comparator__(self, other, method) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__dir__(self)
Hide any members with _. (Inherited from rekall.obj.BaseObject)

__eq__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__format__(self, formatspec)
default object formatter (Inherited from rekall.obj.BaseObject)

__ge__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__getattr__(self, attr) (Inherited from rekall.obj.Struct)

__gt__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__hash__(self)
hash(x) (Inherited from rekall.obj.Struct)

__init__(self, members=None, struct_size=0, callable_members=None, **kwargs)
This must be instantiated with a dict of members. (Inherited from rekall.obj.Struct)

__int__(self)
Return our offset as an integer. (Inherited from rekall.obj.Struct)

__le__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__long__(self) (Inherited from rekall.obj.Struct)

__lt__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__ne__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__repr__(self)
repr(x) (Inherited from rekall.obj.Struct)

__str__(self)
str(x) (Inherited from rekall.obj.BaseObject)

__unicode__(self) (Inherited from rekall.obj.Struct)

cast(self, type_name=None, vm=None, **kwargs) (Inherited from rekall.obj.BaseObject)

deref(self, vm=None)
An alias for dereference - less to type. (Inherited from rekall.obj.BaseObject)

dereference(self, vm=None) (Inherited from rekall.obj.BaseObject)

m(self, attr, allow_callable_attributes=False)
Fetch the member named by attr. (Inherited from rekall.obj.Struct)

multi_m(self, *args, **opts)
Retrieve a set of fields in order. (Inherited from rekall.obj.Struct)

preamble_size(self)
The number of bytes before the object which are part of the object. (Inherited from rekall.obj.Struct)

proxied(self) (Inherited from rekall.obj.BaseObject)

reference(self)
Produces a pointer to this object. (Inherited from rekall.obj.BaseObject)

v(self, vm=None)
When a struct is evaluated we just return our offset. (Inherited from rekall.obj.Struct)

walk_list(self, list_member, include_current=True, deref_as=None)
Walk a single linked list in this struct. (Inherited from rekall.obj.Struct)

write(self, value)
Function for writing the object back to disk. (Inherited from rekall.obj.BaseObject)

Inherited from object: __delattr__, __getattribute__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods

getproperties(cls)
Return all members that are intended to represent some data. (Inherited from rekall.obj.BaseObject)

Class Variables

obj_name = <No name> (Inherited from rekall.obj.BaseObject)
obj_parent = <No parent> (Inherited from rekall.obj.BaseObject)
obj_producers = None

Properties

indices
Returns (usually 1) representation(s) of self usable as dict keys. (Inherited from rekall.obj.Struct)
obj_end (Inherited from rekall.obj.BaseObject)
obj_size (Inherited from rekall.obj.Struct)
parents
Returns all the parents of this object. (Inherited from rekall.obj.BaseObject)

Inherited from object: __class__

Method Details

is_valid(self)

Must have both valid next and prev pointers.

Overrides: obj.BaseObject.is_valid

dereference_as(self, type, member, vm=None)

Recasts the list entry as a member in a type, and returns the type.

Args:
  type: The name of this Struct type.
  member: The name of the member of this Struct.
  address_space: An optional address space to switch to during dereferencing.

find_all_lists(self, type, member, seen=None)

Follows all the list entries starting from lst.

We basically convert the list to a tree and recursively search it for new nodes. From each node we follow the Flink and then the Blink. When we see a node we already have, we backtrack.

reflect(self, vm=None)

Reflect this list element by following its Flink and Blink.

This is basically the same as Flink.Blink, except that it also checks Blink.Flink. It also ensures that Flink and Blink are dereferenced to the correct type in case the vtypes do not specify them as pointers.

Returns: the result of Flink.Blink.
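To make the LIST_ENTRY layout from the class description and the `dereference_as`, `find_all_lists` and `reflect` semantics concrete, here is an added example. It is not Rekall's own code and not the real `LIST_ENTRY` class: it models an XNU-style `LIST_ENTRY` over a constructed little-endian image of a hypothetical `struct proc { uint64 pid; LIST_ENTRY(proc) p_list; }`, and every address, offset and record in it is made up for the demo. `dereference_as` is the container_of subtraction back to the embedding struct, `reflect` is the Flink.Blink / Blink.Flink consistency check, `find_all_lists` is the tree search with a `seen` set, and `__bool__` follows the truth-value convention documented for `__nonzero__`. The constructed image contains one record that was removed from the forward chain without its neighbour's back pointer being fixed up, so a plain forward walk misses it, `reflect` flags the inconsistency on both records around the gap, and `find_all_lists` recovers it:

```python
# Added example, not Rekall's code: models XNU LIST_ENTRY over a constructed image.
import struct
from typing import Iterator, List, Optional, Set

PTR = 8                                      # 64-bit little-endian pointers
PID_OFF, P_LIST_OFF = 0, 8                   # hypothetical struct proc { uint64 pid; LIST_ENTRY(proc) p_list; }
BASE, HEAD = 0x1000, 0x1000                  # HEAD holds lh_first (constructed list head)
A, B, C, D = 0x1010, 0x1030, 0x1050, 0x1070  # constructed struct proc addresses


class Image:
    """A flat byte buffer standing in for a mapped address space."""
    def __init__(self, base: int, size: int):
        self.base, self.buf = base, bytearray(size)

    def read_ptr(self, addr: int) -> Optional[int]:
        off = addr - self.base
        if off < 0 or off + PTR > len(self.buf):
            return None                      # unmapped: not a valid pointer
        return struct.unpack_from("<Q", self.buf, off)[0]

    def write_ptr(self, addr: int, value: int) -> None:
        struct.pack_into("<Q", self.buf, addr - self.base, value)


class ListEntry:
    """le_next holds the next struct's address; le_prev holds the address of the previous
    element's le_next field (or of lh_first), which is also the previous entry's address."""
    def __init__(self, img: Image, addr: int):
        self.img, self.addr = img, addr

    le_next = property(lambda self: self.img.read_ptr(self.addr))
    le_prev = property(lambda self: self.img.read_ptr(self.addr + PTR))

    def is_valid(self) -> bool:              # both pointer fields must be readable
        return self.le_next is not None and self.le_prev is not None

    __bool__ = is_valid                      # `if entry:` tests validity, Rekall style

    def dereference_as(self, member_off: int) -> int:
        """container_of: address of the struct that embeds this entry."""
        return self.addr - member_off

    def reflect(self, member_off: int = P_LIST_OFF) -> Optional["ListEntry"]:
        """Flink.Blink and Blink.Flink must both lead back here; None otherwise."""
        if not self:
            return None
        if self.le_next:                     # next element's le_prev must be our le_next field
            nxt = ListEntry(self.img, self.le_next + member_off)
            if not nxt or nxt.le_prev != self.addr:
                return None
        # the le_next field that our le_prev names must hold our own struct's address
        if self.img.read_ptr(self.le_prev) != self.dereference_as(member_off):
            return None
        return self

    def list_of_type(self, member_off: int = P_LIST_OFF) -> Iterator[int]:
        """Forward walk over le_next; stops at NULL, an unmapped pointer or a cycle."""
        ent, seen = self, set()
        while ent and ent.addr not in seen:
            seen.add(ent.addr)
            yield ent.dereference_as(member_off)
            ent = ListEntry(self.img, ent.le_next + member_off) if ent.le_next else None

    def find_all_lists(self, member_off: int = P_LIST_OFF,
                       seen: Optional[Set[int]] = None) -> Set[int]:
        """Treat the list as a tree: follow le_next, then le_prev, from every entry and
        backtrack on entries already seen. Returns the entry addresses found."""
        seen = set() if seen is None else seen
        if not self or self.addr in seen:
            return seen
        seen.add(self.addr)
        if self.le_next:
            ListEntry(self.img, self.le_next + member_off).find_all_lists(member_off, seen)
        if self.le_prev:
            ListEntry(self.img, self.le_prev).find_all_lists(member_off, seen)
        return seen


def build_image() -> Image:
    """Constructed image: forward chain HEAD -> A -> B -> D. C was unlinked from the
    forward chain, but D.le_prev still names C's le_next field (a sloppy unlink)."""
    img = Image(BASE, 0x90)
    img.write_ptr(HEAD, A)
    for proc, pid in ((A, 1), (B, 2), (C, 3), (D, 4)):
        img.write_ptr(proc + PID_OFF, pid)
    for proc, nxt, prev_field in ((A, B, HEAD), (B, D, A + P_LIST_OFF),
                                  (C, D, B + P_LIST_OFF), (D, 0, C + P_LIST_OFF)):
        img.write_ptr(proc + P_LIST_OFF, nxt)
        img.write_ptr(proc + P_LIST_OFF + PTR, prev_field)
    return img

def pid_of(img: Image, proc: int) -> int:
    return img.read_ptr(proc + PID_OFF)

def forward_pids(img: Image) -> List[int]:            # what a naive forward walk reports
    return [pid_of(img, p) for p in ListEntry(img, A + P_LIST_OFF).list_of_type()]

def inconsistent_pids(img: Image) -> List[int]:       # records whose reflect() fails
    return [pid_of(img, p) for p in (A, B, C, D) if ListEntry(img, p + P_LIST_OFF).reflect() is None]

def recovered_pids(img: Image) -> List[int]:          # everything reachable via next or prev
    entries = ListEntry(img, A + P_LIST_OFF).find_all_lists()
    return sorted(pid_of(img, e - P_LIST_OFF) for e in entries if e != HEAD)
```

On the constructed image, `forward_pids` reports `[1, 2, 4]`, `inconsistent_pids` reports `[2, 3]` (the record before the gap and the unlinked record both fail `reflect`), and `recovered_pids` reports `[1, 2, 3, 4]`, because `find_all_lists` reaches the unlinked record through the stale back pointer. This is the reason the tree search follows Blink as well as Flink: the forward chain alone is exactly what a tampered or half-torn-down list presents, and the back pointers are an independent witness that can be cross-checked against it.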

__nonzero__(self)
(Boolean test operator)

This method is called when we test the truth value of an Object.

In rekall we consider an object to have a True truth value only when it is
a valid object. It's possible, for example, to have a Pointer object which
is not valid - this will have a truth value of False.

You should be testing for validity like this:

if X:
   # object is valid

Do not test for validity like this:

if int(X) == 0:

or

if X is None:
  .....

The latter form is not going to work when X is a NoneObject.

Overrides: obj.BaseObject.__nonzero__
(inherited documentation)