Class fileproc (module rekall.plugins.overlays.darwin.darwin)

Represents an open file, owned by a process.

Nested Classes
  __metaclass__
Give each object a unique ID. (Inherited from rekall.obj.BaseObject)
Instance Methods

autocast_fg_data(self)
Returns the correct struct with fg_type-specific information.

GetData(self)
Returns the raw data of this object. (Inherited from rekall.obj.BaseObject)

SetMember(self, attr, value)
Write a value to a member. (Inherited from rekall.obj.Struct)

__comparator__(self, other, method) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__dir__(self)
Hide any members with _. (Inherited from rekall.obj.BaseObject)

__eq__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__format__(self, formatspec)
Default object formatter. (Inherited from rekall.obj.BaseObject)

__ge__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__getattr__(self, attr) (Inherited from rekall.obj.Struct)

__gt__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__hash__(self)
hash(x) (Inherited from rekall.obj.Struct)

__init__(self, members=None, struct_size=0, callable_members=None, **kwargs)
This must be instantiated with a dict of members. (Inherited from rekall.obj.Struct)

__int__(self)
Return our offset as an integer. (Inherited from rekall.obj.Struct)

__le__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__long__(self) (Inherited from rekall.obj.Struct)

__lt__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__ne__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__nonzero__(self)
This method is called when we test the truth value of an Object. (Inherited from rekall.obj.BaseObject)

__repr__(self)
repr(x) (Inherited from rekall.obj.Struct)

__str__(self)
str(x) (Inherited from rekall.obj.BaseObject)

__unicode__(self) (Inherited from rekall.obj.Struct)

cast(self, type_name=None, vm=None, **kwargs) (Inherited from rekall.obj.BaseObject)

deref(self, vm=None)
An alias for dereference (less to type). (Inherited from rekall.obj.BaseObject)

dereference(self, vm=None) (Inherited from rekall.obj.BaseObject)

is_valid(self) (Inherited from rekall.obj.BaseObject)

m(self, attr, allow_callable_attributes=False)
Fetch the member named by attr. (Inherited from rekall.obj.Struct)

multi_m(self, *args, **opts)
Retrieve a set of fields in order. (Inherited from rekall.obj.Struct)

preamble_size(self)
The number of bytes before the object which are part of the object. (Inherited from rekall.obj.Struct)

proxied(self) (Inherited from rekall.obj.BaseObject)

reference(self)
Produces a pointer to this object. (Inherited from rekall.obj.BaseObject)

v(self, vm=None)
When a struct is evaluated we just return our offset. (Inherited from rekall.obj.Struct)

walk_list(self, list_member, include_current=True, deref_as=None)
Walk a singly linked list in this struct. (Inherited from rekall.obj.Struct)

write(self, value)
Function for writing the object back to disk. (Inherited from rekall.obj.BaseObject)

Inherited from object: __delattr__, __getattribute__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods

getproperties(cls)
Return all members that are intended to represent some data. (Inherited from rekall.obj.BaseObject)

Class Variables

DTYPE_TO_HUMAN = {'-': 'INVALID', 'DTYPE_ATALK': '<unknown>', ...
obj_name = <No name> (Inherited from rekall.obj.BaseObject)
obj_parent = <No parent> (Inherited from rekall.obj.BaseObject)
obj_producers = None

Properties
  fg_type
Returns type of the fileglob (e.g. vnode, socket, etc.)
  socket
Return the associated socket if the dtype is for socket.
  vnode
Return the associated vnode if the dtype is for vnode.
  human_name
  human_type
  indices
Returns (usually 1) representation(s) of self usable as dict keys. (Inherited from rekall.obj.Struct)
  obj_end (Inherited from rekall.obj.BaseObject)
  obj_size (Inherited from rekall.obj.Struct)
  parents
Returns all the parents of this object. (Inherited from rekall.obj.BaseObject)

Inherited from object: __class__

Method Details

autocast_fg_data(self)

Returns the correct struct with fg_type-specific information.

This can be one of vnode, socket, shared memory or semaphore [1].

Of those four, we currently only get extra information for vnode and socket. For everything else, we return a NoneObject.

[1]: https://github.com/opensource-apple/xnu/blob/10.9/bsd/sys/file_internal.h#L184


Class Variable Details

DTYPE_TO_HUMAN

Value:
{'-': 'INVALID',
 'DTYPE_ATALK': '<unknown>',
 'DTYPE_FSEVENTS': 'FS Events',
 'DTYPE_KQUEUE': 'kernel queue',
 'DTYPE_PIPE': 'pipe',
 'DTYPE_PSXSEM': 'POSIX Semaphore',
 'DTYPE_PSXSHM': 'POSIX Shared Mem.',
 'DTYPE_SOCKET': 'socket',
...

Property Details

fg_type

Returns type of the fileglob (e.g. vnode, socket, etc.)

Get Method:
unreachable.fg_type(self) - Returns type of the fileglob (e.g. vnode, socket, etc.)

socket

Return the associated socket if the dtype is for socket.

Get Method:
unreachable.socket(self) - Return the associated socket if the dtype is for socket.

vnode

Return the associated vnode if the dtype is for vnode.

Get Method:
unreachable.vnode(self) - Return the associated vnode if the dtype is for vnode.

human_name

Get Method:
unreachable.human_name(self)

human_type

Get Method:
unreachable.human_type(self)