Package rekall :: Package plugins :: Package overlays :: Package darwin :: Module darwin :: Class vm_map_entry

Class vm_map_entry


Nested Classes
  __metaclass__
Give each object a unique ID. (Inherited from rekall.obj.BaseObject)
Instance Methods

find_vnode_object(self)
Find the underlying vnode object for the given vm_map_entry.

GetData(self)
Returns the raw data of this object. (Inherited from rekall.obj.BaseObject)

SetMember(self, attr, value)
Write a value to a member. (Inherited from rekall.obj.Struct)

__comparator__(self, other, method) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__dir__(self)
Hide any members with _. (Inherited from rekall.obj.BaseObject)

__eq__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__format__(self, formatspec)
default object formatter (Inherited from rekall.obj.BaseObject)

__ge__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__getattr__(self, attr) (Inherited from rekall.obj.Struct)

__gt__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__hash__(self)
hash(x) (Inherited from rekall.obj.Struct)

__init__(self, members=None, struct_size=0, callable_members=None, **kwargs)
This must be instantiated with a dict of members. (Inherited from rekall.obj.Struct)

__int__(self)
Return our offset as an integer. (Inherited from rekall.obj.Struct)

__le__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__long__(self) (Inherited from rekall.obj.Struct)

__lt__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__ne__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__nonzero__(self)
This method is called when we test the truth value of an Object. (Inherited from rekall.obj.BaseObject)

__repr__(self)
repr(x) (Inherited from rekall.obj.Struct)

__str__(self)
str(x) (Inherited from rekall.obj.BaseObject)

__unicode__(self) (Inherited from rekall.obj.Struct)

cast(self, type_name=None, vm=None, **kwargs) (Inherited from rekall.obj.BaseObject)

deref(self, vm=None)
An alias for dereference - less to type. (Inherited from rekall.obj.BaseObject)

dereference(self, vm=None) (Inherited from rekall.obj.BaseObject)

is_valid(self) (Inherited from rekall.obj.BaseObject)

m(self, attr, allow_callable_attributes=False)
Fetch the member named by attr. (Inherited from rekall.obj.Struct)

multi_m(self, *args, **opts)
Retrieve a set of fields in order. (Inherited from rekall.obj.Struct)

preamble_size(self)
The number of bytes before the object which are part of the object. (Inherited from rekall.obj.Struct)

proxied(self) (Inherited from rekall.obj.BaseObject)

reference(self)
Produces a pointer to this object. (Inherited from rekall.obj.BaseObject)

v(self, vm=None)
When a struct is evaluated we just return our offset. (Inherited from rekall.obj.Struct)

walk_list(self, list_member, include_current=True, deref_as=None)
Walk a single linked list in this struct. (Inherited from rekall.obj.Struct)

write(self, value)
Function for writing the object back to disk (Inherited from rekall.obj.BaseObject)

Inherited from object: __delattr__, __getattribute__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods
 
getproperties(cls)
Return all members that are intended to represent some data. (Inherited from rekall.obj.BaseObject)
Class Variables
  obj_name = <No name> (Inherited from rekall.obj.BaseObject)
  obj_parent = <No parent> (Inherited from rekall.obj.BaseObject)
  obj_producers = None
hash(x) (Inherited from rekall.obj.BaseObject)
Properties
  sharing_mode
Returns the sharing mode of the backing vm_object.
  code_signed
  last_shadow
  start
  end
  vmo_object
Return the vm_object instance for this entry.
  indices
Returns (usually 1) representation(s) of self usable as dict keys. (Inherited from rekall.obj.Struct)
  obj_end (Inherited from rekall.obj.BaseObject)
  obj_size (Inherited from rekall.obj.Struct)
  parents
Returns all the parents of this object. (Inherited from rekall.obj.BaseObject)

Inherited from object: __class__

Method Details

find_vnode_object(self)

Find the underlying vnode object for the given vm_map_entry.

xnu-2422.1.72/osfmk/vm/bsd_vm.c: 1339.


Property Details

sharing_mode

Returns the sharing mode of the backing vm_object.

This is loosely adapted from vm_map.c, void vm_map_region_top_walk(), except we're not filling page counts for resident/reusable, etc.

Get Method:
unreachable.sharing_mode(self) - Returns the sharing mode of the backing vm_object.

code_signed

Get Method:
unreachable.code_signed(self)

last_shadow

Get Method:
unreachable.last_shadow(self)

start

Get Method:
unreachable.start(self)

end

Get Method:
unreachable.end(self)

vmo_object

Return the vm_object instance for this entry.

There's an intermediate link called struct vm_map_entry.

The members will be called either 'object' and 'vm_object' or 'vme_object' and 'vmo_object'.

There is no easy heuristic for which it will be in a particular kernel version* so we just try both, since they mean the same thing.

* The kernel version numbers could be identical for a kernel built from a feature branch and a kernel built from trunk, and the two could be months apart. Furthermore, the profiles are generated not from the kernel itself but from a debug kit and can end up using out-of-date naming conventions.

Get Method:
unreachable.vmo_object(self) - Return the vm_object instance for this entry.