Package rekall :: Package plugins :: Package overlays :: Package linux :: Module linux :: Class Linux

Class Linux

Nested Classes
	__metaclass__ Automatic Plugin Registration through metaclasses. (Inherited from rekall.obj.Profile)
	top_level_class A collection of types relating to a single compilation unit. (Inherited from rekall.obj.Profile)

Instance Methods

GetImageBase(self)

source code

add_kernel_config_options(self, **kwargs)
Add the kwargs as kernel config options for this profile.

source code

get_kernel_config(self, config_option)
Returns the kernel config option config_option for this profile.

source code

get_wall_to_monotonic(self, vm=None)

source code

get_total_sleep_time(self, vm=None)

source code

getboottime(self, vm=None)
Returns the real time of system boot.

source code

ktime_sub(self, lhs, rhs)
Substracts two ktime_t instances.

source code

ktime_to_timespec(self, kt)
Transforms a ktime_t to a timespec.

source code

ns_to_timespec(self, nsec)
Transforms nanoseconds to a timespec.

source code

phys_addr(self, va)
Returns the physical address of a given virtual address va.

source code

GetPageOffset(self)
Gets the page offset.

source code

nsec_to_clock_t(self, x)
Convers nanoseconds to a clock_t.

source code

EnsureInitialized(self) (Inherited from rekall.obj.Profile)

source code

GetPrototype(self, type_name)
Return a prototype of objects of type 'type_name'. (Inherited from rekall.obj.Profile)

source code

Object(self, type_name=None, offset=None, vm=None, name=None, parent=None, context=None, **kwargs)
A function which instantiates the object named in type_name (as a string) from the type in profile passing optional args of kwargs. (Inherited from rekall.obj.Profile)

source code

__dir__(self)
Support tab completion. (Inherited from rekall.obj.Profile)

source code

__getattr__(self, attr)
Make it easier to instantiate individual members. (Inherited from rekall.obj.Profile)

source code

__init__(self, **kwargs)
x.__init__(...) initializes x; see help(type(x)) for signature (Inherited from rekall.plugins.overlays.basic.RelativeOffsetMixin)

source code

__repr__(self)
repr(x) (Inherited from rekall.obj.Profile)

source code

__unicode__(self) (Inherited from rekall.obj.Profile)

source code

add_classes(self, classes_dict=None, **kwargs)
Add the classes in the dict to our object classes mapping. (Inherited from rekall.obj.Profile)

source code

add_constant_type(self, constant, target, target_args) (Inherited from rekall.obj.Profile)

source code

add_constants(self, constants=None, constants_are_absolute=False, **opts) (Inherited from rekall.plugins.overlays.basic.RelativeOffsetMixin)

source code

add_enums(self, **kwargs)
Add the kwargs as an enum for this profile. (Inherited from rekall.obj.Profile)

source code

add_overlay(self, overlay)
Add an overlay to the current overlay stack. (Inherited from rekall.obj.Profile)

source code

add_reverse_enums(self, **kwargs)
Add the kwargs as a reverse enum for this profile. (Inherited from rekall.obj.Profile)

source code

add_types(self, abstract_types) (Inherited from rekall.obj.Profile)

source code

compile_type(self, type_name)
Compile the specific type and ensure it exists in the type cache. (Inherited from rekall.obj.Profile)

source code

copy(self)
Makes a copy of this profile. (Inherited from rekall.obj.Profile)

source code

flush_cache(self) (Inherited from rekall.obj.Profile)

source code

get_constant(self, name, is_address=False)
Gets the constant from the profile. (Inherited from rekall.plugins.overlays.basic.RelativeOffsetMixin)

source code

get_constant_by_address(self, address) (Inherited from rekall.obj.Profile)

source code

get_constant_object(self, constant, target=None, target_args=None, vm=None, **kwargs)
A help function for retrieving pointers from the symbol table. (Inherited from rekall.obj.Profile)

source code

get_enum(self, enum_name, field=None) (Inherited from rekall.obj.Profile)

source code

get_nearest_constant_by_address(self, address, below=True) (Inherited from rekall.plugins.overlays.basic.RelativeOffsetMixin)

source code

get_obj_offset(self, name, member)
Returns a member's offset within the struct. (Inherited from rekall.obj.Profile)

source code

get_obj_size(self, name)
Returns the size of a struct (Inherited from rekall.obj.Profile)

source code

get_reverse_enum(self, enum_name, field=None) (Inherited from rekall.obj.Profile)

source code

has_class(self, class_name) (Inherited from rekall.obj.Profile)

source code

has_type(self, type_name) (Inherited from rekall.obj.Profile)

source code

integer_to_address(self, virtual_address) (Inherited from rekall.obj.Profile)

source code

legacy_field_descriptor(self, typeList)
Converts the list expression into a target, target_args notation. (Inherited from rekall.obj.Profile)

source code

list_to_type(self, name, typeList)
Parses a specification list and returns a VType object. (Inherited from rekall.obj.Profile)

source code

merge(self, other)
Merges another profile into this one. (Inherited from rekall.obj.Profile)

source code

merge_symbols(self, other, *args) (Inherited from rekall.obj.Profile)

source code

metadata(self, name, default=None)
Obtain metadata about this profile. (Inherited from rekall.obj.Profile)

source code

metadatas(self, *args)
Obtain metadata about this profile. (Inherited from rekall.obj.Profile)

source code

obj_has_member(self, name, member)
Returns whether an object has a certain member (Inherited from rekall.obj.Profile)

source code

set_metadata(self, name, value) (Inherited from rekall.obj.Profile)

source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods

Initialize(cls, profile)
Install required types, classes and constants.

source code

ImplementationByClass(self, name)

source code

ImplementationByName(self, name)

source code

LoadProfileFromData(cls, data, session=None, name=None, profile=None)
Creates a profile directly from a JSON object. (Inherited from rekall.obj.Profile)

source code

Class Variables
	METADATA = `{'os': 'linux', 'type': 'Kernel'}`
	image_base = `None` hash(x)
	COMMON_CLASSES = `{'Array': <class 'rekall.obj.Array'>, 'BitFie...` (Inherited from rekall.obj.Profile)
	EMPTY_DESCRIPTOR = `[0, {}]` (Inherited from rekall.obj.Profile)
	applied_modifications = `None` hash(x) (Inherited from rekall.obj.Profile)
	classes = `{'APIBaseProfile': <class 'rekall.plugins.response.c...` (Inherited from rekall.obj.Profile)
	classes_by_name = `{None: [<class 'rekall.obj.Profile'>, <class...` (Inherited from rekall.obj.Profile)
	constants = `None` hash(x) (Inherited from rekall.obj.Profile)
	overlays = `None` hash(x) (Inherited from rekall.obj.Profile)
	plugin_feature = `'Profile'` (Inherited from rekall.obj.Profile)
	types = `None` hash(x) (Inherited from rekall.obj.Profile)
	vtypes = `None` hash(x) (Inherited from rekall.obj.Profile)

Properties
Inherited from `object`: `__class__`

Method Details

Initialize(cls, profile)
Class Method

source code

Install required types, classes and constants.

This method should be extended by derived classes. It is a class method to allow other profiles to call this method and install the various components into their own profiles.

Overrides: obj.Profile.Initialize: (inherited documentation)

GetImageBase(self)

source code

Overrides: basic.RelativeOffsetMixin.GetImageBase

get_kernel_config(self, config_option)

source code

Returns the kernel config option config_option for this profile.

Raises if no kernel configuration is present in the profile.

phys_addr(self, va)

source code

Returns the physical address of a given virtual address va.

Linux has a direct mapping between the kernel virtual address space and the physical memory. This is the difference between the virtual and physical addresses (aka PAGE_OFFSET). This is defined by the __va macro:

#define __va(x) ((void *)((unsigned long) (x) + PAGE_OFFSET))