
Source Code for Module rekall.plugins.overlays.native_types

  1  """Data types for various compilers. 
  2   
  3  Different models: 
  4  http://www.unix.org/version2/whatsnew/lp64_wp.html 
  5  http://en.wikipedia.org/wiki/64-bit_computing 
  6   
  7  Python standard types: 
  8  http://docs.python.org/2/library/struct.html#format-characters 
  9  """ 
 10   
 11  from rekall import obj 
 12   
# LP64 data model: 64 bit unix like operating systems.
#
# Maps a C type name to a curried constructor carrying the struct format
# string used to decode that type. Every entry is little endian ('<') except
# the two explicit 'unsigned be ...' types. An explicit byte order prefix also
# selects struct's standard sizes (c/b/B = 1, h/H = 2, i/I = 4, q/Q = 8
# bytes), so the decoded width does not depend on the host doing the
# analysis. In this model 'long' and 'address' are 8 bytes wide; decoding an
# image with the wrong model silently yields wrong values for those types.
LP64 = {
    'bool': obj.Curry(obj.Bool, type_name='bool', format_string='<c'),
}
LP64.update(
    (name, obj.Curry(obj.NativeType, type_name=name, format_string=fmt))
    for name, fmt in (
        # Char is 8 bits.
        ('char', '<c'),
        ('unsigned char', '<B'),
        ('signed byte', '<b'),

        # Shorts are 16 bits.
        ('short', '<h'),
        ('unsigned short', '<H'),

        # ints are 32 bits.
        ('int', '<i'),
        ('unsigned int', '<I'),

        # Both long and long long are 64 bits.
        ('long', '<q'),
        ('unsigned long', '<Q'),
        ('long long', '<q'),
        ('unsigned long long', '<Q'),

        # Pointers are 64 bits.
        ('address', '<Q'),

        # Always big endian, whatever the model's own byte order is.
        ('unsigned be short', '>H'),
        ('unsigned be int', '>I'),
    )
)
 55   
 56   
# LLP64 data model: 64 bit Windows.
#
# Maps a C type name to a curried constructor carrying the struct format
# string used to decode that type. Every entry is little endian ('<') except
# the two explicit 'unsigned be ...' types. Here 'long' stays at 4 bytes
# while 'address' (pointers) and 'long long' are 8 bytes, so pointer sized
# values must not be read through 'long' in this model.
LLP64 = {
    'bool': obj.Curry(obj.Bool, type_name='bool', format_string='<c'),
}
LLP64.update(
    (name, obj.Curry(obj.NativeType, type_name=name, format_string=fmt))
    for name, fmt in (
        # Char is 8 bits.
        ('char', '<c'),
        ('unsigned char', '<B'),
        ('signed byte', '<b'),

        # Shorts are 16 bits.
        ('short', '<h'),
        ('unsigned short', '<H'),

        # ints are 32 bits.
        ('int', '<i'),
        ('unsigned int', '<I'),

        # long is also 32 bits.
        ('long', '<i'),
        ('unsigned long', '<I'),

        # But long long is 64 bits.
        ('long long', '<q'),
        ('unsigned long long', '<Q'),

        # Pointers are 64 bits.
        ('address', '<Q'),

        # Always big endian, whatever the model's own byte order is.
        ('unsigned be short', '>H'),
        ('unsigned be int', '>I'),
    )
)
100   
# ILP32 data model: 32 bit little endian systems.
#
# Maps a C type name to a curried constructor carrying the struct format
# string used to decode that type. Every entry is little endian ('<') except
# the two explicit 'unsigned be ...' types. 'int', 'long' and 'address'
# (pointers) are all 4 bytes wide; only 'long long' is 8 bytes.
ILP32 = {
    'bool': obj.Curry(obj.Bool, type_name='bool', format_string='<c'),
}
ILP32.update(
    (name, obj.Curry(obj.NativeType, type_name=name, format_string=fmt))
    for name, fmt in (
        # Char is 8 bits.
        ('char', '<c'),
        ('unsigned char', '<B'),
        ('signed byte', '<b'),

        # Shorts are 16 bits.
        ('short', '<h'),
        ('unsigned short', '<H'),

        # ints are 32 bits.
        ('int', '<i'),
        ('unsigned int', '<I'),

        # long is also 32 bits.
        ('long', '<i'),
        ('unsigned long', '<I'),

        # But long long is 64 bits.
        ('long long', '<q'),
        ('unsigned long long', '<Q'),

        # Pointers are 32 bits.
        ('address', '<I'),

        # Always big endian, whatever the model's own byte order is.
        ('unsigned be short', '>H'),
        ('unsigned be int', '>I'),
    )
)
144   
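# BE32 data model: 32 bit big endian systems.
#
# Same type widths as a 32 bit little endian model ('int', 'long' and
# 'address' are 4 bytes, 'long long' is 8), but every multi-byte value is
# decoded most significant byte first ('>'). Picking a little endian model
# for a big endian image (or the reverse) byte-swaps every pointer and
# integer without raising an error.
BE32 = {
    'bool': obj.Curry(obj.Bool, type_name='bool', format_string='>c'),
}
BE32.update(
    (name, obj.Curry(obj.NativeType, type_name=name, format_string=fmt))
    for name, fmt in (
        # Char is 8 bits.
        ('char', '>c'),
        ('unsigned char', '>B'),

        # Was '<b', the only little endian entry in this table. A single
        # byte decodes identically under either prefix; '>b' keeps the model
        # uniformly big endian.
        ('signed byte', '>b'),

        # Shorts are 16 bits.
        ('short', '>h'),
        ('unsigned short', '>H'),

        # ints are 32 bits.
        ('int', '>i'),
        ('unsigned int', '>I'),

        # long is also 32 bits.
        ('long', '>i'),
        ('unsigned long', '>I'),

        # But long long is 64 bits.
        ('long long', '>q'),
        ('unsigned long long', '>Q'),

        # Pointers are 32 bits.
        ('address', '>I'),

        # Explicitly big endian names; identical to the plain unsigned
        # short/int entries in this model.
        ('unsigned be short', '>H'),
        ('unsigned be int', '>I'),
    )
)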
188   
# Alternative spellings of the same C types. Each alias is bound to the very
# same obj.Curry object as its canonical name, in every data model, so a
# lookup by either spelling decodes with the same width and byte order.
# NOTE(review): 'signed char' therefore inherits the 'c' format of 'char',
# which struct decodes to a one-byte string rather than a signed integer -
# confirm that is what callers expect.
for old, new in (
        ('char', 'signed char'),
        ('unsigned char', 'byte'),

        ('short', 'short int'),
        ('unsigned short', 'unsigned short int'),

        ('long', 'long int'),
        ('unsigned long', 'unsigned long int'),
        ('unsigned long', 'long unsigned int'),

        ('long long', 'long long int'),
        ('unsigned long long', 'unsigned long long int'),

        # Some weird combinations we sometimes see.
        ('unsigned long long', 'long long unsigned int'),
        ('unsigned short', 'short unsigned int'),
        ):
    # Every canonical name exists in all four tables, so this never raises
    # KeyError; no alias is itself used as a source name.
    for model in (LP64, ILP32, LLP64, BE32):
        model[new] = model[old]
210