Class BuildIndex (rekall.plugins.tools.profile_tool)
Generate a profile index file based on an index specification.

The index specification is currently a yaml file with the following
structure:

```
base_symbol: (string) # OPTIONAL Compute ALL offsets as relative to this
    symbol. This includes MaxOffset and MinOffset.
symbols: (array of dicts) # A list of symbols to index.
  -
    name: (string) # Symbol name
    data: (string) # Data that should be at the symbol's offset
    shift: (int) # OPTIONAL Adjust symbol offset by this number
```

## Example:

```
path: win32k.sys
symbols:
  -
    # The name of the symbol we test for.
    name: "??_C@_1BO@KLKIFHLC@?$AAG?$AAU?$AAI?$AAF?$AAo?$AAn?$AAt?$AA?4?$AAH?$AAe?$AAi?$AAg?$AAh?$AAt?$AA?$AA@"

    # The data we expect to find at that offset.
    data: "47005500490046006f006e0074002e00480065006900670068007400"

  -
    name: "wcschr"
    shift: -1
    data: "90"
```

The result is an index profile. This has an $INDEX section which is a dict,
with keys being the profile name, and values being a list of (offset, match)
tuples. For example:

```
{
 "$INDEX": {
  "tcpip.sys/AMD64/6.0.6001.18000/0C1A1EC1D61E4508A33F5212FC1B37202": [[1184600, "495053656344656c657465496e626f756e644f7574626f756e64536150616972"]],
  "tcpip.sys/AMD64/6.0.6001.18493/29A4DBCAF840463298F40190DD1492D02": [[1190376, "495053656344656c657465496e626f756e644f7574626f756e64536150616972"]],
  "tcpip.sys/AMD64/6.0.6002.18272/7E79532FC7E349C690F5FBD16E3562172": [[1194296, "495053656344656c657465496e626f756e644f7574626f756e64536150616972"]],
...
  },

 "$METADATA": {
  "ProfileClass": "Index",
  "Type": "Profile",
  "MaxOffset": 546567,
  "MinOffset": 0
  }
 }
```
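The following is an added example, not Rekall's own code, showing how an index profile in the layout above can be built from the yaml-style spec. SPEC is the dict yaml.safe_load() would return for such a file, and SYMBOLS is a constructed stand-in for the symbol addresses of each profile in the repository (the real tool looks these up from the profiles themselves); the handling of a symbol missing from a profile and the meaning of MinOffset/MaxOffset are assumptions of this example.

```python
# Added example (not Rekall's own code): build a data-index profile from the
# yaml-style spec documented above. SPEC is the dict yaml.safe_load() would
# return for such a file; SYMBOLS is a constructed stand-in for the symbol
# addresses of each profile in the repository, keyed by the profile name
# that becomes the $INDEX key.

SPEC = {
    "base_symbol": "ImageBase",   # OPTIONAL: all offsets relative to this symbol
    "symbols": [
        # Constructed name standing in for the mangled string symbol above.
        {"name": "GUIFontHeightString", "data": "47005500490046006f006e0074"},
        {"name": "wcschr", "shift": -1, "data": "90"},
    ],
}

SYMBOLS = {  # constructed: profile name -> {symbol: absolute address}
    "win32k.sys/AMD64/6.1.7601.17514/EXAMPLE-GUID-A": {
        "ImageBase": 0x1000, "GUIFontHeightString": 0x1234, "wcschr": 0x2000},
    "win32k.sys/AMD64/6.1.7601.18000/EXAMPLE-GUID-B": {
        "ImageBase": 0x2000, "GUIFontHeightString": 0x2280, "wcschr": 0x3100},
}

def build_data_index(spec, symbols_by_profile):
    """Return {"$INDEX": ..., "$METADATA": ...} in the layout shown above."""
    base_name = spec.get("base_symbol")
    index, bounds = {}, []
    for profile, symtab in symbols_by_profile.items():
        base = symtab[base_name] if base_name else 0
        points = []
        for entry in spec["symbols"]:
            address = symtab.get(entry["name"])
            if address is None:
                continue  # assumption: a symbol absent from a profile yields no point
            data = entry["data"].lower()
            bytes.fromhex(data)  # reject malformed hex before it reaches the index
            offset = address - base + entry.get("shift", 0)
            points.append([offset, data])
            bounds += [offset, offset + len(data) // 2]
        if points:
            index[profile] = points
    # Assumption: Min/MaxOffset bound the byte range the index will compare.
    metadata = {"ProfileClass": "Index", "Type": "Profile",
                "MinOffset": min(bounds) if bounds else 0,
                "MaxOffset": max(bounds) if bounds else 0}
    return {"$INDEX": index, "$METADATA": metadata}
```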

Nested Classes
  __metaclass__
    Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
  top_level_class
    A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)

Instance Methods
  __init__(self, spec=None, root='./', manager=None, **kwargs)
    The constructor for this command.
  ValidateDataIndex(self, index)
    Check the index for collisions.
  BuildDataIndex(self, spec)
    Builds a data index from the specification.
  BuildStructIndex(self, spec)
    Builds a Struct index from specification.
  BuildSymbolsIndex(self, spec)
    Builds an index to identify profiles based on their symbols-offsets.
  build_index(self, spec)
  render(self, renderer)
    Produce results on the renderer given.
  __iter__(self)
    Make plugins that define collect iterable, as a convenience. (Inherited from rekall.plugin.Command)
  __repr__(self)
    repr(x) (Inherited from rekall.plugin.Command)
  __str__(self)
    Render into a string using the text renderer. (Inherited from rekall.plugin.Command)
  get_plugin(self, name, **kwargs)
    Returns an instance of the named plugin. (Inherited from rekall.plugin.Command)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods
  args(cls, parser)
    Declare the command line args this plugin needs.
  GetActiveClasses(cls, session)
    Return only the active commands based on config. (Inherited from rekall.plugin.Command)
  GetPrototype(cls, session)
    Return an instance of this plugin with suitable default arguments. (Inherited from rekall.plugin.Command)
  ImplementationByClass(self, name)
  ImplementationByName(self, name)
  is_active(cls, session)
    Checks we are active. (Inherited from rekall.plugin.ModeBasedActiveMixin)

Class Variables
  classes = {'AFF4Acquire': <class 'rekall.plugins.tools.aff4acq... (Inherited from rekall.plugin.Command)
  classes_by_name = {None: [<class 'rekall.plugins.tools.ipython... (Inherited from rekall.plugin.Command)
  error_status = None (Inherited from rekall.plugin.Command)
  interactive = False (Inherited from rekall.plugin.Command)
  mode = None (Inherited from rekall.plugin.Command)
  plugin_feature = 'Command' (Inherited from rekall.plugin.Command)
  producer = False (Inherited from rekall.plugin.Command)

Properties
  name (Inherited from rekall.plugin.Command)

Inherited from object: __class__

Method Details

args(cls, parser)
Class Method

Declare the command line args this plugin needs.

Overrides: plugin.Command.args
(inherited documentation)

__init__(self, spec=None, root='./', manager=None, **kwargs)
(Constructor)

The constructor for this command.

Commands can take arbitrary named args and have access to the running
session.

Args:
  session: The session we will use. Many options are taken from the
    session by default, if not provided. This allows users to omit
    specifying many options.

  ignore_required: If this is true plugin constructors must allow the
    plugin to be instantiated with no parameters. All parameter
    validation shall be disabled and construction must succeed.

Overrides: object.__init__
(inherited documentation)

ValidateDataIndex(self, index)

Check the index for collisions.

An index collision occurs when all the comparison points in one GUID are also contained in another GUID. If these points match it is impossible to distinguish between the two indexes. We need to issue a warning so the user can add additional comparison points to resolve the ambiguity.

BuildDataIndex(self, spec)

Builds a data index from the specification.

A data index is an index which collates known data at known offsets in memory. We then apply the index to a memory location to discover the most likely match there.
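The two operations described above for a data index, applying it to a memory buffer and checking it for the collisions ValidateDataIndex warns about, as an added example that is not Rekall's own code. INDEX is a constructed profile in the $INDEX layout documented at the top of this page; the profile names and the memory image are constructed sample values.

```python
# Added example (not Rekall's own code): apply an index profile of the
# $INDEX form documented above to a memory buffer, and report profiles whose
# comparison points are a subset of another profile's (the collision case).

INDEX = {
    "$INDEX": {
        # Constructed profiles; real keys are name/arch/version/GUID strings.
        "tcpip.sys/AMD64/6.0.6001.18000/EXAMPLE-GUID-A": [[0x100, "4950536563"], [0x200, "4889e5"]],
        "tcpip.sys/AMD64/6.0.6001.18493/EXAMPLE-GUID-B": [[0x100, "4950536563"], [0x200, "90909090"]],
        "tcpip.sys/AMD64/6.0.6002.18272/EXAMPLE-GUID-C": [[0x100, "4950536563"]],  # subset of A and B
    },
    "$METADATA": {"ProfileClass": "Index", "Type": "Profile",
                  "MinOffset": 0x100, "MaxOffset": 0x204},
}

def apply_index(index, memory, base=0):
    """Return the profiles whose comparison points all match `memory`.

    `memory` holds the bytes starting at address `base`; a point
    (offset, hexdata) matches when the bytes at offset equal hexdata."""
    matches = []
    for profile, points in index["$INDEX"].items():
        ok = True
        for offset, hexdata in points:
            expected = bytes.fromhex(hexdata)
            start = offset - base
            # A slice running past the end of memory is shorter than expected
            # and therefore fails the comparison.
            if start < 0 or memory[start:start + len(expected)] != expected:
                ok = False
                break
        if ok:
            matches.append(profile)
    return sorted(matches)

def find_collisions(index):
    """Pairs (a, b) where every comparison point of a also belongs to b, so
    any memory matching b matches a too and the two cannot be told apart."""
    points = {p: {(off, d.lower()) for off, d in pts}
              for p, pts in index["$INDEX"].items()}
    return sorted((a, b) for a in points for b in points
                  if a != b and points[a] <= points[b])

# Constructed memory image: 0x204 bytes carrying profile A's bytes.
MEMORY = bytearray(0x204)
MEMORY[0x100:0x105] = bytes.fromhex("4950536563")
MEMORY[0x200:0x203] = bytes.fromhex("4889e5")
```

Running apply_index(INDEX, bytes(MEMORY)) reports both A and C, which is exactly the ambiguity find_collisions flags for C.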

BuildStructIndex(self, spec)

Builds a Struct index from specification.

A Struct index is a collection of struct offsets for certain members over all available versions.

BuildSymbolsIndex(self, spec)

Builds an index to identify profiles based on their symbols-offsets.

The index stores traits for each profile. A trait is a combination of 1 or more symbol-offset pairs that uniquely identify it within the current profile repository.

The code handles:

  • Incremental updates of the index. Adding a new profile to the index doesn't trigger recomputing the entire index.
  • Detection of duplicates. If a profile is to be added that's already in the index, it will be detected and skipped.
  • Clash detection. If a new profile has some symbol-offsets that were traits of other profiles, the profile whose traits are not unique anymore will be found and its index rebuilt.
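A simplified symbols index in the spirit of the three behaviours listed above (incremental update, duplicate detection, clash detection), as an added example that is not Rekall's own code. The symbol tables, profile names and the two-pair trait limit are constructed assumptions of this example, not values from the Rekall repository.

```python
# Added example (not Rekall's own code): a simplified symbols index in the
# spirit of BuildSymbolsIndex. Profiles are constructed {symbol: offset}
# tables; a trait is the smallest combination of (symbol, offset) pairs
# that occurs in one profile and in no other profile of the repository.
from itertools import combinations

PROFILES = {  # constructed symbol tables keyed by profile name
    "ntkrnlmp.pdb/EXAMPLE-GUID-1": {"PsActiveProcessHead": 0x1000, "KeBugCheck": 0x2000, "ExAllocatePool": 0x3000},
    "ntkrnlmp.pdb/EXAMPLE-GUID-2": {"PsActiveProcessHead": 0x1000, "KeBugCheck": 0x2100, "ExAllocatePool": 0x3000},
}
NEW_PROFILE = {"PsActiveProcessHead": 0x1000, "KeBugCheck": 0x2000, "ExAllocatePool": 0x3100}

def compute_trait(table, others, max_size=2):
    """Smallest combination (up to max_size pairs) present in `table` only."""
    pairs = sorted(table.items())
    for size in range(1, max_size + 1):
        for combo in combinations(pairs, size):
            if not any(all(o.get(s) == off for s, off in combo) for o in others.values()):
                return combo
    return None  # not distinguishable with traits this small

def build_symbols_index(profiles):
    """Full build: one trait per profile."""
    return {name: compute_trait(table, {n: t for n, t in profiles.items() if n != name})
            for name, table in profiles.items()}

def add_profile(index, profiles, name, table):
    """Incremental update: skip duplicates, compute the newcomer's trait and
    rebuild only the traits the newcomer clashes with."""
    if name in profiles or table in profiles.values():
        return "duplicate"
    profiles[name] = table
    others = lambda n: {k: v for k, v in profiles.items() if k != n}
    index[name] = compute_trait(table, others(name))
    for other, trait in list(index.items()):
        # Clash: the new profile shares every pair of another profile's trait,
        # so that trait no longer identifies its profile uniquely.
        if other != name and trait and all(table.get(s) == off for s, off in trait):
            index[other] = compute_trait(profiles[other], others(other))
    return "added"
```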

render(self, renderer)

Produce results on the renderer given.

Each plugin should implement this method to produce output on the
renderer. The framework will initialize the plugin and provide it with
some kind of renderer to write output on. The plugin should not assume
that the renderer is actually TextRenderer, only that the methods
defined in the BaseRenderer exist.

Args:
  renderer: A renderer derived from rekall.ui.renderer.BaseRenderer.

Overrides: plugin.Command.render
(inherited documentation)

ImplementationByClass(self, name)
Class Method

Overrides: plugin.Command.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: plugin.Command.ImplementationByName