Package rekall :: Module type_generator :: Class Disassembler

Class Disassembler

A constant generator deriving values based on the disassembler.

Instance Methods

__init__(self, session=None, name=None, start=None, end=None, length=300, rules=None, max_separation=10)
    Derive a value from disassembly.

__str__(self)
    str(x)

CompileRule(self, rule)
    Convert the rule into a regular expression.

calculate(self, session)
    Returns the expected value or a NoneObject.

GenerateVector(self, hits, vector, level)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __subclasshook__

Class Variables
  __metaclass__ = registry.MetaclassRegistry (Inherited from rekall.type_generator.DynamicParser)
Properties

Inherited from object: __class__

Method Details

__init__(self, session=None, name=None, start=None, end=None, length=300, rules=None, max_separation=10)
(Constructor)

Derive a value from disassembly.

Args:
  start: Where to start disassembly (Usually a symbol name).
  end: Where to stop disassembly.

  length: If end is not specified, we disassemble at most this many
    bytes.

  rules: A list of rules (see above).

Overrides: object.__init__

__str__(self)
(Informal representation operator)


str(x)

Overrides: object.__str__
(inherited documentation)

CompileRule(self, rule)


Convert the rule into a regular expression.

Rules are a list of patterns. Each pattern corresponds to a single instruction. There can be an arbitrary number of instructions between each rule.

Output is captured using $out (this can only be specified once). Wildcards are denoted by *. A wildcard only applies within a single instruction (including its comment); it never spans instructions. The following is an example of a rule:

    MOV EAX, [ESI+$out]
    TEST EAX, EAX
    PUSH EAX
    CALL DWORD *__imp__PsGetProcessId
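The following is an added illustration of the rule syntax described above; it is not Rekall's own CompileRule or calculate implementation. It compiles each pattern into a regular expression ($out becomes a named capture group, * a wildcard confined to one listing line), then searches a listing for the patterns in order. The listing SAMPLE_LISTING is constructed, not disassembler output, and the helpers compile_rule, find_sequence and extract_value are hypothetical names. Two further assumptions are marked in the comments: that $out captures a hex or decimal literal, and that max_separation bounds the number of instructions between consecutive hits.

```python
import re

# Constructed sample listing (not taken from any real binary): one
# instruction per entry, formatted as a disassembler prints it, with an
# optional trailing comment on the CALL.
SAMPLE_LISTING = [
    "PUSH EBP",
    "MOV EBP, ESP",
    "MOV ESI, [EBP+0x8]",
    "MOV EAX, [ESI+0x1a8]",
    "XOR ECX, ECX",
    "TEST EAX, EAX",
    "JZ 0x401040",
    "PUSH EAX",
    "CALL DWORD [0x402000]        ; __imp__PsGetProcessId",
    "POP EBP",
    "RET",
]

# The rule from the CompileRule docstring, one pattern per instruction.
RULE = [
    "MOV EAX, [ESI+$out]",
    "TEST EAX, EAX",
    "PUSH EAX",
    "CALL DWORD *__imp__PsGetProcessId",
]

# Assumption: the value captured by $out is a hex or decimal literal.
OUT_GROUP = r"(?P<out>0x[0-9a-fA-F]+|\d+)"


def _literal(text):
    """Escape a literal fragment; any run of whitespace matches any run."""
    body = r"\s+".join(re.escape(tok) for tok in text.split())
    if text[:1].isspace():
        body = r"\s*" + body
    if text[-1:].isspace():
        body = body + r"\s*"
    return body


def compile_rule(pattern):
    """Turn one pattern into a regex that must match a whole listing line.

    '$out' becomes a named capture group, '*' a non-greedy wildcard that
    stays within the line (so it may cover operands and the comment), and
    everything else is matched literally, case-insensitively.
    """
    parts = []
    for piece in re.split(r"(\$out|\*)", pattern):
        if piece == "$out":
            parts.append(OUT_GROUP)
        elif piece == "*":
            parts.append(r".*?")
        elif piece:
            parts.append(_literal(piece))
    return re.compile(r"^\s*" + "".join(parts) + r"\s*$", re.IGNORECASE)


def find_sequence(listing, rule, max_separation=10):
    """Locate the rule's patterns, in order, in the listing.

    Returns (line_indices, captured) on success, None otherwise. Assumption:
    consecutive hits may be at most max_separation instructions apart.
    """
    if sum(p.count("$out") for p in rule) > 1:
        raise ValueError("$out may be specified only once per rule")
    # hits[i]: every line matching pattern i, with its captured $out (or None).
    hits = []
    for rx in (compile_rule(p) for p in rule):
        rows = []
        for idx, line in enumerate(listing):
            m = rx.match(line)
            if m:
                rows.append((idx, m.groupdict().get("out")))
        hits.append(rows)

    def walk(level, prev_idx, captured, path):
        # Depth-first search over candidate hit positions, one level per pattern.
        if level == len(hits):
            return path, captured
        for idx, out in hits[level]:
            if idx <= prev_idx:
                continue
            if prev_idx >= 0 and idx - prev_idx > max_separation:
                continue
            found = walk(level + 1, idx, out if out is not None else captured,
                         path + [idx])
            if found is not None:
                return found
        return None

    return walk(0, -1, None, [])


def extract_value(listing, rule, max_separation=10):
    """Return the captured $out as an int, or None if the rule does not match."""
    found = find_sequence(listing, rule, max_separation)
    if found is None or found[1] is None:
        return None
    return int(found[1], 0)


if __name__ == "__main__":
    print(find_sequence(SAMPLE_LISTING, RULE))
    print(hex(extract_value(SAMPLE_LISTING, RULE)))
```

Run against SAMPLE_LISTING, the rule hits lines 3, 5, 7 and 8 and yields 0x1a8 as the offset; lowering max_separation below the two-instruction gap between the MOV and the TEST makes the match fail, which is the behaviour a rule author relies on to avoid picking up an unrelated instruction sequence further down the function.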

calculate(self, session)


Returns the expected value or a NoneObject.

Overrides: DynamicParser.calculate
(inherited documentation)