Rekall Memory Forensics
Package rekall
Version: 1.7.1.dev11
Submodules

rekall._version
rekall.addrspace
rekall.addrspace_test
rekall.algo: This module contains general-purpose algorithms and data structures.
rekall.args: This module manages the command line parsing logic.
rekall.cache
rekall.compatibility
rekall.config: This is the Rekall configuration system.
rekall.constants
rekall.interactive
rekall.io_manager: IO abstraction for Rekall.
rekall.io_manager_test
rekall.ipython_support: Support IPython 4.0.
rekall.kb
rekall.obj: The Rekall Memory Forensics object system.
rekall.obj_test
rekall.plugin: Plugins allow the core rekall system to be extended.
rekall.plugins
rekall.plugins.addrspaces
rekall.plugins.addrspaces.accelerated: The module provides alternate implementations utilizing C extension modules.
rekall.plugins.addrspaces.aff4: This Address Space allows us to open aff4 images.
rekall.plugins.addrspaces.amd64: This is based on Jesse Kornblum's patch to clean up the standard AS's.
rekall.plugins.addrspaces.arm: An address space to read ARM memory images.
rekall.plugins.addrspaces.crash: An Address Space for processing crash dump files.
rekall.plugins.addrspaces.elfcore: An Address Space for processing ELF64 coredumps.
rekall.plugins.addrspaces.ewf: This Address Space allows us to open ewf files.
rekall.plugins.addrspaces.hibernate: A Hiber file Address Space.
rekall.plugins.addrspaces.intel: Implement the base translating address spaces.
rekall.plugins.addrspaces.lime: This is an address space for the Lime file format.
rekall.plugins.addrspaces.macho: An Address Space for processing Mach-O coredumps.
rekall.plugins.addrspaces.mips
rekall.plugins.addrspaces.mmap_address_space: These are standard address spaces supported by Rekall Memory Forensics.
rekall.plugins.addrspaces.pagefile: This address space overlays a pagefile into the physical address space.
rekall.plugins.addrspaces.pmem: Address spaces specific to pmem live here.
rekall.plugins.addrspaces.standard: These are standard address spaces supported by Rekall Memory Forensics.
rekall.plugins.addrspaces.vmem
rekall.plugins.addrspaces.win32: This is a Windows specific address space.
rekall.plugins.addrspaces.xpress
rekall.plugins.common: Plugins that are not OS-specific.
rekall.plugins.common.address_resolver: The module implements the base class for address resolution.
rekall.plugins.common.api: Rekall specifies an external API where plugins can be invoked.
rekall.plugins.common.bovine: The plugins in this module are mainly used to visually test renderers.
rekall.plugins.common.efilter_plugins
rekall.plugins.common.efilter_plugins.helpers
rekall.plugins.common.efilter_plugins.info: Informational plugins for assistance of efilter operations.
rekall.plugins.common.efilter_plugins.ipython: Add a magic handler for select, describe and explain plugins.
rekall.plugins.common.efilter_plugins.search: Rekall's search function.
rekall.plugins.common.inspection: This module implements some general purpose plugins for inspecting the state of memory images.
rekall.plugins.common.memmap: This module implements core memmap/memdump plugins.
rekall.plugins.common.pas2kas
rekall.plugins.common.pfn
rekall.plugins.common.profile_index: This module implements profile indexing.
rekall.plugins.common.profile_index_test: Tests for profile_index.
rekall.plugins.common.scanners
rekall.plugins.common.sigscan
rekall.plugins.common.tests
rekall.plugins.core: This module implements core plugins.
rekall.plugins.core_test
rekall.plugins.darwin: OS X specific plugins.
rekall.plugins.darwin.WKdm: A WKdm decompressor.
rekall.plugins.darwin.address_resolver: The module implements an OSX specific address resolution plugin.
rekall.plugins.darwin.checks: Plugins for checking internal consistency of pointers.
rekall.plugins.darwin.common
rekall.plugins.darwin.compressor: Enumerate and dump all compressed memory pages on Darwin.
rekall.plugins.darwin.hooks
rekall.plugins.darwin.lsmod: Enumerate all kernel modules.
rekall.plugins.darwin.lsof
rekall.plugins.darwin.maps
rekall.plugins.darwin.misc: Miscellaneous information gathering plugins.
rekall.plugins.darwin.networking
rekall.plugins.darwin.pas2kas
rekall.plugins.darwin.pfn
rekall.plugins.darwin.processes: Darwin process collectors.
rekall.plugins.darwin.sessions: Darwin session collectors and plugins.
rekall.plugins.darwin.sigscan
rekall.plugins.darwin.yarascan
rekall.plugins.darwin.zones: Collectors and plugins that deal with the Darwin zone allocator.
rekall.plugins.filesystems
rekall.plugins.filesystems.lznt1: Decompression support for the LZNT1 compression algorithm.
rekall.plugins.filesystems.ntfs: This file implements support for parsing the NTFS filesystem in Rekall.
rekall.plugins.filesystems.tsk
rekall.plugins.guess_profile: This module guesses the current profile using various heuristics.
rekall.plugins.hypervisors: Implements scanners and plugins to find hypervisors in memory.
rekall.plugins.imagecopy
rekall.plugins.linux
rekall.plugins.linux.address_resolver: The module implements the Linux specific address resolution plugin.
rekall.plugins.linux.arp
rekall.plugins.linux.bash: Scan for bash history entries.
rekall.plugins.linux.check_afinfo
rekall.plugins.linux.check_creds
rekall.plugins.linux.check_fops
rekall.plugins.linux.check_idt
rekall.plugins.linux.check_modules
rekall.plugins.linux.check_syscall
rekall.plugins.linux.check_tty
rekall.plugins.linux.common
rekall.plugins.linux.cpuinfo
rekall.plugins.linux.dmesg
rekall.plugins.linux.fs: This module implements filesystem-related plugins for Linux.
rekall.plugins.linux.heap_analysis: This module implements several classes, allowing glibc heap analysis for a given process.
rekall.plugins.linux.ifconfig
rekall.plugins.linux.iomem
rekall.plugins.linux.keepassx: Gathers information about password entries for keepassx.
rekall.plugins.linux.lsmod
rekall.plugins.linux.lsof
rekall.plugins.linux.misc: Miscellaneous information gathering plugins.
rekall.plugins.linux.mount
rekall.plugins.linux.netstat
rekall.plugins.linux.notifier_chains
rekall.plugins.linux.pas2kas
rekall.plugins.linux.proc_maps
rekall.plugins.linux.psaux
rekall.plugins.linux.pslist
rekall.plugins.linux.pstree
rekall.plugins.linux.psxview
rekall.plugins.linux.sigscan
rekall.plugins.linux.tests
rekall.plugins.linux.yarascan
rekall.plugins.linux.zsh: Gathers all issued commands for zsh.
rekall.plugins.modes: Declares all the modes Rekall can be in.
rekall.plugins.overlays
rekall.plugins.overlays.basic: This file defines some basic types which might be useful for many OSs.
rekall.plugins.overlays.darwin: Profiles to support OSX specific data structures.
rekall.plugins.overlays.darwin.darwin
rekall.plugins.overlays.darwin.macho: This profile is for the Mach-O file format.
rekall.plugins.overlays.linux: Linux support for DWARF profiles.
rekall.plugins.overlays.linux.dwarfdump
rekall.plugins.overlays.linux.dwarfparser: A parser for DWARF modules which generates vtypes.
rekall.plugins.overlays.linux.elf: This file implements ELF file parsing.
rekall.plugins.overlays.linux.linux
rekall.plugins.overlays.linux.vfs
rekall.plugins.overlays.native_types: Data types for various compilers.
rekall.plugins.overlays.windows
rekall.plugins.overlays.windows.common: Common Windows overlays and classes.
rekall.plugins.overlays.windows.crashdump: This file adds support for Windows debugging related data.
rekall.plugins.overlays.windows.heap: The module implements user mode heap overlays.
rekall.plugins.overlays.windows.kdbg_vtypes
rekall.plugins.overlays.windows.pe_vtypes: References: http://msdn.microsoft.com/en-us/magazine/ms809762.aspx http://msdn.microsoft.com/en-us/magazine/cc301805.aspx http://code.google.com/p/corkami/downloads/detail?name=pe-20110117.pdf http://code.google.com/p/pefile/
rekall.plugins.overlays.windows.tcpip_vtypes
rekall.plugins.overlays.windows.tokens: Classes around handling tokens, privileges etc.
rekall.plugins.overlays.windows.undocumented: This file contains all the undocumented structs that were derived by reversing.
rekall.plugins.overlays.windows.vista
rekall.plugins.overlays.windows.win10
rekall.plugins.overlays.windows.win7
rekall.plugins.overlays.windows.win8
rekall.plugins.overlays.windows.windows
rekall.plugins.overlays.windows.xp
rekall.plugins.renderers
rekall.plugins.renderers.base_objects: This module implements base object renderers.
rekall.plugins.renderers.darwin: This module implements renderers specific to Darwin structures.
rekall.plugins.renderers.data_export: This module implements the data export renderer.
rekall.plugins.renderers.efilter: Renderers for Efilter.
rekall.plugins.renderers.json_storage: This file implements ObjectRenderers for the JsonRenderer.
rekall.plugins.renderers.linux: This module implements renderers specific to Linux structures.
rekall.plugins.renderers.tests
rekall.plugins.renderers.virtualization: This module implements renderers specific to virtualization.
rekall.plugins.renderers.visual_aides: This module implements various visual aides and their renderers.
rekall.plugins.renderers.visual_aides_test
rekall.plugins.renderers.windows: This module implements renderers specific to Windows structures.
rekall.plugins.renderers.xls: This file implements an xls renderer based on the openpyxl project.
rekall.plugins.response
rekall.plugins.response.common: This module adds support for incident response to Rekall.
rekall.plugins.response.common_test
rekall.plugins.response.files: This module adds arbitrary file reading to Rekall.
rekall.plugins.response.files_test
rekall.plugins.response.forensic_artifacts: This module implements plugins related to forensic artifacts.
rekall.plugins.response.interpolators: This module defines interpolators for the common OSs.
rekall.plugins.response.linux: Linux specific response plugins.
rekall.plugins.response.osquery
rekall.plugins.response.processes: Rekall plugins for displaying processes in live triaging.
rekall.plugins.response.registry: Support the Windows registry.
rekall.plugins.response.renderers
rekall.plugins.response.windows: Windows specific response plugins.
rekall.plugins.response.windows_processes
rekall.plugins.response.yarascan
rekall.plugins.tests
rekall.plugins.tools
rekall.plugins.tools.aff4acquire: This plugin adds the ability for Rekall to acquire an AFF4 image.
rekall.plugins.tools.caching_url_manager: This file implements a caching URL manager.
rekall.plugins.tools.disassembler: Provides the primitives needed to disassemble code using capstone.
rekall.plugins.tools.dynamic_profiles: This module implements dynamic profiles.
rekall.plugins.tools.dynamic_profiles_test
rekall.plugins.tools.ewf: This file provides read/write support for EWF files.
rekall.plugins.tools.ipython
rekall.plugins.tools.json_test: Tests for JSON encoding/decoding.
rekall.plugins.tools.json_tools: Tools for manipulating JSON output.
rekall.plugins.tools.live_darwin
rekall.plugins.tools.live_linux
rekall.plugins.tools.live_windows
rekall.plugins.tools.mspdb: These plugins are for manipulating Microsoft PDB files.
rekall.plugins.tools.profile_tool: Converts Volatility profile files into the Rekall format.
rekall.plugins.tools.profile_tool_test: Tests for profile_tool.
rekall.plugins.tools.repository_manager: This plugin manages the profile repository.
rekall.plugins.tools.tests
rekall.plugins.tools.yara_support: Routines for manipulating yara rule definitions.
rekall.plugins.tools.yara_support_test
rekall.plugins.windows
rekall.plugins.windows.address_resolver: The module implements the Windows specific address resolution plugin.
rekall.plugins.windows.cache: This module adds plugins to inspect the Windows cache manager.
rekall.plugins.windows.common: This plugin contains CORE classes used by lots of other plugins.
rekall.plugins.windows.connections
rekall.plugins.windows.connscan: This module implements the fast connection scanning.
rekall.plugins.windows.crashinfo
rekall.plugins.windows.dns: This module implements plugins to inspect the Windows DNS resolver cache.
rekall.plugins.windows.dumpcerts
rekall.plugins.windows.filescan
rekall.plugins.windows.gui: These plugins implement analysis of the win32k graphic subsystem.
rekall.plugins.windows.gui.atoms
rekall.plugins.windows.gui.autodetect: Autodetect struct layout of various Win32k GUI structs.
rekall.plugins.windows.gui.clipboard
rekall.plugins.windows.gui.constants
rekall.plugins.windows.gui.sessions
rekall.plugins.windows.gui.tests
rekall.plugins.windows.gui.userhandles: Analyzes User handles registered with the Win32k Subsystem.
rekall.plugins.windows.gui.vtypes
rekall.plugins.windows.gui.vtypes.win7
rekall.plugins.windows.gui.vtypes.win7_sp0_x64_vtypes_gui
rekall.plugins.windows.gui.vtypes.win7_sp0_x86_vtypes_gui
rekall.plugins.windows.gui.vtypes.win7_sp1_x64_vtypes_gui
rekall.plugins.windows.gui.vtypes.win7_sp1_x86_vtypes_gui
rekall.plugins.windows.gui.vtypes.xp: Most of the following structures are actually documented in Windows 7 onwards, but are not documented in Windows XP.
rekall.plugins.windows.gui.win32k_core
rekall.plugins.windows.gui.windowstations: The following is a description of windows stations from MSDN:
rekall.plugins.windows.handles
rekall.plugins.windows.heap_analysis: The module implements user mode heap analysis.
rekall.plugins.windows.index: This module implements profile indexing.
rekall.plugins.windows.interactive
rekall.plugins.windows.interactive.profiles
rekall.plugins.windows.interactive.structs: Interactive plugins.
rekall.plugins.windows.kdbgscan
rekall.plugins.windows.kernel: This module discovers the kernel base address.
rekall.plugins.windows.kpcr: This plugin is used for displaying information about the Kernel Processor Control Blocks.
rekall.plugins.windows.lsadecryptxp: Windows NT 5.1 and 5.2 LsaEncryptMemory decryption algorithm.
rekall.plugins.windows.malware: The following modules were written and contributed by Michael Hale (michael.hale@gmail.com).
rekall.plugins.windows.malware.apihooks
rekall.plugins.windows.malware.apihooks_test
rekall.plugins.windows.malware.callbacks
rekall.plugins.windows.malware.cmdhistory
rekall.plugins.windows.malware.devicetree
rekall.plugins.windows.malware.impscan
rekall.plugins.windows.malware.malfind
rekall.plugins.windows.malware.psxview
rekall.plugins.windows.malware.sigscan
rekall.plugins.windows.malware.svcscan
rekall.plugins.windows.malware.timers
rekall.plugins.windows.malware.yarascan
rekall.plugins.windows.mimikatz: Partial emulation of the Mimikatz tool.
rekall.plugins.windows.misc: Miscellaneous information gathering plugins.
rekall.plugins.windows.modscan: This module implements the fast module scanning.
rekall.plugins.windows.modules
rekall.plugins.windows.netscan
rekall.plugins.windows.network: This module extracts network information using kernel object inspection.
rekall.plugins.windows.pagefile: This file adds pagefile support.
rekall.plugins.windows.pas2kas
rekall.plugins.windows.pfn
rekall.plugins.windows.pfn_test: Tests for the pfn plugins.
rekall.plugins.windows.pool: Plugins to inspect the Windows pools.
rekall.plugins.windows.privileges: Inspect the privileges in each process's tokens.
rekall.plugins.windows.procdump
rekall.plugins.windows.procdump_test: Tests for the procexecdump plugins.
rekall.plugins.windows.procinfo: This module prints detailed information about PE files and processes.
rekall.plugins.windows.pstree: pstree example file.
rekall.plugins.windows.registry
rekall.plugins.windows.registry.evtlogs
rekall.plugins.windows.registry.getservicesids
rekall.plugins.windows.registry.getsids
rekall.plugins.windows.registry.hashdump
rekall.plugins.windows.registry.lsadump
rekall.plugins.windows.registry.lsasecrets
rekall.plugins.windows.registry.printkey
rekall.plugins.windows.registry.printkey_test: Tests for the printkey plugin.
rekall.plugins.windows.registry.registry: This is the registry parser.
rekall.plugins.windows.registry.tests
rekall.plugins.windows.registry.userassist
rekall.plugins.windows.shimcache: Shimcache plugin.
rekall.plugins.windows.ssdt
rekall.plugins.windows.taskmods
rekall.plugins.windows.tests
rekall.plugins.windows.vadinfo
rekall.plugins.windows.vadinfo_test: Tests for the vadinfo plugins.
rekall.plugins.yarascanner: A Rekall Memory Forensics scanner which uses yara.
rekall.quotas
rekall.rekal
rekall.resources
rekall.scan
rekall.session: This module implements the Rekall session.
rekall.session_test
rekall.testlib: Base classes for all tests.
rekall.tests
rekall.threadpool
rekall.type_generator: This module generates types automatically by disassembling code.
rekall.ui
rekall.ui.colors: Various functions for handling colors.
rekall.ui.identity: This module implements a pass-through renderer.
rekall.ui.json_renderer: This module implements a JSON renderer.
rekall.ui.renderer: This module implements the Rekall renderer API.
rekall.ui.text: This module implements a text based renderer.
rekall.ui.text_test
rekall.yaml_utils

Variables

__package__ = 'rekall'
Generated by Epydoc 3.0.1 on Mon Oct 9 03:27:46 2017
http://epydoc.sourceforge.net