Trees       Indices       Help   
Rekall Memory Forensics
Package rekall :: Package plugins :: Package addrspaces :: Module hibernate :: Class HibernationSupport
[frames] | no frames]

Class HibernationSupport

source code

Support hibernation file structures for different versions of windows.

Instance Methods

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __init__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods
 
modify(cls, profile)
This class should modify the profile appropritately.		 source code
Static Methods
a new object with type S, a subtype of T
__new__(cls, profile) (Inherited from rekall.obj.ProfileModification) source code
Class Variables
  vtypes = {'_PO_MEMORY_RANGE_ARRAY_LINK': [0x10, {'NextTable': ...
  vistasp01_vtypes = {'_PO_MEMORY_RANGE_ARRAY': [0x20, {'RangeTa...
  vistasp2_vtypes = {'_PO_MEMORY_RANGE_ARRAY_LINK': [0x10, {'Nex...
  win7_vtypes = {'_PO_MEMORY_RANGE_ARRAY_LINK': [0x10, {'NextTab...
  win7_x64_vtypes = {'_PO_MEMORY_RANGE_ARRAY_LINK': [0x10, {'Nex...
  x64_vtypes = {'_PO_MEMORY_RANGE_ARRAY_LINK': [0x20, {'NextTabl...
  vistaSP2_x64_vtypes = {'_PO_MEMORY_RANGE_ARRAY_LINK': [0x18, {...
Properties

Inherited from object: __class__

Method Details

modify(cls, profile)
Class Method

source code  
This class should modify the profile appropritately.

The profile will be a copy of the original profile and will be returned
to the class caller.

Args:
   A profile to be modified.
Overrides: obj.ProfileModification.modify
(inherited documentation)

Class Variable Details

vtypes

Value:
{'_PO_MEMORY_RANGE_ARRAY_LINK': [0x10, {'NextTable': [0x4, ['unsigned \
long']], 'EntryCount': [0xc, ['unsigned long']],}], '_PO_MEMORY_RANGE_\
ARRAY_RANGE': [0x10, {'StartPage': [0x4, ['unsigned long']], 'EndPage'\
: [0x8, ['unsigned long']],}], '_PO_MEMORY_RANGE_ARRAY': [0x20, {'MemA\
rrayLink': [0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], 'RangeTable': [0x10\
, ['array', lambda x: x.MemArrayLink.EntryCount, ['_PO_MEMORY_RANGE_AR\
RAY_RANGE']]],}], '_IMAGE_XPRESS_HEADER': [0x20, {'u09': [0x9, ['unsig\
ned char']], 'u0A': [0xA, ['unsigned char']], 'u0B': [0xB, ['unsigned \
...

vistasp01_vtypes

Value:
{'_PO_MEMORY_RANGE_ARRAY': [0x20, {'RangeTable': [0x10, ['array', lamb\
da x: x.Link.EntryCount, ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],}],}

vistasp2_vtypes

Value:
{'_PO_MEMORY_RANGE_ARRAY_LINK': [0x10, {'NextTable': [0x4, ['unsigned \
long']], 'EntryCount': [0x8, ['unsigned long']],}], '_PO_MEMORY_RANGE_\
ARRAY_RANGE': [0x8, {'StartPage': [0x0, ['unsigned long']], 'EndPage':\
 [0x4, ['unsigned long']],}], '_PO_MEMORY_RANGE_ARRAY': [0x20, {'MemAr\
rayLink': [0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], 'RangeTable': [0xc, \
['array', lambda x: x.MemArrayLink.EntryCount, ['_PO_MEMORY_RANGE_ARRA\
Y_RANGE']]],}],}

win7_vtypes

Value:
{'_PO_MEMORY_RANGE_ARRAY_LINK': [0x10, {'NextTable': [0x0, ['unsigned \
long']], 'EntryCount': [0x4, ['unsigned long']],}], '_PO_MEMORY_RANGE_\
ARRAY_RANGE': [0x8, {'StartPage': [0x0, ['unsigned long']], 'EndPage':\
 [0x4, ['unsigned long']],}], '_PO_MEMORY_RANGE_ARRAY': [0x20, {'MemAr\
rayLink': [0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], 'RangeTable': [0x8, \
['array', lambda x: x.MemArrayLink.EntryCount, ['_PO_MEMORY_RANGE_ARRA\
Y_RANGE']]],}],}

win7_x64_vtypes

Value:
{'_PO_MEMORY_RANGE_ARRAY_LINK': [0x10, {'NextTable': [0x0, ['unsigned \
long long']], 'EntryCount': [0x8, ['unsigned long']],}], '_PO_MEMORY_R\
ANGE_ARRAY_RANGE': [0x10, {'StartPage': [0x0, ['unsigned long long']],\
 'EndPage': [0x8, ['unsigned long long']],}], '_PO_MEMORY_RANGE_ARRAY'\
: [0x20, {'MemArrayLink': [0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], 'Ran\
geTable': [0x10, ['array', lambda x: x.MemArrayLink.EntryCount, ['_PO_\
MEMORY_RANGE_ARRAY_RANGE']]],}],}

x64_vtypes

Value:
{'_PO_MEMORY_RANGE_ARRAY_LINK': [0x20, {'NextTable': [0x8, ['unsigned \
long long']], 'EntryCount': [0x14, ['unsigned long']],}], '_PO_MEMORY_\
RANGE_ARRAY_RANGE': [0x20, {'StartPage': [0x8, ['unsigned long long']]\
, 'EndPage': [0x10, ['unsigned long long']],}], '_PO_MEMORY_RANGE_ARRA\
Y': [0x40, {'MemArrayLink': [0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], 'R\
angeTable': [0x20, ['array', lambda x: x.MemArrayLink.EntryCount, ['_P\
O_MEMORY_RANGE_ARRAY_RANGE']]],}],}

vistaSP2_x64_vtypes

Value:
{'_PO_MEMORY_RANGE_ARRAY_LINK': [0x18, {'NextTable': [0x8, ['unsigned \
long long']], 'EntryCount': [0x10, ['unsigned long']],}], '_PO_MEMORY_\
RANGE_ARRAY_RANGE': [0x10, {'StartPage': [0x0, ['unsigned long long']]\
, 'EndPage': [0x8, ['unsigned long long']],}], '_PO_MEMORY_RANGE_ARRAY\
': [0x28, {'MemArrayLink': [0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], 'Ra\
ngeTable': [0x18, ['array', lambda x: x.MemArrayLink.EntryCount, ['_PO\
_MEMORY_RANGE_ARRAY_RANGE']]],}],}

   Trees       Indices       Help   
Rekall Memory Forensics
Generated by Epydoc 3.0.1 on Mon Oct 9 03:27:59 2017 http://epydoc.sourceforge.net