Trees       Indices       Help   
Rekall Memory Forensics
Package rekall :: Package plugins :: Module guess_profile :: Class WindowsIndexDetector
[frames] | no frames]

Class WindowsIndexDetector

source code

Apply the windows index to detect the profile.

Nested Classes
  find_dtb_impl
A plugin to search for the Directory Table Base for windows systems.
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugins.guess_profile.DetectionMethod)
  top_level_class
A baseclass to implement autodetection methods. (Inherited from rekall.plugins.guess_profile.DetectionMethod)
Instance Methods
 
__init__(self, **kwargs)
x.__init__(...) initializes x; see help(type(x)) for signature		 source code
 
Keywords(self)
We trigger when we see some common windows processes.		 source code
 
Offsets(self)
Return a list of offsets we care about.		 source code
 
VerifyAMD64DTB(self, test_as)
Verify this address space.		 source code
 
VerifyI386DTB(self, test_as)
Verify this address space.		 source code
 
DetectWindowsDTB(self, filename_offset, address_space)
Checks the possible filename hit for a valid DTB address.		 source code
 
DetectFromHit(self, hit, filename_offset, address_space)
Gets called for each hit.		 source code
 
VerifyProfile(self, profile_name)
Check that the profile name is valid. (Inherited from rekall.plugins.guess_profile.DetectionMethod)		 source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods
 
ImplementationByClass(self, name) source code
 
ImplementationByName(self, name) source code
Class Variables
  name = 'nt_index'
hash(x)
  classes = {'DarwinIndexDetector': <class 'rekall.plugins.guess... (Inherited from rekall.plugins.guess_profile.DetectionMethod)
  classes_by_name = {None: [<class 'rekall.plugins.guess_profile... (Inherited from rekall.plugins.guess_profile.DetectionMethod)
  order = 100 (Inherited from rekall.plugins.guess_profile.DetectionMethod)
  plugin_feature = 'DetectionMethod' (Inherited from rekall.plugins.guess_profile.DetectionMethod)
Properties

Inherited from object: __class__

Method Details

__init__(self, **kwargs)
(Constructor)

source code 

x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__
(inherited documentation)

Keywords(self)

source code 

We trigger when we see some common windows processes.

Since all windows processes also map the kernel we can detect it.

Overrides: DetectionMethod.Keywords

Offsets(self)

source code 

Return a list of offsets we care about.

Overrides: DetectionMethod.Offsets
(inherited documentation)

VerifyAMD64DTB(self, test_as)

source code 

Verify this address space.

Checks that the _KUSER_SHARED_DATA makes sense. This structure is always at a known offset since it must be shared with user space apps.

VerifyI386DTB(self, test_as)

source code 

Verify this address space.

Checks that the _KUSER_SHARED_DATA makes sense. This structure is always at a known offset since it must be shared with user space apps.

DetectFromHit(self, hit, filename_offset, address_space)

source code 

Gets called for each hit.

If a profile matches, return it, otherwise None.

Overrides: DetectionMethod.DetectFromHit
(inherited documentation)

ImplementationByClass(self, name)
Class Method

source code 
Overrides: DetectionMethod.ImplementationByClass

ImplementationByName(self, name)
Class Method

source code 
Overrides: DetectionMethod.ImplementationByName

   Trees       Indices       Help   
Rekall Memory Forensics
Generated by Epydoc 3.0.1 on Mon Oct 9 03:28:16 2017 http://epydoc.sourceforge.net