Package rekall :: Package plugins :: Module guess_profile :: Class WindowsKernelImageDetector

Class WindowsKernelImageDetector


Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugins.guess_profile.DetectionMethod)
  find_dtb_impl
A plugin to search for the Directory Table Base for windows systems. (Inherited from rekall.plugins.guess_profile.WindowsRSDSDetector)
  top_level_class
A baseclass to implement autodetection methods. (Inherited from rekall.plugins.guess_profile.DetectionMethod)
Instance Methods

Offsets(self)
Return a list of offsets we care about.

DetectFromHit(self, hit, _, address_space)
Gets called for each hit.

Keywords(self)
Returns a list of keywords which will be searched. (Inherited from rekall.plugins.guess_profile.WindowsRSDSDetector)

VerifyProfile(self, profile_name)
Check that the profile name is valid. (Inherited from rekall.plugins.guess_profile.WindowsRSDSDetector)

__init__(self, **kwargs)
x.__init__(...) initializes x; see help(type(x)) for signature (Inherited from rekall.plugins.guess_profile.WindowsRSDSDetector)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods

ImplementationByClass(self, name)

ImplementationByName(self, name)

Class Variables
  name = 'windows_kernel_file'
  order = 50
  KERNEL_PATHS = ['C:\\Windows\\SysNative\\ntoskrnl.exe', 'C:\\W...
  KERNEL_NAMES = set(['ntkrnlmp.pdb', 'ntkrnlpa.pdb', 'ntkrpamp.... (Inherited from rekall.plugins.guess_profile.WindowsRSDSDetector)
  classes = {'DarwinIndexDetector': <class 'rekall.plugins.guess... (Inherited from rekall.plugins.guess_profile.DetectionMethod)
  classes_by_name = {None: [<class 'rekall.plugins.guess_profile... (Inherited from rekall.plugins.guess_profile.DetectionMethod)
  plugin_feature = 'DetectionMethod' (Inherited from rekall.plugins.guess_profile.DetectionMethod)
Properties

Inherited from object: __class__

Method Details

Offsets(self)

Return a list of offsets we care about.

Overrides: DetectionMethod.Offsets
(inherited documentation)

DetectFromHit(self, hit, _, address_space)

Gets called for each hit.

If a profile matches, return it, otherwise None.

Overrides: DetectionMethod.DetectFromHit
(inherited documentation)

ImplementationByClass(self, name)
Class Method

Overrides: DetectionMethod.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: DetectionMethod.ImplementationByName

Class Variable Details

KERNEL_PATHS

Value:
['C:\\Windows\\SysNative\\ntoskrnl.exe',
 'C:\\Windows\\System32\\ntoskrnl.exe']