Package rekall :: Package plugins :: Module hypervisors

Module hypervisors

Implements scanners and plugins to find hypervisors in memory.

Classes
	Error Base exception.
	UnrelatedVmcsError The provided VMCS is unrelated to the VM.
	IncompatibleASError An attempt was done at comparing VMCS from different address spaces.
	InvalidVM The provided VM is invalid.
	VMCSProfile Profile to parse hypervisor control structures.
	VMCSCheck
	VMCSScanner Scans the memory attempting to find VMCS structures.
	VirtualMachine Represents a virtual machine.
	VmScan Scan the physical memory attempting to find hypervisors.

Variables
	KNOWN_REVISION_IDS = `{1: 'VMWARE_NESTED', 13: 'PENRYN', 14: 'N...`
	KNOWN_ABORT_INDICATOR_CODES = `{'\x00\x00\x00\x00': 'NO ABORT',...`
	vmcs_overlay = `{'HASWELL_VMCS': [None, {'IS_NESTED': <function...`
	__package__ = `'rekall.plugins'`

Variables Details

KNOWN_REVISION_IDS

Value:

{1: 'VMWARE_NESTED',
 13: 'PENRYN',
 14: 'NEHALEM',
 15: 'WESTMERE',
 16: 'SANDYBRIDGE',
 18: 'HASWELL',
 14287872: 'XEN_NESTED',
 300252880: 'KVM_NESTED'}

KNOWN_ABORT_INDICATOR_CODES

Value:

{'\x00\x00\x00\x00': 'NO ABORT',
 '\x05\x00\x00\x00': 'MACHINE CHECK DURING VM EXIT',
 '\r\x00\x00\x00': 'TXT SHUTDOWN'}

vmcs_overlay

Value:

{'HASWELL_VMCS': [None,
                  {'IS_NESTED': <function <lambda> at 0x7fafd27dc398>}
],
 'KVM_NESTED_VMCS': [None,
                     {'IS_NESTED': <function <lambda> at 0x7fafd27dc57
8>}],
 'NEHALEM_VMCS': [None,
                  {'IS_NESTED': <function <lambda> at 0x7fafd27dc2a8>}
...