Scans memory for VMCS structures.
Uses the techniques discussed in "Hypervisor Memory Forensics" (http://s3.eurecom.fr/docs/raid13_graziano.pdf), with slight changes, to identify VT-x hypervisors.

Nested Classes

__metaclass__: Automatic plugin registration through metaclasses. (Inherited from rekall.scan.BaseScanner)

top_level_class: Base class for all scanners. (Inherited from rekall.scan.BaseScanner)

Class Variables

overlap = 0

checks =

classes =
(Inherited from rekall.scan.BaseScanner)

classes_by_name =
(Inherited from rekall.scan.BaseScanner)

plugin_feature =
(Inherited from rekall.scan.BaseScanner)

progress_message =
(Inherited from rekall.scan.BaseScanner)

Method Details

The base scanner.

Args:
  profile: The profile to use for this scan.
  address_space: The address space we use for scanning.
  window_size: The size of the overlap window between each buffer read.

Returns instances of VMCS objects found.

Skip uninteresting regions.

Where should we go next? By default we go 1 byte ahead, but if some of the checkers have skippers, we may go much farther. A checker with a skipper tells us that it cannot match anything before the skipped result, so there is no point in trying the checkers on the data in between. This optimization speeds up scanning considerably.
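
The skip logic described above, as an added example that is not Rekall's own code: a scanner advances by the largest distance any checker's skipper guarantees, and by 1 byte when no checker has one. The checker classes, `MARKER`, the page-alignment rule and the sample buffer are all constructed for illustration.

```python
PAGE = 0x1000
MARKER = b"VMCS"  # constructed placeholder, not a real VMCS revision identifier

class AlignmentCheck:
    """Matches only at page-aligned offsets; its skipper jumps to the next page."""
    def check(self, buf, offset):
        return offset % PAGE == 0
    def skip(self, buf, offset):
        return PAGE - offset % PAGE

class SignatureCheck:
    """Matches where MARKER starts; its skipper jumps to the next occurrence."""
    def check(self, buf, offset):
        return buf.startswith(MARKER, offset)
    def skip(self, buf, offset):
        nxt = buf.find(MARKER, offset + 1)
        return (nxt if nxt != -1 else len(buf)) - offset

class NonZeroFieldCheck:
    """No skipper: it cannot cheaply rule out any later offset."""
    def check(self, buf, offset):
        return buf[offset + 4:offset + 8] != b"\x00" * 4

def next_skip(buf, offset, checks):
    """Advance by the largest distance any skipper guarantees, at least 1 byte."""
    skip = 1
    for c in checks:
        if hasattr(c, "skip"):
            skip = max(skip, c.skip(buf, offset))
    return skip

def scan(buf, checks, use_skippers=True):
    """Return (hit offsets, number of offsets actually tested)."""
    hits, tested, offset = [], 0, 0
    while offset < len(buf):
        tested += 1
        if all(c.check(buf, offset) for c in checks):
            hits.append(offset)
        offset += next_skip(buf, offset, checks) if use_skippers else 1
    return hits, tested

def sample_image():
    """Constructed 8-page buffer: two aligned markers and one unaligned decoy."""
    buf = bytearray(8 * PAGE)
    for off in (2 * PAGE, 3 * PAGE + 8, 5 * PAGE):
        buf[off:off + 8] = MARKER + b"\x01\x00\x00\x00"
    return bytes(buf)

CHECKS = [AlignmentCheck(), SignatureCheck(), NonZeroFieldCheck()]
```

Taking the maximum is safe because a hit requires every checker to match, so an offset ruled out by any one skipper cannot be a hit.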
Generated by Epydoc 3.0.1 on Mon Oct 9 03:28:17 2017 | http://epydoc.sourceforge.net |