Class VadTraverser

The Windows VAD tree is basically the same in all versions of Windows, but the exact names of the structs vary with version. This is the base class for all VAD traversers.

Give each object a unique ID.
traverse_as_type(self, type=None, member=None)
Traverse an AVL tree - similar to _LIST_ENTRY.list_as_type().
traverse(self, visited=None, depth=0, type=None)
Traverse the VAD tree.
Returns the raw data of this object.
SetMember(self, attr, value)
Write a value to a member.
__comparator__(self, other, method)
Hide any members with _.
__eq__(self, other)
__format__(self, formatspec)
default object formatter
__ge__(self, other)
__getattr__(self, attr)
__gt__(self, other)
__hash__(self)
hash(x)
__init__(self, members=None, struct_size=0, callable_members=None, **kwargs)
This must be instantiated with a dict of members.
__int__(self)
Return our offset as an integer.
__le__(self, other)
__long__(self)
__lt__(self, other)
__ne__(self, other)
__nonzero__(self)
This method is called when we test the truth value of an Object.
__repr__(self)
repr(x)
__str__(self)
str(x)
__unicode__(self)
cast(self, type_name=None, vm=None, **kwargs)
deref(self, vm=None)
An alias for dereference - less to type.
dereference(self, vm=None)
is_valid(self)
m(self, attr, allow_callable_attributes=False)
Fetch the member named by attr.
multi_m(self, *args, **opts)
Retrieve a set of fields in order.
obj_actual_offset(self)
The number of bytes before the object which are part of the object.
proxied(self)
reference(self)
Produces a pointer to this object.
v(self, vm=None)
When a struct is evaluated we just return our offset.
walk_list(self, list_member, include_current=True, deref_as=None)
Walk a single linked list in this struct.
write(self, value)
Function for writing the object back to disk
collect(cls)
Return all members that are intended to represent some data.
Class Variables
  tag_map = {'Vad ': '_MMVAD', 'VadF': '_MMVAD_SHORT', 'VadS': '...
  left = 'LeftChild'
  right = 'RightChild'
  obj_name = <No name> (Inherited from rekall.obj.BaseObject)
  obj_parent = <No parent> (Inherited from rekall.obj.BaseObject)
  obj_producers = None
obj_hash(self)
hash(x)
Returns (usually 1) representation(s) of self usable as dict keys.
  obj_end (Inherited from rekall.obj.BaseObject)
  obj_size (Inherited from rekall.obj.Struct)
obj_parents
Returns all the parents of this object.

traverse(self, visited=None, depth=0, type=None)

Traverse the VAD tree.

Generate all the left items, then the right items.

We try to be tolerant of cycles by storing all offsets visited.

If type is specified, we always return that type instead of checking the pool tag against the tag_map.

{'Vad ': '_MMVAD',
 'VadF': '_MMVAD_SHORT',
 'VadS': '_MMVAD_SHORT',
 'Vadl': '_MMVAD_LONG',
 'Vadm': '_MMVAD_LONG'}
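
The traversal described above (left items, then right items, visited offsets stored to survive cycles, pool tag looked up in tag_map unless type is given), as an added example that is not Rekall's code. Memory is modelled as a constructed dict of offset to node; emitting each node before its children, skipping nodes with an unknown tag, and the max_depth bound are assumptions of this example.

```python
# Added illustration, not Rekall's implementation. Memory is modelled as a
# dict {offset: node}; a real traverser would read structs from an image.
TAG_MAP = {'Vad ': '_MMVAD', 'VadF': '_MMVAD_SHORT', 'VadS': '_MMVAD_SHORT',
           'Vadl': '_MMVAD_LONG', 'Vadm': '_MMVAD_LONG'}
LEFT, RIGHT = 'LeftChild', 'RightChild'


def traverse(nodes, offset, visited=None, depth=0, type=None, max_depth=100):
    """Yield (offset, struct_name, depth): the node, its left subtree, then its right."""
    if visited is None:
        visited = set()
    # Corrupted or tampered trees can loop or chain endlessly: refuse both.
    if depth > max_depth or offset in visited or offset not in nodes:
        return
    visited.add(offset)
    node = nodes[offset]
    # A caller-supplied type overrides the pool tag lookup.
    struct_name = type or TAG_MAP.get(node['Tag'])
    if struct_name is None:
        return  # Assumption: unknown tag means the child pointers are not trusted.
    yield offset, struct_name, depth
    for child in (LEFT, RIGHT):
        yield from traverse(nodes, node[child], visited, depth + 1, type, max_depth)


# Constructed sample: 0x2000 points back at the root (cycle), 0x4000 has an
# unrecognised tag, and 0 stands for a null child pointer.
SAMPLE = {
    0x1000: {'Tag': 'Vad ', LEFT: 0x2000, RIGHT: 0x3000},
    0x2000: {'Tag': 'VadS', LEFT: 0x1000, RIGHT: 0},
    0x3000: {'Tag': 'Vadl', LEFT: 0x4000, RIGHT: 0x2000},
    0x4000: {'Tag': 'XXXX', LEFT: 0, RIGHT: 0},
}

if __name__ == '__main__':
    for off, name, depth in traverse(SAMPLE, 0x1000):
        print('%s%#x %s' % ('  ' * depth, off, name))
```

Passing type forces every reachable node to be reported as that struct, including the node whose tag is not in the map, which is why the forced run visits 0x4000 and the tag-driven run does not.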