
Module crashdump


This file adds support for Windows debugging related data:

1) Support for crash dump files.
2) Support for the Kernel Debugger Data Block and related structures.

Classes
  CrashDump32Profile
    A profile for crash dumps.
  CrashDump64Profile
    A profile for crash dumps.

Functions
  InstallKDDebuggerProfile(profile)
    Define the kernel debugger structures.

Variables
  vtypes = {'_DBGKD_DEBUG_DATA_HEADER64': [24, {'List': [0, ['LI...
  vtypes64 = {'_BMP_DUMP_HEADER': [56, {'Bitmap': [56, ['Array',...
  overlays = {'_DMP_HEADER': [None, {'DumpType': [None, ['Enumer...
  __package__ = 'rekall.plugins.overlays.windows'
Function Details

InstallKDDebuggerProfile(profile)


Define the kernel debugger structures.

The kernel debugger structures do not vary much between Windows operating system versions. This is probably done to make it easier for WinDbg to support all the different Windows versions.


Variables Details

vtypes

Value:
{'_DBGKD_DEBUG_DATA_HEADER64': [24,
                                {'List': [0, ['LIST_ENTRY64']],
                                 'OwnerTag': [16,
                                              ['String',
                                               {'length': 4}]],
                                 'Size': [20, ['unsigned long']]}],
 '_DMP_HEADER': [4096,
                 {'BugCheckCode': [40, ['unsigned long']], 'BugCheckCo\
...

vtypes64

Value:
{'_BMP_DUMP_HEADER': [56,
                      {'Bitmap': [56,
                                  ['Array',
                                   {'count': <function <lambda> at 0x7fafd6c8d398>,
                                    'target': 'unsigned int'}]],
                       'FirstPage': [32, ['unsigned long long']],
                       'Pages': [48, ['unsigned long long']],
...

overlays

Value:
{'_DMP_HEADER': [None,
                 {'DumpType': [None,
                               ['Enumeration',
                                {'choices': {1: 'Full Dump',
                                             2: 'Kernel Dump',
                                             5: 'BMP Dump'},
                                 'target': 'unsigned int'}]],
                  'Signature': [None, ['String', {'length': 4}]],
...