
Module heap

The module implements user mode heap overlays.

Recent versions of Windows use the Low Fragmentation Heap (LFH).

http://illmatics.com/Understanding_the_LFH.pdf


Author: Michael Cohen <scudette@google.com>

Classes
  Ntdll
A profile for the ntdll user mode DLL.
Functions
  InitializeHeapProfile(profile)
Variables
  overlays = {'_HEAP': [None, {'BlocksIndex': [None, ['Pointer',...
  __package__ = 'rekall.plugins.overlays.windows'
Variables Details

overlays

Value:
{'_HEAP': [None,
           {'BlocksIndex': [None,
                            ['Pointer',
                             {'target': '_HEAP_LIST_LOOKUP'}]],
            'Flags': [None,
                      ['Flags',
                       {'maskmap': {'CREATE_ALIGN_16': 65536,
                                    'CREATE_ENABLE_EXECUTE': 262144,
...