Package rekall :: Package plugins :: Package overlays :: Package windows :: Module pe_vtypes

Module pe_vtypes

References: http://msdn.microsoft.com/en-us/magazine/ms809762.aspx http://msdn.microsoft.com/en-us/magazine/cc301805.aspx http://code.google.com/p/corkami/downloads/detail?name=pe-20110117.pdf http://code.google.com/p/pefile/

Version information: http://msdn.microsoft.com/en-us/library/windows/desktop/ff468916(v=vs.85).aspx

Classes
	SentinelArray A sential terminated array.
	SentinelListArray A variable sized array with a sentinel termination.
	RVAPointer A pointer through a relative virtual address.
	ResourcePointer A pointer relative to our resource section.
	ThunkArray A sential terminated array of thunks.
	VS_VERSIONINFO
	PE A convenience object to access PE file information.
	PEProfile A profile for PE files.
	PEFileAddressSpace An address space which applies to PE files.
	Demangler A utility class to demangle VC++ names.
	BasicPEProfile A basic profile for a pe image.

Functions

RoundUpToWordAlignment(offset)
Round up the next word boundary.

source code

AlignAfter(name)
Align a Struct's member after another member.

source code

Variables
	pe_overlays = `{'CV_RSDS_HEADER': [None, {'Age': [20, ['unsigne...`
	__package__ = `'rekall.plugins.overlays.windows'`

Function Details

AlignAfter(name)

source code

Align a Struct's member after another member.

Produce a callable which returns the next aligned offset after the member of the required name in this struct. This callable is suitable to be specified in the overlay's offset field.

Variables Details

pe_overlays

Value:

{'CV_RSDS_HEADER': [None,
                    {'Age': [20, ['unsigned int']],
                     'Filename': [24, ['String']],
                     'GUID': [4, ['_GUID']],
                     'GUID_AGE': <function <lambda> at 0x7fafd6c03aa0>
,
                     'Signature': [0, ['String', {'length': 4}]]}],
 'PrefixedString': [2, {'Buffer': [2, ['UnicodeString', {'length': <fu
...