Package rekall :: Package plugins :: Package overlays :: Package windows :: Module pe_vtypes :: Class PE

Class PE

A convenience object to access PE file information.

Instance Methods
 
__init__(self, address_space=None, image_base=0, filename=None, session=None)
Constructor.
 
ImportDirectory(self)
A generator over the import directory.
 
IAT(self)
A generator over the IAT.
 
ExportDirectory(self)
A generator over the export directory.
 
GetProcAddress(self, name)
Scan the export table for a function of the given name.
 
VersionInformation(self)
A generator of key, value pairs.
 
VersionInformationDict(self)
 
Sections(self)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Properties
  RSDS

Inherited from object: __class__

Method Details

__init__(self, address_space=None, image_base=0, filename=None, session=None)
(Constructor)

Constructor.

Args:
  address_space: An address space to examine.

  image_base: The address of the dos header in the virtual address
    space.

  filename: If a filename is provided we open the file as a PE File. In
    this case, image_base and address_space are ignored.

Overrides: object.__init__

ImportDirectory(self)

A generator over the import directory.

Note that this iterates over the OriginalFirstThunk which still remains
from the on-disk executable. The IAT is constructed by the linker at
load time, and is stored in FirstThunk in memory. Hence the IAT() method
is going to return code objects while this method simply returns names.

Yields:
   a tuple of (dll, function_name)

IAT(self)

A generator over the IAT.

Note that this iterates over the FirstThunk imports. In memory, these
contain the IAT which has been resolved by the loader.

Yields:
  a tuple of (dll, function_name)
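
The difference between the two generators, as an added example that is not Rekall's own code: it walks a constructed PE32 import descriptor and pairs each OriginalFirstThunk entry (a name or ordinal) with the FirstThunk slot the loader has overwritten with an address. The function names, the sample image and its addresses are assumptions made for illustration, and RVAs are treated as plain buffer offsets.

```python
import struct

DESC = struct.Struct("<5I")        # IMAGE_IMPORT_DESCRIPTOR (PE32): OFT, stamp, fwd, Name, FT
ORDINAL_FLAG32 = 0x80000000        # high bit set means "import by ordinal"

def cstr(img, rva):
    """Read a NUL-terminated ASCII string at the given RVA."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def thunks(img, rva):
    """Yield DWORD thunk values until the null terminator."""
    while True:
        (value,) = struct.unpack_from("<I", img, rva)
        if value == 0:
            return
        yield value
        rva += 4

def walk_imports(img, import_dir_rva):
    """Yield (dll, name, resolved_address), pairing name-table and IAT slots."""
    rva = import_dir_rva
    while True:
        oft, _stamp, _fwd, name_rva, ft = DESC.unpack_from(img, rva)
        if oft == 0 and ft == 0:   # all-zero descriptor ends the table
            return
        dll = cstr(img, name_rva)
        for entry, resolved in zip(thunks(img, oft), thunks(img, ft)):
            if entry & ORDINAL_FLAG32:
                name = "#%d" % (entry & 0xFFFF)
            else:
                name = cstr(img, entry + 2)   # skip the 2-byte Hint
            yield dll, name, resolved
        rva += DESC.size

def build_sample():
    """Constructed 'loaded' image: one DLL, one named and one ordinal import."""
    img = bytearray(0x100)
    DESC.pack_into(img, 0x00, 0x40, 0, 0, 0x80, 0x60)                 # descriptor at RVA 0
    struct.pack_into("<3I", img, 0x40, 0x90, ORDINAL_FLAG32 | 17, 0)  # OriginalFirstThunk array
    struct.pack_into("<3I", img, 0x60, 0x7C801D7B, 0x7C80AE40, 0)     # FirstThunk array (made-up addresses)
    img[0x80:0x8D] = b"kernel32.dll\0"
    img[0x92:0x9F] = b"LoadLibraryA\0"                                # Hint at 0x90 stays zero
    return bytes(img)

if __name__ == "__main__":
    for dll, name, addr in walk_imports(build_sample(), 0):
        print("%s!%s -> 0x%08x" % (dll, name, addr))
```

In an on-disk file the FirstThunk array normally still mirrors OriginalFirstThunk, so the third field only carries resolved addresses for a loaded image.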

GetProcAddress(self, name)

Scan the export table for a function of the given name.

Similar to the GetProcAddress function.


Property Details

RSDS

Get Method:
unreachable.RSDS(self)