Package rekall :: Package plugins :: Package overlays :: Package windows :: Module win8

Module win8

Classes
	ObpInfoMaskToOffsetHook By caching this map we can speed up lookups significantly.

Functions

TagOffset(x)

source code

InitializeWindows8Profile(profile)
Initialize windows 8 and 8.1 profiles.

source code

Variables
	win8_overlays = `{'_CONTROL_AREA': [None, {'FilePointer': [None...`
	win8_1_overlays = `{'_EPROCESS': [None, {'RealVadRoot': <functi...`
	win8_undocumented_amd64 = `{'_IMAGE_ENTRY_IN_SESSION': [None, {...`
	win8_undocumented_i386 = `{'_IMAGE_ENTRY_IN_SESSION': [None, {'...`
	__package__ = `'rekall.plugins.overlays.windows'`

Variables Details

win8_overlays

Value:

{'_CONTROL_AREA': [None,
                   {'FilePointer': [None,
                                    ['_EX_FAST_REF',
                                     {'target': '_FILE_OBJECT'}]]}],
 '_EPROCESS': [None,
               {'RealVadRoot': <function <lambda> at 0x7fafd6c817d0>}]
,
 '_HANDLE_TABLE_ENTRY': [None, {'Object': <function <lambda> at 0x7faf
...

win8_1_overlays

Value:

{'_EPROCESS': [None,
               {'RealVadRoot': <function <lambda> at 0x7fafd6c87500>}]
,
 '_HANDLE_TABLE': [None,
                   {'HandleCount': <function <lambda> at 0x7fafd6c8757
8>}]}

win8_undocumented_amd64

Value:

{'_IMAGE_ENTRY_IN_SESSION': [None,
                             {'Address': [32, ['Pointer']],
                              'Link': [0, ['_LIST_ENTRY']]}]}

win8_undocumented_i386

Value:

{'_IMAGE_ENTRY_IN_SESSION': [None,
                             {'Address': [16, ['Pointer']],
                              'Link': [0, ['_LIST_ENTRY']]}]}