Package rekall :: Package plugins :: Package overlays :: Package windows :: Module windows :: Class Nt

Class Nt


Alias for the windows kernel class.

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.obj.Profile)
  top_level_class
A collection of types relating to a single compilation unit. (Inherited from rekall.obj.Profile)

Instance Methods

EnsureInitialized(self) (Inherited from rekall.obj.Profile)

GetImageBase(self) (Inherited from rekall.plugins.overlays.windows.windows.Ntoskrnl)

GetPrototype(self, type_name)
Return a prototype of objects of type 'type_name'. (Inherited from rekall.obj.Profile)

Object(self, type_name=None, offset=None, vm=None, name=None, parent=None, context=None, **kwargs)
A function which instantiates the object named in type_name (as a string) from the type in profile passing optional args of kwargs. (Inherited from rekall.obj.Profile)

__dir__(self)
Support tab completion. (Inherited from rekall.obj.Profile)

__getattr__(self, attr)
Make it easier to instantiate individual members. (Inherited from rekall.obj.Profile)

__init__(self, **kwargs)
x.__init__(...) initializes x; see help(type(x)) for signature (Inherited from rekall.plugins.overlays.basic.RelativeOffsetMixin)

__repr__(self)
repr(x) (Inherited from rekall.obj.Profile)

__unicode__(self) (Inherited from rekall.obj.Profile)

add_classes(self, classes_dict=None, **kwargs)
Add the classes in the dict to our object classes mapping. (Inherited from rekall.obj.Profile)

add_constant_type(self, constant, target, target_args) (Inherited from rekall.obj.Profile)

add_constants(self, constants=None, **opts)
Add the demangled constants. (Inherited from rekall.plugins.overlays.windows.pe_vtypes.BasicPEProfile)

add_enums(self, **kwargs)
Add the kwargs as an enum for this profile. (Inherited from rekall.obj.Profile)

add_overlay(self, overlay)
Add an overlay to the current overlay stack. (Inherited from rekall.obj.Profile)

add_reverse_enums(self, **kwargs)
Add the kwargs as a reverse enum for this profile. (Inherited from rekall.obj.Profile)

add_types(self, abstract_types) (Inherited from rekall.obj.Profile)

compile_type(self, type_name)
Compile the specific type and ensure it exists in the type cache. (Inherited from rekall.obj.Profile)

copy(self)
Makes a copy of this profile. (Inherited from rekall.plugins.overlays.windows.pe_vtypes.BasicPEProfile)

flush_cache(self) (Inherited from rekall.obj.Profile)

get_constant(self, name, is_address=False)
Gets the constant from the profile. (Inherited from rekall.plugins.overlays.basic.RelativeOffsetMixin)

get_constant_by_address(self, address) (Inherited from rekall.obj.Profile)

get_constant_object(self, constant, target=None, target_args=None, vm=None, **kwargs)
A help function for retrieving pointers from the symbol table. (Inherited from rekall.obj.Profile)

get_enum(self, enum_name, field=None) (Inherited from rekall.obj.Profile)

get_nearest_constant_by_address(self, address, below=True) (Inherited from rekall.plugins.overlays.basic.RelativeOffsetMixin)

get_obj_offset(self, name, member)
Returns a member's offset within the struct. (Inherited from rekall.obj.Profile)

get_obj_size(self, name)
Returns the size of a struct (Inherited from rekall.obj.Profile)

get_reverse_enum(self, enum_name, field=None) (Inherited from rekall.obj.Profile)

has_class(self, class_name) (Inherited from rekall.obj.Profile)

has_type(self, type_name) (Inherited from rekall.obj.Profile)

integer_to_address(self, virtual_address) (Inherited from rekall.obj.Profile)

legacy_field_descriptor(self, typeList)
Converts the list expression into a target, target_args notation. (Inherited from rekall.obj.Profile)

list_to_type(self, name, typeList)
Parses a specification list and returns a VType object. (Inherited from rekall.obj.Profile)

merge(self, other)
Merges another profile into this one. (Inherited from rekall.obj.Profile)

merge_symbols(self, other, *args) (Inherited from rekall.obj.Profile)

metadata(self, name, default=None)
Obtain metadata about this profile. (Inherited from rekall.obj.Profile)

metadatas(self, *args)
Obtain metadata about this profile. (Inherited from rekall.obj.Profile)

obj_has_member(self, name, member)
Returns whether an object has a certain member (Inherited from rekall.obj.Profile)

set_metadata(self, name, value) (Inherited from rekall.obj.Profile)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods

GuessVersion(cls, profile)
Guess the windows version of a profile. (Inherited from rekall.plugins.overlays.windows.windows.Ntoskrnl)

ImplementationByClass(self, name)

ImplementationByName(self, name)

Initialize(cls, profile)
Install required types, classes and constants. (Inherited from rekall.plugins.overlays.windows.windows.Ntoskrnl)

LoadProfileFromData(cls, data, session=None, name=None, profile=None)
Creates a profile directly from a JSON object. (Inherited from rekall.obj.Profile)

Class Variables
  COMMON_CLASSES = {'Array': <class 'rekall.obj.Array'>, 'BitFie... (Inherited from rekall.obj.Profile)
  EMPTY_DESCRIPTOR = [0, {}] (Inherited from rekall.obj.Profile)
  METADATA = {'os': 'windows'} (Inherited from rekall.plugins.overlays.windows.pe_vtypes.BasicPEProfile)
  applied_modifications = None
hash(x) (Inherited from rekall.obj.Profile)
  classes = {'APIBaseProfile': <class 'rekall.plugins.response.c... (Inherited from rekall.obj.Profile)
  classes_by_name = {None: [<class 'rekall.obj.Profile'>, <class... (Inherited from rekall.obj.Profile)
  constants = None
hash(x) (Inherited from rekall.obj.Profile)
  image_base = 0 (Inherited from rekall.plugins.overlays.windows.pe_vtypes.BasicPEProfile)
  overlays = None
hash(x) (Inherited from rekall.obj.Profile)
  plugin_feature = 'Profile' (Inherited from rekall.obj.Profile)
  types = None
hash(x) (Inherited from rekall.obj.Profile)
  vtypes = None
hash(x) (Inherited from rekall.obj.Profile)
Properties

Inherited from object: __class__

Method Details

ImplementationByClass(self, name)
Class Method

Overrides: obj.Profile.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: obj.Profile.ImplementationByName