Package rekall :: Package plugins :: Package response :: Module windows_processes

Module windows_processes

Classes
	SYSTEM_INFO_32
	SYSTEM_INFO_64
	MEMORY_BASIC_INFORMATION_32
	MEMORY_BASIC_INFORMATION_64
	ProcessHandle
	LiveVad Collect information about a VAD region.
	APIVad A VAD plugin using the APIs.
	WinAPIProcessAddressSpace An address space which read processes using ReadProcessMemory().
	WinAPIProfile Profile for Windows live analysis.

Functions

is_wow64(proc)
Determine if the proc is Wow64.

source code

Variables
	READ_ACCESS = `win32con.PROCESS_VM_READ \| win32con.PROCESS_VM_O...`
	MEMORY_PROTECTIONS = `{0x10: "x---", 0x20: "xr--", 0x40: "xrw-"...`
	MEMORY_TYPES = `{0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED",...`
	OpenProcess = `ctypes.windll.kernel32.OpenProcess`
	ReadProcessMemory = `ctypes.windll.kernel32.ReadProcessMemory`
	CloseHandle = `ctypes.windll.kernel32.CloseHandle`
	GetMappedFileNameA = `ctypes.windll.psapi.GetMappedFileNameA`
	VirtualQueryEx = `ctypes.windll.kernel32.VirtualQueryEx`
	MAX_PATH = `1024`

Variables Details

Value:

win32con.PROCESS_VM_READ | win32con.PROCESS_VM_OPERATION | win32con.PR
OCESS_QUERY_INFORMATION

Value:

{0x10: "x---", 0x20: "xr--", 0x40: "xrw-", 0x80: "xrwc", 0x01: "----",
 0x02: "-r--", 0x04: "-rw-", 0x08: "--wc"}

Value:

{0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"
}