rekall :: plugins :: response :: windows_processes :: WinAPIProfile :: Class WinAPIProfile

Class WinAPIProfile

Profile for Windows live analysis.

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.obj.Profile)
  top_level_class
A collection of types relating to a single compilation unit. (Inherited from rekall.obj.Profile)
Instance Methods

__init__(self, proc=None, **kwargs)
x.__init__(...) initializes x; see help(type(x)) for signature

EnsureInitialized(self) (Inherited from rekall.obj.Profile)

GetPrototype(self, type_name)
Return a prototype of objects of type 'type_name'. (Inherited from rekall.obj.Profile)

Object(self, type_name=None, offset=None, vm=None, name=None, parent=None, context=None, **kwargs)
A function which instantiates the object named in type_name (as a string) from the type in profile passing optional args of kwargs. (Inherited from rekall.obj.Profile)

__dir__(self)
Support tab completion. (Inherited from rekall.obj.Profile)

__getattr__(self, attr)
Make it easier to instantiate individual members. (Inherited from rekall.obj.Profile)

__repr__(self)
repr(x) (Inherited from rekall.obj.Profile)

__unicode__(self) (Inherited from rekall.obj.Profile)

add_classes(self, classes_dict=None, **kwargs)
Add the classes in the dict to our object classes mapping. (Inherited from rekall.obj.Profile)

add_constant_type(self, constant, target, target_args) (Inherited from rekall.obj.Profile)

add_constants(self, constants=None, constants_are_addresses=False, **_)
Add the kwargs as constants for this profile. (Inherited from rekall.obj.Profile)

add_enums(self, **kwargs)
Add the kwargs as an enum for this profile. (Inherited from rekall.obj.Profile)

add_overlay(self, overlay)
Add an overlay to the current overlay stack. (Inherited from rekall.obj.Profile)

add_reverse_enums(self, **kwargs)
Add the kwargs as a reverse enum for this profile. (Inherited from rekall.obj.Profile)

add_types(self, abstract_types) (Inherited from rekall.obj.Profile)

compile_type(self, type_name)
Compile the specific type and ensure it exists in the type cache. (Inherited from rekall.obj.Profile)

copy(self)
Makes a copy of this profile. (Inherited from rekall.obj.Profile)

flush_cache(self) (Inherited from rekall.obj.Profile)

get_constant(self, constant, is_address=False)
Retrieve a constant from the profile. (Inherited from rekall.obj.Profile)

get_constant_by_address(self, address) (Inherited from rekall.obj.Profile)

get_constant_object(self, constant, target=None, target_args=None, vm=None, **kwargs)
A help function for retrieving pointers from the symbol table. (Inherited from rekall.obj.Profile)

get_enum(self, enum_name, field=None) (Inherited from rekall.obj.Profile)

get_nearest_constant_by_address(self, address, below=True)
Returns the closest constant below or equal to the address. (Inherited from rekall.obj.Profile)

get_obj_offset(self, name, member)
Returns a member's offset within the struct. (Inherited from rekall.obj.Profile)

get_obj_size(self, name)
Returns the size of a struct (Inherited from rekall.obj.Profile)

get_reverse_enum(self, enum_name, field=None) (Inherited from rekall.obj.Profile)

has_class(self, class_name) (Inherited from rekall.obj.Profile)

has_type(self, type_name) (Inherited from rekall.obj.Profile)

integer_to_address(self, virtual_address) (Inherited from rekall.obj.Profile)

legacy_field_descriptor(self, typeList)
Converts the list expression into a target, target_args notation. (Inherited from rekall.obj.Profile)

list_to_type(self, name, typeList)
Parses a specification list and returns a VType object. (Inherited from rekall.obj.Profile)

merge(self, other)
Merges another profile into this one. (Inherited from rekall.obj.Profile)

merge_symbols(self, other, *args) (Inherited from rekall.obj.Profile)

metadata(self, name, default=None)
Obtain metadata about this profile. (Inherited from rekall.obj.Profile)

metadatas(self, *args)
Obtain metadata about this profile. (Inherited from rekall.obj.Profile)

obj_has_member(self, name, member)
Returns whether an object has a certain member (Inherited from rekall.obj.Profile)

set_metadata(self, name, value) (Inherited from rekall.obj.Profile)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods

ImplementationByClass(self, name) (Inherited from rekall.plugins.response.common.APIBaseProfile)

ImplementationByName(self, name) (Inherited from rekall.plugins.response.common.APIBaseProfile)

Initialize(cls, profile)
Install required types, classes and constants. (Inherited from rekall.obj.Profile)

LoadProfileFromData(cls, data, session=None, name=None, profile=None)
Creates a profile directly from a JSON object. (Inherited from rekall.obj.Profile)

Class Variables
  COMMON_CLASSES = {'Array': <class 'rekall.obj.Array'>, 'BitFie... (Inherited from rekall.obj.Profile)
  EMPTY_DESCRIPTOR = [0, {}] (Inherited from rekall.obj.Profile)
  METADATA = {'live': True, 'os': 'Linux', 'type': 'API'} (Inherited from rekall.plugins.response.common.APIBaseProfile)
  applied_modifications = None
hash(x) (Inherited from rekall.obj.Profile)
  classes = {'APIBaseProfile': <class 'rekall.plugins.response.c... (Inherited from rekall.obj.Profile)
  classes_by_name = {None: [<class 'rekall.obj.Profile'>, <class... (Inherited from rekall.obj.Profile)
  constants = None
hash(x) (Inherited from rekall.obj.Profile)
  overlays = None
hash(x) (Inherited from rekall.obj.Profile)
  plugin_feature = 'Profile' (Inherited from rekall.obj.Profile)
  types = None
hash(x) (Inherited from rekall.obj.Profile)
  vtypes = None
hash(x) (Inherited from rekall.obj.Profile)
Properties

Inherited from object: __class__

Method Details

__init__(self, proc=None, **kwargs)
(Constructor)

x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__
(inherited documentation)