Package rekall :: Package plugins :: Package tools :: Module mspdb :: Class PDBParser

Class PDBParser

Parses a Microsoft PDB file.

Instance Methods

__init__(self, filename, session)
    x.__init__(...) initializes x; see help(type(x)) for signature

ParsePDB(self)
    Parse the PDB info stream.

ParseDBI(self)
    Parse the DBI stream.

ParseSectionHeaders(self, stream_id)
    Gather the PE sections of this executable.

ParseOMAP(self, omap_stream_id)
    Build an OMAP lookup table.

ParseGlobalSymbols(self, stream_id)
    Parse the symbol records stream.

ParseTPI(self)
    The TPI stream contains all the struct definitions.

AddEnumeration(self, name, enumeration)

AddReverseEnumeration(self, name, enumeration)

RegisterFixUp(self, definition)

Structs(self)

DefinitionByIndex(self, idx)
    Return the vtype definition of the item identified by idx.

Resolve(self, idx)

__enter__(self)

__exit__(self, exc_type, exc_value, trace)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Variables
  TYPE_ENUM_TO_VTYPE = {'T_32PINT4': ['Pointer', {'target': 'lon...
Properties

Inherited from object: __class__

Method Details

__init__(self, filename, session)
(Constructor)

x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__
(inherited documentation)

ParseDBI(self)

Parse the DBI stream.

This fires off subparsers for contained streams.

ParseOMAP(self, omap_stream_id)

Build an OMAP lookup table.

The OMAP is a translation from a symbol's original offset to its final offset. When the linker builds the executable, it reorders the contents of the original object files within the executable's sections, so the offsets recorded at compile time no longer match the image. This translation table tells us where each symbol ended up.
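The lookup described above, as an added example that is not rekall's own ParseOMAP code. It assumes the OMAP_FROM_SRC record layout: an array of (source RVA, target RVA) pairs, each a little-endian 32-bit unsigned integer, sorted by source RVA, where a target of 0 marks a range the linker discarded. The stream bytes, the OmapTable class and the RVA values are constructed for illustration.

```python
import bisect
import struct
from typing import List, Optional, Tuple

# Each OMAP record is a pair of little-endian 32-bit unsigned integers:
# (source RVA, target RVA).  Records are sorted by source RVA.  A target RVA
# of 0 marks a source range that the linker discarded entirely.
OMAP_RECORD = struct.Struct("<II")

# Constructed sample OMAP_FROM_SRC stream (not taken from a real PDB).
CONSTRUCTED_OMAP_STREAM = b"".join(
    OMAP_RECORD.pack(src, dst)
    for src, dst in [
        (0x1000, 0x5000),  # code at original RVA 0x1000.. now lives at 0x5000..
        (0x2000, 0x0000),  # original range 0x2000.. was dropped by the linker
        (0x3000, 0x8000),  # original range 0x3000.. now lives at 0x8000..
    ]
)


class OmapTable:
    """Lookup table built from an OMAP stream, mapping source RVAs to final RVAs."""

    def __init__(self, data: bytes) -> None:
        if len(data) % OMAP_RECORD.size:
            raise ValueError("OMAP stream length is not a multiple of 8 bytes")
        self.entries: List[Tuple[int, int]] = [
            OMAP_RECORD.unpack_from(data, off)
            for off in range(0, len(data), OMAP_RECORD.size)
        ]
        # translate() binary-searches on the source RVA, so verify the ordering
        # instead of trusting the stream.
        for (a, _), (b, _) in zip(self.entries, self.entries[1:]):
            if a > b:
                raise ValueError("OMAP records are not sorted by source RVA")
        self._sources = [src for src, _ in self.entries]

    def translate(self, rva: int) -> Optional[int]:
        """Return the final RVA for a pre-link RVA, or None if it was discarded.

        The record with the largest source RVA <= rva describes the range the
        address belongs to; the distance into that range is preserved.
        """
        i = bisect.bisect_right(self._sources, rva) - 1
        if i < 0:
            return None  # address precedes every mapped range
        src, dst = self.entries[i]
        if dst == 0:
            return None  # range removed by the linker
        return dst + (rva - src)


if __name__ == "__main__":
    table = OmapTable(CONSTRUCTED_OMAP_STREAM)
    for rva in (0x0800, 0x1010, 0x2010, 0x3000):
        print(hex(rva), "->", table.translate(rva))
```

A symbol whose pre-link RVA falls in a discarded range (target 0) has no address in the final image; a resolver should treat that as "symbol not present" rather than report address 0.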


Class Variable Details

TYPE_ENUM_TO_VTYPE

Value:
{'T_32PINT4': ['Pointer', {'target': 'long'}],
 'T_32PLONG': ['Pointer', {'target': 'long'}],
 'T_32PQUAD': ['Pointer', {'target': 'long long'}],
 'T_32PRCHAR': ['Pointer', {'target': 'unsigned char'}],
 'T_32PREAL32': ['Pointer', {'target': 'Void'}],
 'T_32PREAL64': ['Pointer', {'target': 'Void'}],
 'T_32PSHORT': ['Pointer', {'target': 'short'}],
 'T_32PUCHAR': ['Pointer', {'target': 'unsigned char'}],
...