Class PEModule

source code

Windows overlays PE files in memory.

Instance Methods

detect_profile_from_session(self)
Get the module guid from the session cache.

source code

detect_guid_from_mapped_file(self)
Guess the guid for the PE file.

source code

detect_guid_pe_header(self)

source code

detect_profile_from_index(self)

source code

detect_profile_name(self)
Try to figure out the profile name for this module.

source code

build_local_profile(self, profile_name=None, force=False)
Fetch and build a local profile from the symbol server.

source code

build_profile_from_exports(self)
Create a dummy profile from PE exports.

source code

reset(self)

source code

load_profile(self, force=True)

source code

__init__(self, name=None, start=None, end=None, profile=None, session=None)
x.__init__(...) initializes x; see help(type(x)) for signature (Inherited from rekall.plugins.common.address_resolver.Module)

source code

__str__(self)
str(x) (Inherited from rekall.plugins.common.address_resolver.Module)

source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __subclasshook__

Properties
	profile
Inherited from `object`: `__class__`

Method Details

detect_profile_from_session(self)

source code

Get the module guid from the session cache.

This allows the user to override the GUID detection with their own.

detect_profile_name(self)

source code

Try to figure out the profile name for this module.

We have a number of methods as we need to call these in the most appropriate order.

Property Details

profile

Get Method:: unreachable.profile(self)
Set Method:: unreachable.profile(self, value) - Allow the profile for this module to be overridden.