Class WinFindDTB (rekall.plugins.windows.common)

A plugin to search for the Directory Table Base (DTB) on Windows systems.

There are a number of ways to find the DTB:

- Scanner method: scans the image for a known kernel process and reads the
  DTB from its Process Environment Block (PEB).

- Get the DTB from the KPCR structure.

- Note that the kernel is mapped into every process's address space (with
  the exception of session space, which might be different), so using any
  process's DTB from the same session will work to read kernel data
  structures. If this plugin fails, try psscan to find potential DTBs.

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
  top_level_class
A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Instance Methods
  __init__(self, process_name='Idle', **kwargs)
    A mixin for those plugins requiring a physical address space.
  scan_for_process(self)
    Scan the image for the idle process.
  address_space_hits(self)
    Finds DTBs and yields virtual address spaces that expose the kernel.
  dtb_eprocess_hits(self)
  TestEProcess(self, address_space, eprocess)
  VerifyHit(self, dtb)
    Check the eprocess for sanity.
  GetAddressSpaceImplementation(self)
    Returns the correct address space class for this profile.
  collect(self)
    Collect data that will be passed to renderer.table_row.
  CreateAS(self, dtb)
    Creates an address space from this hit. (Inherited from rekall.plugins.core.FindDTB)
  __iter__(self)
    Make plugins that define collect iterable, as a convenience. (Inherited from rekall.plugin.Command)
  __repr__(self)
    repr(x) (Inherited from rekall.plugin.Command)
  __str__(self)
    Render into a string using the text renderer. (Inherited from rekall.plugin.Command)
  collect_as_dicts(self) (Inherited from rekall.plugin.TypedProfileCommand)
  column_types(self)
    Returns instances for each column definition. (Inherited from rekall.plugin.TypedProfileCommand)
  dtb_hits(self)
    Yields hits for the DTB offset. (Inherited from rekall.plugins.core.FindDTB)
  get_column(self, name) (Inherited from rekall.plugin.TypedProfileCommand)
  get_column_type(self, name) (Inherited from rekall.plugin.TypedProfileCommand)
  get_plugin(self, name, **kwargs)
    Returns an instance of the named plugin. (Inherited from rekall.plugin.Command)
  getkeys(self) (Inherited from rekall.plugin.TypedProfileCommand)
  reflect(self, member) (Inherited from rekall.plugin.TypedProfileCommand)
  render(self, renderer, **options) (Inherited from rekall.plugin.TypedProfileCommand)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods
  args(cls, parser)
    Declare the command line args we need.
  GetActiveClasses(cls, session)
    Return only the active commands based on config. (Inherited from rekall.plugin.Command)
  GetPrototype(cls, session)
    Return an instance of this plugin with suitable default arguments. (Inherited from rekall.plugin.Command)
  ImplementationByClass(self, name)
  ImplementationByName(self, name)
  is_active(cls, session)
    Checks we are active. (Inherited from rekall.plugin.ProfileCommand)

Class Variables
  table_header = [{'name': '_EPROCESS (P)', 'style': 'address'},...
  PHYSICAL_AS_REQUIRED = True (Inherited from rekall.plugin.PhysicalASMixin)
  PROFILE_REQUIRED = True (Inherited from rekall.plugin.ProfileCommand)
  ROW_OPTIONS = set(['annotation', 'depth', 'hex_width', 'highli... (Inherited from rekall.plugin.TypedProfileCommand)
  classes = {'AFF4Acquire': <class 'rekall.plugins.tools.aff4acq... (Inherited from rekall.plugin.Command)
  classes_by_name = {None: [<class 'rekall.plugins.tools.ipython... (Inherited from rekall.plugin.Command)
  error_status = None (Inherited from rekall.plugin.Command)
  interactive = False (Inherited from rekall.plugin.Command)
  mode = 'mode_windows_memory' (Inherited from rekall.plugins.windows.common.AbstractWindowsCommandPlugin)
  plugin_args = None (Inherited from rekall.plugin.ArgsParserMixin)
  plugin_feature = 'Command' (Inherited from rekall.plugin.Command)
  producer = False (Inherited from rekall.plugin.Command)
  table_options = {} (Inherited from rekall.plugin.TypedProfileCommand)

Properties
  name (Inherited from rekall.plugin.Command)

Inherited from object: __class__

Method Details

args(cls, parser)
Class Method

Declare the command line args we need.

Overrides: plugin.Command.args

__init__(self, process_name='Idle', **kwargs)
(Constructor)

A mixin for those plugins requiring a physical address space.

Args:
  physical_address_space: The physical address space to use. If not
    specified we use the following options:

    1) session.physical_address_space,

    2) Guess using the load_as() plugin,

    3) Use session.kernel_address_space.base.

Overrides: object.__init__
(inherited documentation)

address_space_hits(self)

Finds DTBs and yields virtual address spaces that expose the kernel.

Yields:
  BaseAddressSpace-derived instances, validated using the VerifyHit()
  method.

Overrides: core.FindDTB.address_space_hits

VerifyHit(self, dtb)

Check the eprocess for sanity.

Overrides: core.FindDTB.VerifyHit

GetAddressSpaceImplementation(self)

Returns the correct address space class for this profile.

Overrides: core.FindDTB.GetAddressSpaceImplementation

collect(self)

Collect data that will be passed to renderer.table_row.

Overrides: plugin.TypedProfileCommand.collect
(inherited documentation)

ImplementationByClass(self, name)
Class Method

Overrides: plugin.Command.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: plugin.Command.ImplementationByName

Class Variable Details

table_header

Value:
[{'name': '_EPROCESS (P)', 'style': 'address'},
 {'name': 'dtv', 'style': 'address'},
 {'name': 'valid', 'width': 10}]