Convert the physical address space to a crash dump.

The Windows debugger (Windbg) works only with memory dumps stored in the proprietary 'crashdump' file format. This file format has the following features:

1) Physical memory ranges are stored sparsely: a 'Runs' table specifies the mapping between the physical offset and the file offset of each page. This allows the format to omit unmapped regions (unlike the raw format, which must pad them with zeros to maintain alignment).

2) The crash dump header contains metadata about the image. Specifically, the header contains a copy of the Kernel Debugger Data Block (also known as the KDBG). This data bootstraps the Windows debugger by providing critical initial hints. Since the KDBG block is created at system boot and never used until a crash dump is written, it is trivial for malware to overwrite it, which makes things hard for responders because Windbg will then be unable to read the file. In later versions of Windows the KDBG is also obfuscated (see the function "nt!KdCopyDataBlock", which decrypts it).

Rekall itself no longer uses the KDBG block, although older memory forensic tools still do. Rekall instead relies on accurate debugging symbols to locate critical kernel data structures, reducing the level of trust placed in the image itself (so Rekall is more resilient to manipulation). To ensure that the Windows debugger is able to read the produced crash dump, we recreate the kernel debugger block from the symbol information we already have.

NOTE: The crashdump file format can be deduced by: dis 'nt!IoFillDumpHeader' This is the reference for this plugin.
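The sparse 'Runs' table described above is what lets the crashdump format skip unmapped physical ranges, and it is also data that lives inside the image, so a reader should validate it before trusting it. The following is an added example and not Rekall's own code: it builds a runs table from a constructed set of present pages, checks the table for overlapping, descending or empty runs, translates physical addresses to file offsets, and compares the sparse file size with the padded raw size. The header size and the (base_page, page_count) tuple layout are simplified stand-ins, not the real DUMP_HEADER64 structure; the function names are assumptions made for this example.

```python
# Added example (not Rekall's own code): walking a crash-dump style 'Runs'
# table. Each run maps a contiguous range of physical pages to a contiguous
# range of pages in the file, and runs are packed back to back after the
# header. The header size and field layout here are simplified stand-ins,
# not the real DUMP_HEADER64 structure.

PAGE_SIZE = 0x1000
HEADER_SIZE = 0x2000  # assumption: fixed-size header before the first data page


def runs_from_pages(present_pages):
    """Collapse a set of present physical page numbers into (base_page, page_count)
    runs; this is what lets the sparse format omit unmapped regions."""
    runs = []
    for page in sorted(set(present_pages)):
        if runs and runs[-1][0] + runs[-1][1] == page:
            base, count = runs[-1]
            runs[-1] = (base, count + 1)
        else:
            runs.append((page, 1))
    return runs


def validate_runs(runs):
    """Return a list of problems with a runs table. A reader should refuse a
    table with overlapping, descending or empty runs rather than trusting it:
    the table is stored in the image and can be corrupted or tampered with."""
    problems = []
    next_free = 0  # first page number not yet claimed by an earlier run
    for index, (base, count) in enumerate(runs):
        if count <= 0:
            problems.append("run %d has non-positive page count %d" % (index, count))
        if base < next_free:
            problems.append("run %d (base page 0x%x) overlaps or precedes the previous run"
                            % (index, base))
        next_free = max(next_free, base + count)
    return problems


def phys_to_file_offset(runs, phys_addr, header_size=HEADER_SIZE, page_size=PAGE_SIZE):
    """Translate a physical address to its file offset, or None if no run
    covers it (the region was unmapped and therefore omitted from the file)."""
    page = phys_addr // page_size
    file_page = 0  # pages already written to the file by earlier runs
    for base, count in runs:
        if base <= page < base + count:
            return header_size + (file_page + page - base) * page_size + phys_addr % page_size
        file_page += count
    return None


def dump_file_size(runs, header_size=HEADER_SIZE, page_size=PAGE_SIZE):
    """Size of the sparse dump: the header plus only the pages that are present."""
    return header_size + sum(count for _, count in runs) * page_size


def raw_image_size(runs, page_size=PAGE_SIZE):
    """Size a raw (non-sparse) image would need: every gap is padded with zeros
    up to the end of the highest present page. Assumes runs are ascending."""
    if not runs:
        return 0
    base, count = runs[-1]
    return (base + count) * page_size


if __name__ == "__main__":
    # Constructed sample: three small regions of the physical address space
    # are present, with large unmapped gaps between them.
    present = [0x0, 0x1, 0x2, 0x10, 0x11, 0x100]
    runs = runs_from_pages(present)
    print("runs:", [(hex(base), count) for base, count in runs])
    print("problems:", validate_runs(runs))
    for addr in (0x1234, 0x10800, 0x100000, 0x5000):
        offset = phys_to_file_offset(runs, addr)
        print("phys 0x%x -> %s" % (addr, "unmapped" if offset is None else hex(offset)))
    print("sparse dump size: 0x%x, raw image size: 0x%x"
          % (dump_file_size(runs), raw_image_size(runs)))
```

With the constructed sample, physical address 0x10800 lands in the second run, so it is written as the fourth page after the header even though it sits 16 pages into the physical address space; the six present pages give a 0x8000-byte sparse file where a zero-padded raw image would need 0x101000 bytes.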
Nested Classes
__metaclass__: Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
top_level_class: A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Class Variables
table_header =
table_options =
PHYSICAL_AS_REQUIRED = True (Inherited from rekall.plugin.PhysicalASMixin)
PROFILE_REQUIRED = True (Inherited from rekall.plugin.ProfileCommand)
ROW_OPTIONS = (Inherited from rekall.plugin.TypedProfileCommand)
classes = (Inherited from rekall.plugin.Command)
classes_by_name = (Inherited from rekall.plugin.Command)
error_status = None (Inherited from rekall.plugin.Command)
interactive = False (Inherited from rekall.plugin.Command)
mode = (Inherited from rekall.plugins.windows.common.AbstractWindowsCommandPlugin)
plugin_args = None (Inherited from rekall.plugin.ArgsParserMixin)
plugin_feature = (Inherited from rekall.plugin.Command)
producer = False (Inherited from rekall.plugin.Command)
Properties
name (Inherited from rekall.plugin.Command)
Method Details

Returns instances for each column definition. The actual objects returned when the plugin runs are often determined at run time because they depend on the loaded profile. This method is used to introspect the types of each column without actually running the plugin. A plugin must provide an instance for each column without running any code, so that introspectors can learn about the output format before running the actual plugin. Note that this method should almost always be overloaded; we try our best here, but it is not ideal. Ultimately all plugins will override this method and just declare a column_types() method.

A mixin for plugins which require a valid kernel address space.
Args:
  dtb: A potential dtb to be used.

Collect data that will be passed to renderer.table_row.
Generated by Epydoc 3.0.1 on Mon Oct 9 03:29:05 2017 | http://epydoc.sourceforge.net