Package rekall :: Package plugins :: Package windows :: Module dns

Module dns

This module implements plugins to inspect Window's DNS resolver cache.

In windows DNS requests are cached by the DNS resolver service. This is a service running in svchost.exe and implemented as the mostly undocumented DLL dnsrslvr.dll.

Classes
	DNS_RECORD
	WinDNSCache Dump the windows DNS resolver cache.

Functions

InitializedDNSTypes(profile)

source code

Variables
	DNS_TYPES = `{1: 'A', 5: 'CNAME', 28: 'AAAA'}`
	types = `{'DNS_HASHTABLE_ENTRY': [None, {'List': [0, ['_LIST_EN...`
	win10_overlays = `{'DNS_HASHTABLE_ENTRY': [None, {'List': [8, [...`
	__package__ = `'rekall.plugins.windows'`

Variables Details

types

Value:

{'DNS_HASHTABLE_ENTRY': [None,
                         {'List': [0, ['_LIST_ENTRY']],
                          'Name': [8,
                                   ['Pointer',
                                    {'target': 'UnicodeString'}]],
                          'Record': [24,
                                     ['Pointer',
                                      {'target': 'DNS_RECORD'}]]}],
...

win10_overlays

Value:

{'DNS_HASHTABLE_ENTRY': [None,
                         {'List': [8, ['_LIST_ENTRY']],
                          'Name': [56,
                                   ['Pointer',
                                    {'target': 'UnicodeString'}]],
                          'Record': [88,
                                     ['Pointer',
                                      {'target': 'DNS_RECORD'}]]}]}