Package gui

These plugins implement analysis of the win32k graphic subsystem.

This work stemmed from the seminal work:

Kernel Attacks through user mode callbacks Tarjei Mandt.

http://mista.nu/blog/2011/08/11/windows-hooks-of-death-kernel-attacks-through-user-mode-callbacks/

Other interesting references: http://volatility-labs.blogspot.de/2012/09/movp-13-desktops-heaps-and-ransomware.html

Submodules

rekall.plugins.windows.gui.atoms
rekall.plugins.windows.gui.autodetect: Autodetect struct layout of various Win32k GUI structs.
rekall.plugins.windows.gui.clipboard
rekall.plugins.windows.gui.constants
rekall.plugins.windows.gui.sessions
rekall.plugins.windows.gui.tests
rekall.plugins.windows.gui.userhandles: Analyzes User handles registered with the Win32k Subsystem.
rekall.plugins.windows.gui.vtypes
- rekall.plugins.windows.gui.vtypes.win7
- rekall.plugins.windows.gui.vtypes.win7_sp0_x64_vtypes_gui
- rekall.plugins.windows.gui.vtypes.win7_sp0_x86_vtypes_gui
- rekall.plugins.windows.gui.vtypes.win7_sp1_x64_vtypes_gui
- rekall.plugins.windows.gui.vtypes.win7_sp1_x86_vtypes_gui
- rekall.plugins.windows.gui.vtypes.xp: Most of the following structures are actually documented in Windows 7 onwards, but are not documented in windows XP.
rekall.plugins.windows.gui.win32k_core
rekall.plugins.windows.gui.windowstations: The following is a description of windows stations from MSDN:

Variables
	__package__ = `'rekall.plugins.windows.gui'`