Trees       Indices       Help   
Rekall Memory Forensics
Package rekall :: Package plugins :: Package windows :: Package gui :: Module sessions :: Class Sessions
[frames] | no frames]

Class Sessions

source code

List details on _MM_SESSION_SPACE (user logon sessions).

Windows uses sessions in order to separate processes. Sessions are used to separate the address spaces of windows processes.

Note that this plugin traverses the ProcessList member of the session object to list the processes - yet another list _EPROCESS objects are on.

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
  top_level_class
A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Instance Methods
 
session_spaces(self)
Generates unique _MM_SESSION_SPACE objects.		 source code
 
find_session_space(self, session_id)
Get a _MM_SESSION_SPACE object by its ID.		 source code
 
collect(self)
Collect data that will be passed to renderer.table_row.		 source code
 
__init__(self, *args, **kwargs)
A mixin for plugins which require a valid kernel address space. (Inherited from rekall.plugin.KernelASMixin)		 source code
 
__iter__(self)
Make plugins that define collect iterable, as convenience. (Inherited from rekall.plugin.Command)		 source code
 
__repr__(self)
repr(x) (Inherited from rekall.plugin.Command)		 source code
 
__str__(self)
Render into a string using the text renderer. (Inherited from rekall.plugin.Command)		 source code
 
collect_as_dicts(self) (Inherited from rekall.plugin.TypedProfileCommand) source code
 
column_types(self)
Returns instances for each column definition. (Inherited from rekall.plugin.TypedProfileCommand)		 source code
 
filter_processes(self)
Filters eprocess list using pids lists. (Inherited from rekall.plugins.windows.common.WinProcessFilter)		 source code
 
get_column(self, name) (Inherited from rekall.plugin.TypedProfileCommand) source code
 
get_column_type(self, name) (Inherited from rekall.plugin.TypedProfileCommand) source code
 
get_plugin(self, name, **kwargs)
Returns an instance of the named plugin. (Inherited from rekall.plugin.Command)		 source code
 
getkeys(self) (Inherited from rekall.plugin.TypedProfileCommand) source code
 
list_eprocess(self)
List processes using chosen methods. (Inherited from rekall.plugins.windows.common.WinProcessFilter)		 source code
 
list_from_eprocess(self) (Inherited from rekall.plugins.windows.common.WinProcessFilter) source code
 
reflect(self, member) (Inherited from rekall.plugin.TypedProfileCommand) source code
 
render(self, renderer, **options) (Inherited from rekall.plugin.TypedProfileCommand) source code
 
virtual_process_from_physical_offset(self, physical_offset)
Tries to return an eprocess in virtual space from a physical offset. (Inherited from rekall.plugins.windows.common.WinProcessFilter)		 source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods
 
GetActiveClasses(cls, session)
Return only the active commands based on config. (Inherited from rekall.plugin.Command)		 source code
 
GetPrototype(cls, session)
Return an instance of this plugin with suitable default arguments. (Inherited from rekall.plugin.Command)		 source code
 
ImplementationByClass(self, name) source code
 
ImplementationByName(self, name) source code
 
args(cls, metadata) (Inherited from rekall.plugin.PhysicalASMixin) source code
 
is_active(cls, session)
Checks we are active. (Inherited from rekall.plugin.ProfileCommand)		 source code
Class Variables
  table_header = [{'name': 'divider', 'type': 'Divider'}, {'hidd...
hash(x)
  METHODS = ['PsActiveProcessHead', 'CSRSS', 'PspCidTable', 'Ses... (Inherited from rekall.plugins.windows.common.WinProcessFilter)
  PHYSICAL_AS_REQUIRED = True (Inherited from rekall.plugin.PhysicalASMixin)
  PROFILE_REQUIRED = True (Inherited from rekall.plugin.ProfileCommand)
  ROW_OPTIONS = set(['annotation', 'depth', 'hex_width', 'highli... (Inherited from rekall.plugin.TypedProfileCommand)
  classes = {'AFF4Acquire': <class 'rekall.plugins.tools.aff4acq... (Inherited from rekall.plugin.Command)
  classes_by_name = {None: [<class 'rekall.plugins.tools.ipython... (Inherited from rekall.plugin.Command)
  error_status = None
hash(x) (Inherited from rekall.plugin.Command)
  interactive = False (Inherited from rekall.plugin.Command)
  mode = 'mode_windows_memory'
hash(x) (Inherited from rekall.plugins.windows.common.AbstractWindowsCommandPlugin)
  plugin_args = None
hash(x) (Inherited from rekall.plugin.ArgsParserMixin)
  plugin_feature = 'Command' (Inherited from rekall.plugin.Command)
  producer = False (Inherited from rekall.plugin.Command)
  table_options = {} (Inherited from rekall.plugin.TypedProfileCommand)
Properties
  filtering_requested (Inherited from rekall.plugins.windows.common.WinProcessFilter)
  name (Inherited from rekall.plugin.Command)

Inherited from object: __class__

Method Details

session_spaces(self)

source code  
Generates unique _MM_SESSION_SPACE objects.

Generates unique _MM_SESSION_SPACE objects referenced by active
processes.

Yields:
  _MM_SESSION_SPACE instantiated from the session space's address space.

find_session_space(self, session_id)

source code  
Get a _MM_SESSION_SPACE object by its ID.

Args:
  session_id: the session ID to find.

Returns:
  _MM_SESSION_SPACE instantiated from the session space's address space.

collect(self)

source code 

Collect data that will be passed to renderer.table_row.

Overrides: plugin.TypedProfileCommand.collect
(inherited documentation)

ImplementationByClass(self, name)
Class Method

source code 
Overrides: plugin.Command.ImplementationByClass

ImplementationByName(self, name)
Class Method

source code 
Overrides: plugin.Command.ImplementationByName

Class Variable Details

table_header

hash(x)

Value:
[{'name': 'divider', 'type': 'Divider'},
 {'hidden': True, 'name': 'session_id'},
 {'name': 'process', 'width': 40},
 {'name': 'image'}]

   Trees       Indices       Help   
Rekall Memory Forensics
Generated by Epydoc 3.0.1 on Mon Oct 9 03:29:07 2017 http://epydoc.sourceforge.net