Package rekall :: Package plugins :: Package windows :: Package gui :: Package vtypes :: Module xp

Module xp

Most of the following structures are actually documented in Windows 7 onwards, but are not documented in windows XP.

For those structs which did not change between Windows XP and Windows 7, we can just copy the ones from Win7 but some things have changes so we still need to hard code the following.

Ideally we should use generate_types here.

Variables
	vtypes_xp_32 = `{'_LARGE_UNICODE_STRING': [12, {'Buffer': [8, [...`
	vtypes_xp_64 = `{'tagCLS': [None, {'atomClassName': [8, ['unsig...`
	__package__ = `'rekall.plugins.windows.gui.vtypes'`

Variables Details

vtypes_xp_32

Value:

{'_LARGE_UNICODE_STRING': [12,
                           {'Buffer': [8,
                                       ['pointer', ['unsigned short']]
],
                            'Length': [0, ['unsigned long']],
                            'MaximumLength': [4,
                                              ['BitField',
                                               {'end_bit': 31, 'start_
...

vtypes_xp_64

Value:

{'tagCLS': [None,
            {'atomClassName': [8, ['unsigned short']],
             'atomNVClassName': [10, ['unsigned short']],
             'pclsNext': [0, ['pointer64', ['tagCLS']]]}],
 'tagDESKTOP': [208,
                {'PtiList': [160, ['_LIST_ENTRY']],
                 'dwSessionId': [0, ['unsigned long']],
                 'hsectionDesktop': [112, ['pointer64', ['void']]],
...