Class tagDESKTOP

A class for Desktop objects

Nested Classes
  __metaclass__
Give each object a unique ID. (Inherited from rekall.obj.BaseObject)

Instance Methods

is_valid(self)

threads(self)
Generator for _EPROCESS objects attached to this desktop

hooks(self)
Generator for tagHOOK info.

windows(self, win, filter=<function <lambda> at 0x7fafd2686aa0>, level=0)
Traverses windows in their Z order, bottom to top.

heaps(self)
Generator for the desktop heaps

traverse(self, vm=None)
Generator for next desktops in the list

GetData(self)
Returns the raw data of this object. (Inherited from rekall.obj.BaseObject)

SetMember(self, attr, value)
Write a value to a member. (Inherited from rekall.obj.Struct)

__comparator__(self, other, method) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__dir__(self)
Hide any members with _. (Inherited from rekall.obj.BaseObject)

__eq__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__format__(self, formatspec)
default object formatter (Inherited from rekall.obj.BaseObject)

__ge__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__getattr__(self, attr) (Inherited from rekall.obj.Struct)

__gt__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__hash__(self)
hash(x) (Inherited from rekall.obj.Struct)

__init__(self, members=None, struct_size=0, callable_members=None, **kwargs)
This must be instantiated with a dict of members. (Inherited from rekall.obj.Struct)

__int__(self)
Return our offset as an integer. (Inherited from rekall.obj.Struct)

__le__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__long__(self) (Inherited from rekall.obj.Struct)

__lt__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__ne__(self, other) (Inherited from rekall.obj.BaseAddressComparisonMixIn)

__nonzero__(self)
This method is called when we test the truth value of an Object. (Inherited from rekall.obj.BaseObject)

__repr__(self)
repr(x) (Inherited from rekall.obj.Struct)

__str__(self)
str(x) (Inherited from rekall.obj.BaseObject)

__unicode__(self) (Inherited from rekall.obj.Struct)

cast(self, type_name=None, vm=None, **kwargs) (Inherited from rekall.obj.BaseObject)

deref(self, vm=None)
An alias for dereference - less to type. (Inherited from rekall.obj.BaseObject)

dereference(self, vm=None) (Inherited from rekall.obj.BaseObject)

desktops(self)
A generator that yields the window station's desktops (Inherited from rekall.plugins.windows.gui.win32k_core.tagWINDOWSTATION)

m(self, attr, allow_callable_attributes=False)
Fetch the member named by attr. (Inherited from rekall.obj.Struct)

multi_m(self, *args, **opts)
Retrieve a set of fields in order. (Inherited from rekall.obj.Struct)

preamble_size(self)
The number of bytes before the object which are part of the object. (Inherited from rekall.obj.Struct)

proxied(self) (Inherited from rekall.obj.BaseObject)

reference(self)
Produces a pointer to this object. (Inherited from rekall.obj.BaseObject)

v(self, vm=None)
When a struct is evaluated we just return our offset. (Inherited from rekall.obj.Struct)

walk_list(self, list_member, include_current=True, deref_as=None)
Walk a single linked list in this struct. (Inherited from rekall.obj.Struct)

write(self, value)
Function for writing the object back to disk (Inherited from rekall.obj.BaseObject)

Inherited from object: __delattr__, __getattribute__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods

getproperties(cls)
Return all members that are intended to represent some data. (Inherited from rekall.obj.BaseObject)

Class Variables
  obj_name = <No name> (Inherited from rekall.obj.BaseObject)
  obj_parent = <No parent> (Inherited from rekall.obj.BaseObject)
  obj_producers = None (Inherited from rekall.obj.BaseObject)

Properties
  WindowStation
Returns this desktop's parent window station
  DeskInfo
Returns the desktop info object
  Interactive
Check if a window station is interactive (Inherited from rekall.plugins.windows.gui.win32k_core.tagWINDOWSTATION)
  LastRegisteredViewer
The EPROCESS of the last registered clipboard viewer (Inherited from rekall.plugins.windows.gui.win32k_core.tagWINDOWSTATION)
  Name
Get the window station name. (Inherited from rekall.plugins.windows.gui.win32k_core.tagWINDOWSTATION)
  indices
Returns (usually 1) representation(s) of self usable as dict keys. (Inherited from rekall.obj.Struct)
  obj_end (Inherited from rekall.obj.BaseObject)
  obj_size (Inherited from rekall.obj.Struct)
  parents
Returns all the parents of this object. (Inherited from rekall.obj.BaseObject)

Inherited from object: __class__

Method Details

is_valid(self)

Overrides: obj.BaseObject.is_valid

windows(self, win, filter=<function <lambda> at 0x7fafd2686aa0>, level=0)

Traverses windows in their Z order, bottom to top.

Parameters:
  • win - the HWND to start from. Usually this is the desktop window currently in focus.
  • filter - a callable (usually a lambda) used to filter the results. See below for examples:

    # only print subclassed windows (window procedure differs from the class procedure)
    filter = lambda x : x.lpfnWndProc != x.pcls.lpfnWndProc

    # only print windows of processes named csrss.exe
    filter = lambda x : str(x.head.pti.ppi.Process.ImageFileName).lower() == "csrss.exe" if x.head.pti.ppi else False

    # only print windows of a process by pid
    filter = lambda x : x.head.pti.pEThread.Cid.UniqueProcess == 0x1020

    # only print visible windows
    filter = lambda x : 'WS_VISIBLE' in x.get_flags()


Property Details

WindowStation

Returns this desktop's parent window station

Get Method:
WindowStation(self) - Returns this desktop's parent window station

DeskInfo

Returns the desktop info object

Get Method:
DeskInfo(self) - Returns the desktop info object