
Module index


This module implements profile indexing.

Rekall relies on accurate profiles for reliable analysis of memory artifacts. We depend on selecting the correct profile from the profile repository, but sometimes it is hard to determine the exact profile to use. For Windows, the profile must exactly match the GUID in the driver.

However, the GUID is sometimes unavailable, or it could have been manipulated. In that case we would like to determine the profile version by applying the index.

The profile repository stores an index for each kernel module. We can use this index to determine the exact version of the profile very quickly, even if the RSDS GUID is not available or is incorrect.


Author: Michael Cohen <scudette@google.com>

Classes
  GuessGUID
Try to guess the exact version of a kernel module by using an index.
  EProcessIndex
A profile index for _EPROCESS structs.
  TestGuessGUID
Variables
  __package__ = 'rekall.plugins.windows'