Module kernel

This module discovers the kernel base address.

The profile provides kernel addresses relative to the kernel base address. The base address itself varies each time, so we need a way to locate it in the kernel address space.


Author: Michael Cohen <scudette@google.com>

Classes
  ExportScanner
  ObjectTreeHook
    Cache the object tree.
  DriveLetterDeviceHook
    Maps device names to drive letters.
  KernelBaseHook
    Finds the kernel base address.
  WindowsHighestUserAddress
    The highest address for user mode/kernel mode division.
  DTB2TaskMap
    Maps the DTB to the _EPROCESS structs.

Variables
  __package__ = 'rekall.plugins.windows'