Package rekall :: Package plugins :: Package windows :: Package malware :: Module cmdhistory

Module cmdhistory

Classes
	WinSrv86 A domain specific profile for the xp, 2008.
	WinSrv64 A domain specific profile for the xp, 2008.
	ConHost86 A domain specific profile for windows 7.
	ConHost64 A domain specific profile for windows 7.
	WinHistoryScanner A vad scanner for command histories.
	CmdScan Extract command history by scanning for _COMMAND_HISTORY
	ConsoleScanner A scanner for _CONSOLE_INFORMATION.
	ConsoleScan Extract command history by scanning for _CONSOLE_INFORMATION
	Conhost A profile for Conhost.exe.
	Consoles Enumerate command consoles.

Variables
	MAX_HISTORY_DEFAULT = `50`
	HISTORY_BUFFERS_DEFAULTS = `4`
	common_types = `{'_LIST_ENTRY': [8, {'Blink': [4, ['pointer', [...`
	common_types_64 = `{'_LIST_ENTRY': [16, {'Blink': [8, ['pointer...`
	conhost_types_x86 = `{'_ALIAS': [None, {'ListEntry': [0, ['_LIS...`
	conhost_types_x64 = `{'_ALIAS': [None, {'ListEntry': [0, ['_LIS...`
	winsrv_types_x86 = `{'_ALIAS': [None, {'ListEntry': [0, ['_LIST...`
	winsrv_types_x64 = `{'_ALIAS': [None, {'ListEntry': [0, ['_LIST...`
	__package__ = `'rekall.plugins.windows.malware'`

Variables Details

common_types

Value:

{'_LIST_ENTRY': [8,
                 {'Blink': [4, ['pointer', ['_LIST_ENTRY']]],
                  'Flink': [0, ['pointer', ['_LIST_ENTRY']]]}]}

common_types_64

Value:

{'_LIST_ENTRY': [16,
                 {'Blink': [8, ['pointer', ['_LIST_ENTRY']]],
                  'Flink': [0, ['pointer', ['_LIST_ENTRY']]]}]}

conhost_types_x86

Value:

{'_ALIAS': [None,
            {'ListEntry': [0, ['_LIST_ENTRY']],
             'Source': [12,
                        ['Pointer',
                         {'target': 'UnicodeString',
                          'target_args': {'encoding': 'utf16',
                                          'length': <function <lambda>
 at 0x7fafd1bdcb90>}}]],
...

conhost_types_x64

Value:

{'_ALIAS': [None,
            {'ListEntry': [0, ['_LIST_ENTRY']],
             'Source': [24,
                        ['pointer',
                         ['UnicodeString',
                          {'encoding': 'utf16',
                           'length': <function <lambda> at 0x7fafd1bdc
ed8>}]]],
...

winsrv_types_x86

Value:

{'_ALIAS': [None,
            {'ListEntry': [0, ['_LIST_ENTRY']],
             'Source': [12,
                        ['pointer',
                         ['UnicodeString',
                          {'encoding': 'utf16',
                           'length': <function <lambda> at 0x7fafd1bea
2a8>}]]],
...

winsrv_types_x64

Value:

{'_ALIAS': [None,
            {'ListEntry': [0, ['_LIST_ENTRY']],
             'Source': [20,
                        ['pointer',
                         ['UnicodeString',
                          {'encoding': 'utf16',
                           'length': <function <lambda> at 0x7fafd1bea
578>}]]],
...