
Module pagefile


This file adds pagefile support.

Although most of the address translation machinery lives in hardware, a page fault hands control to the operating system's pager, which is responsible for faulting in invalid pages. Resolving those pages therefore requires operating-system-specific support.

Rekall's base paging address spaces emulate the hardware MMU's page translation; when a page is invalid, Rekall instead emulates the operating system's page fault handling to find where the page's contents live (for example in transition, in a pagefile, or in a mapped file). The correct (OS-dependent) address space is selected in rekall.plugins.core.FindDTB.GetAddressSpaceImplementation() based on the profile metadata.

This file implements the algorithms described in the paper:

[1] Michael Cohen, "Forensic Analysis of Windows User space Applications through Heap allocations", 3rd IEEE International Workshop on Security and Forensics in Communication Systems, 2015.
    http://www.rekall-forensic.com/docs/References/Papers/p1138-cohen.pdf


Author: Michael Cohen <scudette@google.com>

Classes
  WindowsPTEDescriptor: Print the PTE in exploded view.
  WindowsPDEDescriptor
  WindowsProtoTypePTEDescriptor
  WindowsSoftwarePTEDescriptor
  DemandZeroDescriptor: Describe a Demand Zero page.
  WindowsValidPTEDescriptor: A descriptor for Valid or in Transition PTEs.
  WindowsPagefileDescriptor: A descriptor to mark the final physical address resolution.
  WindowsFileMappingDescriptor: Describe a file mapping.
  WindowsSubsectionPTEDescriptor: A descriptor for a subsection PTE.
  VadPteDescriptor: A descriptor which applies specifically for Prototype PTEs from the VAD.
  WindowsDTBDescriptor: A descriptor for DTB values.
  WindowsPagedMemoryMixin: A mixin to implement Windows-specific paged memory address spaces.
  WindowsIA32PagedMemoryPae: A Windows-specific IA32PagedMemoryPae.
  WindowsAMD64PagedMemory: A Windows-specific AMD64PagedMemory.
  Pagefiles: Report all the active pagefiles.
  PagefileHook: Map pagefile number to the filename.
Functions
  Reentrant(func)
Variables
  __package__ = 'rekall.plugins.windows'