Package rekall :: Package plugins :: Package windows :: Module pagefile :: Class VadPteDescriptor

Class VadPteDescriptor

A descriptor which applies specifically for Prototype PTEs from the VAD.

Windows uses placeholder values in the PTE to trigger a further resolution of the PTE from the VAD. For example a PTE of 0xffffffff00000420 would signal to consult the VAD for the real status of this PTE.

Instance Methods

__init__(self, virtual_address=None, **kwargs)
Define a windows PTE object.

source code

render(self, renderer)
Render this step.

source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Variables
	default_pte_type = `None` hash(x) (Inherited from rekall.plugins.windows.pagefile.WindowsPTEDescriptor)
	object_name = `'pte'` hash(x) (Inherited from rekall.plugins.windows.pagefile.WindowsPTEDescriptor)

Properties
Inherited from `object`: `__class__`

Method Details

init(self, virtual_address=None, **kwargs)
(Constructor)

source code

Define a windows PTE object.

Valid PTE types are all the members inside the _MMPTE union. e.g. "Hard", "Transition", "Soft", etc).

Overrides: object.__init__

render(self, renderer)

source code

Render this step.

Overrides: addrspaces.intel.AddressTranslationDescriptor.render: (inherited documentation)

Class VadPteDescriptor

__init__(self, virtual_address=None, **kwargs) (Constructor)

render(self, renderer)

init(self, virtual_address=None, **kwargs)
(Constructor)