Package rekall :: Package plugins :: Package windows :: Module pagefile :: Class WindowsFileMappingDescriptor

Class WindowsFileMappingDescriptor

Describe a file mapping.

Instance Methods

__init__(self, pte_address=None, page_offset=0, original_pte=None, **kwargs)
x.__init__(...) initializes x; see help(type(x)) for signature

source code

get_subsection(self)
Find the right subsection object for this pte.

source code

filename_and_offset(self, subsection=None)
Return the filename of the file mapped (if it is a file mapping).

source code

get_owners(self, subsection=None)
Returns a list of _EPROCESS, virtual offsets for owners.

source code

render(self, renderer)
Render this step.

source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Variables
	object_name = `None` hash(x) (Inherited from rekall.plugins.addrspaces.intel.AddressTranslationDescriptor)

Properties
Inherited from `object`: `__class__`

Method Details

init(self, pte_address=None, page_offset=0, original_pte=None, **kwargs)
(Constructor)

source code

x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__: (inherited documentation)

render(self, renderer)

source code

Render this step.

Overrides: addrspaces.intel.AddressTranslationDescriptor.render: (inherited documentation)

Class WindowsFileMappingDescriptor

__init__(self, pte_address=None, page_offset=0, original_pte=None, **kwargs) (Constructor)

render(self, renderer)

init(self, pte_address=None, page_offset=0, original_pte=None, **kwargs)
(Constructor)