Package rekall :: Package plugins :: Package windows :: Module privileges :: Class PrivilegesHook

Class PrivilegesHook

Fetch the PrivilegesHook table.

In Windows, privilege values are not constant, they are actually stored in kernel globals. We can see this kind of privilege check:

0xf800027b4e10 mov rcx, qword ptr [rip + 0x3a42a1] 0x7 nt!SeTcbPrivilege 0xf800027b4e17 call 0xf80002956a58 nt!SeSinglePrivilegeCheck

Demonstrating that the kernel reads the values in these locations (i.e. they are not hard coded). Although in reality they are never changed in runtime and probably do not really change between systems or versions.

This hook collects these values from the image.

Nested Classes
	__metaclass__ Automatic Plugin Registration through metaclasses. (Inherited from rekall.kb.ParameterHook)
	top_level_class A mechanism for automatically calculating a parameter. (Inherited from rekall.kb.ParameterHook)

Instance Methods

calculate(self)
Derive the value of the parameter.

source code

__init__(self, session)
x.__init__(...) initializes x; see help(type(x)) for signature (Inherited from rekall.kb.ParameterHook)

source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods

ImplementationByClass(self, name)

source code

ImplementationByName(self, name)

source code

is_active(cls, session)
Checks we are active. (Inherited from rekall.plugin.ModeBasedActiveMixin)

source code

Class Variables
	name = `'privilege_table'` hash(x)
	classes = `{'AMD64Mode': <class 'rekall.plugins.modes.AMD64Mode...` (Inherited from rekall.kb.ParameterHook)
	classes_by_name = `{'ObjectTypeMap': [<class 'rekall.plugins.ov...` (Inherited from rekall.kb.ParameterHook)
	expiry = `None` hash(x) (Inherited from rekall.kb.ParameterHook)
	mode = `'mode_windows_memory'` hash(x) (Inherited from rekall.plugins.windows.common.AbstractWindowsParameterHook)
	plugin_feature = `'ParameterHook'` (Inherited from rekall.kb.ParameterHook)
	volatile = `True` (Inherited from rekall.kb.ParameterHook)

Properties
Inherited from `object`: `__class__`

Method Details

calculate(self)

source code

Derive the value of the parameter.

Overrides: kb.ParameterHook.calculate: (inherited documentation)

ImplementationByClass(self, name)
Class Method

source code

Overrides: kb.ParameterHook.ImplementationByClass

ImplementationByName(self, name)
Class Method

source code

Overrides: kb.ParameterHook.ImplementationByName

Class PrivilegesHook

calculate(self)

ImplementationByClass(self, name) Class Method

ImplementationByName(self, name) Class Method

ImplementationByClass(self, name)
Class Method

ImplementationByName(self, name)
Class Method