Module rekall.plugins.windows.procdump

Class ProcExeDump


Dump a process to an executable file sample

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
  top_level_class
A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Instance Methods

__init__(self, *args, **kwargs)
Dump a process from memory into an executable.

collect(self)
Renders the tasks to disk images, outputting progress as they go.

CopyToFile(self, address_space, start, end, outfd)
Copy a part of the address space to the output file. (Inherited from rekall.plugins.core.DirectoryDumperMixin)

__iter__(self)
Make plugins that define collect iterable, as a convenience. (Inherited from rekall.plugin.Command)

__repr__(self)
repr(x) (Inherited from rekall.plugin.Command)

__str__(self)
Render into a string using the text renderer. (Inherited from rekall.plugin.Command)

check_dump_dir(self, dump_dir=None) (Inherited from rekall.plugins.core.DirectoryDumperMixin)

collect_as_dicts(self) (Inherited from rekall.plugin.TypedProfileCommand)

column_types(self)
Returns instances for each column definition. (Inherited from rekall.plugin.TypedProfileCommand)

filter_processes(self)
Filters the eprocess list using the pids lists. (Inherited from rekall.plugins.windows.common.WinProcessFilter)

get_column(self, name) (Inherited from rekall.plugin.TypedProfileCommand)

get_column_type(self, name) (Inherited from rekall.plugin.TypedProfileCommand)

get_plugin(self, name, **kwargs)
Returns an instance of the named plugin. (Inherited from rekall.plugin.Command)

getkeys(self) (Inherited from rekall.plugin.TypedProfileCommand)

list_eprocess(self)
List processes using the chosen methods. (Inherited from rekall.plugins.windows.common.WinProcessFilter)

list_from_eprocess(self) (Inherited from rekall.plugins.windows.common.WinProcessFilter)

reflect(self, member) (Inherited from rekall.plugin.TypedProfileCommand)

render(self, renderer, **options) (Inherited from rekall.plugin.TypedProfileCommand)

virtual_process_from_physical_offset(self, physical_offset)
Tries to return an eprocess in virtual space from a physical offset. (Inherited from rekall.plugins.windows.common.WinProcessFilter)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods

GetActiveClasses(cls, session)
Return only the active commands based on config. (Inherited from rekall.plugin.Command)

GetPrototype(cls, session)
Return an instance of this plugin with suitable default arguments. (Inherited from rekall.plugin.Command)

ImplementationByClass(self, name)

ImplementationByName(self, name)

args(cls, metadata) (Inherited from rekall.plugin.PhysicalASMixin)

is_active(cls, session)
Checks we are active. (Inherited from rekall.plugin.ProfileCommand)
Class Variables
  dump_dir_optional = True
  table_header = [{'name': '_EPROCESS', 'width': 50}, {'name': '...
  METHODS = ['PsActiveProcessHead', 'CSRSS', 'PspCidTable', 'Ses... (Inherited from rekall.plugins.windows.common.WinProcessFilter)
  PHYSICAL_AS_REQUIRED = True (Inherited from rekall.plugin.PhysicalASMixin)
  PROFILE_REQUIRED = True (Inherited from rekall.plugin.ProfileCommand)
  ROW_OPTIONS = set(['annotation', 'depth', 'hex_width', 'highli... (Inherited from rekall.plugin.TypedProfileCommand)
  classes = {'AFF4Acquire': <class 'rekall.plugins.tools.aff4acq... (Inherited from rekall.plugin.Command)
  classes_by_name = {None: [<class 'rekall.plugins.tools.ipython... (Inherited from rekall.plugin.Command)
  default_dump_dir = '.' (Inherited from rekall.plugins.core.DirectoryDumperMixin)
  error_status = None (Inherited from rekall.plugin.Command)
  interactive = False (Inherited from rekall.plugin.Command)
  mode = 'mode_windows_memory' (Inherited from rekall.plugins.windows.common.AbstractWindowsCommandPlugin)
  plugin_args = None (Inherited from rekall.plugin.ArgsParserMixin)
  plugin_feature = 'Command' (Inherited from rekall.plugin.Command)
  producer = False (Inherited from rekall.plugin.Command)
  table_options = {} (Inherited from rekall.plugin.TypedProfileCommand)
Properties
  filtering_requested (Inherited from rekall.plugins.windows.common.WinProcessFilter)
  name (Inherited from rekall.plugin.Command)

Inherited from object: __class__

Method Details

__init__(self, *args, **kwargs)
(Constructor)

Dump a process from memory into an executable.

        In Windows, PE files are mapped into memory section by section. Each
        section is copied from a region of the executable file into a region
        of the process's virtual memory:

    File on Disk                 Memory Image
0-> ------------    image base-> ------------
     Header                      Header
    ------------                 ------------
     Section 1
    ------------                 ------------
     Section 2                    Section 1
    ------------                 ------------

                                 ------------
                                  Section 2
                                 ------------

        This plugin simply copies the sections from memory back to their file
        offsets on disk. It is likely that some of the pages in memory are not
        memory resident (paged out, or never faulted in), so reads of those
        pages fail; the corresponding region of the output file is then null
        padded. When that happens the resulting executable will not run, but
        it can still be disassembled and analysed statically.

        References:
        http://code.google.com/p/corkami/downloads/detail?name=pe-20110117.pdf

        NOTE: Malware can alter the PE headers after the image is loaded, for
        example so that the sections' file offsets overlap. The remap option
        rewrites the section layout of the dumped file so the sections do not
        collide on disk.

        Args:
          remap: If set, the sections are re-laid out in the output file so
            they do not overlap.

          out_fd: Alternatively, a file-like object to write the dump to
            instead of a file in the dump directory.

Overrides: object.__init__
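To make the section copying, null padding and remap behaviour described above concrete, here is an added, self-contained example; it is not Rekall's own code. It reconstructs a PE file from a constructed in-memory image using a tiny page-keyed stand-in for an address space (`PageAddressSpace`), a hypothetical `dump_pe()` with a `remap` flag that mirrors the plugin's option, and a hand-built two-section PE32 image (`build_sample()`) whose `.data` page can be marked non-resident or whose section table can be tampered so that both sections claim the same file offset. All of these names, and the load address 0x400000, are assumptions of the example, not Rekall identifiers.

```python
# Added example, not Rekall's code: rebuild a PE file from its in-memory mapping.
# PageAddressSpace, parse_pe, dump_pe and build_sample are illustrative names.
import struct

PAGE = 0x1000
IMAGE_BASE = 0x400000          # assumed load address of the constructed sample


def align(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


class PageAddressSpace:
    """Stand-in address space: {page address: PAGE bytes}; a missing page is not resident."""
    def __init__(self, pages):
        self.pages = pages
        self.padded = 0        # bytes returned as nulls for unreadable pages

    def read(self, addr, length):
        out = bytearray()
        while length:
            page, off = addr & ~(PAGE - 1), addr & (PAGE - 1)
            chunk = min(length, PAGE - off)
            data = self.pages.get(page)
            if data is None:   # invalid page read: null pad, as the plugin does
                out += b"\0" * chunk
                self.padded += chunk
            else:
                out += data[off:off + chunk]
            addr, length = addr + chunk, length - chunk
        return bytes(out)


def parse_pe(aspace, base):
    """Walk DOS header -> PE signature -> optional header -> section table."""
    dos = aspace.read(base, 0x40)
    if dos[:2] != b"MZ":
        raise ValueError("no MZ header at image base")
    pe = base + struct.unpack_from("<I", dos, 0x3C)[0]          # e_lfanew
    coff = aspace.read(pe, 24)
    if coff[:4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect, opt_size = struct.unpack_from("<H", coff, 6)[0], struct.unpack_from("<H", coff, 20)[0]
    opt = aspace.read(pe + 24, opt_size)
    file_align = struct.unpack_from("<I", opt, 36)[0]           # same offset in PE32 and PE32+
    size_of_headers = struct.unpack_from("<I", opt, 60)[0]
    table = pe + 24 + opt_size
    sections = []
    for i in range(nsect):
        hdr = aspace.read(table + 40 * i, 40)
        _vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", hdr, 8)
        sections.append({"name": hdr[:8].rstrip(b"\0"), "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "hdr_off": table - base + 40 * i})
    return size_of_headers, file_align, sections


def sections_collide(sections):
    """True if two sections overlap in the file layout: a sign of tampered headers."""
    spans = sorted((s["rawptr"], s["rawptr"] + s["rawsize"]) for s in sections)
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))


def dump_pe(aspace, base, remap=False):
    """Copy each section from VirtualAddress back to PointerToRawData; remap re-lays them out."""
    size_of_headers, file_align, sections = parse_pe(aspace, base)
    out = bytearray(aspace.read(base, size_of_headers))
    if remap:
        nxt = align(size_of_headers, file_align)
        for s in sections:     # sequential, FileAlignment-aligned layout after the headers
            s["rawptr"] = nxt
            struct.pack_into("<I", out, s["hdr_off"] + 20, nxt)  # fix PointerToRawData
            nxt = align(nxt + s["rawsize"], file_align)
    elif sections_collide(sections):
        raise ValueError("section file offsets overlap; dump with remap=True")
    for s in sections:
        end = s["rawptr"] + s["rawsize"]
        if len(out) < end:
            out += b"\0" * (end - len(out))
        out[s["rawptr"]:end] = aspace.read(base + s["va"], s["rawsize"])
    return bytes(out)


def build_sample(tamper=False, data_resident=True):
    """Constructed two-section PE32 image (sample data, not a real binary)."""
    text = (b".text", 0x1000, 0x200, 0x400)                  # name, VA, raw size, raw ptr
    data = (b".data", 0x2000, 0x200, 0x400 if tamper else 0x600)  # tamper: same ptr as .text
    hdr = bytearray(PAGE)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                  # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 2)             # Machine=i386, NumberOfSections
    struct.pack_into("<H", hdr, 0x94, 0xE0)                  # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, 0x98, 0x10B)                 # PE32 magic
    struct.pack_into("<II", hdr, 0x98 + 32, PAGE, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, 0x98 + 56, 0x3000, 0x400)   # SizeOfImage, SizeOfHeaders
    for i, (name, va, raw, ptr) in enumerate((text, data)):
        o = 0x98 + 0xE0 + 40 * i
        hdr[o:o + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, o + 8, raw, va, raw, ptr)
    pages = {IMAGE_BASE: bytes(hdr), IMAGE_BASE + 0x1000: b"\xCC" * PAGE}
    if data_resident:
        pages[IMAGE_BASE + 0x2000] = b"\xDD" * PAGE
    return PageAddressSpace(pages)


if __name__ == "__main__":
    a = build_sample(data_resident=False)
    print(len(dump_pe(a, IMAGE_BASE)), "bytes dumped,", a.padded, "null padded (.data not resident)")
```

Dumping the sample with `.data` non-resident yields a 0x800-byte file whose `.data` region is all zeros, which is exactly why such a dump will not run but still disassembles. With tampered headers, `dump_pe()` refuses unless `remap=True`, in which case the section table in the output is rewritten so each section gets its own file region.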

collect(self)

Renders the tasks to disk images, outputting progress as they go.

Overrides: plugin.TypedProfileCommand.collect

ImplementationByClass(self, name)
Class Method

Overrides: plugin.Command.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: plugin.Command.ImplementationByName

Class Variable Details

table_header

Value:
[{'name': '_EPROCESS', 'width': 50}, {'name': 'Filename'}]