Package rekall :: Package plugins :: Package windows :: Package registry :: Module registry

Module registry

This is the registry parser.

We parse registry structures from files or memory.

Author: Michael Cohen <scudette@gmail.com> based on original code by Brendan Dolan-Gavitt

Classes
	HiveBaseAddressSpace
	HiveFileAddressSpace Translate between hive addresses and a flat file address space.
	HiveAddressSpace
	Registry A High level class to abstract access to the registry hive.
	RegistryHive
	RegistryPlugin A generic registry plugin.
	Hives List all the registry hives on the system.

Functions

RekallRegisteryImplementation(profile)
The standard rekall registry parsing subsystem.

source code

Variables
	registry_overlays = `{'_CHILD_LIST': [None, {'List': [None, ['P...`
	__package__ = `'rekall.plugins.windows.registry'`

Variables Details

registry_overlays

Value:

{'_CHILD_LIST': [None,
                 {'List': [None,
                           ['Pointer32',
                            {'target': 'Array',
                             'target_args': {'count': <function <lambd
a> at 0x7fafd1a03b90>,
                                             'target': 'Pointer32',
                                             'target_args': {'target':
...