Package rekall :: Module scan :: Class FastStructScanner

Class FastStructScanner


This scanner looks for a struct in memory.

Arguments:
    expected_values:
        Provide a list/tuple of dicts mapping member names to their
        expected values. Each dict in the list you provide will correspond
        to a struct at the same index in an array. If you're only looking
        for a single struct, pass a list with only one dict in it.
    type_name: Name of the type to scan for.
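
A stand-alone illustration of the `expected_values` semantics described above: one dict per array index, each mapping member names to the values that must be present. This is an added example, not Rekall code, and it does not use Rekall's API; the struct layout, the names `LAYOUT`, `flatten_checks`, `find_structs` and the sample buffer are all constructed for illustration.

```python
import struct

# Hypothetical little-endian layout (not a Rekall profile):
# struct rec { uint32 tag; uint16 size; uint16 flags; }
LAYOUT = {"tag": (0, "<I"), "size": (4, "<H"), "flags": (6, "<H")}
STRUCT_SIZE = 8


def flatten_checks(expected_values):
    """Turn per-index member dicts into (offset_in_array, packed_bytes)."""
    checks = []
    for array_idx, members in enumerate(expected_values):
        for name, value in members.items():
            rel, fmt = LAYOUT[name]
            checks.append((array_idx * STRUCT_SIZE + rel,
                           struct.pack(fmt, value)))
    # Longest needle first: the most selective anchor for bytes.find().
    checks.sort(key=lambda c: len(c[1]), reverse=True)
    return checks


def find_structs(buf, expected_values):
    """Yield each offset in buf where every expected member matches."""
    checks = flatten_checks(expected_values)
    if not checks:
        return
    anchor_off, anchor = checks[0]
    span = len(expected_values) * STRUCT_SIZE
    pos = buf.find(anchor)
    while pos != -1:
        base = pos - anchor_off
        # Skip candidates whose array would extend outside the buffer.
        if base >= 0 and base + span <= len(buf) and all(
                buf[base + off:base + off + len(val)] == val
                for off, val in checks):
            yield base
        pos = buf.find(anchor, pos + 1)


def _rec(tag, size, flags):
    return struct.pack("<IHH", tag, size, flags)


# Constructed sample: a two-element array at offset 16 and a lone
# look-alike first element at offset 40.
TAG = 0x6B636150
SAMPLE = (b"\x00" * 16 + _rec(TAG, 0x20, 1) + _rec(TAG, 0x40, 0)
          + b"\xff" * 8 + _rec(TAG, 0x20, 1) + b"\x00" * 8)
```

Passing a single dict matches both offsets 16 and 40 in the sample; adding a second dict for array index 1 narrows the result to offset 16, because the look-alike at 40 is not followed by a matching second element.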

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.scan.BaseScanner)
  top_level_class
Base class for all scanners. (Inherited from rekall.scan.BaseScanner)
Instance Methods
 
__init__(self, type_name=None, expected_values=None, *args, **kwargs)
The base scanner.

build_checks(self, array_idx, struct_members)

build_constraints(self) (Inherited from rekall.scan.BaseScanner)
 
check_addr(self, offset, buffer_as=None)
Check an address. (Inherited from rekall.scan.BaseScanner)
 
scan(self, offset=0, maxlen=None, end=None)
Scan the region from offset for maxlen. (Inherited from rekall.scan.BaseScanner)
 
skip(self, buffer_as, offset)
Skip uninteresting regions. (Inherited from rekall.scan.BaseScanner)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods
 
ImplementationByClass(self, name)

ImplementationByName(self, name)
Class Variables
  type_name = None
  prototype = None
  expected_values = None
  checks = () (Inherited from rekall.scan.BaseScanner)
  classes = {'BaseScanner': <class 'rekall.scan.BaseScanner'>, '... (Inherited from rekall.scan.BaseScanner)
  classes_by_name = {None: [<class 'rekall.scan.BaseScanner'>, <... (Inherited from rekall.scan.BaseScanner)
  overlap = 1024 (Inherited from rekall.scan.BaseScanner)
  plugin_feature = 'BaseScanner' (Inherited from rekall.scan.BaseScanner)
  progress_message = 'Scanning 0x%(offset)08X with %(name)s' (Inherited from rekall.scan.BaseScanner)
Properties

Inherited from object: __class__

Method Details

__init__(self, type_name=None, expected_values=None, *args, **kwargs)
(Constructor)

The base scanner.

Args:
   profile: The profile to use for this scan.
   address_space: The address space we use for scanning.
   window_size: The size of the overlap window between each buffer read.

Overrides: object.__init__
(inherited documentation)

ImplementationByClass(self, name)
Class Method

Overrides: BaseScanner.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: BaseScanner.ImplementationByName