 |
The Volatility Framework
|
|
|
The Volatility Framework
|
|
A very fast check for an _EPROCESS.Pcb.Header. More...
Public Member Functions | |
| def | __init__ (self, address_space, _kwargs) |
| def | check (self, offset) |
| def | skip (self, data, offset) |
Public Attributes | |
| type | |
| Because this checks needs to be super fast we first instantiate the _EPROCESS and work out the offsets of the type and size members. More... | |
| size | |
| buffer_size | |
Static Public Attributes | |
| int | order = 10 |
A very fast check for an _EPROCESS.Pcb.Header.
This check assumes that the type and size of _EPROCESS.Pcb.Header are unsigned chars, but allows their offsets to be determined from vtypes (so they could change between OS versions).
| contrib.plugins.psdispscan.DispatchHeaderCheck.type |
Because this checks needs to be super fast we first instantiate the _EPROCESS and work out the offsets of the type and size members.
Then in the check we just read those offsets directly.
1.8.9.1