 |
The Volatility Framework
|
|
|
The Volatility Framework
|
|
A Scanner for KDBG data within an address space. More...
Public Member Functions | |
| def | v (self) |
| The –kdbg parameter for this Win8/2012 KDBG structure is the virtual address of the nt!KdCopyDataBlock function (see kdbgscan output). | |
| def | get_suggestions (self) |
| def | decode_kdbg (self, vals) |
| Decoder the KDBG block using the provided magic values and the algorithm reversed from the Windows kernel file. More... | |
| def | copy_data_block (self, full_addr) |
| This function emulates nt!KdCopyDataBlock on a live machine by finding the encoded KDBG structure and using the required entropy values to decode it. More... | |
| def | generate_suggestions (self) |
| Generates a list of possible KDBG structure locations. | |
 Public Member Functions inherited from volatility.obj.VolatilityMagic | |
| def | __init__ (self, theType, offset, vm, value=None, configname=None, kwargs) |
| def | v (self) |
| def | __str__ (self) |
| def | get_suggestions (self) |
| Returns a list of possible suggestions for the value. More... | |
| def | generate_suggestions (self) |
| def | get_best_suggestion (self) |
| Returns the best suggestion for a list of possible suggestsions. | |
| Public Member Functions inherited from volatility.obj.BaseObject | |
| def | __init__ (self, theType, offset, vm, native_vm=None, parent=None, name=None, kwargs) |
| def | obj_type (self) |
| def | obj_vm (self) |
| def | obj_offset (self) |
| def | obj_parent (self) |
| def | obj_name (self) |
| def | obj_native_vm (self) |
| def | set_native_vm (self, native_vm) |
| Sets the native_vm. | |
| def | rebase (self, offset) |
| def | proxied (self, attr) |
| def | newattr (self, attr, value) |
| Sets a new attribute after the object has been created. | |
| def | write (self, value) |
| Function for writing the object back to disk. | |
| def | __getattr__ (self, attr) |
| This is only useful for proper methods (not ones that start with __ ) | |
| def | __setattr__ (self, attr, value) |
| def | __nonzero__ (self) |
| This method is called when we test the truth value of an Object. More... | |
| def | __eq__ (self, other) |
| def | __ne__ (self, other) |
| def | __hash__ (self) |
| def | m (self, memname) |
| def | is_valid (self) |
| def | dereference (self) |
| def | dereference_as (self, derefType, kwargs) |
| def | cast (self, castString) |
| def | v (self) |
| Do the actual reading and decoding of this member. | |
| def | __format__ (self, formatspec) |
| def | __str__ (self) |
| def | __repr__ (self) |
| def | d (self) |
| Display diagnostic information. | |
| def | __getstate__ (self) |
| This controls how we pickle and unpickle the objects. | |
| def | __setstate__ (self, state) |
Additional Inherited Members | |
| Public Attributes inherited from volatility.obj.VolatilityMagic | |
| configname | |
| value | |
| Public Attributes inherited from volatility.obj.BaseObject | |
| obj_offset | |
| obj_vm | |
A Scanner for KDBG data within an address space.
This implementation is specific for Windows 8 / 2012 64-bit versions because the KDBG block is encoded. We have to find it a special way and then perform the decoding routine before Volatility plugins can run.
| def volatility.plugins.overlays.windows.win8_kdbg.VolatilityKDBG.copy_data_block | ( | self, | |
| full_addr | |||
| ) |
This function emulates nt!KdCopyDataBlock on a live machine by finding the encoded KDBG structure and using the required entropy values to decode it.
| def volatility.plugins.overlays.windows.win8_kdbg.VolatilityKDBG.decode_kdbg | ( | self, | |
| vals | |||
| ) |
Decoder the KDBG block using the provided magic values and the algorithm reversed from the Windows kernel file.
1.8.9.1