The Volatility Framework
volatility.plugins.overlays.windows.win10.ObHeaderCookieStore Class Reference

A class for finding and storing the nt!ObHeaderCookie value.

Public Member Functions

def __init__ (self)
 
def cookie (self)
 
def findcookie (self, kernel_space)
 Find and read the nt!ObHeaderCookie value.
 

Static Public Member Functions

def instance ()
 

Detailed Description

A class for finding and storing the nt!ObHeaderCookie value.

Member Function Documentation

def volatility.plugins.overlays.windows.win10.ObHeaderCookieStore.findcookie (self, kernel_space)

Find and read the nt!ObHeaderCookie value.

On success, return True and save the cookie value in self._cookie. On failure, return False.

This method must be called before performing any tasks that require object header validation, including handles, psxview (due to pspcid), and the object scanning plugins (psscan, etc.).

NOTE: this cannot be implemented as a volatility "magic" class, because it must be persistent across various classes and sources. We don't want to recalculate the cookie value multiple times.
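
An added example, not Volatility's own code, of the pattern described above: one shared store that finds the cookie once, and a header check that refuses to run until the cookie is known. CookieStore, read_cookie, lookups, decode_type_index, validate_header and known_types are hypothetical names; the skip-if-cached behaviour is an assumption of this sketch, and the XOR step is the Windows 10 object header TypeIndex encoding.

```python
class CookieStore(object):
    """Hypothetical stand-in for a process-wide cookie store."""
    _instance = None

    def __init__(self):
        self._cookie = None
        self.lookups = 0  # number of times the expensive search actually ran

    @staticmethod
    def instance():
        # One shared object, so every plugin and overlay sees the same cookie.
        if CookieStore._instance is None:
            CookieStore._instance = CookieStore()
        return CookieStore._instance

    def cookie(self):
        return self._cookie

    def findcookie(self, read_cookie):
        """Return True and cache the cookie on success, False on failure.

        read_cookie is an assumed callable standing in for the search of
        kernel memory; it returns an int, or None if nothing was found.
        """
        if self._cookie is not None:
            return True  # already known: do not recalculate
        self.lookups += 1
        value = read_cookie()
        if value is None:
            return False
        self._cookie = value & 0xFF  # only the low byte takes part in the XOR
        return True


def decode_type_index(header_addr, stored_index, cookie):
    # Windows 10 stores TypeIndex XORed with the cookie and with the
    # second-lowest byte of the object header's own address.
    return (stored_index ^ cookie ^ (header_addr >> 8)) & 0xFF


def validate_header(header_addr, stored_index, known_types):
    """Map a header to a type name, or None if the decoded index is unknown."""
    cookie = CookieStore.instance().cookie()
    if cookie is None:
        raise RuntimeError("findcookie() must succeed before header validation")
    return known_types.get(decode_type_index(header_addr, stored_index, cookie))
```

Without the correct cookie, a scanner either rejects every genuine header or accepts arbitrary bytes as a match, which is why the lookup has to succeed before handles, psxview or the scanning plugins run.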


The documentation for this class was generated from the following file: