A class for finding and storing the nt!ObHeaderCookie value. More...
Public Member Functions | |
def | __init__ (self) |
def | cookie (self) |
def | findcookie (self, kernel_space) |
Find and read the nt!ObHeaderCookie value. More... | |
Static Public Member Functions | |
def | instance () |
A class for finding and storing the nt!ObHeaderCookie value.
def volatility.plugins.overlays.windows.win10.ObHeaderCookieStore.findcookie | ( | self, | |
kernel_space | |||
) |
Find and read the nt!ObHeaderCookie value.
On success, return True and save the cookie value in self._cookie. On Failure, return False.
This method must be called before performing any tasks that require object header validation including handles, psxview (due to pspcid) and the object scanning plugins (psscan, etc).
NOTE: this cannot be implemented as a volatility "magic" class, because it must be persistent across various classes and sources. We don't want to recalculate the cookie value multiple times.