This scanner carves things that look like _EPROCESS structures. More...

Inheritance diagram for contrib.plugins.psdispscan.PSDispScanner:

Static Public Attributes
list	checks

Detailed Description

This scanner carves things that look like _EPROCESS structures.

Since the _EPROCESS does not need to be linked to the process list, this scanner is useful to recover terminated or cloaked processes.

Member Data Documentation

list contrib.plugins.psdispscan.PSDispScanner.checks

static

Initial value:

 = [ ("DispatchHeaderCheck", {}),
                ("CheckDTBAligned", {}),
                ("CheckThreadList", {}),
                ("CheckSynchronization", {})
                ]

The documentation for this class was generated from the following file:

contrib/plugins/psdispscan.py

Static Public Attributes

Detailed Description

Member Data Documentation