The Volatility Framework
Public Member Functions | Public Attributes | List of all members
volatility.plugins.gui.atoms.PoolScanAtom Class Reference

Pool scanner for atom tables. More...

Inheritance diagram for volatility.plugins.gui.atoms.PoolScanAtom:
volatility.poolscan.PoolScanner

Public Member Functions

def __init__ (self, address_space)
 
- Public Member Functions inherited from volatility.poolscan.PoolScanner
def __init__ (self, address_space)
 

Public Attributes

 pooltag
 
 struct_name
 
 checks
 
 padding
 Note: all OS after XP, there are an extra 8 bytes (for 32-bit) or 16 bytes (for 64-bit) between the _POOL_HEADER and _RTL_ATOM_TABLE. More...
 
- Public Attributes inherited from volatility.poolscan.PoolScanner
 address_space
 
 struct_name
 
 object_type
 
 use_top_down
 
 skip_type_check
 
 pooltag
 
 checks
 
 padding
 

Detailed Description

Pool scanner for atom tables.

Member Data Documentation

volatility.plugins.gui.atoms.PoolScanAtom.padding

Note: all OS after XP, there are an extra 8 bytes (for 32-bit) or 16 bytes (for 64-bit) between the _POOL_HEADER and _RTL_ATOM_TABLE.

This is variable length structure, so we can't use the bottom-up approach as we do with other object scanners - because the size of an _RTL_ATOM_TABLE differs depending on the number of hash buckets.

The documentation for this class was generated from the following file: