Documentation
Index ¶
- Constants
- Variables
- func CTL_CODE(device_type, function, method, access uint32) uint32
- func CopyAndLog(ctx context.Context, in io.Reader, out io.Writer, logger Logger) error
- func GetCompressor(name string, w io.Writer) (io.Writer, func(), error)
- func GetDecompressor(header []byte, r io.Reader) (io.Reader, error)
- func InstallDriver(driver_path, service_name string, logger Logger) error
- func UninstallDriver(driver_path, service_name string, logger Logger) error
- func Winpmem_x64() (string, error)
- type Imager
- type LogContext
- type Logger
- type PHYSICAL_MEMORY_RANGE
- type PmemMode
- type Run
- type Uint64Hex
- type WINPMEM_MEMORY_INFO_64
- type WindowsFile
- type WinpmemInfo
- type WriteSeekCloser
Constants ¶
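// Sizing constants shared by the memory-info structures and the copy loop.
//
// The declarations are written one per line: in the collapsed single-line
// form the trailing line comment swallowed the closing parenthesis, so the
// block did not parse.
const (
	// NUMBER_OF_RUNS is the capacity of the fixed-size Run array in
	// WINPMEM_MEMORY_INFO_64. Any run count read at runtime has to be
	// checked against this bound before it is used as an index.
	NUMBER_OF_RUNS = 20

	// PAGE_SIZE is the page granularity in bytes (0x1000 = 4 KiB).
	PAGE_SIZE = 0x1000

	// BUFSIZE is 1024 pages, i.e. 4 MiB (4194304 bytes), not 4 megabits.
	BUFSIZE = PAGE_SIZE * 1024 // 4 MiB
)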
// Acquisition mode selectors, typed as PmemMode with the values 0, 1 and 2.
//
// NOTE(review): the names appear to map to the three read methods of the
// winpmem driver (I/O space mapping, the physical-memory device, and PTE
// remapping), and the value is presumably what IOCTL_SET_MODE carries -
// confirm against the driver before relying on this. The numeric values are
// part of the driver interface, so they must not be renumbered.
const (
	PMEM_MODE_IOSPACE  = PmemMode(0)
	PMEM_MODE_PHYSICAL = PmemMode(1)
	PMEM_MODE_PTE      = PmemMode(2)
)
Variables ¶
var (
	// Driver control codes, function numbers 0x101-0x104, all built by
	// CTL_CODE with the same device type, method and access arguments.
	//
	// Assuming CTL_CODE follows the Windows CTL_CODE macro (its parameter
	// names match; the body is not shown here - confirm): 0x22 is
	// FILE_DEVICE_UNKNOWN, method 3 is METHOD_NEITHER and access 3 is
	// FILE_READ_ACCESS|FILE_WRITE_ACCESS. With METHOD_NEITHER the I/O manager
	// does not buffer or probe the caller's pointers, so input validation is
	// entirely the driver's job; and because every code requires write
	// access, the device handle must be opened read/write even when only
	// IOCTL_GET_INFO is issued.
	//
	// NOTE(review): IOCTL_WRITE_ENABLE by its name turns on writing to
	// physical memory. An acquisition tool should not need it; check that no
	// code path issues it and treat its appearance in telemetry as a signal
	// worth alerting on.
	IOCTL_SET_MODE             = CTL_CODE(0x22, 0x101, 3, 3)
	IOCTL_WRITE_ENABLE         = CTL_CODE(0x22, 0x102, 3, 3)
	IOCTL_GET_INFO             = CTL_CODE(0x22, 0x103, 3, 3)
	IOCTL_REVERSE_SEARCH_QUERY = CTL_CODE(0x22, 0x104, 3, 3)

	// YamlFixup matches a double-quoted hexadecimal literal such as "0x1a2b"
	// and captures the unquoted value. Only lowercase hex digits match.
	// Presumably used by ToYaml to strip the quotes around hex values -
	// confirm against the caller.
	YamlFixup = regexp.MustCompile(`"(0x[a-f0-9]+)"`)
)
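// Leading byte signatures of the supported compressed stream formats.
//
// The declarations are written one per line; the collapsed single-line form
// had no separators between them and did not parse. The byte values are
// unchanged.
//
// These are exported, mutable slices: treat them as read-only, because a
// write to any element changes format detection for the whole process.
// Presumably they are compared against the header argument of
// GetDecompressor - confirm. A matching signature only identifies the
// container; it says nothing about whether the stream behind it is well
// formed or how large it expands, so the decompressed size of an untrusted
// image still has to be bounded by the reader.
var (
	// SNAPPY is the 10-byte stream identifier chunk of the Snappy framing
	// format: chunk type 0xFF, 3-byte little-endian length 6, then "sNaPpY".
	SNAPPY = []byte{0xFF, 0x06, 0x00, 0x00, 0x73, 0x4E, 0x61, 0x50, 0x70, 0x59}

	// S2 is the same identifier chunk with the S2 magic body "S2sTwO".
	S2 = []byte{0xFF, 0x06, 0x00, 0x00, 0x53, 0x32, 0x73, 0x54, 0x77, 0x4F}

	// GZIP is the gzip magic 0x1F 0x8B followed by compression method 8
	// (deflate). It is only 3 bytes long, so it is a much weaker
	// discriminator than the 10-byte signatures above.
	GZIP = []byte{0x1F, 0x8B, 0x08}
)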
// Winpmem_x64_gz is an exported package-level string.
//
// NOTE(review): by its name this is presumably the gzip-compressed x64
// winpmem driver image that Winpmem_x64 unpacks - confirm. If so, note that
// an exported mutable variable lets any code in the process replace the
// driver bytes before they are written out and loaded as a kernel driver.
// Verify the unpacked image against a known-good hash or its signature
// before passing the path to InstallDriver, and record that hash with the
// acquisition so the tooling used can be established later.
var Winpmem_x64_gz string
Functions ¶
func CopyAndLog ¶
func InstallDriver ¶
func UninstallDriver ¶
func Winpmem_x64 ¶
Types ¶
type Imager ¶
type Imager struct {
// contains filtered or unexported fields
}
func (*Imager) Stats ¶
func (self *Imager) Stats() *WinpmemInfo
type LogContext ¶
type LogContext struct {
// contains filtered or unexported fields
}
func (*LogContext) Debug ¶
func (self *LogContext) Debug(format string, args ...interface{})
func (*LogContext) Info ¶
func (self *LogContext) Info(format string, args ...interface{})
func (*LogContext) Progress ¶
func (self *LogContext) Progress(pages int)
func (*LogContext) SetProgress ¶
func (self *LogContext) SetProgress(pages_per_dot int)
type Logger ¶
type PHYSICAL_MEMORY_RANGE ¶
type WINPMEM_MEMORY_INFO_64 ¶
// WINPMEM_MEMORY_INFO_64 is a fixed-layout record made only of uint64 fields
// and fixed-size arrays, ending in NumberOfRuns and a Run array with room for
// NUMBER_OF_RUNS entries. Info converts it to a *WinpmemInfo.
//
// NOTE(review): presumably this mirrors the buffer the driver fills for
// IOCTL_GET_INFO - confirm. If so, field order, the [0xfe]uint64 Padding and
// the array sizes must match the driver's structure exactly; do not reorder
// or resize them.
//
// NumberOfRuns is a full uint64 supplied with the data, while Run holds only
// NUMBER_OF_RUNS entries. Any consumer has to reject or clamp a NumberOfRuns
// larger than NUMBER_OF_RUNS before using it to index or slice Run; verify
// that Info does so (its body is not shown here).
type WINPMEM_MEMORY_INFO_64 struct {
	CR3                 uint64
	NtBuildNumber       uint64
	KernelBase          uint64
	KDBG                uint64
	KPCR                [64]uint64
	PfnDataBase         uint64
	PsLoadedModuleList  uint64
	PsActiveProcessHead uint64
	NtBuildNumberAddr   uint64
	Padding             [0xfe]uint64
	NumberOfRuns        uint64
	Run                 [NUMBER_OF_RUNS]PHYSICAL_MEMORY_RANGE
}
func (*WINPMEM_MEMORY_INFO_64) Info ¶
func (self *WINPMEM_MEMORY_INFO_64) Info() *WinpmemInfo
type WindowsFile ¶
type WindowsFile struct {
// contains filtered or unexported fields
}
func (*WindowsFile) Close ¶
func (self *WindowsFile) Close() error
type WinpmemInfo ¶
// WinpmemInfo is the YAML-serialisable form of the acquisition metadata: a
// subset of the WINPMEM_MEMORY_INFO_64 fields, with the scalar values typed
// as Uint64Hex and KPCR and Run held as slices rather than fixed arrays.
// ToYaml renders it as a string.
//
// The record carries kernel addresses (CR3, KernelBase, KPCR) and the
// physical memory layout of the acquired machine. Store it alongside the
// image as part of the evidence and give it the same access controls as the
// image itself.
type WinpmemInfo struct {
	CR3               Uint64Hex               `yaml:"CR3"`
	NtBuildNumber     Uint64Hex               `yaml:"NtBuildNumber"`
	KernelBase        Uint64Hex               `yaml:"KernelBase"`
	KPCR              []Uint64Hex             `yaml:"KPCR"`
	NtBuildNumberAddr Uint64Hex               `yaml:"NtBuildNumberAddr"`
	Run               []PHYSICAL_MEMORY_RANGE `yaml:"Run"`
}
func (*WinpmemInfo) ToYaml ¶
func (self *WinpmemInfo) ToYaml() string
type WriteSeekCloser ¶
func CreateFileForWriting ¶
func CreateFileForWriting(sparse bool, path string) (WriteSeekCloser, error)
Source Files