package documentation

Package of Windows-related utilities.

It provides several utilities:

  • Retrieving the current `EPROCESS` and `ETHREAD`
  • Retrieving a handle from a handle value, and listing the accessible handles
  • Parsing the object associated with a handle

The entry point is Context, which can be constructed from a reven2.trace.Context and contains the methods that retrieve this information.

Known limitations

These utilities may partially work on older Windows versions, but they are mainly built for Windows 10 (x86 and x64).

  • Module context: a wrapper around reven2.trace.Context that adds Windows 10 utility methods to it
  • Module handle: parsing of Windows 10 handles from handle tables
  • Module object: parsing of Windows 10 objects, with their header and optional headers
  • Module utils: general utilities for Windows