memflow-py

Add more documentation

Open emesare opened this issue 3 years ago • 2 comments

The ideal place to add this documentation would be within the typing file, here.

emesare, Dec 02 '22 22:12

In process.rs there is a comment starting on line 259 stating that Process.address() returns the address of the PEB. Upon testing, I found that it actually is the address of the EPROCESS structure.

I would be happy to correct this as well as add more documentation, is there a desired format?

enie7, Jul 04 '23 06:07

> In process.rs there is a comment starting on line 259 stating that Process.address() returns the address of the PEB. Upon testing, I found that it actually is the address of the EPROCESS structure.
>
> I would be happy to correct this as well as add more documentation, is there a desired format?

Are you observing this when enumerating kernel modules? If so, then if you would like to add a note next to it that in the Windows kernel this returns the EPROCESS structure, that would help, thanks.

Maybe something like:

/// On a Windows process module this will be the address where the [`PEB`](https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb) entry is stored.
/// On a Windows kernel module this will be the address of the [`_EPROCESS`](https://www.nirsoft.net/kernel_struct/vista/EPROCESS.html) structure.

emesare, Jul 04 '23 20:07