search

memflow / memflow-py

Python support for memflow
https://pypi.org/project/memflow/
MIT License
13 stars 4 forks source link

Add more documentation #3

Open emesare opened 1 year ago

emesare commented 1 year ago

The ideal place to add this documentation would be within the typing file, here.

roadkillsanta commented 1 year ago

In process.rs there is a comment starting on line 259 stating that Process.address() returns the address of the PEB. Upon testing, I found that it actually is the address of the EPROCESS structure.

I would be happy to correct this as well as add more documentation, is there a desired format?

emesare commented 1 year ago

In process.rs there is a comment starting on line 259 stating that Process.address() returns the address of the PEB. Upon testing, I found that it actually is the address of the EPROCESS structure.

I would be happy to correct this as well as add more documentation, is there a desired format?

Are you observing this when enumerating kernel modules? If so, then If you would like to add a note next to it that in windows kernel this returns the EPROCESS structure that would help, thanks.

Maybe something like:

/// On a Windows process module this will be the address where the [`PEB`](https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb) entry is stored.
/// On a Windows kernel module this will be the address of the [`_EPROCESS`](https://www.nirsoft.net/kernel_struct/vista/EPROCESS.html) structure.