volatility3.framework.symbols.windows.extensions package

class CONTROL_AREA(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType
    A class for _CONTROL_AREA structures.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    PAGE_MASK = 4095
    PAGE_SIZE = 4096

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    get_available_pages(): Get the available pages that correspond to a cached file. The tuples generated are (physical_offset, file_offset, page_size).
    get_subsection(): Get the Subsection object, which is found immediately after the _CONTROL_AREA.
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.

class DEVICE_OBJECT(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType, volatility3.framework.symbols.windows.extensions.pool.ExecutiveObject
    A class for kernel device objects.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    get_object_header()
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.

class DRIVER_OBJECT(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType, volatility3.framework.symbols.windows.extensions.pool.ExecutiveObject
    A class for kernel driver objects.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    get_object_header()
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.

class EPROCESS(context, type_name, object_info, size, members)
    Bases: volatility3.framework.symbols.generic.GenericIntelProcess, volatility3.framework.symbols.windows.extensions.pool.ExecutiveObject
    A class for executive kernel process objects.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    add_process_layer(config_prefix=None, preferred_name=None): Constructs a new layer based on the process's DirectoryTableBase.
    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    environment_variables(): Generator for environment variables.
        The PEB points to the environment block: a series of null-terminated Unicode strings. Each string cannot be more than 0x7FFF chars. The end of the list is marked by a quad-null.
    get_object_header()
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    init_order_modules(): Generator for DLLs in the order that they were initialized.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.
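An added example, not code from Volatility 3, that parses an environment block laid out the way the environment_variables docstring describes: NUL-terminated UTF-16LE strings ending in a quad-null, with the 0x7FFF per-string limit enforced and truncated blocks stopped rather than decoded as garbage. The sample block, the NAME=VALUE split and the builder helper are constructed for this example.

```python
MAX_ENV_STRING_CHARS = 0x7FFF   # per-string limit quoted in the docstring above


def parse_environment_block(block: bytes):
    """Yield (name, value) pairs from a UTF-16LE environment block.

    Each entry is a NUL-terminated UTF-16LE string. The block ends where an
    empty string immediately follows a terminator, i.e. at a run of four
    zero bytes (the "quad-null"). A string longer than MAX_ENV_STRING_CHARS,
    or a block that runs out before a terminator, is treated as corrupt and
    stops the walk instead of yielding partial data.
    """
    pos = 0
    while pos + 1 < len(block):
        end = pos
        # Scan one UTF-16 code unit (2 bytes) at a time so a 0x00 byte inside
        # a character such as U+0100 is never mistaken for a terminator.
        while end + 1 < len(block) and block[end:end + 2] != b"\x00\x00":
            end += 2
        if end + 1 >= len(block):
            return                      # truncated: no terminator reached
        if end == pos:
            return                      # empty string: the quad-null terminator
        if (end - pos) // 2 > MAX_ENV_STRING_CHARS:
            return                      # exceeds the documented limit
        entry = block[pos:end].decode("utf-16-le", errors="replace")
        # Hidden drive-letter variables such as "=C:=C:\\" begin with '=', so
        # split on the first '=' after the leading character.
        sep = entry.find("=", 1)
        if sep == -1:
            yield entry, ""
        else:
            yield entry[:sep], entry[sep + 1:]
        pos = end + 2


def build_environment_block(pairs):
    """Construct a block in the layout above (inverse of the parser); used
    only to create the sample input for this example."""
    body = b"".join(f"{name}={value}".encode("utf-16-le") + b"\x00\x00"
                    for name, value in pairs)
    return body + b"\x00\x00"           # the empty string closes the block


# Constructed sample block; the paths and host name are made up.
SAMPLE_ENV = build_environment_block([
    ("=C:", "C:\\Users\\analyst"),
    ("COMPUTERNAME", "WS-LAB-01"),
    ("Path", "C:\\Windows\\system32;C:\\Windows"),
])

if __name__ == "__main__":
    for name, value in parse_environment_block(SAMPLE_ENV):
        print(f"{name!r} = {value!r}")
```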

class ETHREAD(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType
    A class for executive thread objects.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.

class EX_FAST_REF(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType
    This is a standard Windows structure that stores a pointer to an object but also uses the least significant bits to encode additional details. When dereferencing the pointer, those extra bits must be stripped off.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.
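As an added example (not Volatility 3's own code) of the bit-stripping described above: a raw _EX_FAST_REF value is split into the aligned object pointer and the reference count carried in its low bits, and a zero value is reported as "no object" rather than dereferenced. The bit widths (4 spare bits on 64-bit, 3 on 32-bit, matching 16- and 8-byte object alignment) and the sample address are assumptions for this example.

```python
import struct

# Assumed widths (not stated on the page): an _EX_FAST_REF borrows as many
# low bits as the pointee's alignment leaves free, 4 on 64-bit and 3 on
# 32-bit, keyed here by pointer size in bytes.
EX_FAST_REF_BITS = {4: 3, 8: 4}


def decode_ex_fast_ref(raw: int, pointer_size: int):
    """Split a raw _EX_FAST_REF value into (object_pointer, fast_refcount).

    The pointer is the raw value with the spare low bits cleared; the
    refcount is those bits. Using the raw value as a pointer would land
    inside the object at an unaligned address, which is the bug this avoids.
    """
    bits = EX_FAST_REF_BITS[pointer_size]
    mask = (1 << bits) - 1
    return raw & ~mask, raw & mask


def read_ex_fast_ref(image: bytes, offset: int, pointer_size: int):
    """Read a little-endian _EX_FAST_REF from a buffer and decode it.
    Returns None when the stored value is zero (no object referenced)."""
    fmt = "<I" if pointer_size == 4 else "<Q"
    (raw,) = struct.unpack_from(fmt, image, offset)
    if raw == 0:
        return None
    return decode_ex_fast_ref(raw, pointer_size)


def encode_ex_fast_ref(pointer: int, refcount: int, pointer_size: int) -> int:
    """Inverse of decode; used only to build the constructed sample below."""
    bits = EX_FAST_REF_BITS[pointer_size]
    if pointer & ((1 << bits) - 1):
        raise ValueError("pointer is not aligned enough to carry a refcount")
    if not 0 <= refcount < (1 << bits):
        raise ValueError("refcount does not fit in the spare bits")
    return pointer | refcount


# Constructed sample: two consecutive 64-bit _EX_FAST_REF fields, the first
# pointing at a made-up object address with 7 cached references, the second
# empty.
SAMPLE_64 = struct.pack("<QQ", encode_ex_fast_ref(0xFFFF9D8A12345680, 7, 8), 0)

if __name__ == "__main__":
    print(read_ex_fast_ref(SAMPLE_64, 0, 8))   # (0xffff9d8a12345680, 7)
    print(read_ex_fast_ref(SAMPLE_64, 8, 8))   # None
```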

class FILE_OBJECT(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType, volatility3.framework.symbols.windows.extensions.pool.ExecutiveObject
    A class for Windows file objects.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    get_object_header()
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.

class KMUTANT(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType, volatility3.framework.symbols.windows.extensions.pool.ExecutiveObject
    A class for Windows mutant objects.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    get_object_header()
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.

class KSYSTEM_TIME(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType
    A system time structure that stores a high and a low part.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.

class KTHREAD(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType
    A class for thread control block objects.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.

class LIST_ENTRY(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType, collections.abc.Iterable
    A class for doubly-linked lists on Windows.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    to_list(symbol_type, member, forward=True, sentinel=True, layer=None): Returns an iterator of the entries in the list.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.

class MMVAD(context, type_name, object_info, size, members)
    Bases: volatility3.framework.symbols.windows.extensions.MMVAD_SHORT
    A version of the process virtual memory range structure that contains additional fields necessary to map files from disk.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    get_commit_charge(): Get the VAD's commit charge (number of committed pages).
    get_end(): Get the VAD's ending virtual address.
    get_left_child(): Get the left child member.
    get_parent(): Get the VAD's parent member.
    get_private_memory(): Get the VAD's private memory setting.
    get_protection(protect_values, winnt_protections): Get the VAD's protection constants as a string.
    get_right_child(): Get the right child member.
    get_start(): Get the VAD's starting virtual address.
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    get_tag()
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    traverse(visited=None, depth=0): Traverse the VAD tree, determining each underlying VAD node type by looking up the pool tag for the structure and then casting into a new object.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.

class MMVAD_SHORT(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType
    A class that represents process virtual memory ranges.
    Each instance is a node in a binary tree structure and is pointed to by VadRoot.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    get_protection(protect_values, winnt_protections): Get the VAD's protection constants as a string.
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    traverse(visited=None, depth=0): Traverse the VAD tree, determining each underlying VAD node type by looking up the pool tag for the structure and then casting into a new object.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.

class OBJECT_SYMBOLIC_LINK(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType, volatility3.framework.symbols.windows.extensions.pool.ExecutiveObject
    A class for kernel symbolic link objects.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    get_object_header()
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.

class SHARED_CACHE_MAP(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType
    A class for _SHARED_CACHE_MAP structures.
    Constructs an Object adhering to the ObjectInterface.
    Parameters:
    - context (ContextInterface): The context associated with the object
    - type_name (str): The name of the type structure for the object
    - object_info (ObjectInformation): Basic information relevant to the object (layer, offset, member_name, parent, etc)

    VACB_ARRAY = 128
    VACB_BLOCK = 262144
    VACB_LEVEL_SHIFT = 7
    VACB_OFFSET_SHIFT = 18
    VACB_SIZE_OF_FIRST_LEVEL = 33554432

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
        classmethod has_member(template, member_name): Returns whether the object would contain a member called member_name.
        classmethod relative_child_offset(template, child): Returns the relative offset of a child to its parent.
        classmethod replace_child(template, old_child, new_child): Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits.
        Note: If the new type name does not include a symbol table, the symbol table for the current object is used.
    get_available_pages(): Get the available pages that correspond to a cached file. The lists generated are (virtual_offset, file_offset, page_size).
    get_symbol_table_name(): Returns the symbol table name for this particular object.
        Raises:
        - ValueError: If the object's symbol does not contain an explicit table
        - KeyError: If the table_name is not valid within the object's context
    has_member(member_name): Returns whether the object would contain a member called member_name.
    has_valid_member(member_name): Returns whether the dereferenced type has a valid member.
    has_valid_members(member_names): Returns whether the object has all of the members listed in member_names.
    process_index_array(array_pointer, level, limit, vacb_list=None): Recursively process the sparse multilevel VACB index array.
    property vol: Returns the Volatility-specific object information.
    write(value): Writes the new value into the format at the offset the object currently resides at.
class TOKEN(context, type_name, object_info, size, members)[source]
Bases: volatility3.framework.objects.StructType
A class for the process token (_TOKEN) object.
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
Note: if the new type name does not include a symbol table, the symbol table for the current object is used.
- Return type
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names.
- property vol
Returns the Volatility-specific object information.
- Return type
- write(value)
Writes the new value into the format at the offset the object currently resides at.
-
class UNICODE_STRING(context, type_name, object_info, size, members)[source]
Bases: volatility3.framework.objects.StructType
A class for Windows Unicode string structures.
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- property String
- Return type
- class VolTemplateProxy
Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
Note: if the new type name does not include a symbol table, the symbol table for the current object is used.
- Return type
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names.
- property vol
Returns the Volatility-specific object information.
- Return type
- write(value)
Writes the new value into the format at the offset the object currently resides at.
-
class VACB(context, type_name, object_info, size, members)[source]
Bases: volatility3.framework.objects.StructType
A class for _VACB structures.
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- FILEOFFSET_MASK = 18446744073709486080 (0xFFFFFFFFFFFF0000)
- class VolTemplateProxy
Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
Note: if the new type name does not include a symbol table, the symbol table for the current object is used.
- Return type
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names.
- property vol
Returns the Volatility-specific object information.
- Return type
- write(value)
Writes the new value into the format at the offset the object currently resides at.
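The SHARED_CACHE_MAP constants above (VACB_ARRAY, VACB_BLOCK, VACB_LEVEL_SHIFT, VACB_OFFSET_SHIFT, VACB_SIZE_OF_FIRST_LEVEL), its process_index_array and get_available_pages methods, and the VACB FILEOFFSET_MASK together describe how the Windows cache manager's sparse multilevel VACB index is walked to recover cached file pages. The following is an added example, not Volatility's own code: it models that structure in plain Python using the constants documented on this page. Everything else is an assumption made for illustration: the dict standing in for a _VACB, the made-up kernel addresses, the level-count formula derived from the constants (Volatility's own boundary handling may differ), and the simplification that every page of a mapped VACB is resident. The tree is constructed sample data, not read from a memory image.

```python
"""Model of the Windows cache manager's sparse multilevel VACB index.

Added example, not Volatility's code. Constants are those this page documents for
SHARED_CACHE_MAP and VACB; the tree is constructed sample data standing in for the
pointers a real walker would read from a memory image.
"""
from typing import Dict, List, Optional, Tuple

VACB_ARRAY = 128                      # entries per index-array level (1 << VACB_LEVEL_SHIFT)
VACB_BLOCK = 262144                   # bytes of file covered by one VACB (1 << VACB_OFFSET_SHIFT)
VACB_LEVEL_SHIFT = 7
VACB_OFFSET_SHIFT = 18
VACB_SIZE_OF_FIRST_LEVEL = 33554432   # VACB_ARRAY * VACB_BLOCK: reach of a single-level array
FILEOFFSET_MASK = 0xFFFFFFFFFFFF0000  # VACB.Overlay: FileOffset shares its low 16 bits with ActiveCount
PAGE_SIZE = 4096

Vacb = Dict[str, int]        # constructed stand-in for a _VACB: base_address + raw Overlay quadword
Page = Tuple[int, int, int]  # (virtual_offset, file_offset, page_size) as get_available_pages documents


def index_levels(section_size: int) -> int:
    """Index levels needed for section_size bytes: one level covers VACB_SIZE_OF_FIRST_LEVEL,
    and each further level multiplies the reach by VACB_ARRAY (assumed boundary rule)."""
    blocks = (section_size + VACB_BLOCK - 1) >> VACB_OFFSET_SHIFT  # ceil(size / VACB_BLOCK)
    levels, reach = 1, VACB_ARRAY
    while blocks > reach:
        reach <<= VACB_LEVEL_SHIFT
        levels += 1
    return levels


def index_path(file_offset: int, levels: int) -> List[int]:
    """Index taken at each level, root first, to reach the VACB covering file_offset."""
    block = file_offset >> VACB_OFFSET_SHIFT
    return [(block >> (VACB_LEVEL_SHIFT * (levels - 1 - lvl))) & (VACB_ARRAY - 1)
            for lvl in range(levels)]


def vacb_file_offset(raw_overlay: int) -> int:
    """FileOffset from the raw Overlay quadword; the mask drops the ActiveCount bits."""
    return raw_overlay & FILEOFFSET_MASK


def walk_index_array(array: list, level: int, limit: int,
                     vacbs: Optional[List[Vacb]] = None) -> List[Vacb]:
    """Depth-first walk of a sparse index array, skipping None (unmapped) entries.
    Same (array, level, limit, list) shape as process_index_array, over Python references."""
    if vacbs is None:
        vacbs = []
    for entry in array:
        if entry is None:
            continue
        if level == limit:          # last level: entries are VACBs
            vacbs.append(entry)
        else:                       # inner level: entries are child arrays
            walk_index_array(entry, level + 1, limit, vacbs)
    return vacbs


def available_pages(vacbs: List[Vacb], section_size: int) -> List[Page]:
    """Expand each VACB into 4 KiB pages, stopping at the end of the section.
    Assumes every page is resident; a real walker would also drop pages whose VA does not translate."""
    pages: List[Page] = []
    for vacb in vacbs:
        base, file_off = vacb["base_address"], vacb_file_offset(vacb["raw_overlay"])
        for i in range(VACB_BLOCK // PAGE_SIZE):
            if file_off + i * PAGE_SIZE >= section_size:
                break
            pages.append((base + i * PAGE_SIZE, file_off + i * PAGE_SIZE, PAGE_SIZE))
    return pages


def insert_vacb(root: list, levels: int, block: int, base_address: int, active_count: int = 0) -> None:
    """Place a constructed VACB for file block `block`, creating intermediate arrays on demand."""
    path = index_path(block << VACB_OFFSET_SHIFT, levels)
    node = root
    for idx in path[:-1]:
        if node[idx] is None:
            node[idx] = [None] * VACB_ARRAY
        node = node[idx]
    node[path[-1]] = {"base_address": base_address,
                      "raw_overlay": (block << VACB_OFFSET_SHIFT) | (active_count & 0xFFFF)}


def sample_pages() -> List[Page]:
    """Constructed sample: a 40 MiB + 2 page section with only blocks 0, 5 and 160 cached.
    Over 32 MiB needs two levels, so block 160 sits at path [1, 32]; base addresses are made up."""
    section_size = 40 * 1024 * 1024 + 2 * PAGE_SIZE
    levels = index_levels(section_size)
    root = [None] * VACB_ARRAY
    insert_vacb(root, levels, 0, 0xFFFFF88000000000, active_count=1)
    insert_vacb(root, levels, 5, 0xFFFFF88000140000)
    insert_vacb(root, levels, 160, 0xFFFFF88002800000, active_count=3)
    return available_pages(walk_index_array(root, 1, levels), section_size)
```

Two details matter when reading a real image rather than this model: the Overlay quadword must be masked with FILEOFFSET_MASK before it is treated as a file offset, otherwise the ActiveCount in the low 16 bits corrupts the offset; and the last VACB of a section can cover fewer pages than VACB_BLOCK, so page expansion has to stop at the section size, as the sample's third VACB shows.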
Submodules
- volatility3.framework.symbols.windows.extensions.kdbg module
- volatility3.framework.symbols.windows.extensions.network module
- volatility3.framework.symbols.windows.extensions.pe module
- volatility3.framework.symbols.windows.extensions.pool module
- volatility3.framework.symbols.windows.extensions.registry module
- volatility3.framework.symbols.windows.extensions.services module