volatility3.framework.contexts package
A Context maintains the accumulated state required for various plugins and framework functions.
This has been made an object to allow quick swapping and changing of contexts, to allow a plugin to act on multiple different contexts without them interfering with each other.
-
class Context
Bases: volatility3.framework.interfaces.context.ContextInterface
Maintains the context within which to construct objects.
The context object is the main method of carrying around state that’s been constructed for the purposes of investigating memory. It contains a symbol_space of all the symbols that can be accessed by plugins using the context. It also contains the memory made up of data and translation layers, and it contains a factory method for creating new objects.
Other context objects can be constructed as long as they support the ContextInterface. This is the primary context object to be used in the volatility framework. It maintains the
Initializes the context.
-
add_layer(layer)
Adds a named translation layer to the context.
- Parameters
layer (DataLayerInterface) – The layer to be added to the memory
- Raises
volatility3.framework.exceptions.LayerException – if the layer is already present, or has unmet dependencies
- Return type
-
clone()
Produce a clone of the context (and configuration), allowing modifications to be made without affecting any mutable objects in the original.
Memory constraints may become an issue for this function depending on how much is actually stored in the context.
- Return type
-
property config
Returns a mutable copy of the configuration, but does not allow the whole configuration to be altered.
- Return type
-
property layers
A LayerContainer object, allowing access to all data and translation layers currently available within the context.
- Return type
-
module(module_name, layer_name, offset, native_layer_name=None, size=None)
Constructs a new os-independent module.
- Parameters
module_name (str) – The name of the module
layer_name (str) – The layer within the context in which the module exists
offset (int) – The offset at which the module exists in the layer
native_layer_name (Optional[str]) – The default native layer for objects constructed by the module
size (Optional[int]) – The size, in bytes, that the module occupies from the offset location within the layer named layer_name
- Return type
-
object(object_type, layer_name, offset, native_layer_name=None, **arguments)
Object factory, takes a context, symbol, offset and optional layername.
Looks up the layername in the context, finds the object template based on the symbol, and constructs an object using the object template on the layer at the offset.
- Parameters
object_type (Union[str, Template]) – The name (or template) of the symbol type on which to construct the object. If this is a name, it should contain an explicit table name.
layer_name (str) – The name of the layer on which to construct the object
offset (int) – The offset within the layer at which the data used to create the object lives
native_layer_name (Optional[str]) – The name of the layer the object references (for pointers) if different to layer_name
- Return type
- Returns
A fully constructed object
-
property symbol_space
The space of all symbols that can be accessed within this context.
- Return type
-
-
class Module(context, module_name, layer_name, offset, symbol_table_name=None, native_layer_name=None)
Bases: volatility3.framework.interfaces.context.ModuleInterface
Constructs a new os-independent module.
- Parameters
context (ContextInterface) – The context within which this module will exist
module_name (str) – The name of the module
layer_name (str) – The layer within the context in which the module exists
offset (int) – The offset at which the module exists in the layer
symbol_table_name (Optional[str]) – The name of an associated symbol table
native_layer_name (Optional[str]) – The default native layer for objects constructed by the module
-
property context
Context that the module uses.
- Return type
-
get_symbol(name)
Returns a symbol from the module.
- Return type
-
object(object_type, offset=None, native_layer_name=None, absolute=False, **kwargs)
Returns an object created using the symbol_table_name and layer_name of the Module.
- Parameters
object_type (str) – Name of the type/enumeration (within the module) to construct
offset (Optional[int]) – The location of the object, ignored when symbol_type is SYMBOL
native_layer_name (Optional[str]) – Name of the layer in which constructed objects are made (for pointers)
absolute (bool) – whether the type’s offset is absolute within memory or relative to the module
- Return type
-
object_from_symbol(symbol_name, native_layer_name=None, absolute=False, **kwargs)
Returns an object based on a specific symbol (containing type and offset information) and the layer_name of the Module. This will throw a ValueError if the symbol does not contain an associated type, or if the symbol name is invalid. It will throw a SymbolError if the symbol cannot be found.
- Parameters
- Return type
-
class ModuleCollection(modules)
Bases: object
Class to contain a collection of SizedModules and reason about their contents.
-
deduplicate()
Returns a new deduplicated ModuleCollection featuring no repeated modules (based on data hash).
All 0 sized modules will have identical hashes and are therefore included in the deduplicated version.
- Return type
-
get_module_symbols_by_absolute_location(offset, size=0)
Returns a tuple of (module_name, list_of_symbol_names) for each module, where symbols live at the absolute offset in memory provided.
-
property modules
A name indexed dictionary of modules using that name in this collection.
- Return type
Dict[str, List[SizedModule]]
-
-
class SizedModule(context, module_name, layer_name, offset, size, symbol_table_name=None, native_layer_name=None)
Bases: volatility3.framework.contexts.Module
Constructs a new os-independent module.
- Parameters
context (ContextInterface) – The context within which this module will exist
module_name (str) – The name of the module
layer_name (str) – The layer within the context in which the module exists
offset (int) – The offset at which the module exists in the layer
symbol_table_name (Optional[str]) – The name of an associated symbol table
native_layer_name (Optional[str]) – The default native layer for objects constructed by the module
-
property context
Context that the module uses.
- Return type
-
get_symbol(name)
Returns a symbol from the module.
- Return type
-
get_symbols_by_absolute_location(offset, size=0)
Returns the symbols within this module that live at the specified absolute offset.
-
property hash
Hashes the module for equality checks.
The mapping should be sorted and should be quicker than reading the data. We turn it into JSON to make a common string and use a quick hash, because collisions are unlikely.
- Return type
-
object(object_type, offset=None, native_layer_name=None, absolute=False, **kwargs)
Returns an object created using the symbol_table_name and layer_name of the Module.
- Parameters
object_type (str) – Name of the type/enumeration (within the module) to construct
offset (Optional[int]) – The location of the object, ignored when symbol_type is SYMBOL
native_layer_name (Optional[str]) – Name of the layer in which constructed objects are made (for pointers)
absolute (bool) – whether the type’s offset is absolute within memory or relative to the module
- Return type
-
object_from_symbol(symbol_name, native_layer_name=None, absolute=False, **kwargs)
Returns an object based on a specific symbol (containing type and offset information) and the layer_name of the Module. This will throw a ValueError if the symbol does not contain an associated type, or if the symbol name is invalid. It will throw a SymbolError if the symbol cannot be found.
- Parameters
- Return type
-
property offset
Returns the offset that the module resides within the layer of layer_name.
- Return type
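
How the SizedModule hash property and ModuleCollection.deduplicate() documented above interact, as an added sketch that is not volatility3's own code. ToySizedModule, its constructed page mapping, the BLAKE2 digest standing in for the "quick hash", and the sample module names are all assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List

PAGE = 0x1000  # constructed page size for the toy layer


@dataclass(frozen=True)
class ToySizedModule:
    """Hypothetical stand-in for SizedModule (not the volatility3 class)."""
    name: str
    offset: int
    size: int

    def mapping(self) -> List[List[int]]:
        # Sorted [virtual, length, physical] runs covering offset..offset+size.
        # The physical address is a constructed offset-plus-constant mapping.
        pages = range(self.offset, self.offset + self.size, PAGE)
        return sorted([v, PAGE, v + 0x100000] for v in pages)

    @property
    def hash(self) -> str:
        # Hash the JSON form of the mapping rather than the module's bytes.
        blob = json.dumps(self.mapping()).encode("utf-8")
        return hashlib.blake2b(blob, digest_size=16).hexdigest()


def deduplicate(modules: List[ToySizedModule]) -> List[ToySizedModule]:
    """Drop repeats by hash, but keep every zero-sized module."""
    seen, kept = set(), []
    for mod in modules:
        if mod.size == 0 or mod.hash not in seen:
            kept.append(mod)
            seen.add(mod.hash)
    return kept


def sample_modules() -> List[ToySizedModule]:
    # Constructed listing: one driver reported twice under different names,
    # one distinct module, and two entries whose size could not be recovered.
    return [
        ToySizedModule("drv.sys", 0x10000, 0x2000),
        ToySizedModule("\\SystemRoot\\drv.sys", 0x10000, 0x2000),
        ToySizedModule("net.sys", 0x20000, 0x1000),
        ToySizedModule("unknown_a", 0x30000, 0),
        ToySizedModule("unknown_b", 0x40000, 0),
    ]
```

Because zero-sized entries all hash alike yet are all kept, a deduplicated collection can still hold several modules with the same hash; code that keys on the hash afterwards has to allow for that.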