volatility3.framework.interfaces.objects module
Objects are the core of volatility, and provide pythonic access to interpreted values of data from a layer.
-
class ObjectInformation(layer_name, offset, member_name=None, parent=None, native_layer_name=None, size=None)
Bases: volatility3.framework.interfaces.objects.ReadOnlyMapping
This typically contains information such as the layer the object belongs to, the offset where it was constructed, and if it is a subordinate object, its parent.
This is primarily used to reduce the number of parameters passed to object constructors and keep them all together in a single place. These values are based on the ReadOnlyMapping class, to prevent their modification.
Constructs a container for basic information about an object.
- Parameters
layer_name (str) – Layer from which the data for the object will be read
offset (int) – Offset within the layer at which the data for the object will be read
member_name (Optional[str]) – If the object was accessed as a member of a parent object, this was the name used to access it
parent (Optional[ObjectInterface]) – If the object was accessed as a member of a parent object, this is the parent object
native_layer_name (Optional[str]) – If this object references other objects (such as a pointer), what layer those objects live in
size (Optional[int]) – The size that the whole structure consumes in bytes
-
get(k[, d]) → D[k] if k in D, else d. d defaults to None.
-
items() → a set-like object providing a view on D’s items
-
keys() → a set-like object providing a view on D’s keys
-
values() → an object providing a view on D’s values
-
class ObjectInterface(context, type_name, object_info, **kwargs)
Bases: object
A base object required to be the ancestor of every object used in volatility.
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
-
class VolTemplateProxy
Bases: object
A container for proxied methods that the ObjectTemplate of this object will call. This is primarily to keep methods together for easy organization/management; there is no significant need for it to be a separate class.
The methods of this class must be class methods rather than standard methods, to allow for code reuse. Each method also takes a template since the templates may contain the necessary data about the yet-to-be-constructed object. It allows objects to control how their templates respond without needing to write new templates for each and every potential object type.
-
abstract classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type
-
abstract classmethod relative_child_offset(template, child)
Returns the relative offset from the head of the parent data to the child member.
- Return type
-
abstract classmethod
-
cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If new type name does not include a symbol table, the symbol table for the current object is used.
- Return type
-
get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
-
has_member(member_name)
Returns whether the object would contain a member called member_name.
-
has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names.
-
property vol
Returns the volatility specific object information.
- Return type
-
class ReadOnlyMapping(dictionary)
Bases: collections.abc.Mapping
A read-only mapping of various values that offers attribute access as well.
This ensures that the data stored in the mapping should not be modified, making an immutable mapping.
-
get(k[, d]) → D[k] if k in D, else d. d defaults to None.
-
items() → a set-like object providing a view on D’s items
-
keys() → a set-like object providing a view on D’s keys
-
values() → an object providing a view on D’s values
-
class Template(type_name, **arguments)
Bases: object
Class for all Factories that take offsets, and data layers and produce objects.
This is effectively a class for currying object calls. It creates a callable that can be called with the following parameters:
- Parameters
context – The context containing the memory layers and symbols required to construct the object
object_info – Basic information about the object, see the ObjectInformation class for more information
- Returns
The constructed object
The keyword arguments handed to the constructor, along with the type_name, are stored for later retrieval. These will be accessed as object.vol.<keyword> or template.vol.<keyword> for each object and should contain at least the basic information that each object will require before it is instantiated (so offset and parent are explicitly not recorded here). This dictionary can be updated after construction, but any changes made after that point will not be cloned. This is so that templates such as those for string objects may contain different length limits, without affecting all other strings using the same template from a SymbolTable, constructed at resolution time and then cached.
Stores the keyword arguments for later object creation.
-
property children
The children of this template (such as member types, sub-types and base-types where they are relevant).
Used to traverse the template tree.
-
clone()
Returns a copy of the original Template as constructed (without update_vol additions having been made).
- Return type
-
abstract has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type
-
abstract relative_child_offset(child)
Returns the relative offset of the child member from its parent offset.
- Return type
-
abstract replace_child(old_child, new_child)
Replaces old_child with new_child in the list of children.
- Return type
-
update_vol(**new_arguments)
Updates the keyword arguments with values that will not be carried across to clones.
- Return type
-
property vol
Returns a volatility information object, much like the ObjectInformation provides.
- Return type
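
The Template behaviour described above (a curried constructor whose update_vol additions are not carried into clones, exposed through a read-only mapping with attribute access), as an added standalone sketch that does not import Volatility and is not the project's own code. The names SketchReadOnlyMapping, SketchTemplate and demo, and the sample values, are assumptions made for illustration.

```python
import collections
from collections.abc import Mapping

class SketchReadOnlyMapping(Mapping):
    """Mapping with attribute access and no item assignment (hypothetical name)."""
    def __init__(self, dictionary):
        self._dict = dictionary

    def __getattr__(self, attr):
        # Reached only when normal lookup fails; private names never map to keys.
        if attr.startswith("_") or attr not in self._dict:
            raise AttributeError(attr)
        return self._dict[attr]

    def __getitem__(self, key):
        return self._dict[key]

    def __iter__(self):
        return iter(self._dict)

    def __len__(self):
        return len(self._dict)

class SketchTemplate:
    """Curried constructor: keeps type_name and keyword arguments for later."""
    def __init__(self, type_name, **arguments):
        # maps[0] receives update_vol() additions; maps[1] stays as constructed.
        self._vol = collections.ChainMap({}, dict(arguments, type_name=type_name))

    @property
    def vol(self):
        return SketchReadOnlyMapping(self._vol)

    def update_vol(self, **new_arguments):
        self._vol.update(new_arguments)  # ChainMap writes only to maps[0]

    def clone(self):
        original = dict(self._vol.maps[1])  # drops update_vol() additions
        return type(self)(original.pop("type_name"), **original)

    def __call__(self, context, object_info):
        return SketchReadOnlyMapping({**self._vol, **object_info})  # stand-in for construction

def demo():
    template = SketchTemplate("string", max_length=64)  # constructed sample values
    template.update_vol(max_length=16)
    obj = template(None, SketchReadOnlyMapping({"layer_name": "primary", "offset": 0x1000}))
    return template.vol.max_length, template.clone().vol.max_length, obj.offset
```

demo() returns the updated limit seen on the template, the as-constructed limit seen on its clone, and the offset supplied at call time.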