volatility3.framework.symbols.windows.extensions.registry module¶
- class CMHIVE(context, type_name, object_info, size, members)[source]¶
Bases:
volatility3.framework.objects.StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replace a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- Return type
- get_name()[source]¶
Determine a name for the hive.
Note that some attributes are unpredictably blank across different OS versions while others are populated, so we check all possibilities and take the first one that’s not empty.
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property name: Optional[volatility3.framework.interfaces.objects.ObjectInterface]¶
Determine a name for the hive.
Note that some attributes are unpredictably blank across different OS versions while others are populated, so we check all possibilities and take the first one that’s not empty.
- Return type
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class CM_KEY_BODY(context, type_name, object_info, size, members)[source]¶
Bases:
volatility3.framework.objects.StructType
This represents an open handle to a registry key and is not tied to the registry hive file format on disk.
Constructs an Object adhering to the ObjectInterface.
- Parameters
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replace a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class CM_KEY_NODE(context, type_name, object_info, size, members)[source]¶
Bases:
volatility3.framework.objects.StructType
Extension to allow traversal of registry keys.
Constructs an Object adhering to the ObjectInterface.
- Parameters
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replace a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class CM_KEY_VALUE(context, type_name, object_info, size, members)[source]¶
Bases:
volatility3.framework.objects.StructType
Extensions to extract data from CM_KEY_VALUE nodes.
Constructs an Object adhering to the ObjectInterface.
- Parameters
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replace a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class HMAP_ENTRY(context, type_name, object_info, size, members)[source]¶
Bases:
volatility3.framework.objects.StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replace a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class RegKeyFlags(value)[source]¶
Bases:
enum.IntEnum
An enumeration.
- KEY_COMP_NAME = 32¶
- KEY_HIVE_ENTRY = 4¶
- KEY_HIVE_EXIT = 2¶
- KEY_IS_VOLATILE = 1¶
- KEY_NO_DELETE = 8¶
- KEY_PREFEF_HANDLE = 64¶
- KEY_SYM_LINK = 16¶
- KEY_VIRTUAL_STORE = 512¶
- KEY_VIRT_MIRRORED = 128¶
- KEY_VIRT_TARGET = 256¶
- class RegValueTypes(value)[source]¶
Bases:
enum.Enum
An enumeration.
- REG_BINARY = 3¶
- REG_DWORD = 4¶
- REG_DWORD_BIG_ENDIAN = 5¶
- REG_EXPAND_SZ = 2¶
- REG_FULL_RESOURCE_DESCRIPTOR = 9¶
- REG_LINK = 6¶
- REG_MULTI_SZ = 7¶
- REG_NONE = 0¶
- REG_QWORD = 11¶
- REG_RESOURCE_LIST = 8¶
- REG_RESOURCE_REQUIREMENTS_LIST = 10¶
- REG_SZ = 1¶
- REG_UNKNOWN = 99999¶
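As an added example (not volatility3's own code), a small stand-alone decoder that applies the RegKeyFlags and RegValueTypes values listed above to raw bytes carved from a hive: KEY_COMP_NAME selects the 8-bit "compressed" key-name encoding of a CM_KEY_NODE (otherwise the name is UTF-16LE), and CM_KEY_VALUE data is interpreted according to its type code. The enum values are copied from this page; the per-type decoding rules are standard Windows registry conventions assumed here, and the sample bytes are constructed.

```python
import enum
import struct

# Flag values copied from the RegKeyFlags enumeration above (single-bit masks on
# CM_KEY_NODE.Flags). KEY_PREFEF_HANDLE keeps the page's spelling.
class RegKeyFlags(enum.IntFlag):
    KEY_IS_VOLATILE = 1
    KEY_HIVE_EXIT = 2
    KEY_HIVE_ENTRY = 4
    KEY_NO_DELETE = 8
    KEY_SYM_LINK = 16
    KEY_COMP_NAME = 32
    KEY_PREFEF_HANDLE = 64
    KEY_VIRT_MIRRORED = 128
    KEY_VIRT_TARGET = 256
    KEY_VIRTUAL_STORE = 512

def key_flag_names(flags: int) -> list:
    """Split a CM_KEY_NODE.Flags bitmask into the flag names used on this page."""
    return [f.name for f in RegKeyFlags if flags & f]

def decode_key_name(name_bytes: bytes, flags: int) -> str:
    """KEY_COMP_NAME marks an 8-bit ('compressed') name; otherwise it is UTF-16LE.
    Assumed convention, as applied by the CM_KEY_NODE extension's name handling."""
    if flags & RegKeyFlags.KEY_COMP_NAME:
        return name_bytes.decode("latin-1")
    return name_bytes.decode("utf-16-le")

def decode_value_data(reg_type: int, data: bytes):
    """Interpret CM_KEY_VALUE data by its RegValueTypes code (values as listed above).
    Unknown or malformed sizes fall through to raw bytes rather than raising."""
    if reg_type in (1, 2, 6):                # REG_SZ, REG_EXPAND_SZ, REG_LINK
        return data.decode("utf-16-le").split("\x00", 1)[0]
    if reg_type == 7:                        # REG_MULTI_SZ: NUL-separated, double-NUL end
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if reg_type == 4 and len(data) == 4:     # REG_DWORD, little-endian
        return struct.unpack("<I", data)[0]
    if reg_type == 5 and len(data) == 4:     # REG_DWORD_BIG_ENDIAN
        return struct.unpack(">I", data)[0]
    if reg_type == 11 and len(data) == 8:    # REG_QWORD, little-endian
        return struct.unpack("<Q", data)[0]
    return data                              # REG_BINARY, REG_NONE, REG_UNKNOWN, etc.

if __name__ == "__main__":
    # Constructed sample: a non-volatile key with a compressed name holding one DWORD value.
    print(key_flag_names(0x28), decode_key_name(b"Run", 0x20))
    print(decode_value_data(4, b"\x01\x00\x00\x00"))
```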