volatility3.framework.interfaces.plugins module

Plugins are the functions of the volatility framework.

They are called and carry out some algorithms on data stored in layers using objects constructed from symbols.

class FileHandlerInterface(filename)[source]

Bases: RawIOBase

Class for storing Files in the plugin as a means to output a file when necessary.

This can be used as ContextManager that will close/produce the file automatically when exiting the context block

Creates a FileHandler

Parameters:

filename (str) – The requested name of the filename for the data

abstract close()[source]

Method that commits the file and fixes the final filename for use

closed
fileno()

Returns underlying file descriptor if one exists.

OSError is raised if the IO object does not use a file descriptor.

flush()

Flush write buffers, if applicable.

This is not implemented for read-only and non-blocking streams.

isatty()

Return whether this is an ‘interactive’ stream.

Return False if it can’t be determined.

property preferred_filename

The preferred filename to save the data to. Until this file has been written, this value may not be the final filename the data is written to.

read(size=-1, /)
readable()

Return whether object was opened for reading.

If False, read() will raise OSError.

readall()

Read until EOF, using multiple read() call.

readinto()
readline(size=-1, /)

Read and return a line from the stream.

If size is specified, at most size bytes will be read.

The line terminator is always b’n’ for binary files; for text files, the newlines argument to open can be used to select the line terminator(s) recognized.

readlines(hint=-1, /)

Return a list of lines from the stream.

hint can be specified to control the number of lines read: no more lines will be read if the total size (in bytes/characters) of all lines so far exceeds hint.

static sanitize_filename(filename)[source]

Sanititizes the filename to ensure only a specific whitelist of characters is allowed through

Return type:

str

seek(offset, whence=0, /)

Change the stream position to the given byte offset.

offset

The stream position, relative to ‘whence’.

whence

The relative position to seek from.

The offset is interpreted relative to the position indicated by whence. Values for whence are:

  • os.SEEK_SET or 0 – start of stream (the default); offset should be zero or positive

  • os.SEEK_CUR or 1 – current stream position; offset may be negative

  • os.SEEK_END or 2 – end of stream; offset is usually negative

Return the new absolute position.

seekable()

Return whether object supports random access.

If False, seek(), tell() and truncate() will raise OSError. This method may need to do a test seek().

tell()

Return current stream position.

truncate()

Truncate file to size bytes.

File pointer is left unchanged. Size defaults to the current IO position as reported by tell(). Returns the new size.

writable()

Return whether object was opened for writing.

If False, write() will raise OSError.

write()
writelines(lines, /)

Write a list of lines to stream.

Line separators are not added, so it is usual for each of the lines provided to have a line separator at the end.

class PluginInterface(context, config_path, progress_callback=None)[source]

Bases: ConfigurableInterface, VersionableInterface

Class that defines the basic interface that all Plugins must maintain.

The constructor must only take a context and config_path, so that plugins can be launched automatically. As such all configuration information must be provided through the requirements and configuration information in the context it is passed.

Parameters:
  • context (ContextInterface) – The context that the plugin will operate within

  • config_path (str) – The path to configuration data within the context configuration data

  • progress_callback (Optional[Callable[[float, str], None]]) – A callable that can provide feedback at progress points

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type:

HierarchicalDict

property config: HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

property config_path: str

The configuration path on which this configurable lives.

property context: ContextInterface

The context object that this configurable belongs to/configuration is stored in.

classmethod get_requirements()[source]

Returns a list of Requirement objects for this plugin.

Return type:

List[RequirementInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters:
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns:

The newly generated full configuration path

Return type:

str

property open

Returns a context manager and thus can be called like open

abstract run()[source]

Executes the functionality of the code.

Note

This method expects self.validate to have been called to ensure all necessary options have been provided

Return type:

TreeGrid

Returns:

A TreeGrid object that can then be passed to a Renderer.

set_open_method(handler)[source]

Sets the file handler to be used by this plugin.

Return type:

None

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
Return type:

Dict[str, RequirementInterface]

version = (0, 0, 0)