volatility3.framework.objects.utility module
- address_to_string(context, layer_name, address, count, errors='replace', block_size=32)[source]
- Reads a null-terminated string from a given specified memory address, processing
it in blocks for efficiency.
- Parameters:
context (
ContextInterface) – The context used to retrieve memory layers and symbol tableslayer_name (
str) – The name of the memory layer to read fromaddress (
int) – The address where the string is located in memorycount (
int) – The number of bytes to readerrors (
str) – The error handling scheme to use for encoding errors. Defaults to “replace”block_size – Reading block size. Defaults to 32
- Return type:
- Returns:
The decoded string extracted from memory.
- array_of_pointers(array, count, subtype, context)[source]
Takes an object, and recasts it as an array of pointers to subtype.
- Return type:
- array_to_string(array, count=None, errors='replace', block_size=32)[source]
Takes a Volatility ‘Array’ of characters and returns a Python string.
- Parameters:
array (
Array) – The Volatility Array object containing character elements.count (
Optional[int]) – Optional maximum number of characters to convert. If None, the function processes the entire array.errors (
str) – Specifies error handling behavior for decoding, defaulting to “replace”.block_size – Reading block size. Defaults to 32
- Return type:
- Returns:
A decoded string representation of the character array.
- pointer_to_string(pointer, count, errors='replace', block_size=32)[source]
Takes a Volatility ‘Pointer’ to characters and returns a Python string.
- Parameters:
pointer (
Pointer) – A Pointer object containing character elements.count (
int) – Optional maximum number of characters to convert. If None, the function processes the entire array.errors (
str) – Specifies error handling behavior for decoding, defaulting to “replace”.block_size – Reading block size. Defaults to 32
- Return type:
- Returns:
A decoded string representation of the data referenced by the pointer.