volatility3.framework.objects.utility module

address_to_string(context, layer_name, address, count, errors='replace', block_size=32, encoding='utf-8')[source]
Reads a null-terminated string from a specified memory address, processing it in blocks for efficiency.

Parameters:
  • context (ContextInterface) – The context used to retrieve memory layers and symbol tables

  • layer_name (str) – The name of the memory layer to read from

  • address (int) – The address where the string is located in memory

  • count (int) – The number of bytes to read

  • errors (str) – The error handling scheme to use for encoding errors. Defaults to “replace”

  • block_size – Reading block size. Defaults to 32

Return type:

str

Returns:

The decoded string extracted from memory.

array_of_pointers(array, count, subtype, context)[source]

Takes an object, and recasts it as an array of pointers to subtype.

Return type:

ObjectInterface

array_to_string(array, count=None, errors='replace', block_size=32, encoding='utf-8')[source]

Takes a Volatility ‘Array’ of characters and returns a Python string.

Parameters:
  • array (Array) – The Volatility Array object containing character elements.

  • count (Optional[int]) – Optional maximum number of characters to convert. If None, the function processes the entire array.

  • errors (str) – Specifies error handling behavior for decoding, defaulting to “replace”.

  • block_size – Reading block size. Defaults to 32

Return type:

str

Returns:

A decoded string representation of the character array.

bswap_32(value)[source]
Return type:

int

bswap_64(value)[source]
Return type:

int

bytes_to_decoded_string(data, encoding, errors, return_truncated=True)[source]
Parameters:
  • data (bytes) – The bytes buffer containing a string at offset 0

  • encoding (str) – An encoding value for the encoding parameter of bytes.decode

  • errors (str) – An errors value for the errors parameter of bytes.decode

  • return_truncated (bool) – Dictates whether truncated strings should be returned or if a ValueError should be thrown if a truncated

Returns:

The decoded string starting at offset of data

Return type:

bytes

This function takes a bytes buffer that contains a string of unknown length starting at the first byte, and returns the properly decoded string.

It starts by using Python’s bytes.decode to attempt to decode the entire string. It then finds the termination character (a null character or the U+FFFD replacement character) and splices the string. Finally, it returns this spliced string after it’s been decoded with the caller-specified encoding.

dynamically_sized_array_of_pointers(context, array, subtype, iterator_guard_value, stop_value=0, stop_on_invalid_pointers=True)[source]

Iterates over a dynamically sized array of pointers (e.g. NULL-terminated). Array iteration should always be performed with an arbitrary guard value as maximum size, to prevent running forever in case something unexpected happens.

Args:

  • context – The context on which to operate.

  • array – The object to cast to an array.

  • iterator_guard_value – Stop iterating when the iterator index is greater than this value. This is an extra-safety against smearing.

  • subtype – The subtype of the array’s pointers.

  • stop_value – Stop value used to determine when to terminate iteration once it is encountered. Defaults to 0 (NULL-terminated arrays).

  • stop_on_invalid_pointers – Determines whether to stop iterating or not when an invalid pointer is encountered. This can be useful for arrays that are known to have smeared entries before the end.

Returns:

An array of pointer objects

Return type:

ObjectInterface

gather_contiguous_bytes_from_address(context, data_layer, starting_address, count)[source]

This method reconstructs a string from memory while also carefully examining each page.

It goes page-by-page reading the bytes. This is done by calculating page boundaries and then only reading one page at a time.

If a page is missing, the code initially catches the exception. If data is non-empty (meaning at least one read succeeded), then we return what was read. If the first page fails, then we re-raise the exception.

Return type:

bytes
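
The page-by-page read described here, combined with the decode-and-cut step described under bytes_to_decoded_string, as an added stand-alone model (not Volatility 3 source code). SparseLayer, gather_contiguous, decode_terminated, the 0x1000 page size and the sample bytes are assumptions made for this sketch, as is treating NUL and U+FFFD as the two termination characters.

```python
# Added illustration: a stand-alone model, not Volatility 3 source code.
PAGE_SIZE = 0x1000  # assumed page size


class SparseLayer:
    """Hypothetical stand-in for a memory layer in which some pages are absent."""

    def __init__(self, pages):
        self.pages = pages  # {page base address: PAGE_SIZE bytes}

    def read(self, address, length):
        base = address & ~(PAGE_SIZE - 1)
        if base not in self.pages:
            raise LookupError(f"page {base:#x} is not present")
        offset = address - base
        return self.pages[base][offset:offset + length]


def gather_contiguous(layer, start, count):
    """Read up to `count` bytes one page at a time, keeping a partial result."""
    data, address, end = b"", start, start + count
    while address < end:
        page_end = (address & ~(PAGE_SIZE - 1)) + PAGE_SIZE
        length = min(end, page_end) - address
        try:
            data += layer.read(address, length)
        except LookupError:
            if data:       # an earlier page was read: return what we have
                return data
            raise          # the very first page is missing: nothing to return
        address += length
    return data


def decode_terminated(data, encoding="utf-8", errors="replace"):
    """Decode the whole buffer, then cut at the first NUL or U+FFFD (assumed terminators)."""
    text = data.decode(encoding, errors)
    cuts = [i for i in (text.find("\x00"), text.find("\ufffd")) if i != -1]
    return text[:min(cuts)] if cuts else text


# Constructed sample: page 0x1000 is present and ends in "café" cut after the
# first byte of "é"; page 0x2000, where the string would continue, is missing.
TAIL = b"cmd.exe\x00" + "café".encode("utf-8")[:4]
LAYER = SparseLayer({0x1000: bytes(PAGE_SIZE - len(TAIL)) + TAIL})
```

A string that runs into the missing page comes back shortened rather than failing, so a value recovered this way may be a prefix of what was in memory and should be treated as such when it is matched against paths or command lines.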

pointer_to_string(pointer, count, errors='replace', block_size=32, encoding='utf-8')[source]

Takes a Volatility ‘Pointer’ to characters and returns a Python string.

Parameters:
  • pointer (Pointer) – A Pointer object containing character elements.

  • count (int) – Optional maximum number of characters to convert. If None, the function processes the entire array.

  • errors (str) – Specifies error handling behavior for decoding, defaulting to “replace”.

  • block_size – Reading block size. Defaults to 32

Return type:

str

Returns:

A decoded string representation of the data referenced by the pointer.

rol(value, count, max_bits=64)[source]

A rotate-left instruction in Python

Return type:

int