volatility3.framework.symbols package
- class SymbolSpace[source]
Bases:
SymbolSpaceInterfaceHandles an ordered collection of SymbolTables.
This collection is ordered so that resolution of symbols can proceed down through the ranks if a namespace isn’t specified.
- class UnresolvedTemplate(type_name, **kwargs)[source]
Bases:
ReferenceTemplateClass to highlight when missing symbols are present.
This class is identical to a reference template, but differentiable by its classname. It will output a debug log to indicate when it has been instantiated and with what name.
This class is designed to be output ONLY as part of the SymbolSpace resolution system. Individual SymbolTables that cannot resolve a symbol should still return a SymbolError to indicate this failure in resolution.
Stores the keyword arguments for later object creation.
- child_template(*args, **kwargs)
Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.
- Return type:
- property children: List[Template]
The children of this template (such as member types, sub-types and base-types where they are relevant).
Used to traverse the template tree.
- clone()
Returns a copy of the original Template as constructed (without update_vol additions having been made)
- Return type:
- has_member(*args, **kwargs)
Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.
- Return type:
- relative_child_offset(*args, **kwargs)
Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.
- Return type:
- replace_child(*args, **kwargs)
Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.
- Return type:
- property size: Any
Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.
- update_vol(**new_arguments)
Updates the keyword arguments with values that will not be carried across to clones.
- Return type:
- property vol: ReadOnlyMapping
Returns a volatility information object, much like the
ObjectInformationprovides.
- clear_symbol_cache(table_name=None)[source]
Clears the symbol cache for the specified table name. If no table name is specified, the caches of all symbol tables are cleared.
- Return type:
- free_table_name(prefix='layer')[source]
Returns an unused table name to ensure no collision occurs when inserting a symbol table.
- Return type:
- get(k[, d]) D[k] if k in D, else d. d defaults to None.
- get_enumeration(enum_name)[source]
Look-up a set of enumeration choices from a specific symbol table.
- Return type:
- get_symbol(symbol_name)[source]
Look-up a symbol name across all the contained symbol spaces.
- Return type:
- get_symbols_by_location(offset, size=0, table_name=None)[source]
Returns all symbols that exist at a specific relative address.
- get_type(type_name)[source]
Takes a symbol name and resolves it.
This method ensures that all referenced templates (including self-referential templates) are satisfied as ObjectTemplates
- Return type:
- has_enumeration(name)[source]
Determines whether an enumeration choice exists in the contained symbol tables.
- Return type:
- has_symbol(name)[source]
Determines whether a symbol exists in the contained symbol tables.
- Return type:
- has_type(name)[source]
Determines whether a type exists in the contained symbol tables.
- Return type:
- items() a set-like object providing a view on D's items
- keys() a set-like object providing a view on D's keys
- values() an object providing a view on D's values
- class SymbolType(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)[source]
Bases:
Enum- ENUM = 3
- SYMBOL = 2
- TYPE = 1
- symbol_table_is_64bit(context, symbol_table_name)[source]
Returns a boolean as to whether a particular symbol table within a context is 64-bit or not.
- Return type:
Subpackages
- volatility3.framework.symbols.generic package
GenericIntelProcessGenericIntelProcess.VolTemplateProxyGenericIntelProcess.VolTemplateProxy.child_template()GenericIntelProcess.VolTemplateProxy.children()GenericIntelProcess.VolTemplateProxy.has_member()GenericIntelProcess.VolTemplateProxy.relative_child_offset()GenericIntelProcess.VolTemplateProxy.replace_child()GenericIntelProcess.VolTemplateProxy.size()
GenericIntelProcess.cast()GenericIntelProcess.get_symbol_table_name()GenericIntelProcess.has_member()GenericIntelProcess.has_valid_member()GenericIntelProcess.has_valid_members()GenericIntelProcess.member()GenericIntelProcess.volGenericIntelProcess.write()
- volatility3.framework.symbols.linux package
LinuxKernelIntermedSymbolsLinuxKernelIntermedSymbols.build_configuration()LinuxKernelIntermedSymbols.clear_symbol_cache()LinuxKernelIntermedSymbols.configLinuxKernelIntermedSymbols.config_pathLinuxKernelIntermedSymbols.contextLinuxKernelIntermedSymbols.create()LinuxKernelIntermedSymbols.del_type_class()LinuxKernelIntermedSymbols.enumerationsLinuxKernelIntermedSymbols.file_symbol_url()LinuxKernelIntermedSymbols.get_enumeration()LinuxKernelIntermedSymbols.get_requirements()LinuxKernelIntermedSymbols.get_symbol()LinuxKernelIntermedSymbols.get_symbol_type()LinuxKernelIntermedSymbols.get_symbols_by_location()LinuxKernelIntermedSymbols.get_symbols_by_type()LinuxKernelIntermedSymbols.get_type()LinuxKernelIntermedSymbols.get_type_class()LinuxKernelIntermedSymbols.make_subconfig()LinuxKernelIntermedSymbols.metadataLinuxKernelIntermedSymbols.nativesLinuxKernelIntermedSymbols.optional_set_type_class()LinuxKernelIntermedSymbols.producerLinuxKernelIntermedSymbols.providesLinuxKernelIntermedSymbols.set_type_class()LinuxKernelIntermedSymbols.symbolsLinuxKernelIntermedSymbols.typesLinuxKernelIntermedSymbols.unsatisfied()
LinuxUtilitiesLinuxUtilities.container_of()LinuxUtilities.do_get_path()LinuxUtilities.files_descriptors_for_process()LinuxUtilities.generate_kernel_handler_info()LinuxUtilities.get_module_from_volobj_type()LinuxUtilities.get_path_mnt()LinuxUtilities.lookup_module_address()LinuxUtilities.mask_mods_list()LinuxUtilities.path_for_file()LinuxUtilities.versionLinuxUtilities.walk_internal_list()
- Subpackages
- volatility3.framework.symbols.linux.extensions package
bpf_progbt_sockcreddentryfiles_structfs_structinet_sockkernel_cap_structkernel_cap_tkobjectlist_headmaple_treemm_structmnt_namespacemodulemountnetnetlink_sockpacket_sockqstrsocksocketstruct_filesuper_blocktask_structunix_sockvfsmountvm_area_structvsock_sockxdp_sock- Submodules
- volatility3.framework.symbols.linux.extensions package
- Submodules
- volatility3.framework.symbols.mac package
MacKernelIntermedSymbolsMacKernelIntermedSymbols.build_configuration()MacKernelIntermedSymbols.clear_symbol_cache()MacKernelIntermedSymbols.configMacKernelIntermedSymbols.config_pathMacKernelIntermedSymbols.contextMacKernelIntermedSymbols.create()MacKernelIntermedSymbols.del_type_class()MacKernelIntermedSymbols.enumerationsMacKernelIntermedSymbols.file_symbol_url()MacKernelIntermedSymbols.get_enumeration()MacKernelIntermedSymbols.get_requirements()MacKernelIntermedSymbols.get_symbol()MacKernelIntermedSymbols.get_symbol_type()MacKernelIntermedSymbols.get_symbols_by_location()MacKernelIntermedSymbols.get_symbols_by_type()MacKernelIntermedSymbols.get_type()MacKernelIntermedSymbols.get_type_class()MacKernelIntermedSymbols.make_subconfig()MacKernelIntermedSymbols.metadataMacKernelIntermedSymbols.nativesMacKernelIntermedSymbols.optional_set_type_class()MacKernelIntermedSymbols.producerMacKernelIntermedSymbols.providesMacKernelIntermedSymbols.set_type_class()MacKernelIntermedSymbols.symbolsMacKernelIntermedSymbols.typesMacKernelIntermedSymbols.unsatisfied()
MacUtilities- Subpackages
- volatility3.framework.symbols.windows package
WindowsKernelIntermedSymbolsWindowsKernelIntermedSymbols.build_configuration()WindowsKernelIntermedSymbols.clear_symbol_cache()WindowsKernelIntermedSymbols.configWindowsKernelIntermedSymbols.config_pathWindowsKernelIntermedSymbols.contextWindowsKernelIntermedSymbols.create()WindowsKernelIntermedSymbols.del_type_class()WindowsKernelIntermedSymbols.enumerationsWindowsKernelIntermedSymbols.file_symbol_url()WindowsKernelIntermedSymbols.get_enumeration()WindowsKernelIntermedSymbols.get_requirements()WindowsKernelIntermedSymbols.get_symbol()WindowsKernelIntermedSymbols.get_symbol_type()WindowsKernelIntermedSymbols.get_symbols_by_location()WindowsKernelIntermedSymbols.get_symbols_by_type()WindowsKernelIntermedSymbols.get_type()WindowsKernelIntermedSymbols.get_type_class()WindowsKernelIntermedSymbols.make_subconfig()WindowsKernelIntermedSymbols.metadataWindowsKernelIntermedSymbols.nativesWindowsKernelIntermedSymbols.optional_set_type_class()WindowsKernelIntermedSymbols.producerWindowsKernelIntermedSymbols.set_type_class()WindowsKernelIntermedSymbols.symbolsWindowsKernelIntermedSymbols.typesWindowsKernelIntermedSymbols.unsatisfied()
- Subpackages
- Submodules
Submodules
- volatility3.framework.symbols.intermed module
ISFormatTableISFormatTable.build_configuration()ISFormatTable.clear_symbol_cache()ISFormatTable.configISFormatTable.config_pathISFormatTable.contextISFormatTable.del_type_class()ISFormatTable.enumerationsISFormatTable.get_requirements()ISFormatTable.get_symbol()ISFormatTable.get_symbol_type()ISFormatTable.get_symbols_by_location()ISFormatTable.get_symbols_by_type()ISFormatTable.get_type()ISFormatTable.get_type_class()ISFormatTable.make_subconfig()ISFormatTable.metadataISFormatTable.nativesISFormatTable.optional_set_type_class()ISFormatTable.producerISFormatTable.set_type_class()ISFormatTable.symbolsISFormatTable.typesISFormatTable.unsatisfied()ISFormatTable.version
IntermediateSymbolTableIntermediateSymbolTable.build_configuration()IntermediateSymbolTable.clear_symbol_cache()IntermediateSymbolTable.configIntermediateSymbolTable.config_pathIntermediateSymbolTable.contextIntermediateSymbolTable.create()IntermediateSymbolTable.del_type_class()IntermediateSymbolTable.enumerationsIntermediateSymbolTable.file_symbol_url()IntermediateSymbolTable.get_enumeration()IntermediateSymbolTable.get_requirements()IntermediateSymbolTable.get_symbol()IntermediateSymbolTable.get_symbol_type()IntermediateSymbolTable.get_symbols_by_location()IntermediateSymbolTable.get_symbols_by_type()IntermediateSymbolTable.get_type()IntermediateSymbolTable.get_type_class()IntermediateSymbolTable.make_subconfig()IntermediateSymbolTable.metadataIntermediateSymbolTable.nativesIntermediateSymbolTable.optional_set_type_class()IntermediateSymbolTable.producerIntermediateSymbolTable.set_type_class()IntermediateSymbolTable.symbolsIntermediateSymbolTable.typesIntermediateSymbolTable.unsatisfied()
Version1FormatVersion1Format.build_configuration()Version1Format.clear_symbol_cache()Version1Format.configVersion1Format.config_pathVersion1Format.contextVersion1Format.del_type_class()Version1Format.enumerationsVersion1Format.get_enumeration()Version1Format.get_requirements()Version1Format.get_symbol()Version1Format.get_symbol_type()Version1Format.get_symbols_by_location()Version1Format.get_symbols_by_type()Version1Format.get_type()Version1Format.get_type_class()Version1Format.make_subconfig()Version1Format.metadataVersion1Format.nativesVersion1Format.optional_set_type_class()Version1Format.producerVersion1Format.set_type_class()Version1Format.symbolsVersion1Format.typesVersion1Format.unsatisfied()Version1Format.version
Version2FormatVersion2Format.build_configuration()Version2Format.clear_symbol_cache()Version2Format.configVersion2Format.config_pathVersion2Format.contextVersion2Format.del_type_class()Version2Format.enumerationsVersion2Format.get_enumeration()Version2Format.get_requirements()Version2Format.get_symbol()Version2Format.get_symbol_type()Version2Format.get_symbols_by_location()Version2Format.get_symbols_by_type()Version2Format.get_type()Version2Format.get_type_class()Version2Format.make_subconfig()Version2Format.metadataVersion2Format.nativesVersion2Format.optional_set_type_class()Version2Format.producerVersion2Format.set_type_class()Version2Format.symbolsVersion2Format.typesVersion2Format.unsatisfied()Version2Format.version
Version3FormatVersion3Format.build_configuration()Version3Format.clear_symbol_cache()Version3Format.configVersion3Format.config_pathVersion3Format.contextVersion3Format.del_type_class()Version3Format.enumerationsVersion3Format.get_enumeration()Version3Format.get_requirements()Version3Format.get_symbol()Version3Format.get_symbol_type()Version3Format.get_symbols_by_location()Version3Format.get_symbols_by_type()Version3Format.get_type()Version3Format.get_type_class()Version3Format.make_subconfig()Version3Format.metadataVersion3Format.nativesVersion3Format.optional_set_type_class()Version3Format.producerVersion3Format.set_type_class()Version3Format.symbolsVersion3Format.typesVersion3Format.unsatisfied()Version3Format.version
Version4FormatVersion4Format.build_configuration()Version4Format.clear_symbol_cache()Version4Format.configVersion4Format.config_pathVersion4Format.contextVersion4Format.del_type_class()Version4Format.enumerationsVersion4Format.format_mappingVersion4Format.get_enumeration()Version4Format.get_requirements()Version4Format.get_symbol()Version4Format.get_symbol_type()Version4Format.get_symbols_by_location()Version4Format.get_symbols_by_type()Version4Format.get_type()Version4Format.get_type_class()Version4Format.make_subconfig()Version4Format.metadataVersion4Format.nativesVersion4Format.optional_set_type_class()Version4Format.producerVersion4Format.set_type_class()Version4Format.symbolsVersion4Format.typesVersion4Format.unsatisfied()Version4Format.version
Version5FormatVersion5Format.build_configuration()Version5Format.clear_symbol_cache()Version5Format.configVersion5Format.config_pathVersion5Format.contextVersion5Format.del_type_class()Version5Format.enumerationsVersion5Format.format_mappingVersion5Format.get_enumeration()Version5Format.get_requirements()Version5Format.get_symbol()Version5Format.get_symbol_type()Version5Format.get_symbols_by_location()Version5Format.get_symbols_by_type()Version5Format.get_type()Version5Format.get_type_class()Version5Format.make_subconfig()Version5Format.metadataVersion5Format.nativesVersion5Format.optional_set_type_class()Version5Format.producerVersion5Format.set_type_class()Version5Format.symbolsVersion5Format.typesVersion5Format.unsatisfied()Version5Format.version
Version6FormatVersion6Format.build_configuration()Version6Format.clear_symbol_cache()Version6Format.configVersion6Format.config_pathVersion6Format.contextVersion6Format.del_type_class()Version6Format.enumerationsVersion6Format.format_mappingVersion6Format.get_enumeration()Version6Format.get_requirements()Version6Format.get_symbol()Version6Format.get_symbol_type()Version6Format.get_symbols_by_location()Version6Format.get_symbols_by_type()Version6Format.get_type()Version6Format.get_type_class()Version6Format.make_subconfig()Version6Format.metadataVersion6Format.nativesVersion6Format.optional_set_type_class()Version6Format.producerVersion6Format.set_type_class()Version6Format.symbolsVersion6Format.typesVersion6Format.unsatisfied()Version6Format.version
Version7FormatVersion7Format.build_configuration()Version7Format.clear_symbol_cache()Version7Format.configVersion7Format.config_pathVersion7Format.contextVersion7Format.del_type_class()Version7Format.enumerationsVersion7Format.format_mappingVersion7Format.get_enumeration()Version7Format.get_requirements()Version7Format.get_symbol()Version7Format.get_symbol_type()Version7Format.get_symbols_by_location()Version7Format.get_symbols_by_type()Version7Format.get_type()Version7Format.get_type_class()Version7Format.make_subconfig()Version7Format.metadataVersion7Format.nativesVersion7Format.optional_set_type_class()Version7Format.producerVersion7Format.set_type_class()Version7Format.symbolsVersion7Format.typesVersion7Format.unsatisfied()Version7Format.version
Version8FormatVersion8Format.build_configuration()Version8Format.clear_symbol_cache()Version8Format.configVersion8Format.config_pathVersion8Format.contextVersion8Format.del_type_class()Version8Format.enumerationsVersion8Format.format_mappingVersion8Format.get_enumeration()Version8Format.get_requirements()Version8Format.get_symbol()Version8Format.get_symbol_type()Version8Format.get_symbols_by_location()Version8Format.get_symbols_by_type()Version8Format.get_type()Version8Format.get_type_class()Version8Format.make_subconfig()Version8Format.metadataVersion8Format.nativesVersion8Format.optional_set_type_class()Version8Format.producerVersion8Format.set_type_class()Version8Format.symbolsVersion8Format.typesVersion8Format.unsatisfied()Version8Format.version
- volatility3.framework.symbols.metadata module
- volatility3.framework.symbols.native module
NativeTableNativeTable.clear_symbol_cache()NativeTable.del_type_class()NativeTable.enumerationsNativeTable.get_enumeration()NativeTable.get_symbol()NativeTable.get_symbol_type()NativeTable.get_symbols_by_location()NativeTable.get_symbols_by_type()NativeTable.get_type()NativeTable.get_type_class()NativeTable.nativesNativeTable.optional_set_type_class()NativeTable.set_type_class()NativeTable.symbolsNativeTable.types
- volatility3.framework.symbols.wrappers module