volatility3.framework.symbols.windows.extensions package
- class CONTROL_AREA(context, type_name, object_info, size, members)[source]
Bases:
StructType
A class for _CONTROL_AREA structures
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- PAGE_MASK = 4095
- PAGE_SIZE = 4096
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_available_pages()[source]
Get the available pages that correspond to a cached file.
The tuples generated are (physical_offset, file_offset, page_size).
- get_subsection()[source]
Get the Subsection object, which is found immediately after the _CONTROL_AREA.
- Return type:
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
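The (physical_offset, file_offset, page_size) tuples that get_available_pages() yields for CONTROL_AREA are enough to rebuild the resident part of a cached file. The sketch below is an added example, not Volatility code: `rebuild_cached_file`, `make_reader` and the sample tuples are hypothetical, and physical memory is simulated with a constructed bytes object.

```python
PAGE_SIZE = 4096  # same value as CONTROL_AREA.PAGE_SIZE documented above


def make_reader(memory):
    """Return a reader over a constructed physical-memory image (bytes)."""
    def read_physical(offset, length):
        if offset < 0 or offset + length > len(memory):
            return None  # outside the image: treat as unreadable
        return memory[offset:offset + length]
    return read_physical


def rebuild_cached_file(pages, read_physical, pad=b"\x00"):
    """Reassemble file content from (physical_offset, file_offset, page_size).

    Returns (data, missing). `missing` lists (file_offset, length) ranges that
    lie before the last recovered page but were not resident; they are filled
    with `pad`. The file's true size is not part of the tuples, so a
    non-resident tail cannot be reported.
    """
    resident = {}
    for phys, file_off, size in pages:
        if file_off < 0 or size <= 0:
            continue  # corrupt tuple
        chunk = read_physical(phys, size)
        if chunk is None or len(chunk) != size:
            continue  # page could not be read from the physical layer
        resident.setdefault(file_off, chunk)  # first sighting wins

    out = bytearray()
    missing = []
    for file_off in sorted(resident):
        chunk = resident[file_off]
        cursor = len(out)
        if file_off > cursor:
            missing.append((cursor, file_off - cursor))
            out += pad * (file_off - cursor)
        elif file_off < cursor:
            chunk = chunk[cursor - file_off:]  # drop the overlapping prefix
        out += chunk
    return bytes(out), missing


# Constructed sample: three physical pages, file pages stored out of order.
SAMPLE_MEMORY = b"\x22" * PAGE_SIZE + b"\xee" * PAGE_SIZE + b"\x11" * PAGE_SIZE
SAMPLE_PAGES = [
    (0x2000, 0x0000, PAGE_SIZE),  # file page 0 lives at physical 0x2000
    (0x0000, 0x2000, PAGE_SIZE),  # file page 2 lives at physical 0x0000
    (0x9000, 0x3000, PAGE_SIZE),  # points outside the sample image
]

if __name__ == "__main__":
    data, missing = rebuild_cached_file(SAMPLE_PAGES, make_reader(SAMPLE_MEMORY))
    print(len(data), [(hex(o), hex(n)) for o, n in missing])
```

Zero-padded ranges change the file's hash, so record the `missing` list alongside any extracted artifact.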
- class DEVICE_OBJECT(context, type_name, object_info, size, members)[source]
Bases:
StructType, ExecutiveObject
A class for kernel device objects.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_object_header()
- Return type:
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class DRIVER_OBJECT(context, type_name, object_info, size, members)[source]
Bases:
StructType, ExecutiveObject
A class for kernel driver objects.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_object_header()
- Return type:
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class EPROCESS(context, type_name, object_info, size, members)[source]
Bases:
GenericIntelProcess, ExecutiveObject
A class for executive kernel process objects.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- add_process_layer(config_prefix=None, preferred_name=None)[source]
Constructs a new layer based on the process’s DirectoryTableBase.
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- environment_variables()[source]
Generator for environment variables.
The PEB points to our env block - a series of null-terminated unicode strings. Each string cannot be more than 0x7FFF chars. End of the list is a quad-null.
- get_object_header()
- Return type:
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- init_order_modules()[source]
Generator for DLLs in the order that they were initialized
- Return type:
- mem_order_modules()[source]
Generator for DLLs in the order that they appear in memory
- Return type:
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
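The environment block layout described under EPROCESS.environment_variables() (null-terminated UTF-16 strings, at most 0x7FFF characters each, list ended by a quad-null) can be parsed as follows. This is an added example, not Volatility's implementation: `parse_env_block`, `build_block` and the sample strings are hypothetical, and the block is a constructed byte string rather than data read through the PEB.

```python
MAX_VAR_CHARS = 0x7FFF  # per-string limit stated in the method description


def parse_env_block(raw):
    """Parse a Windows environment block (UTF-16LE) into (name, value) pairs.

    Each string ends with a 16-bit null; an empty string ends the list, which
    together with the previous terminator gives four zero bytes in a row.
    Returns (variables, complete). `complete` is False when the buffer ends
    before the terminator is seen or an entry exceeds the length limit, both
    of which are common with paged-out or smeared memory.
    """
    variables = []
    pos = 0
    while pos + 2 <= len(raw):
        # Scan on 2-byte boundaries so "A\0=\0" is not mistaken for a null.
        end = pos
        while end + 2 <= len(raw) and raw[end:end + 2] != b"\x00\x00":
            end += 2
        if end + 2 > len(raw):
            return variables, False  # string has no terminator: truncated
        if end == pos:
            return variables, True  # empty string: end of the block
        if (end - pos) // 2 > MAX_VAR_CHARS:
            return variables, False  # over-long entry: treat block as corrupt
        text = raw[pos:end].decode("utf-16-le", errors="replace")
        # Per-drive entries such as "=C:=C:\dir" start with '=', so the
        # separator is the first '=' after position 0.
        sep = text.find("=", 1)
        if sep != -1:
            variables.append((text[:sep], text[sep + 1:]))
        pos = end + 2
    return variables, False  # ran off the end without seeing the terminator


def build_block(*strings, terminate=True):
    """Build a constructed environment block for the sample below."""
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return body + (b"\x00\x00" if terminate else b"")


# Constructed sample input.
SAMPLE_BLOCK = build_block(
    "=C:=C:\\Users\\analyst",
    "PATH=C:\\Windows;C:\\Tools",
    "TEMP=C:\\Temp",
)

if __name__ == "__main__":
    for name, value in parse_env_block(SAMPLE_BLOCK)[0]:
        print(f"{name} -> {value}")
```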
- class ERESOURCE(context, type_name, object_info, size, members)[source]
Bases:
StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class ETHREAD(context, type_name, object_info, size, members)[source]
Bases:
StructType, ExecutiveObject
A class for executive thread objects.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_object_header()
- Return type:
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class EX_FAST_REF(context, type_name, object_info, size, members)[source]
Bases:
StructType
This is a standard Windows structure that stores a pointer to an object but also leverages the least significant bits to encode additional details.
When dereferencing the pointer, we need to strip off the extra bits.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
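Why the low bits of an EX_FAST_REF must be stripped before dereferencing, shown on constructed data. This is an added example, not Volatility code: `decode_fast_ref`, `read_at`, the addresses and the "Tokn" marker are hypothetical, and the bit widths (3 low bits on 32-bit, 4 on 64-bit) are an assumption taken from general Windows internals knowledge rather than from this page.

```python
# Assumption: number of low bits reused for extra data, keyed by pointer size.
FAST_REF_BITS = {4: 3, 8: 4}


def decode_fast_ref(raw):
    """Split the raw little-endian bytes of an _EX_FAST_REF.

    Returns (object_pointer, low_bits). Only object_pointer is an address.
    """
    if len(raw) not in FAST_REF_BITS:
        raise ValueError("expected a 4-byte or 8-byte pointer-sized value")
    value = int.from_bytes(raw, "little")
    mask = (1 << FAST_REF_BITS[len(raw)]) - 1
    return value & ~mask, value & mask


def read_at(regions, address, length):
    """Read from constructed sample memory given as {base_address: bytes}."""
    for base, data in regions.items():
        if base <= address and address + length <= base + len(data):
            return data[address - base:address - base + length]
    return None  # address not backed by the sample


# Constructed sample: one 0x100-byte region with a marker at offset 0x40.
SAMPLE_BASE = 0xFFFFA80000001000
_region = bytearray(0x100)
_region[0x40:0x44] = b"Tokn"
SAMPLE_REGIONS = {SAMPLE_BASE: bytes(_region)}

# The stored value is the object address with extra data in the low 4 bits.
SAMPLE_RAW_VALUE = (SAMPLE_BASE + 0x40) | 0xB
SAMPLE_FAST_REF = SAMPLE_RAW_VALUE.to_bytes(8, "little")

if __name__ == "__main__":
    pointer, low = decode_fast_ref(SAMPLE_FAST_REF)
    print(hex(pointer), low, read_at(SAMPLE_REGIONS, pointer, 4))
    # Dereferencing the unmasked value lands 0xB bytes into the object.
    print(read_at(SAMPLE_REGIONS, SAMPLE_RAW_VALUE, 4))
```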
- class FILE_OBJECT(context, type_name, object_info, size, members)[source]
Bases:
StructType, ExecutiveObject
A class for Windows file objects.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_object_header()
- Return type:
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class KMUTANT(context, type_name, object_info, size, members)[source]
Bases:
StructType, ExecutiveObject
A class for Windows mutant objects.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_object_header()
- Return type:
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class KSYSTEM_TIME(context, type_name, object_info, size, members)[source]
Bases:
StructType
A system time structure that stores a high and low part.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class KTHREAD(context, type_name, object_info, size, members)[source]
Bases:
StructType
A class for thread control block objects.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class KTIMER(context, type_name, object_info, size, members)[source]
Bases:
StructType
A class for Kernel Timers
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- VALID_TYPES = {8: 'TimerNotificationObject', 9: 'TimerSynchronizationObject'}
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class LIST_ENTRY(context, type_name, object_info, size, members)[source]
Bases:
StructType, Iterable
A class for doubly linked lists on Windows.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- to_list(symbol_type, member, forward=True, sentinel=True, layer=None)[source]
Returns an iterator of the entries in the list.
- Return type:
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class MMVAD(context, type_name, object_info, size, members)[source]
Bases:
MMVAD_SHORT
A version of the process virtual memory range structure that contains additional fields necessary to map files from disk.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- property Protection
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_commit_charge()
Get the VAD’s commit charge (number of committed pages)
- get_end()
Get the VAD’s ending virtual address. This is the last accessible byte in the range.
- Return type:
- get_left_child()
Get the left child member.
- get_parent()
Get the VAD’s parent member.
- get_private_memory()
Get the VAD’s private memory setting.
- get_protection(protect_values, winnt_protections)
Get the VAD’s protection constants as a string.
- get_right_child()
Get the right child member.
- get_start()
Get the VAD’s starting virtual address. This is the first accessible byte in the range.
- Return type:
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- get_tag()
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- traverse(visited=None, depth=0)
Traverse the VAD tree, determining each underlying VAD node type by looking up the pool tag for the structure and then casting into a new object.
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class MMVAD_SHORT(context, type_name, object_info, size, members)[source]
Bases:
StructType
A class that represents process virtual memory ranges.
Each instance is a node in a binary tree structure and is pointed to by VadRoot.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- property Protection
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_end()[source]
Get the VAD’s ending virtual address. This is the last accessible byte in the range.
- Return type:
- get_protection(protect_values, winnt_protections)[source]
Get the VAD’s protection constants as a string.
- get_start()[source]
Get the VAD’s starting virtual address. This is the first accessible byte in the range.
- Return type:
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- traverse(visited=None, depth=0)[source]
Traverse the VAD tree, determining each underlying VAD node type by looking up the pool tag for the structure and then casting into a new object.
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class OBJECT_SYMBOLIC_LINK(context, type_name, object_info, size, members)[source]
Bases: StructType, ExecutiveObject
A class for kernel link objects.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases: VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used.
- get_object_header()
- Return type:
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class SHARED_CACHE_MAP(context, type_name, object_info, size, members)[source]
Bases: StructType
A class for _SHARED_CACHE_MAP structures
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- VACB_ARRAY = 128
- VACB_BLOCK = 262144
- VACB_LEVEL_SHIFT = 7
- VACB_OFFSET_SHIFT = 18
- VACB_SIZE_OF_FIRST_LEVEL = 33554432
- class VolTemplateProxy
Bases: VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used.
- get_available_pages()[source]
Get the available pages that correspond to a cached file.
The lists generated are (virtual_offset, file_offset, page_size).
- Return type:
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- process_index_array(array_pointer, level, limit, vacb_list=None)[source]
Recursively process the sparse multilevel VACB index array.
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
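The SHARED_CACHE_MAP constants above describe a radix layout: VACB_BLOCK equals 1 << VACB_OFFSET_SHIFT, VACB_ARRAY equals 1 << VACB_LEVEL_SHIFT, and VACB_SIZE_OF_FIRST_LEVEL is their product. The following is an added example, not Volatility's own code: it assumes the index arrays can be modelled as nested Python lists with None for unpopulated slots, and the function names are hypothetical.

```python
# Constants copied from the SHARED_CACHE_MAP class attributes listed on this page.
VACB_ARRAY = 128
VACB_BLOCK = 262144
VACB_LEVEL_SHIFT = 7
VACB_OFFSET_SHIFT = 18
VACB_SIZE_OF_FIRST_LEVEL = 33554432


def index_levels(section_size):
    """Number of index-array levels needed to address every view of a cached file.

    One level covers VACB_ARRAY views of VACB_BLOCK bytes; each extra level
    multiplies the addressable size by VACB_ARRAY.
    """
    if section_size <= 0:
        raise ValueError("section size must be positive")
    levels, capacity = 1, VACB_SIZE_OF_FIRST_LEVEL
    while section_size > capacity:
        capacity <<= VACB_LEVEL_SHIFT
        levels += 1
    return levels


def split_offset(file_offset, levels):
    """Split a file offset into per-level array indices (top level first)
    and the byte offset inside the VACB_BLOCK-sized view."""
    limit = 1 << (VACB_OFFSET_SHIFT + VACB_LEVEL_SHIFT * levels)
    if not 0 <= file_offset < limit:
        raise ValueError("offset not addressable with this many levels")
    within_view = file_offset & (VACB_BLOCK - 1)
    view = file_offset >> VACB_OFFSET_SHIFT
    indices = [
        (view >> (level * VACB_LEVEL_SHIFT)) & (VACB_ARRAY - 1)
        for level in reversed(range(levels))
    ]
    return indices, within_view


def walk_sparse_index(array, level, base_view=0):
    """Recursively collect (file_offset, entry) pairs from a sparse index array.

    `level` is 0 for an array whose slots hold VACB entries, and higher for
    arrays whose slots hold further arrays. None marks an unpopulated slot.
    """
    found = []
    for slot, entry in enumerate(array):
        if entry is None:
            continue  # sparse: most slots of a large file are never populated
        view = (base_view << VACB_LEVEL_SHIFT) | slot
        if level == 0:
            found.append((view << VACB_OFFSET_SHIFT, entry))
        else:
            found.extend(walk_sparse_index(entry, level - 1, view))
    return found


def build_sample_index():
    """Constructed two-level index with two populated views (labels are made up)."""
    top = [None] * VACB_ARRAY
    top[0] = [None] * VACB_ARRAY
    top[0][0] = "vacb_B"
    top[9] = [None] * VACB_ARRAY
    top[9][13] = "vacb_A"
    return top


if __name__ == "__main__":
    levels = index_levels(0x20000000)  # a constructed 512 MiB section size
    print(levels, split_offset(0x12345678, levels))
    for offset, entry in walk_sparse_index(build_sample_index(), levels - 1):
        print(hex(offset), entry)
```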
- class TOKEN(context, type_name, object_info, size, members)[source]
Bases: StructType
A class for process etoken object.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases: VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class UNICODE_STRING(context, type_name, object_info, size, members)[source]
Bases: StructType
A class for Windows unicode string structures.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- property String: ObjectInterface
- class VolTemplateProxy
Bases: VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class VACB(context, type_name, object_info, size, members)[source]
Bases: StructType
A class for _VACB structures
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- FILEOFFSET_MASK = 18446744073709486080
- class VolTemplateProxy
Bases: VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
Submodules
- volatility3.framework.symbols.windows.extensions.callbacks module
- volatility3.framework.symbols.windows.extensions.consoles module
ALIAS
COMMAND
COMMAND_HISTORY
COMMAND_HISTORY.CommandCount
COMMAND_HISTORY.ProcessHandle
COMMAND_HISTORY.VolTemplateProxy
COMMAND_HISTORY.cast()
COMMAND_HISTORY.get_application()
COMMAND_HISTORY.get_commands()
COMMAND_HISTORY.get_symbol_table_name()
COMMAND_HISTORY.has_member()
COMMAND_HISTORY.has_valid_member()
COMMAND_HISTORY.has_valid_members()
COMMAND_HISTORY.is_valid()
COMMAND_HISTORY.member()
COMMAND_HISTORY.scan_command_bucket()
COMMAND_HISTORY.vol
COMMAND_HISTORY.write()
CONSOLE_INFORMATION
CONSOLE_INFORMATION.ScreenBuffer
CONSOLE_INFORMATION.VolTemplateProxy
CONSOLE_INFORMATION.VolTemplateProxy.child_template()
CONSOLE_INFORMATION.VolTemplateProxy.children()
CONSOLE_INFORMATION.VolTemplateProxy.has_member()
CONSOLE_INFORMATION.VolTemplateProxy.relative_child_offset()
CONSOLE_INFORMATION.VolTemplateProxy.replace_child()
CONSOLE_INFORMATION.VolTemplateProxy.size()
CONSOLE_INFORMATION.cast()
CONSOLE_INFORMATION.get_exe_aliases()
CONSOLE_INFORMATION.get_histories()
CONSOLE_INFORMATION.get_original_title()
CONSOLE_INFORMATION.get_processes()
CONSOLE_INFORMATION.get_screens()
CONSOLE_INFORMATION.get_symbol_table_name()
CONSOLE_INFORMATION.get_title()
CONSOLE_INFORMATION.has_member()
CONSOLE_INFORMATION.has_valid_member()
CONSOLE_INFORMATION.has_valid_members()
CONSOLE_INFORMATION.is_valid()
CONSOLE_INFORMATION.member()
CONSOLE_INFORMATION.vol
CONSOLE_INFORMATION.write()
EXE_ALIAS_LIST
EXE_ALIAS_LIST.VolTemplateProxy
EXE_ALIAS_LIST.cast()
EXE_ALIAS_LIST.get_aliases()
EXE_ALIAS_LIST.get_exename()
EXE_ALIAS_LIST.get_symbol_table_name()
EXE_ALIAS_LIST.has_member()
EXE_ALIAS_LIST.has_valid_member()
EXE_ALIAS_LIST.has_valid_members()
EXE_ALIAS_LIST.member()
EXE_ALIAS_LIST.vol
EXE_ALIAS_LIST.write()
ROW
SCREEN_INFORMATION
SCREEN_INFORMATION.ScreenX
SCREEN_INFORMATION.ScreenY
SCREEN_INFORMATION.VolTemplateProxy
SCREEN_INFORMATION.VolTemplateProxy.child_template()
SCREEN_INFORMATION.VolTemplateProxy.children()
SCREEN_INFORMATION.VolTemplateProxy.has_member()
SCREEN_INFORMATION.VolTemplateProxy.relative_child_offset()
SCREEN_INFORMATION.VolTemplateProxy.replace_child()
SCREEN_INFORMATION.VolTemplateProxy.size()
SCREEN_INFORMATION.cast()
SCREEN_INFORMATION.get_buffer()
SCREEN_INFORMATION.get_symbol_table_name()
SCREEN_INFORMATION.has_member()
SCREEN_INFORMATION.has_valid_member()
SCREEN_INFORMATION.has_valid_members()
SCREEN_INFORMATION.member()
SCREEN_INFORMATION.vol
SCREEN_INFORMATION.write()
- volatility3.framework.symbols.windows.extensions.crash module
SUMMARY_DUMP
SUMMARY_DUMP.VolTemplateProxy
SUMMARY_DUMP.cast()
SUMMARY_DUMP.get_buffer()
SUMMARY_DUMP.get_buffer_char()
SUMMARY_DUMP.get_buffer_long()
SUMMARY_DUMP.get_symbol_table_name()
SUMMARY_DUMP.has_member()
SUMMARY_DUMP.has_valid_member()
SUMMARY_DUMP.has_valid_members()
SUMMARY_DUMP.member()
SUMMARY_DUMP.vol
SUMMARY_DUMP.write()
- volatility3.framework.symbols.windows.extensions.kdbg module
KDDEBUGGER_DATA64
KDDEBUGGER_DATA64.VolTemplateProxy
KDDEBUGGER_DATA64.cast()
KDDEBUGGER_DATA64.get_build_lab()
KDDEBUGGER_DATA64.get_csdversion()
KDDEBUGGER_DATA64.get_symbol_table_name()
KDDEBUGGER_DATA64.has_member()
KDDEBUGGER_DATA64.has_valid_member()
KDDEBUGGER_DATA64.has_valid_members()
KDDEBUGGER_DATA64.member()
KDDEBUGGER_DATA64.vol
KDDEBUGGER_DATA64.write()
- volatility3.framework.symbols.windows.extensions.mbr module
PARTITION_ENTRY
PARTITION_ENTRY.VolTemplateProxy
PARTITION_ENTRY.cast()
PARTITION_ENTRY.get_bootable_flag()
PARTITION_ENTRY.get_ending_chs()
PARTITION_ENTRY.get_ending_cylinder()
PARTITION_ENTRY.get_ending_sector()
PARTITION_ENTRY.get_partition_type()
PARTITION_ENTRY.get_size_in_sectors()
PARTITION_ENTRY.get_starting_chs()
PARTITION_ENTRY.get_starting_cylinder()
PARTITION_ENTRY.get_starting_lba()
PARTITION_ENTRY.get_starting_sector()
PARTITION_ENTRY.get_symbol_table_name()
PARTITION_ENTRY.has_member()
PARTITION_ENTRY.has_valid_member()
PARTITION_ENTRY.has_valid_members()
PARTITION_ENTRY.is_bootable()
PARTITION_ENTRY.member()
PARTITION_ENTRY.vol
PARTITION_ENTRY.write()
PARTITION_TABLE
PARTITION_TABLE.VolTemplateProxy
PARTITION_TABLE.cast()
PARTITION_TABLE.get_disk_signature()
PARTITION_TABLE.get_symbol_table_name()
PARTITION_TABLE.has_member()
PARTITION_TABLE.has_valid_member()
PARTITION_TABLE.has_valid_members()
PARTITION_TABLE.member()
PARTITION_TABLE.vol
PARTITION_TABLE.write()
- volatility3.framework.symbols.windows.extensions.mft module
MFTAttribute
MFTAttribute.VolTemplateProxy
MFTAttribute.cast()
MFTAttribute.get_resident_filecontent()
MFTAttribute.get_resident_filename()
MFTAttribute.get_symbol_table_name()
MFTAttribute.has_member()
MFTAttribute.has_valid_member()
MFTAttribute.has_valid_members()
MFTAttribute.member()
MFTAttribute.vol
MFTAttribute.write()
MFTEntry
MFTFileName
- volatility3.framework.symbols.windows.extensions.network module
- volatility3.framework.symbols.windows.extensions.pe module
IMAGE_DOS_HEADER
IMAGE_DOS_HEADER.VolTemplateProxy
IMAGE_DOS_HEADER.cast()
IMAGE_DOS_HEADER.fix_image_base()
IMAGE_DOS_HEADER.get_nt_header()
IMAGE_DOS_HEADER.get_symbol_table_name()
IMAGE_DOS_HEADER.has_member()
IMAGE_DOS_HEADER.has_valid_member()
IMAGE_DOS_HEADER.has_valid_members()
IMAGE_DOS_HEADER.member()
IMAGE_DOS_HEADER.reconstruct()
IMAGE_DOS_HEADER.replace_header_field()
IMAGE_DOS_HEADER.vol
IMAGE_DOS_HEADER.write()
IMAGE_NT_HEADERS
IMAGE_NT_HEADERS.VolTemplateProxy
IMAGE_NT_HEADERS.cast()
IMAGE_NT_HEADERS.get_sections()
IMAGE_NT_HEADERS.get_symbol_table_name()
IMAGE_NT_HEADERS.has_member()
IMAGE_NT_HEADERS.has_valid_member()
IMAGE_NT_HEADERS.has_valid_members()
IMAGE_NT_HEADERS.member()
IMAGE_NT_HEADERS.vol
IMAGE_NT_HEADERS.write()
- volatility3.framework.symbols.windows.extensions.pool module
ExecutiveObject
OBJECT_HEADER
OBJECT_HEADER.NameInfo
OBJECT_HEADER.VolTemplateProxy
OBJECT_HEADER.cast()
OBJECT_HEADER.get_object_type()
OBJECT_HEADER.get_symbol_table_name()
OBJECT_HEADER.has_member()
OBJECT_HEADER.has_valid_member()
OBJECT_HEADER.has_valid_members()
OBJECT_HEADER.is_valid()
OBJECT_HEADER.member()
OBJECT_HEADER.vol
OBJECT_HEADER.write()
POOL_HEADER
POOL_HEADER.VolTemplateProxy
POOL_HEADER.cast()
POOL_HEADER.get_object()
POOL_HEADER.get_symbol_table_name()
POOL_HEADER.has_member()
POOL_HEADER.has_valid_member()
POOL_HEADER.has_valid_members()
POOL_HEADER.is_free_pool()
POOL_HEADER.is_nonpaged_pool()
POOL_HEADER.is_paged_pool()
POOL_HEADER.member()
POOL_HEADER.vol
POOL_HEADER.write()
POOL_HEADER_VISTA
POOL_HEADER_VISTA.VolTemplateProxy
POOL_HEADER_VISTA.cast()
POOL_HEADER_VISTA.get_object()
POOL_HEADER_VISTA.get_symbol_table_name()
POOL_HEADER_VISTA.has_member()
POOL_HEADER_VISTA.has_valid_member()
POOL_HEADER_VISTA.has_valid_members()
POOL_HEADER_VISTA.is_free_pool()
POOL_HEADER_VISTA.is_nonpaged_pool()
POOL_HEADER_VISTA.is_paged_pool()
POOL_HEADER_VISTA.member()
POOL_HEADER_VISTA.vol
POOL_HEADER_VISTA.write()
POOL_TRACKER_BIG_PAGES
POOL_TRACKER_BIG_PAGES.VolTemplateProxy
POOL_TRACKER_BIG_PAGES.VolTemplateProxy.child_template()
POOL_TRACKER_BIG_PAGES.VolTemplateProxy.children()
POOL_TRACKER_BIG_PAGES.VolTemplateProxy.has_member()
POOL_TRACKER_BIG_PAGES.VolTemplateProxy.relative_child_offset()
POOL_TRACKER_BIG_PAGES.VolTemplateProxy.replace_child()
POOL_TRACKER_BIG_PAGES.VolTemplateProxy.size()
POOL_TRACKER_BIG_PAGES.cast()
POOL_TRACKER_BIG_PAGES.get_key()
POOL_TRACKER_BIG_PAGES.get_number_of_bytes()
POOL_TRACKER_BIG_PAGES.get_pool_type()
POOL_TRACKER_BIG_PAGES.get_symbol_table_name()
POOL_TRACKER_BIG_PAGES.has_member()
POOL_TRACKER_BIG_PAGES.has_valid_member()
POOL_TRACKER_BIG_PAGES.has_valid_members()
POOL_TRACKER_BIG_PAGES.is_free()
POOL_TRACKER_BIG_PAGES.is_valid()
POOL_TRACKER_BIG_PAGES.member()
POOL_TRACKER_BIG_PAGES.pool_type_lookup
POOL_TRACKER_BIG_PAGES.vol
POOL_TRACKER_BIG_PAGES.write()
- volatility3.framework.symbols.windows.extensions.registry module
CMHIVE
CM_KEY_BODY
CM_KEY_NODE
CM_KEY_NODE.VolTemplateProxy
CM_KEY_NODE.cast()
CM_KEY_NODE.get_key_path()
CM_KEY_NODE.get_name()
CM_KEY_NODE.get_subkeys()
CM_KEY_NODE.get_symbol_table_name()
CM_KEY_NODE.get_values()
CM_KEY_NODE.get_volatile()
CM_KEY_NODE.has_member()
CM_KEY_NODE.has_valid_member()
CM_KEY_NODE.has_valid_members()
CM_KEY_NODE.member()
CM_KEY_NODE.vol
CM_KEY_NODE.write()
CM_KEY_VALUE
CM_KEY_VALUE.VolTemplateProxy
CM_KEY_VALUE.cast()
CM_KEY_VALUE.decode_data()
CM_KEY_VALUE.get_name()
CM_KEY_VALUE.get_symbol_table_name()
CM_KEY_VALUE.get_type()
CM_KEY_VALUE.has_member()
CM_KEY_VALUE.has_valid_member()
CM_KEY_VALUE.has_valid_members()
CM_KEY_VALUE.member()
CM_KEY_VALUE.vol
CM_KEY_VALUE.write()
HMAP_ENTRY
RegKeyFlags
RegKeyFlags.KEY_COMP_NAME
RegKeyFlags.KEY_HIVE_ENTRY
RegKeyFlags.KEY_HIVE_EXIT
RegKeyFlags.KEY_IS_VOLATILE
RegKeyFlags.KEY_NO_DELETE
RegKeyFlags.KEY_PREFEF_HANDLE
RegKeyFlags.KEY_SYM_LINK
RegKeyFlags.KEY_VIRTUAL_STORE
RegKeyFlags.KEY_VIRT_MIRRORED
RegKeyFlags.KEY_VIRT_TARGET
RegKeyFlags.as_integer_ratio()
RegKeyFlags.bit_count()
RegKeyFlags.bit_length()
RegKeyFlags.conjugate()
RegKeyFlags.denominator
RegKeyFlags.from_bytes()
RegKeyFlags.imag
RegKeyFlags.numerator
RegKeyFlags.real
RegKeyFlags.to_bytes()
RegValueTypes
RegValueTypes.REG_BINARY
RegValueTypes.REG_DWORD
RegValueTypes.REG_DWORD_BIG_ENDIAN
RegValueTypes.REG_EXPAND_SZ
RegValueTypes.REG_FULL_RESOURCE_DESCRIPTOR
RegValueTypes.REG_LINK
RegValueTypes.REG_MULTI_SZ
RegValueTypes.REG_NONE
RegValueTypes.REG_QWORD
RegValueTypes.REG_RESOURCE_LIST
RegValueTypes.REG_RESOURCE_REQUIREMENTS_LIST
RegValueTypes.REG_SZ
RegValueTypes.REG_UNKNOWN
- volatility3.framework.symbols.windows.extensions.services module
SERVICE_HEADER
SERVICE_RECORD
SERVICE_RECORD.VolTemplateProxy
SERVICE_RECORD.cast()
SERVICE_RECORD.get_binary()
SERVICE_RECORD.get_display()
SERVICE_RECORD.get_name()
SERVICE_RECORD.get_pid()
SERVICE_RECORD.get_symbol_table_name()
SERVICE_RECORD.get_type()
SERVICE_RECORD.has_member()
SERVICE_RECORD.has_valid_member()
SERVICE_RECORD.has_valid_members()
SERVICE_RECORD.is_valid()
SERVICE_RECORD.member()
SERVICE_RECORD.traverse()
SERVICE_RECORD.vol
SERVICE_RECORD.write()
- volatility3.framework.symbols.windows.extensions.shimcache module
RTL_AVL_TABLE
SHIM_CACHE_ENTRY
SHIM_CACHE_ENTRY.VolTemplateProxy
SHIM_CACHE_ENTRY.cast()
SHIM_CACHE_ENTRY.exec_flag
SHIM_CACHE_ENTRY.file_path
SHIM_CACHE_ENTRY.file_size
SHIM_CACHE_ENTRY.get_symbol_table_name()
SHIM_CACHE_ENTRY.has_member()
SHIM_CACHE_ENTRY.has_valid_member()
SHIM_CACHE_ENTRY.has_valid_members()
SHIM_CACHE_ENTRY.is_valid()
SHIM_CACHE_ENTRY.last_modified
SHIM_CACHE_ENTRY.last_update
SHIM_CACHE_ENTRY.member()
SHIM_CACHE_ENTRY.vol
SHIM_CACHE_ENTRY.write()
SHIM_CACHE_HANDLE
SHIM_CACHE_HANDLE.VolTemplateProxy
SHIM_CACHE_HANDLE.cast()
SHIM_CACHE_HANDLE.get_symbol_table_name()
SHIM_CACHE_HANDLE.has_member()
SHIM_CACHE_HANDLE.has_valid_member()
SHIM_CACHE_HANDLE.has_valid_members()
SHIM_CACHE_HANDLE.head
SHIM_CACHE_HANDLE.is_valid()
SHIM_CACHE_HANDLE.member()
SHIM_CACHE_HANDLE.vol
SHIM_CACHE_HANDLE.write()