volatility3.framework.symbols.windows.extensions.pool module

class ExecutiveObject(context, type_name, object_info, **kwargs)[source]

Bases: ObjectInterface

This is used as a “mixin” that provides all kernel executive objects with a means of finding their own object header.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: object

A container for proxied methods that the ObjectTemplate of this object will call. This is primarily to keep the methods together for easy organization and management; there is no significant need for it to be a separate class.

The methods of this class must be class methods rather than standard methods, to allow for code reuse. Each method also takes a template since the templates may contain the necessary data about the yet-to-be-constructed object. It allows objects to control how their templates respond without needing to write new templates for each and every potential object type.

abstract classmethod child_template(template, child)

Returns the template of the child member from the parent.

Return type:

Template

abstract classmethod children(template)

Returns the children of the template.

Return type:

List[Template]

abstract classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

abstract classmethod relative_child_offset(template, child)

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

abstract classmethod replace_child(template, old_child, new_child)

Substitutes the old_child for the new_child.

Return type:

None

abstract classmethod size(template)

Returns the size of the template object.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_object_header()[source]

Returns the OBJECT_HEADER that immediately precedes this executive object in memory.

Return type:

OBJECT_HEADER

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Parameters:

member_name (str) – Name to test whether a member exists within the type structure

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of member names whose validity is to be tested

Return type:

bool

property vol: ReadOnlyMapping

Returns the volatility specific object information.

abstract write(value)

Writes the new value into the format at the offset the object currently resides at.

class OBJECT_HEADER(context, type_name, object_info, size, members)[source]

Bases: StructType

A class for the headers for executive kernel objects, which contains quota information, ownership details, naming data, and ACLs.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

property NameInfo: ObjectInterface

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replaces a child element within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_object_type(type_map, cookie=None)[source]

Across all Windows versions, the _OBJECT_HEADER embeds details on the type of object (e.g. process or file), but the way they are embedded differs between versions.

This API abstracts away those details.

Return type:

Optional[str]
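The two lookups described above (finding the _OBJECT_HEADER from an executive object, and resolving the object type from the header) are easy to get wrong across versions, so here is an added, self-contained illustration of both. It is not Volatility's code: the header offsets (TypeIndex at 0x18, Body at 0x30) are assumed x64 Windows 7+ values that the framework would normally read from the symbol table, the type map, cookie and memory image are constructed for the example, and the decode rule is the one Windows 10 1607 and later apply (TypeIndex XOR nt!ObHeaderCookie XOR the second-lowest byte of the header address). In the framework, type_map and cookie are the values the plugin has already read from nt!ObTypeIndexTable and nt!ObHeaderCookie; whether a cookie applies is decided from the kernel symbols, not from the header itself.

```python
from typing import Dict, Optional

# Assumed x64 layout of _OBJECT_HEADER for Windows 7 and later (illustration
# only; Volatility reads the real offsets from the profile's symbol table):
#   offset 0x18: UCHAR TypeIndex
#   offset 0x30: Body  (the executive object itself, e.g. _EPROCESS)
OBJECT_HEADER_TYPEINDEX_OFFSET = 0x18
OBJECT_HEADER_BODY_OFFSET = 0x30


def object_header_offset(body_offset: int) -> int:
    """What ExecutiveObject.get_object_header() has to compute: the executive
    object is the Body member of its _OBJECT_HEADER, so the header starts a
    fixed distance before the object."""
    return body_offset - OBJECT_HEADER_BODY_OFFSET


def decode_type_index(header_offset: int, raw_index: int,
                      cookie: Optional[int]) -> int:
    """Windows 10 1607 and later store TypeIndex XORed with nt!ObHeaderCookie
    and with the second-lowest byte of the header's own address; earlier
    versions store the index in the clear, which a None cookie selects."""
    if cookie is None:
        return raw_index
    return (raw_index ^ cookie ^ ((header_offset >> 8) & 0xFF)) & 0xFF


def get_object_type(memory: bytes, base: int, body_offset: int,
                    type_map: Dict[int, str],
                    cookie: Optional[int] = None) -> Optional[str]:
    """Resolve the type name of the executive object at body_offset.
    `memory` is a byte image of kernel memory whose first byte lives at
    virtual address `base`; `type_map` maps a decoded index to the name
    recorded in nt!ObTypeIndexTable (e.g. 7 -> "Process")."""
    header_offset = object_header_offset(body_offset)
    raw = memory[header_offset - base + OBJECT_HEADER_TYPEINDEX_OFFSET]
    return type_map.get(decode_type_index(header_offset, raw, cookie))


# Constructed sample: a 0x400-byte kernel-memory image at an arbitrary base
# holding two object headers. The Process index (7) and the cookie (0x3B)
# are made up for this example.
SAMPLE_BASE = 0xFFFF8A0000400000
SAMPLE_COOKIE = 0x3B
SAMPLE_TYPE_MAP = {5: "Job", 7: "Process", 0x25: "File"}


def build_sample_memory() -> bytes:
    mem = bytearray(0x400)
    # Header A at base+0x200: Windows 10 1607+ style, TypeIndex obfuscated.
    hdr_a = SAMPLE_BASE + 0x200
    mem[0x200 + OBJECT_HEADER_TYPEINDEX_OFFSET] = (
        7 ^ SAMPLE_COOKIE ^ ((hdr_a >> 8) & 0xFF))
    # Header B at base+0x300: pre-1607 style, TypeIndex stored in the clear.
    mem[0x300 + OBJECT_HEADER_TYPEINDEX_OFFSET] = 7
    return bytes(mem)


if __name__ == "__main__":
    mem = build_sample_memory()
    body_a, body_b = SAMPLE_BASE + 0x230, SAMPLE_BASE + 0x330
    print(get_object_type(mem, SAMPLE_BASE, body_a, SAMPLE_TYPE_MAP, SAMPLE_COOKIE))
    print(get_object_type(mem, SAMPLE_BASE, body_a, SAMPLE_TYPE_MAP))  # wrong: no cookie
    print(get_object_type(mem, SAMPLE_BASE, body_b, SAMPLE_TYPE_MAP))
```

Feeding a 1607+ header through the decoder without its cookie (or a pre-1607 header with one) yields an index that is usually not in the type map, so a plugin that silently gets None back for every object is a sign that the cookie, not the memory image, is wrong.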

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of member names whose validity is to be tested

Return type:

bool

is_valid()[source]

Determine if the object is valid.

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class POOL_HEADER(context, type_name, object_info, size, members)[source]

Bases: StructType

A kernel pool allocation header.

Exists at the base of the allocation and provides a tag that we can scan for.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replaces a child element within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_object(constraint, use_top_down, kernel_symbol_table=None, native_layer_name=None)[source]

Carve an object or data structure from a kernel pool allocation

Parameters:
  • constraint (PoolConstraint) – the PoolConstraint describing the allocation to match (tag, size range, pool type) and the type name of the object to carve

  • use_top_down (bool) – whether the object body is located top-down (walking forward from the pool header) or bottom-up (placing the object at the end of the allocation); which applies depends on the Windows version

  • kernel_symbol_table (Optional[str]) – the kernel symbol table name, needed when the objects being scanned for belong to a symbol table other than this header's

  • native_layer_name (Optional[str]) – the name of the layer where the data originally lived

Return type:

Optional[ObjectInterface]

Returns:

An object as found from a POOL_HEADER
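To make the constraint, size and top-down/bottom-up checks concrete, here is an added stand-alone model of what scanning for a tag, parsing the POOL_HEADER and carving an object involve (it also covers the is_free_pool, is_nonpaged_pool and is_paged_pool tests further down). It is not the framework's implementation: the x64 _POOL_HEADER layout, the Vista-and-later PoolType encoding (pool type stored plus one, so 0 is free, odd is NonPagedPool, even is PagedPool), the simplified PoolConstraint, and the 1 KiB pool fragment are all assumptions constructed for the example. Real plugins build a poolscanner PoolConstraint and let the framework handle the _OBJECT_HEADER and optional headers that sit between the pool header and an executive object's body.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Iterator, List, Optional

# Assumed x64 _POOL_HEADER layout (Vista through Windows 10, 64-bit); the
# framework reads the real one from the symbol table:
#   0x00  ULONG  PreviousSize:8 | PoolIndex:8 | BlockSize:8 | PoolType:8
#   0x04  ULONG  PoolTag
#   0x08  PVOID  ProcessBilled (or AllocatorBackTraceIndex / PoolTagHash)
# BlockSize and PreviousSize count 16-byte units on x64 (8-byte on x86).
POOL_HEADER_SIZE = 0x10
POOL_ALIGNMENT = 0x10


@dataclass
class PoolHeader:
    offset: int
    previous_size: int
    pool_index: int
    block_size: int
    pool_type: int
    pool_tag: bytes

    @property
    def allocation_size(self) -> int:
        return self.block_size * POOL_ALIGNMENT

    # Assumed Vista+ encoding: kernel stores pool type + 1, so 0 = freed,
    # odd = NonPagedPool, even = PagedPool.
    def is_free_pool(self) -> bool:
        return self.pool_type == 0

    def is_nonpaged_pool(self) -> bool:
        return self.pool_type % 2 == 1

    def is_paged_pool(self) -> bool:
        return self.pool_type != 0 and self.pool_type % 2 == 0

    def page_type(self) -> str:
        if self.is_free_pool():
            return "free"
        return "paged" if self.is_paged_pool() else "nonpaged"


@dataclass
class PoolConstraint:
    """Simplified stand-in for the poolscanner plugin's PoolConstraint."""
    tag: bytes
    object_size: int        # size of the structure being carved
    min_size: int           # accepted BlockSize * alignment range
    max_size: int
    page_types: FrozenSet[str]


def parse_pool_header(buf: bytes, offset: int) -> PoolHeader:
    ulong1, tag = struct.unpack_from("<I4s", buf, offset)
    return PoolHeader(offset, ulong1 & 0xFF, (ulong1 >> 8) & 0xFF,
                      (ulong1 >> 16) & 0xFF, (ulong1 >> 24) & 0xFF, tag)


def scan_pool_tags(buf: bytes, tag: bytes) -> Iterator[int]:
    """Yield header offsets whose PoolTag matches: the tag sits 4 bytes into
    the header, and a genuine header is aligned to the pool granularity."""
    pos = buf.find(tag)
    while pos != -1:
        header = pos - 4
        if header >= 0 and header % POOL_ALIGNMENT == 0:
            yield header
        pos = buf.find(tag, pos + 1)


def object_body_offset(header: PoolHeader, constraint: PoolConstraint,
                       use_top_down: bool) -> int:
    if use_top_down:
        # Body directly follows the pool header (no object/optional headers
        # are modelled here).
        return header.offset + POOL_HEADER_SIZE
    # Bottom-up: the object is the last thing in the allocation.
    return header.offset + header.allocation_size - constraint.object_size


def get_object(buf: bytes, header: PoolHeader, constraint: PoolConstraint,
               use_top_down: bool) -> Optional[int]:
    """Body offset of the carved object, or None if the constraint fails."""
    if header.pool_tag != constraint.tag:
        return None
    if header.page_type() not in constraint.page_types:
        return None
    if not constraint.min_size <= header.allocation_size <= constraint.max_size:
        return None
    body = object_body_offset(header, constraint, use_top_down)
    if body < header.offset + POOL_HEADER_SIZE or body + constraint.object_size > len(buf):
        return None
    return body


def carve(buf: bytes, constraint: PoolConstraint, use_top_down: bool) -> List[int]:
    found = []
    for header_offset in scan_pool_tags(buf, constraint.tag):
        body = get_object(buf, parse_pool_header(buf, header_offset), constraint, use_top_down)
        if body is not None:
            found.append(body)
    return found


# Constructed sample: toy sizes (a real _EPROCESS is far larger than 0x80).
PROC_CONSTRAINT = PoolConstraint(tag=b"Proc", object_size=0x80, min_size=0x90,
                                 max_size=0x200, page_types=frozenset({"nonpaged", "free"}))


def build_sample_pool() -> bytes:
    def header(block_size: int, pool_type: int, tag: bytes) -> bytes:
        ulong1 = (block_size << 16) | (pool_type << 24)  # PreviousSize/PoolIndex = 0
        return struct.pack("<I4sQ", ulong1, tag, 0)
    buf = bytearray(0x400)
    buf[0x100:0x110] = header(0x0A, 1, b"Proc")  # in-use NonPagedPool, 0xA0 bytes
    buf[0x200:0x210] = header(0x0A, 0, b"Proc")  # freed block of the same size
    buf[0x2C0:0x2D0] = header(0x02, 2, b"Proc")  # PagedPool and only 0x20 bytes
    buf[0x305:0x309] = b"Proc"                   # stray tag bytes, unaligned
    return bytes(buf)
```

Running carve() on the sample with use_top_down=True yields bodies at 0x110 and 0x210, and with use_top_down=False at 0x120 and 0x220; the freed block is deliberately kept because recovering freed objects is the point of pool scanning, while the undersized paged block and the unaligned stray tag are rejected. Picking the wrong use_top_down for the Windows version silently shifts every carved object by the slack in the allocation, which is why the scanner, not the caller, decides it from the detected version.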

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of member names whose validity is to be tested

Return type:

bool

is_free_pool()[source]

Returns whether the allocation is marked free.

is_nonpaged_pool()[source]

Returns whether the allocation belongs to the non-paged pool.

is_paged_pool()[source]

Returns whether the allocation belongs to the paged pool.
member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class POOL_HEADER_VISTA(context, type_name, object_info, size, members)[source]

Bases: POOL_HEADER

A kernel pool allocation header, updated for Vista and later.

Exists at the base of the allocation and provides a tag that we can scan for.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replaces a child element within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_object(constraint, use_top_down, kernel_symbol_table=None, native_layer_name=None)

Carve an object or data structure from a kernel pool allocation

Parameters:
  • constraint (PoolConstraint) – the PoolConstraint describing the allocation to match (tag, size range, pool type) and the type name of the object to carve

  • use_top_down (bool) – whether the object body is located top-down (walking forward from the pool header) or bottom-up (placing the object at the end of the allocation); which applies depends on the Windows version

  • kernel_symbol_table (Optional[str]) – the kernel symbol table name, needed when the objects being scanned for belong to a symbol table other than this header's

  • native_layer_name (Optional[str]) – the name of the layer where the data originally lived

Return type:

Optional[ObjectInterface]

Returns:

An object as found from a POOL_HEADER

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of member names whose validity is to be tested

Return type:

bool

is_free_pool()

Returns whether the allocation is marked free.

is_nonpaged_pool()[source]

Returns whether the allocation belongs to the non-paged pool, using the PoolType encoding of Vista and later.

is_paged_pool()[source]

Returns whether the allocation belongs to the paged pool, using the PoolType encoding of Vista and later.
member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class POOL_TRACKER_BIG_PAGES(context, type_name, object_info, size, members)[source]

Bases: StructType

A kernel big page pool tracker.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replaces a child element within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_key()[source]

Returns the Key value as a 4-character string

Return type:

str

get_number_of_bytes()[source]

Returns the NumberOfBytes value on systems whose tracker entries carry that member; otherwise a BaseAbsentValue

Return type:

Union[int, BaseAbsentValue]

get_pool_type()[source]

Returns the enumeration name for the PoolType value on systems whose tracker entries carry that member; otherwise a BaseAbsentValue

Return type:

Union[str, BaseAbsentValue]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of member names whose validity is to be tested

Return type:

bool

is_free()[source]

Returns True if the tracked allocation has been freed and False if it is still in use

Return type:

bool

is_valid()[source]

Determine if the tracker entry is valid.

Return type:

bool
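The big-page tracker methods above (get_key, get_pool_type, is_free, is_valid) are small, but the entry layout and the free-bit convention are easy to misread, so here is an added self-contained walk over a constructed tracker table. It is not the module's code: the entry layout (Va, Key, PoolType, NumberOfBytes, 0x18 bytes on 64-bit) is an assumed Windows 7-era x64 layout, the _POOL_TYPE excerpt stands in for the pool_type_lookup the module builds from the symbol table, the is_valid() heuristic is this example's own, and the four table slots are made up. On versions whose entries lack PoolType or NumberOfBytes the module returns a BaseAbsentValue instead, which is why its return types are unions.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Assumed x64 layout of one _POOL_TRACKER_BIG_PAGES entry (Windows 7 era;
# the framework takes the real layout from the symbol table):
#   0x00  PVOID     Va             low bit set => slot has been freed
#   0x08  ULONG     Key            pool tag of the allocation
#   0x0C  ULONG     PoolType       value from the _POOL_TYPE enumeration
#   0x10  ULONGLONG NumberOfBytes  allocation size
BIG_PAGE_ENTRY_SIZE = 0x18
PAGE_SIZE = 0x1000

# Constructed excerpt of _POOL_TYPE, standing in for pool_type_lookup.
POOL_TYPE_LOOKUP = {
    0: "NonPagedPool",
    1: "PagedPool",
    2: "NonPagedPoolMustSucceed",
    4: "NonPagedPoolCacheAligned",
    512: "NonPagedPoolNx",
}


@dataclass
class BigPageEntry:
    offset: int
    va: int
    key: bytes
    pool_type: int
    number_of_bytes: int

    def is_free(self) -> bool:
        return self.va & 1 == 1

    def is_valid(self) -> bool:
        # Example heuristic: a tracked allocation is non-zero and page-aligned
        # once the free bit is masked off, and has a non-zero size.
        va = self.va & ~1
        return va != 0 and va % PAGE_SIZE == 0 and self.number_of_bytes != 0

    def get_key(self) -> str:
        # Always four characters; non-printable bytes are shown as "."
        return "".join(chr(b) if 32 <= b < 127 else "." for b in self.key)

    def get_pool_type(self) -> str:
        return POOL_TYPE_LOOKUP.get(self.pool_type, f"Unknown({self.pool_type})")


def parse_big_page_entry(table: bytes, offset: int) -> BigPageEntry:
    va, key, pool_type, nbytes = struct.unpack_from("<Q4sIQ", table, offset)
    return BigPageEntry(offset, va, key, pool_type, nbytes)


def walk_big_page_table(table: bytes) -> List[Tuple[str, str, int]]:
    """(tag, pool type name, size) for every valid, in-use entry."""
    out = []
    for offset in range(0, len(table) - BIG_PAGE_ENTRY_SIZE + 1, BIG_PAGE_ENTRY_SIZE):
        entry = parse_big_page_entry(table, offset)
        if entry.is_valid() and not entry.is_free():
            out.append((entry.get_key(), entry.get_pool_type(), entry.number_of_bytes))
    return out


def build_sample_table() -> bytes:
    """Constructed nt!PoolBigPageTable fragment with four slots."""
    def entry(va: int, key: bytes, pool_type: int, nbytes: int) -> bytes:
        return struct.pack("<Q4sIQ", va, key, pool_type, nbytes)
    return b"".join([
        entry(0xFFFFF8A001230000, b"CM16", 1, 0x2000),     # in-use PagedPool
        entry(0xFFFFF8A001240001, b"MmSt", 1, 0x10000),    # freed: Va low bit set
        entry(0, b"\x00\x00\x00\x00", 0, 0),               # empty slot
        entry(0xFFFFF80002C00000, b"Ntff", 512, 0x3000),   # in-use NonPagedPoolNx
    ])


if __name__ == "__main__":
    for tag, pool_type, size in walk_big_page_table(build_sample_table()):
        print(f"{tag} {pool_type:<24} {size:#x}")
```

The freed MmSt slot still carries its tag, type and size, so a plugin that wants to report freed big-page allocations (as a scanner would for freed pool blocks) can keep entries where is_free() is True instead of dropping them as this walk does.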

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

pool_type_lookup: Dict[str, str] = {}

Cached mapping from PoolType values to _POOL_TYPE enumeration names, used by get_pool_type().

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.