volatility3.framework.symbols.windows.extensions.registry module

class CMHIVE(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_name()[source]

Determine a name for the hive.

Note that some attributes are unpredictably blank across different OS versions while others are populated, so we check all possibilities and take the first one that’s not empty

Return type:: Optional[ObjectInterface]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

is_valid()[source]

Determine if the object is valid.

Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property name: ObjectInterface | None

Determine a name for the hive.

Note that some attributes are unpredictably blank across different OS versions while others are populated, so we check all possibilities and take the first one that’s not empty

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class CM_KEY_BODY(context, type_name, object_info, size, members)[source]

Bases: StructType

This represents an open handle to a registry key and is not tied to the registry hive file format on disk.

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_full_key_name()[source]

Return type:: str

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class CM_KEY_NODE(context, type_name, object_info, size, members)[source]

Bases: StructType

Extension to allow traversal of registry keys.

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_key_path()[source]

Return type:: str

get_name()[source]

Gets the name for the current key node

Return type:: ObjectInterface

get_subkeys()[source]

Returns a list of the key nodes.

Return type:: Iterable[ObjectInterface]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_values()[source]

Returns a list of the Value nodes for a key.

Return type:: Iterable[ObjectInterface]

get_volatile()[source]

Return type:: bool

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class CM_KEY_VALUE(context, type_name, object_info, size, members)[source]

Bases: StructType

Extensions to extract data from CM_KEY_VALUE nodes.

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

decode_data()[source]

Properly decodes the data associated with the value node

Return type:: Union[int, bytes]

get_name()[source]

Gets the name for the current key value

Return type:: ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class HMAP_ENTRY(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional): Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_block_offset()[source]

Return type:: int

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class RegKeyFlags(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)[source]

Bases: IntEnum

KEY_COMP_NAME = 32

KEY_HIVE_ENTRY = 4

KEY_HIVE_EXIT = 2

KEY_IS_VOLATILE = 1

KEY_NO_DELETE = 8

KEY_PREFEF_HANDLE = 64

KEY_SYM_LINK = 16

KEY_VIRTUAL_STORE = 512

KEY_VIRT_MIRRORED = 128

KEY_VIRT_TARGET = 256

as_integer_ratio()

Return integer ratio.

Return a pair of integers, whose ratio is exactly equal to the original int and with a positive denominator.

>>> (10).as_integer_ratio()
(10, 1)
>>> (-10).as_integer_ratio()
(-10, 1)
>>> (0).as_integer_ratio()
(0, 1)

bit_count()

Number of ones in the binary representation of the absolute value of self.

Also known as the population count.

>>> bin(13)
'0b1101'
>>> (13).bit_count()
3

bit_length()

Number of bits necessary to represent self in binary.

>>> bin(37)
'0b100101'
>>> (37).bit_length()
6

conjugate(): Returns self, the complex conjugate of any int.

denominator: the denominator of a rational number in lowest terms

from_bytes(byteorder='big', *, signed=False)

Return the integer represented by the given array of bytes.

bytes: Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.
byteorder: The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use `sys.byteorder’ as the byte order value. Default is to use ‘big’.
signed: Indicates whether two’s complement is used to represent the integer.

imag: the imaginary part of a complex number

numerator: the numerator of a rational number in lowest terms

real: the real part of a complex number

to_bytes(length=1, byteorder='big', *, signed=False)

Return an array of bytes representing an integer.

length: Length of bytes object to use. An OverflowError is raised if the integer is not representable with the given number of bytes. Default is length 1.
byteorder: The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use `sys.byteorder’ as the byte order value. Default is to use ‘big’.
signed: Determines whether two’s complement is used to represent the integer. If signed is False and a negative integer is given, an OverflowError is raised.

class RegValueTypes(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)[source]

Bases: Enum

REG_BINARY = 3

REG_DWORD = 4

REG_DWORD_BIG_ENDIAN = 5

REG_EXPAND_SZ = 2

REG_FULL_RESOURCE_DESCRIPTOR = 9

REG_LINK = 6

REG_MULTI_SZ = 7

REG_NONE = 0

REG_QWORD = 11

REG_RESOURCE_LIST = 8

REG_RESOURCE_REQUIREMENTS_LIST = 10

REG_SZ = 1

REG_UNKNOWN = 99999