volatility3.framework.symbols.windows.pdbconv module
- class PdbReader(context, location, database_name=None, progress_callback=None)
Bases: object
Class to read Microsoft PDB files.
This reads the various streams according to several sources describing how a PDB should be read. These sources include:
https://docs.rs/crate/pdb/0.5.0/source/src/
https://github.com/moyix/pdbparse
https://llvm.org/docs/PDB/index.html
https://github.com/Microsoft/microsoft-pdb/
In order to generate ISF files, we need the type stream (2) and the symbols stream (whose index varies). The MultiStream Format (MSF) wrapper is handled as a volatility layer, which constructs sublayers for each stream. Each stream can then be read contiguously, allowing the data to be accessed.
Volatility’s type system is strong when everything must be laid out in advance, but PDB data is reasonably dynamic, particularly when it comes to names. We must therefore parse it after we’ve collected other information already. This is in comparison to something such as Construct/pdbparse, which can use just-parsed data to determine the size of the dynamically sized data that follows.
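The stream reassembly described above, as an added example that is not volatility3's own code: a minimal reader for the MSF 7.00 container that parses the superblock at block 0, follows the block map to the stream directory, and rebuilds every stream contiguously, which is what the layer-per-stream design in volatility3 achieves. The on-disk layout follows the Microsoft and LLVM references cited above; the toy image, its 64-byte block size, the stream contents and the helper names (`read_msf_streams`, `build_toy_msf`, `demo`) are constructed for this example.

```python
import struct

# Added example (not volatility3's own code): parse a Microsoft MSF 7.00
# container and reassemble every stream contiguously.

MSF_MAGIC = b"Microsoft C/C++ MSF 7.00\r\n\x1aDS\x00\x00\x00"  # 32-byte superblock signature

# Fixed stream indices in a PDB. The symbol stream index is not fixed; it is
# recorded inside the DBI stream, which is why the page calls it "variable".
STREAM_PDB_INFO, STREAM_TPI, STREAM_DBI = 1, 2, 3


def _blocks_needed(nbytes, block_size):
    return (nbytes + block_size - 1) // block_size


def read_msf_streams(image):
    """Return a list of bytes objects, one per stream, in stream-index order.

    Raises ValueError instead of reading out of bounds when the image is
    truncated or a block index points past the end of the file.
    """
    if image[:32] != MSF_MAGIC:
        raise ValueError("not an MSF 7.00 image")
    block_size, _free_map, num_blocks, dir_bytes, _reserved, block_map_addr = \
        struct.unpack_from("<6I", image, 32)
    if block_size == 0 or len(image) < num_blocks * block_size:
        raise ValueError("truncated MSF image")

    def block(index):
        if index >= num_blocks:
            raise ValueError(f"block index {index} out of range")
        return image[index * block_size:(index + 1) * block_size]

    # The block at block_map_addr lists the blocks holding the stream directory;
    # the directory itself is not stored contiguously either.
    dir_block_count = _blocks_needed(dir_bytes, block_size)
    dir_block_ids = struct.unpack_from(f"<{dir_block_count}I", block(block_map_addr))
    directory = b"".join(block(i) for i in dir_block_ids)[:dir_bytes]

    # Directory layout: NumStreams, StreamSizes[NumStreams], then each stream's block list.
    (num_streams,) = struct.unpack_from("<I", directory, 0)
    sizes = struct.unpack_from(f"<{num_streams}I", directory, 4)
    pos = 4 + 4 * num_streams
    streams = []
    for size in sizes:
        count = _blocks_needed(size, block_size)
        ids = struct.unpack_from(f"<{count}I", directory, pos)
        pos += 4 * count
        streams.append(b"".join(block(i) for i in ids)[:size])
    return streams


def build_toy_msf(streams, block_size=64):
    """Construct a small MSF image (constructed test data, not a real PDB).

    Every stream is written to non-adjacent blocks so reassembly is really
    exercised; real PDBs typically use 4096-byte blocks.
    """
    blocks = {}
    next_free = 3  # block 0 (superblock) and blocks 1-2 (free-page maps) are reserved

    def alloc(data):
        nonlocal next_free
        ids = []
        for off in range(0, len(data), block_size):
            blocks[next_free] = data[off:off + block_size]
            ids.append(next_free)
            next_free += 2  # leave a gap after each block to break contiguity
        return ids

    stream_ids = [alloc(s) for s in streams]
    directory = struct.pack("<I", len(streams))
    directory += struct.pack(f"<{len(streams)}I", *(len(s) for s in streams))
    for ids in stream_ids:
        directory += struct.pack(f"<{len(ids)}I", *ids)
    dir_ids = alloc(directory)
    block_map_ids = alloc(struct.pack(f"<{len(dir_ids)}I", *dir_ids))
    num_blocks = next_free
    blocks[0] = MSF_MAGIC + struct.pack(
        "<6I", block_size, 1, num_blocks, len(directory), 0, block_map_ids[0])
    return b"".join(blocks.get(i, b"").ljust(block_size, b"\0") for i in range(num_blocks))


# Constructed stream contents. Stream 1 mimics the PDB info header layout
# (version, signature, age, 16-byte GUID); stream 2 is long enough to span
# three 64-byte blocks; stream 3 stands in for the DBI stream.
TOY_STREAMS = [
    b"",                                                    # 0: old directory (empty here)
    struct.pack("<3I", 20000404, 0, 1) + bytes(range(16)),  # 1: PDB info stream
    b"TPI " * 40,                                           # 2: type stream, 160 bytes
    b"DBI",                                                 # 3: DBI stream
]


def demo():
    """Round-trip the constructed streams through an MSF image and back."""
    return read_msf_streams(build_toy_msf(TOY_STREAMS))


if __name__ == "__main__":
    for index, stream in enumerate(demo()):
        print(f"stream {index}: {len(stream)} bytes")
```

Once the streams are reassembled, the type stream is simply `streams[STREAM_TPI]`, and a type-record parser can walk it sequentially without caring which blocks it came from, which is the property the class docstring relies on.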
- consume_padding(layer_name, offset)
Returns the amount of padding used between fields.
- consume_type(module, offset, length)
Returns a (leaf_type, name, object) tuple for a type, and the number of bytes consumed.
- property context
- convert_bytes_to_guid(original)
Convert the bytes to the correct ordering for a GUID.
- determine_extended_value(leaf_type, value, module, length)
Reads a value and potentially consumes more data to construct the value.
- get_size_from_index(index)
Returns the size of the structure based on the type index provided.
- classmethod load_pdb_layer(context, location)
Loads a PDB file into a layer within the context and returns the name of the new layer.
Note: the context may be changed by this method.
- static parse_string(structure, parse_as_pascal=False, size=0)
Consumes either a C string or a Pascal string, depending on the leaf type.
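An added illustration of what convert_bytes_to_guid and parse_string do, written for this page rather than taken from volatility3: the GUID is stored with its first three fields little-endian and must be byte-swapped to give the hex form a symbol server path shows, and a name in a type record is either NUL-terminated (newer leaf types) or length-prefixed (the *_ST leaf variants in type_handlers). The GUID bytes and the two name records are constructed sample data; the function names mirror the entries above, but their signatures and the `demo` helper are this example's own.

```python
import uuid

# Added example (not volatility3's own code): the two byte-level helpers
# described by convert_bytes_to_guid and parse_string, reimplemented here.


def guid_to_string(raw):
    """Return the 32 uppercase hex digits of a 16-byte GUID stored in Windows order.

    On disk the first three fields (Data1: 4 bytes, Data2: 2, Data3: 2) are
    little-endian; Data4 is a plain 8-byte array and keeps its order.
    """
    if len(raw) != 16:
        raise ValueError("GUID must be exactly 16 bytes")
    reordered = raw[3::-1] + raw[5:3:-1] + raw[7:5:-1] + raw[8:]
    return reordered.hex().upper()


def guid_to_string_stdlib(raw):
    """Same conversion via the standard library, as an independent cross-check."""
    return uuid.UUID(bytes_le=bytes(raw)).hex.upper()


def parse_string(data, offset=0, parse_as_pascal=False):
    """Return (text, bytes_consumed) for the name stored at `offset` in `data`.

    A Pascal string is one length byte followed by that many bytes; a C string
    runs to the first NUL. Both forms are bounds-checked so a malformed record
    raises instead of silently reading into the following record.
    """
    if parse_as_pascal:
        if offset >= len(data):
            raise ValueError("no length byte for Pascal string")
        length = data[offset]
        body = data[offset + 1:offset + 1 + length]
        if len(body) != length:
            raise ValueError("Pascal string runs past the end of the record")
        return body.decode("utf-8", errors="replace"), 1 + length
    end = data.find(b"\0", offset)
    if end < 0:
        raise ValueError("unterminated C string")
    return data[offset:end].decode("utf-8", errors="replace"), end - offset + 1


# Constructed sample data (not taken from a real PDB).
SAMPLE_GUID = bytes.fromhex("78563412341234120011223344556677")
C_STRING_RECORD = b"_EPROCESS\x00\x01\x02"   # NUL-terminated name, then unrelated bytes
PASCAL_RECORD = b"\x09_EPROCESS\x01\x02"     # length-prefixed name, same trailer


def demo():
    """Run both helpers over the constructed samples."""
    return {
        "guid": guid_to_string(SAMPLE_GUID),
        "guid_stdlib": guid_to_string_stdlib(SAMPLE_GUID),
        "c": parse_string(C_STRING_RECORD),
        "pascal": parse_string(PASCAL_RECORD, parse_as_pascal=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The byte count returned alongside each name is what lets a caller advance to the next field in a record whose size depends on the name, which is the dynamic-length problem the class docstring describes.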
- property pdb_layer_name
- process_types(type_references)
Reads the TPI and symbol streams to populate the reader’s variables.
- read_necessary_streams()
Read streams to populate the various internal components for a PDB table.
- replace_forward_references(types, type_references)
Finds all ForwardArrayCounts and calculates them once ForwardReferences have been resolved.
- type_handlers = {
    'LF_ARGLIST': ('LF_ENUM', True, None),
    'LF_ARRAY': ('LF_ARRAY', True, 'size'),
    'LF_ARRAY_ST': ('LF_ARRAY', True, 'size'),
    'LF_BITFIELD': ('LF_BITFIELD', False, None),
    'LF_BUILDINFO': ('LF_BUILDINFO', False, None),
    'LF_CLASS': ('LF_STRUCTURE', True, 'size'),
    'LF_CLASS_ST': ('LF_STRUCTURE', True, 'size'),
    'LF_CLASS_VS19': ('LF_STRUCTURE_VS19', True, 'size'),
    'LF_ENUM': ('LF_ENUM', True, None),
    'LF_ENUMERATE': ('LF_ENUMERATE', True, 'value'),
    'LF_FIELDLIST': ('LF_FIELDLIST', False, None),
    'LF_FUNC_ID': ('LF_FUNC_ID', True, None),
    'LF_INTERFACE': ('LF_STRUCTURE', True, 'size'),
    'LF_MEMBER': ('LF_MEMBER', True, 'offset'),
    'LF_MEMBER_ST': ('LF_MEMBER', True, 'offset'),
    'LF_MODIFIER': ('LF_MODIFIER', False, None),
    'LF_POINTER': ('LF_POINTER', False, None),
    'LF_PROCEDURE': ('LF_PROCEDURE', False, None),
    'LF_STRIDED_ARRAY': ('LF_ARRAY', True, 'size'),
    'LF_STRING_ID': ('LF_STRING_ID', True, None),
    'LF_STRUCTURE': ('LF_STRUCTURE', True, 'size'),
    'LF_STRUCTURE_ST': ('LF_STRUCTURE', True, 'size'),
    'LF_STRUCTURE_VS19': ('LF_STRUCTURE_VS19', True, 'size'),
    'LF_UDT_MOD_SRC_LINE': ('LF_UDT_MOD_SRC_LINE', False, None),
    'LF_UDT_SRC_LINE': ('LF_UDT_SRC_LINE', False, None),
    'LF_UNION': ('LF_UNION', True, None),
  }