volatility3.framework.symbols.windows.pdbconv module

class ForwardArrayCount(size, element_type)

Bases: object

class PdbReader(context, location, database_name=None, progress_callback=None)

Bases: object

Class to read Microsoft PDB files.

This reads the various streams following several published descriptions of how a PDB should be parsed:

    https://docs.rs/crate/pdb/0.5.0/source/src/
    https://github.com/moyix/pdbparse
    https://llvm.org/docs/PDB/index.html
    https://github.com/Microsoft/microsoft-pdb/

In order to generate ISF files we need the type (TPI) stream, which is always stream 2, and the symbol record stream, whose index is not fixed and is read from the DBI stream. The MultiStream Format (MSF) container is handled as a volatility layer that constructs one sublayer per stream, so each stream can be read as if it were contiguous even though its blocks are scattered through the file.

Volatility's type system works best when every layout is known in advance, but PDB data is fairly dynamic, particularly where names are concerned. Some records can therefore only be parsed after the information they depend on has already been collected. This differs from Construct/pdbparse, which can use data it has just parsed to determine the size of dynamically sized data that follows.
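As an added illustration of the container layout described above (this is example code, not volatility3's own layer implementation), the following stand-alone reader parses a constructed MSF 7.0 file: it checks the superblock, follows the block map to the stream directory, and reassembles a stream from its scattered blocks into one contiguous byte string, which is what the per-stream sublayers give the rest of PdbReader. The eight-block sample file, its three streams and the helper names (read_stream, is_well_formed, build_sample_msf) are constructed for this example. The bounds checks are the ones a reader should have when the PDB comes from an untrusted symbol source: every block index is checked against NumBlocks, and a stream's block count must match its declared size.

```python
import struct
from typing import Dict, List, Tuple

# Real on-disk signature of an MSF 7.0 (PDB 7.0) container.
MSF_MAGIC = b"Microsoft C/C++ MSF 7.00\r\n\x1aDS\x00\x00\x00"
# Superblock fields after the magic: BlockSize, FreeBlockMapBlock, NumBlocks,
# NumDirectoryBytes, Unknown, BlockMapAddr (all little-endian uint32).
SUPERBLOCK = struct.Struct("<6I")
NIL_STREAM_SIZE = 0xFFFFFFFF  # "stream absent" marker; treated as an empty stream


def blocks_for(size: int, block_size: int) -> int:
    return (size + block_size - 1) // block_size


def parse_superblock(data: bytes) -> Dict[str, int]:
    if data[:32] != MSF_MAGIC:
        raise ValueError("not an MSF 7.0 file")
    names = ("block_size", "free_block_map", "num_blocks",
             "dir_bytes", "unknown", "block_map_addr")
    sb = dict(zip(names, SUPERBLOCK.unpack_from(data, 32)))
    if sb["block_size"] not in (512, 1024, 2048, 4096):
        raise ValueError("invalid block size %d" % sb["block_size"])
    if sb["num_blocks"] * sb["block_size"] > len(data):
        raise ValueError("NumBlocks exceeds the file size")
    return sb


def read_blocks(data: bytes, sb: Dict[str, int], blocks: List[int], length: int) -> bytes:
    """Concatenate the listed blocks and truncate to `length`: a contiguous stream view."""
    if len(blocks) != blocks_for(length, sb["block_size"]):
        raise ValueError("block list does not match the stream length")
    out = bytearray()
    for b in blocks:
        # Block 0 is the superblock, so valid data blocks are 1 .. NumBlocks-1.
        if not 0 < b < sb["num_blocks"]:
            raise ValueError("block index %d out of range" % b)
        out += data[b * sb["block_size"]:(b + 1) * sb["block_size"]]
    return bytes(out[:length])


def parse_directory(data: bytes, sb: Dict[str, int]) -> List[Tuple[int, List[int]]]:
    """Return [(size, [block indices]), ...] for every stream in the directory."""
    n_dir_blocks = blocks_for(sb["dir_bytes"], sb["block_size"])
    # BlockMapAddr names a block that lists the blocks holding the directory itself.
    block_map = read_blocks(data, sb, [sb["block_map_addr"]], 4 * n_dir_blocks)
    dir_blocks = list(struct.unpack("<%dI" % n_dir_blocks, block_map))
    directory = read_blocks(data, sb, dir_blocks, sb["dir_bytes"])
    (num_streams,) = struct.unpack_from("<I", directory, 0)
    sizes = struct.unpack_from("<%dI" % num_streams, directory, 4)
    pos, streams = 4 + 4 * num_streams, []
    for size in sizes:
        if size == NIL_STREAM_SIZE:
            size = 0
        n = blocks_for(size, sb["block_size"])
        if pos + 4 * n > len(directory):
            raise ValueError("stream directory truncated")
        streams.append((size, list(struct.unpack_from("<%dI" % n, directory, pos))))
        pos += 4 * n
    return streams


def read_stream(data: bytes, index: int) -> bytes:
    sb = parse_superblock(data)
    size, blocks = parse_directory(data, sb)[index]
    return read_blocks(data, sb, blocks, size)


def is_well_formed(data: bytes) -> bool:
    try:
        sb = parse_superblock(data)
        for size, blocks in parse_directory(data, sb):
            read_blocks(data, sb, blocks, size)
        return True
    except (ValueError, struct.error, IndexError):
        return False


def build_sample_msf(corrupt: bool = False) -> bytes:
    """Constructed 8-block MSF (not a real PDB): superblock, two FPM blocks, block map,
    directory, stream 1 in block 5 and stream 2 spanning blocks 6-7."""
    bs = 512
    payload1 = b"constructed pdb info!"[:20]          # 20 bytes, fits one block
    payload2 = bytes(i % 251 for i in range(600))      # 600 bytes, needs two blocks
    directory = struct.pack("<I", 3) + struct.pack("<3I", 0, 20, 600)  # 3 streams, sizes
    directory += struct.pack("<I", 5) + struct.pack("<2I", 6, 7)       # blocks per stream
    data = bytearray(8 * bs)
    data[0:56] = MSF_MAGIC + SUPERBLOCK.pack(bs, 1, 8, len(directory), 0, 3)
    data[3 * bs:3 * bs + 4] = struct.pack("<I", 99 if corrupt else 4)  # block map -> dir
    data[4 * bs:4 * bs + len(directory)] = directory
    data[5 * bs:5 * bs + 20] = payload1
    data[6 * bs:6 * bs + 600] = payload2
    return bytes(data)
```

read_stream(build_sample_msf(), 2) returns the 600-byte payload in one piece even though it lives in two non-adjacent blocks; with corrupt=True the block map points outside the file and is_well_formed returns False instead of reading out of range.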

consume_padding(layer_name, offset)

Returns the number of padding bytes used between fields at the given offset.

Return type: int

consume_type(module, offset, length)

Returns a (leaf_type, name, object) tuple for a type, together with the number of bytes consumed.

Return type: Tuple[Tuple[Optional[ObjectInterface], Optional[str], Union[None, List, ObjectInterface]], int]

property context

convert_bytes_to_guid(original)

Reorders the raw GUID bytes into the correct (textual) ordering and returns them as a string.

Return type: str

convert_fields(fields)

Converts a field list into a list of fields.

Return type: Dict[Optional[str], Dict[str, Any]]

determine_extended_value(leaf_type, value, module, length)

Reads a value and, where the value is a marker for an extended numeric leaf, consumes the additional bytes needed to construct the real value.

Return type: Tuple[str, ObjectInterface, int]

get_json()

Returns the intermediate symbol format (ISF) JSON data for this PDB file.

get_size_from_index(index)

Returns the size of the structure based on the type index provided.

Return type: int

get_type_from_index(index)

Takes a type index and returns the appropriate dictionary.

Return type: Union[List[Any], Dict[str, Any]]

classmethod load_pdb_layer(context, location)

Loads a PDB file into a layer within the context and returns the name of the new layer.

Note: the context may be changed by this method.

Return type: Tuple[str, ContextInterface]

name_strip(name)

Strips unnecessary components from the start of a symbol name.

omap_lookup(address)

Looks up an address using the OMAP mapping.

static parse_string(structure, parse_as_pascal=False, size=0)

Consumes either a C string (NUL-terminated) or a Pascal string (length-prefixed), selected by parse_as_pascal.

Return type: str
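The three helpers above (consume_padding, determine_extended_value and parse_string) are the pieces needed to walk an LF_FIELDLIST record. As an added example that is not volatility3's own code, the following stand-alone parser does that walk over a constructed field list: each LF_MEMBER carries its offset as a CodeView numeric leaf (inline when below 0x8000, otherwise a type tag followed by the real value), its name as a C string or, for the _ST leaf variant, a Pascal string, and is followed by LF_PADn bytes whose low nibble is the number of bytes to skip. The leaf and primitive type indices are the real CodeView values; the three member records, the attribute value and the helper names are constructed for this example (a real field list would not mix LF_MEMBER and LF_MEMBER_ST). Each read is bounds-checked, because a truncated or tampered type stream must fail cleanly rather than read past the record.

```python
import struct
from typing import Dict, List, Optional

# CodeView leaf indices (cvinfo.h).
LF_FIELDLIST, LF_MEMBER, LF_MEMBER_ST = 0x1203, 0x150D, 0x0406
# Numeric leaves: a uint16 below 0x8000 is the value itself; otherwise it is a tag
# and the value follows in the width the tag names (float leaves omitted here).
NUMERIC_LEAVES = {
    0x8000: "<b",  # LF_CHAR
    0x8001: "<h",  # LF_SHORT
    0x8002: "<H",  # LF_USHORT
    0x8003: "<i",  # LF_LONG
    0x8004: "<I",  # LF_ULONG
    0x8009: "<q",  # LF_QUADWORD
    0x800A: "<Q",  # LF_UQUADWORD
}


def read_numeric(buf: bytes, pos: int):
    """Return (value, new_pos); the tagged case is the 'consumes more data' case."""
    (tag,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if tag < 0x8000:
        return tag, pos
    fmt = NUMERIC_LEAVES.get(tag)
    if fmt is None:
        raise ValueError("unsupported numeric leaf 0x%04x" % tag)
    (value,) = struct.unpack_from(fmt, buf, pos)
    return value, pos + struct.calcsize(fmt)


def read_string(buf: bytes, pos: int, pascal: bool):
    """_ST leaves carry a length-prefixed (Pascal) name, newer leaves a NUL-terminated one."""
    if pascal:
        n = buf[pos]
        if pos + 1 + n > len(buf):
            raise ValueError("Pascal string runs past the record")
        return buf[pos + 1:pos + 1 + n].decode("ascii"), pos + 1 + n
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated C string")
    return buf[pos:end].decode("ascii"), end + 1


def skip_padding(buf: bytes, pos: int) -> int:
    """LF_PADn bytes (0xF1..0xFF) align the next sub-record; the low nibble is the count."""
    if pos < len(buf) and buf[pos] > 0xF0:
        return pos + (buf[pos] & 0x0F)
    return pos


def parse_fieldlist(buf: bytes) -> List[Dict[str, int]]:
    (leaf,) = struct.unpack_from("<H", buf, 0)
    if leaf != LF_FIELDLIST:
        raise ValueError("not an LF_FIELDLIST")
    pos, fields = 2, []
    while pos < len(buf):
        leaf, attr, type_index = struct.unpack_from("<HHI", buf, pos)
        if leaf not in (LF_MEMBER, LF_MEMBER_ST):
            raise ValueError("unsupported field leaf 0x%04x" % leaf)
        pos += 8
        offset, pos = read_numeric(buf, pos)
        name, pos = read_string(buf, pos, pascal=(leaf == LF_MEMBER_ST))
        pos = skip_padding(buf, pos)
        fields.append({"name": name, "offset": offset, "type_index": type_index, "attr": attr})
    return fields


def parse_fieldlist_or_none(buf: bytes) -> Optional[List[Dict[str, int]]]:
    """Malformed input yields None rather than an exception from deep inside struct."""
    try:
        return parse_fieldlist(buf)
    except (ValueError, struct.error, IndexError):
        return None


# Constructed sample data (encoder side, so the parser can be exercised offline).
def encode_numeric(value: int) -> bytes:
    if 0 <= value < 0x8000:
        return struct.pack("<H", value)
    if value <= 0xFFFF:
        return struct.pack("<HH", 0x8002, value)
    return struct.pack("<HI", 0x8004, value)


def pad_record(rec: bytes) -> bytes:
    n = (-len(rec)) % 4
    return rec + bytes(0xF0 + n - i for i in range(n))  # e.g. F3 F2 F1 for 3 bytes


def build_sample_fieldlist() -> bytes:
    """Three members; attr 3 is 'public'. 0x0074 is T_INT4 and 0x0603 is T_64PVOID."""
    m1 = struct.pack("<HHI", LF_MEMBER, 3, 0x0074) + encode_numeric(0) + b"Flags\x00"
    m2 = struct.pack("<HHI", LF_MEMBER, 3, 0x0603) + encode_numeric(0x8010) + b"Data\x00"
    m3 = struct.pack("<HHI", LF_MEMBER_ST, 3, 0x0603) + encode_numeric(0x20) + b"\x06Legacy"
    return struct.pack("<H", LF_FIELDLIST) + b"".join(pad_record(m) for m in (m1, m2, m3))
```

The second member's offset (0x8010) is too large to sit inline, so it is encoded as an LF_USHORT tag plus two bytes; parse_fieldlist still returns the plain integer, which is the behaviour determine_extended_value provides inside PdbReader.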

property pdb_layer_name

process_types(type_references)

Reads the TPI and symbol streams to populate the reader's variables.

Return type: None

read_dbi_stream()

Reads the DBI stream.

Return type: None

read_ipi_stream()

read_necessary_streams()

Reads the streams needed to populate the various internal components for a PDB table.

read_pdb_info_stream()

Reads in the PDB information stream.

read_symbol_stream()

Reads in the symbol stream.

read_tpi_stream()

Reads the TPI type stream.

Return type: None

replace_forward_references(types, type_references)

Finds all ForwardArrayCounts and calculates them once the ForwardReferences have been resolved.

reset()

type_handlers = {
    'LF_ARGLIST': ('LF_ENUM', True, None),
    'LF_ARRAY': ('LF_ARRAY', True, 'size'),
    'LF_ARRAY_ST': ('LF_ARRAY', True, 'size'),
    'LF_BITFIELD': ('LF_BITFIELD', False, None),
    'LF_BUILDINFO': ('LF_BUILDINFO', False, None),
    'LF_CLASS': ('LF_STRUCTURE', True, 'size'),
    'LF_CLASS_ST': ('LF_STRUCTURE', True, 'size'),
    'LF_CLASS_VS19': ('LF_STRUCTURE_VS19', True, 'size'),
    'LF_ENUM': ('LF_ENUM', True, None),
    'LF_ENUMERATE': ('LF_ENUMERATE', True, 'value'),
    'LF_FIELDLIST': ('LF_FIELDLIST', False, None),
    'LF_FUNC_ID': ('LF_FUNC_ID', True, None),
    'LF_INTERFACE': ('LF_STRUCTURE', True, 'size'),
    'LF_MEMBER': ('LF_MEMBER', True, 'offset'),
    'LF_MEMBER_ST': ('LF_MEMBER', True, 'offset'),
    'LF_MODIFIER': ('LF_MODIFIER', False, None),
    'LF_POINTER': ('LF_POINTER', False, None),
    'LF_PROCEDURE': ('LF_PROCEDURE', False, None),
    'LF_STRIDED_ARRAY': ('LF_ARRAY', True, 'size'),
    'LF_STRING_ID': ('LF_STRING_ID', True, None),
    'LF_STRUCTURE': ('LF_STRUCTURE', True, 'size'),
    'LF_STRUCTURE_ST': ('LF_STRUCTURE', True, 'size'),
    'LF_STRUCTURE_VS19': ('LF_STRUCTURE_VS19', True, 'size'),
    'LF_UDT_MOD_SRC_LINE': ('LF_UDT_MOD_SRC_LINE', False, None),
    'LF_UDT_SRC_LINE': ('LF_UDT_SRC_LINE', False, None),
    'LF_UNION': ('LF_UNION', True, None),
}
class PdbRetreiver

Bases: object

retreive_pdb(guid, file_name, progress_callback=None)

Return type: Optional[str]
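Both convert_bytes_to_guid and PdbRetreiver.retreive_pdb turn on the same two values, the GUID and age from the PDB information stream. As an added example that is not volatility3's own code, the following stand-alone snippet parses a constructed stream 1 header, performs the byte reordering itself (the GUID is stored as a Windows GUID struct, so the first three fields are little-endian and must be swapped before printing), and builds the path under which a Microsoft-style symbol store serves the file: the PDB name, then the 32 upper-case hex digits of the GUID immediately followed by the age in hex, then the PDB name again. Whether PdbRetreiver assembles the URL in exactly this way is not stated on this page; the sample GUID, signature and helper names are constructed. The file-name check is a caveat worth keeping: when the PDB name is taken from the CodeView record of an image under analysis it is attacker-influenced, and it must not be allowed to form a path that escapes a cache directory.

```python
import struct
import uuid
from typing import Dict

PDB70_VERSION = 20000404  # "VC70" version value of the PDB information stream
# Stream 1 header: Version, Signature, Age (uint32 LE) followed by the 16-byte GUID.
PDB_INFO_HEADER = struct.Struct("<III16s")
HEX_DIGITS = set("0123456789ABCDEF")


def guid_bytes_to_str(raw: bytes) -> str:
    """Data1 (uint32), Data2 and Data3 (uint16) are little-endian on disk; the last
    eight bytes are in order. Result equals uuid.UUID(bytes_le=raw).hex.upper()."""
    if len(raw) != 16:
        raise ValueError("GUID must be 16 bytes")
    d1, d2, d3, d4 = struct.unpack("<IHH8s", raw)
    return "%08X%04X%04X%s" % (d1, d2, d3, d4.hex().upper())


def parse_pdb_info_header(stream: bytes) -> Dict[str, object]:
    version, signature, age, guid = PDB_INFO_HEADER.unpack_from(stream, 0)
    if version != PDB70_VERSION:
        raise ValueError("unexpected PDB info stream version %d" % version)
    return {"version": version, "signature": signature,
            "age": age, "guid": guid_bytes_to_str(guid)}


def is_safe_pdb_name(file_name: str) -> bool:
    """Reject names that could traverse out of a symbol cache directory."""
    if not file_name or file_name in (".", ".."):
        return False
    return "/" not in file_name and "\\" not in file_name and "\x00" not in file_name


def symbol_store_path(file_name: str, guid: str, age: int) -> str:
    """Symbol store layout: <name>/<GUID hex><age hex>/<name>."""
    if not is_safe_pdb_name(file_name):
        raise ValueError("refusing unsafe PDB file name %r" % file_name)
    if len(guid) != 32 or not set(guid) <= HEX_DIGITS:
        raise ValueError("GUID must be 32 upper-case hex digits")
    return "%s/%s%X/%s" % (file_name, guid, age, file_name)


def build_sample_info_stream() -> bytes:
    """Constructed stream 1 header; the GUID and signature are made up for this example."""
    guid = uuid.UUID("3ed7e5f1-9d4c-4b2a-a012-3456789abcde")
    return PDB_INFO_HEADER.pack(PDB70_VERSION, 0x5F3E2D1C, 2, guid.bytes_le) + b"\x00" * 8


def sample_store_path(file_name: str = "ntkrnlmp.pdb") -> str:
    info = parse_pdb_info_header(build_sample_info_stream())
    return symbol_store_path(file_name, info["guid"], info["age"])
```

The raw bytes for the sample GUID begin F1 E5 D7 3E, yet the textual form begins 3ED7E5F1; printing the bytes in file order would produce a GUID that no symbol server recognises, which is the mistake convert_bytes_to_guid exists to avoid.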