volatility3.framework.symbols.windows.pdbutil module

class PDBUtility(*args, **kwargs)[source]

Bases: VersionableInterface

Class that handles and manages retrieving symbols for a module based on its MZ header

classmethod download_pdb_isf(context, guid, age, pdb_name, progress_callback=None)[source]

Attempts to download the PDB file, convert it to an ISF file and save it to one of the symbol locations.

Return type:

None

classmethod get_guid_from_mz(context, layer_name, offset)[source]

Takes the offset of an MZ header, locates any available PDB (CodeView) records and extracts the guid, age and pdb_name from them.

Parameters:
  • context (ContextInterface) – The context on which to operate

  • layer_name (str) – The name of the (contiguous) layer within the context that contains the MZ file

  • offset (int) – The offset in the layer at which the MZ file begins

Return type:

Optional[Tuple[str, int, str]]

Returns:

A tuple of the guid, age and pdb_name, or None if no PDB record can be found

classmethod load_windows_symbol_table(context, guid, age, pdb_name, symbol_table_class, config_path='pdbutility', progress_callback=None)[source]

Loads a Windows symbol table, downloading and converting the PDB first if necessary.

classmethod module_from_pdb(context, config_path, layer_name, pdb_name, module_offset=None, module_size=None)[source]

Creates a module in the specified layer_name based on a pdb name.

Searches the memory section of the loaded module for its PDB GUID and loads the associated symbol table into the symbol space.

Parameters:
  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • config_path (str) – The config path where to find symbol files

  • layer_name (str) – The name of the layer on which to operate

  • pdb_name (str) – The name of the pdb file whose GUID and age are searched for in the module

  • module_offset (int) – The offset of the module image within this memory dump

  • module_size (int) – The size of the module image in this dump

Return type:

str

Returns:

The name of the constructed and loaded symbol table

classmethod pdbname_scan(ctx, layer_name, page_size, pdb_names, progress_callback=None, start=None, end=None, maximum_invalid_count=100)[source]

Scans through layer_name in ctx looking for RSDS records whose pdb name is one of the names supplied in pdb_names (typically the common kernel PDB names). For each match it yields a dictionary with the keys GUID, age, pdb_name, signature_offset and mz_offset.

Note

This is automagical and therefore not guaranteed to provide correct results.

The UI should always provide the user an opportunity to specify the appropriate types and PDB values themselves.

Parameters:
  • ctx (ContextInterface) – The context on which to operate

  • layer_name (str) – The layer name to scan

  • page_size (int) – Size of page constant

  • pdb_names (List[bytes]) – List of pdb names to scan for; these must be byte strings, since unicode strs will not match against the scanned data

  • progress_callback (Optional[Callable[[float, str], None]]) – Means of providing the user with feedback during long processes

  • start (Optional[int]) – Address at which to start scanning for the pdb_names

  • end (Optional[int]) – Address at which to stop scanning for the pdb_names

  • maximum_invalid_count (int) – Number of invalid pages that may be encountered during scanning before the signature search is aborted

Return type:

Generator[Dict[str, Union[bytes, str, int, None]], None, None]
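The following is an added example, not code from Volatility 3 itself, that shows in plain Python on a constructed byte buffer the two routes this module offers for recovering PDB identity from memory: the structured route behind get_guid_from_mz and symbol_table_from_offset (walk the PE headers to the debug directory and read the CodeView record), and the heuristic route behind pdbname_scan and PdbSignatureScanner (pattern-scan for RSDS records that name one of the wanted PDBs, reading the buffer in chunks with an overlap so a record straddling a chunk edge is not missed). It also formats the GUID and age the way a symbol server download such as download_pdb_isf needs them. All function names, the fake PE image and the GUID value are assumptions of this example; the real scanner's overlap is 16384 bytes and is shrunk here only to make the boundary effect visible, and the walk back from an RSDS signature to its MZ header that pdbname_scan performs is omitted.

```python
import re
import struct
from typing import Dict, Iterator, List, Optional, Union

PdbRecord = Dict[str, Union[str, int]]

# CodeView "RSDS" (PDB 7.0) record: b"RSDS", GUID (Data1 u32, Data2 u16, Data3 u16,
# all little-endian, then Data4 as 8 raw bytes), u32 age, NUL-terminated pdb name.
RSDS = struct.Struct("<4sIHH8sI")                    # 24 bytes before the name
IMAGE_DEBUG_TYPE_CODEVIEW = 2
DEBUG_DIR_ENTRY = struct.Struct("<IIHHIIII")        # IMAGE_DEBUG_DIRECTORY, 28 bytes


def parse_rsds(data: bytes, offset: int) -> Optional[PdbRecord]:
    """Decode the RSDS record at `offset`; None if it is malformed or not RSDS."""
    try:
        sig, d1, d2, d3, d4, age = RSDS.unpack_from(data, offset)
    except struct.error:
        return None
    end = data.find(b"\x00", offset + RSDS.size)
    if sig != b"RSDS" or end == -1:
        return None
    # GUID as 32 upper-case hex digits in registry order: Data1..Data3 as numbers,
    # Data4 byte for byte. Symbol servers and Volatility's ISF file names use this form.
    guid = f"{d1:08X}{d2:04X}{d3:04X}{d4.hex().upper()}"
    name = data[offset + RSDS.size:end].decode("latin-1")
    return {"GUID": guid, "age": age, "pdb_name": name, "signature_offset": offset}


def guid_from_mz(image: bytes, mz_offset: int = 0) -> Optional[PdbRecord]:
    """Structured route: MZ -> e_lfanew -> PE -> optional header -> data directory 6
    (DEBUG) -> IMAGE_DEBUG_DIRECTORY entries -> RSDS at AddressOfRawData."""
    img = image[mz_offset:]
    try:
        if img[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
        if img[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            return None
        opt = e_lfanew + 24                               # optional header after 20-byte COFF header
        magic = struct.unpack_from("<H", img, opt)[0]
        dir_base = opt + (112 if magic == 0x20B else 96)  # data directories: PE32+ vs PE32
        dbg_rva, dbg_size = struct.unpack_from("<II", img, dir_base + 6 * 8)
        for entry in range(dbg_rva, dbg_rva + dbg_size, DEBUG_DIR_ENTRY.size):
            _, _, _, _, dtype, _, raw_rva, _ = DEBUG_DIR_ENTRY.unpack_from(img, entry)
            if dtype == IMAGE_DEBUG_TYPE_CODEVIEW:
                rec = parse_rsds(image, mz_offset + raw_rva)   # mapped image: AddressOfRawData is an RVA
                if rec is not None:
                    rec["mz_offset"] = mz_offset
                    return rec
    except struct.error:                                   # truncated or garbage headers
        return None
    return None


def scan_for_pdb_names(data: bytes, pdb_names: List[bytes],
                       chunk_size: int, overlap: int) -> Iterator[PdbRecord]:
    """Heuristic route: regex for RSDS records naming one of `pdb_names` (byte strings),
    reading `chunk_size` bytes at a time plus `overlap` extra so a record that straddles
    a chunk edge is still seen; the overlap must be at least as long as the record."""
    names = b"|".join(re.escape(n) for n in pdb_names)
    pattern = re.compile(b"RSDS.{20}(?:" + names + b")\x00", re.DOTALL)
    seen = set()
    for start in range(0, len(data), chunk_size):
        for m in pattern.finditer(data[start:start + chunk_size + overlap]):
            offset = start + m.start()
            if offset not in seen:                          # same record seen again via the overlap
                seen.add(offset)
                rec = parse_rsds(data, offset)
                if rec is not None:
                    yield rec


def symbol_server_path(rec: PdbRecord) -> str:
    """<pdb_name>/<GUID><age in hex, no leading zeros>/<pdb_name>, the symbol server layout."""
    return f"{rec['pdb_name']}/{rec['GUID']}{rec['age']:X}/{rec['pdb_name']}"


def build_image() -> bytes:
    """Constructed PE32+ image for the example; every value here is made up."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                   # e_lfanew
    img[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x80 + 24, 0x20B)                             # PE32+ magic
    struct.pack_into("<II", img, 0x80 + 24 + 112 + 6 * 8, 0x400, DEBUG_DIR_ENTRY.size)
    DEBUG_DIR_ENTRY.pack_into(img, 0x400, 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, 0, 0x500, 0)
    rsds = RSDS.pack(b"RSDS", 0x0123ABCD, 0x4567, 0x89EF, bytes.fromhex("0011223344556677"), 0x1A)
    img[0x500:0x500 + len(rsds) + 13] = rsds + b"ntkrnlmp.pdb\x00"
    return bytes(img)


SAMPLE = build_image()

if __name__ == "__main__":
    print(guid_from_mz(SAMPLE), symbol_server_path(guid_from_mz(SAMPLE)))
    # Chunk size 1296 puts the chunk edge inside the RSDS record at 0x500.
    print(list(scan_for_pdb_names(SAMPLE, [b"ntkrnlmp.pdb"], 1296, 64)))
    print(list(scan_for_pdb_names(SAMPLE, [b"ntkrnlmp.pdb"], 1296, 0)))     # missed: no overlap
```

The chunked scan is the part worth keeping in mind when tuning a scanner: with the overlap set to zero the record that crosses the chunk edge is silently missed, and the structured route is immune to that but only works when the PE headers of the module are still intact in memory.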

classmethod symbol_table_from_offset(context, layer_name, offset, symbol_table_class='volatility3.framework.symbols.intermed.IntermediateSymbolTable', config_path=None, progress_callback=None)[source]

Produces the name of a symbol table loaded for the MZ image whose header is at offset

Parameters:
  • context (ContextInterface) – The context on which to operate

  • layer_name (str) – The name of the (contiguous) layer within the context that contains the MZ file

  • offset (int) – The offset in the layer at which the MZ file begins

  • symbol_table_class (str) – The class to use when constructing the SymbolTable

  • config_path (str) – Path within the config tree at which the produced symbol table's configuration is placed

  • progress_callback (Optional[Callable[[float, str], None]]) – Callable called to update ongoing progress

Return type:

Optional[str]

Returns:

None if no pdb information can be determined, otherwise the name of the symbol table loaded for the MZ image

classmethod symbol_table_from_pdb(context, config_path, layer_name, pdb_name, module_offset=None, module_size=None)[source]

Creates symbol table for a module in the specified layer_name.

Searches the memory section of the loaded module for its PDB GUID and loads the associated symbol table into the symbol space.

Parameters:
  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • config_path (str) – The config path where to find symbol files

  • layer_name (str) – The name of the layer on which to operate

  • pdb_name (str) – The name of the pdb file whose GUID and age are searched for in the module

  • module_offset (int) – The offset of the module image within this memory dump

  • module_size (int) – The size of the module image in this dump

Return type:

str

Returns:

The name of the constructed and loaded symbol table

version = (1, 0, 1)

class PdbSignatureScanner(pdb_names)[source]

Bases: ScannerInterface

A ScannerInterface based scanner used to identify Windows PDB (RSDS) records.

Parameters:

pdb_names (List[bytes]) – A list of bytestrings, used to match pdb signatures against the pdb names within the records.

Note

The pdb_names must be a list of byte strings, unicode strs will not match against the data scanned

property context: ContextInterface | None
property layer_name: str | None
overlap = 16384

The size of overlap needed for the signature to ensure data cannot hide between two scanned chunks

thread_safe = True

Determines whether the scanner accesses global variables in a thread safe manner (for use with multiprocessing)

version = (0, 0, 0)