volatility3.framework.symbols.windows.pdbutil module
- class PDBUtility(*args, **kwargs)
Bases: VersionableInterface
Class that handles locating and loading the symbols for a Windows module, starting from its MZ header
- classmethod download_pdb_isf(context, guid, age, pdb_name, progress_callback=None)
Attempts to download the PDB file, convert it to an ISF file and save it to one of the symbol locations.
- Return type:
- classmethod get_guid_from_mz(context, layer_name, offset)
Takes the offset to an MZ header, locates any available pdb headers, and extracts the guid, age and pdb_name from them
- Parameters:
  - context (ContextInterface) – The context on which to operate
  - layer_name (str) – The name of the (contiguous) layer within the context that contains the MZ file
  - offset (int) – The offset in the layer at which the MZ file begins
- Return type:
- Returns:
A tuple of the guid, age and pdb_name, or None if no PDB record can be found
- classmethod load_windows_symbol_table(context, guid, age, pdb_name, symbol_table_class, config_path='pdbutility', progress_callback=None)
Loads (downloading if necessary) a windows symbol table
- classmethod module_from_pdb(context, config_path, layer_name, pdb_name, module_offset=None, module_size=None)
Creates a module in the specified layer_name based on a pdb name.
Searches the memory section of the loaded module for its PDB GUID and loads the associated symbol table into the symbol space.
- Parameters:
  - context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from
  - config_path (str) – The config path where to find symbol files
  - layer_name (str) – The name of the layer on which to operate
  - module_offset (int) – This memory dump's module image offset
  - module_size (int) – The size of the module for this dump
- Return type:
- Returns:
The name of the constructed and loaded symbol table
- classmethod pdbname_scan(ctx, layer_name, page_size, pdb_names, progress_callback=None, start=None, end=None, maximum_invalid_count=100)
Scans through layer_name at ctx looking for RSDS headers that name one of the common kernel pdb names (as passed in pdb_names) and yields, for each match, a dictionary with the keys GUID, age, pdb_name, signature_offset and mz_offset
Note
This is automagical and therefore not guaranteed to provide correct results. The UI should always provide the user an opportunity to specify the appropriate types and PDB values themselves
- Parameters:
  - ctx (ContextInterface) – The context on which to operate
  - layer_name (str) – The layer name to scan
  - page_size (int) – Size of page constant
  - pdb_names (List[bytes]) – List of pdb names to scan for
  - progress_callback (Optional[Callable[[float, str], None]]) – Means of providing the user with feedback during long processes
  - start (Optional[int]) – Address at which to start scanning for the pdb_names
  - end (Optional[int]) – Address at which to stop scanning for the pdb_names
  - maximum_invalid_count (int) – Number of pages that may be invalid during scanning before the signature search is aborted
- Return type:
Generator[Dict[str, Union[bytes, str, int, None]], None, None]
- classmethod symbol_table_from_offset(context, layer_name, offset, symbol_table_class='volatility3.framework.symbols.intermed.IntermediateSymbolTable', config_path=None, progress_callback=None)
Produces the name of a symbol table loaded from the offset for an MZ header
- Parameters:
  - context (ContextInterface) – The context on which to operate
  - layer_name (str) – The name of the (contiguous) layer within the context that contains the MZ file
  - offset (int) – The offset in the layer at which the MZ file begins
  - symbol_table_class (str) – The class to use when constructing the SymbolTable
  - config_path (str) – New path for the produced symbol table configuration within the config tree
  - progress_callback (Optional[Callable[[float, str], None]]) – Callable called to update ongoing progress
- Return type:
- Returns:
None if no pdb information can be determined, else the name of the loaded symbols for the MZ
- classmethod symbol_table_from_pdb(context, config_path, layer_name, pdb_name, module_offset=None, module_size=None)
Creates a symbol table for a module in the specified layer_name.
Searches the memory section of the loaded module for its PDB GUID and loads the associated symbol table into the symbol space.
- Parameters:
  - context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from
  - config_path (str) – The config path where to find symbol files
  - layer_name (str) – The name of the layer on which to operate
  - module_offset (int) – This memory dump's module image offset
  - module_size (int) – The size of the module for this dump
- Return type:
- Returns:
The name of the constructed and loaded symbol table
- version = (1, 0, 1)
- class PdbSignatureScanner(pdb_names)
Bases: ScannerInterface
A ScannerInterface based scanner used to identify Windows PDB records.
- Parameters:
  - pdb_names (List[bytes]) – A list of bytestrings, used to match pdb signatures against the pdb names within the records.
Note
The pdb_names must be a list of byte strings; unicode strs will not match against the data scanned.
- property context: ContextInterface | None
- overlap = 16384
The size of overlap needed for the signature to ensure data cannot hide between two scanned chunks
- thread_safe = True
Determines whether the scanner accesses global variables in a thread safe manner (for use with multiprocessing)
- version = (0, 0, 0)
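Worked example, added here and not part of volatility3: a stand-alone Python re-implementation of the three mechanisms this module documents, so their behaviour can be seen without a memory image. It covers what get_guid_from_mz does (MZ header, PE header, DEBUG data directory, IMAGE_DEBUG_DIRECTORY entry of type CODEVIEW, RSDS record), what pdbname_scan yields (GUID, age, pdb_name, signature_offset, mz_offset), the role of PdbSignatureScanner.overlap (a record straddling two scanned chunks is still parsed exactly once), and the path download_pdb_isf would need under a Microsoft-style symbol server. The RSDS, PE and IMAGE_DEBUG_DIRECTORY layouts and the symbol-server path format are the standard ones; the helper names, the constructed sample image, the GUID value and the 260-byte name cap are my own, and the four kernel PDB names are the ones volatility3 is understood to look for (the page itself does not list them).

```python
import struct
import uuid
from typing import Dict, Iterator, List, Optional, Tuple, Union

RSDS = b"RSDS"
IMAGE_DEBUG_TYPE_CODEVIEW = 2     # IMAGE_DEBUG_DIRECTORY.Type of a CodeView record
IMAGE_DIRECTORY_ENTRY_DEBUG = 6   # index of the DEBUG entry among the optional header's data directories
# Assumption: the kernel PDB names volatility3 scans for (the documentation page does not list them).
KERNEL_PDB_NAMES = [b"ntkrnlmp.pdb", b"ntkrnlpa.pdb", b"ntkrpamp.pdb", b"ntoskrnl.pdb"]
SAMPLE_GUID = uuid.UUID("3844dbb9-2017-4967-be7a-a4a2c20430fa")   # made-up value for the sample image


def parse_rsds(data: bytes, offset: int) -> Optional[Tuple[str, int, bytes]]:
    """CodeView record: b"RSDS" | 16-byte GUID | uint32 age | NUL-terminated PDB name.
    The GUID is rendered as 32 upper-case hex digits (bytes_le handles its mixed-endian fields),
    which is the form a symbol server path uses. Malformed records yield None."""
    if data[offset:offset + 4] != RSDS or offset + 24 > len(data):
        return None
    age = struct.unpack_from("<I", data, offset + 20)[0]
    end = data.find(b"\x00", offset + 24)
    if end == -1 or end - (offset + 24) > 260:      # no terminator, or name longer than MAX_PATH (my cap)
        return None
    return uuid.UUID(bytes_le=data[offset + 4:offset + 20]).hex.upper(), age, data[offset + 24:end]


def symbol_server_path(guid: str, age: int, pdb_name: str) -> str:
    """Relative path on a Microsoft-style symbol server: <pdb>/<GUID><age in hex>/<pdb>."""
    return f"{pdb_name}/{guid}{age:X}/{pdb_name}"


def find_mz_backwards(data: bytes, offset: int, page_size: int, max_pages: int = 64) -> Optional[int]:
    """Walk back page by page from the page holding `offset` to the first page that starts with an
    MZ header whose e_lfanew lands on a PE signature: the module's in-memory image base."""
    page = offset - offset % page_size
    while page >= 0 and max_pages > 0:
        if data[page:page + 2] == b"MZ" and page + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, page + 0x3C)[0]
            if data[page + e_lfanew:page + e_lfanew + 4] == b"PE\x00\x00":
                return page
        page, max_pages = page - page_size, max_pages - 1
    return None


def pdbname_scan(data: bytes, page_size: int, pdb_names: List[bytes],
                 overlap: int = 16384) -> Iterator[Dict[str, Union[bytes, str, int, None]]]:
    """Chunked RSDS scan over a flat buffer. Each page-sized chunk is extended by `overlap` bytes so a
    record straddling the chunk boundary is parsed in full, but only signatures that *start* inside
    the chunk are reported; the next chunk owns the rest, so no record is reported twice."""
    for chunk_start in range(0, len(data), page_size):
        chunk = data[chunk_start:chunk_start + page_size + overlap]
        pos = chunk.find(RSDS)
        while 0 <= pos < page_size:
            parsed = parse_rsds(chunk, pos)
            if parsed is not None and parsed[2] in pdb_names:
                guid, age, name = parsed
                sig_offset = chunk_start + pos
                yield {"GUID": guid, "age": age, "pdb_name": name.decode("ascii", "replace"),
                       "signature_offset": sig_offset,
                       "mz_offset": find_mz_backwards(data, sig_offset, page_size)}
            pos = chunk.find(RSDS, pos + 1)


def guid_from_mz(image: bytes, mz_offset: int = 0) -> Optional[Tuple[str, int, bytes]]:
    """MZ -> PE -> DEBUG data directory -> IMAGE_DEBUG_DIRECTORY (type CODEVIEW) -> RSDS record,
    for an image laid out as in memory, i.e. RVAs are offsets from mz_offset."""
    try:
        if image[mz_offset:mz_offset + 2] != b"MZ":
            return None
        pe = mz_offset + struct.unpack_from("<I", image, mz_offset + 0x3C)[0]
        if image[pe:pe + 4] != b"PE\x00\x00":
            return None
        opt = pe + 4 + 20                                   # skip PE signature and COFF file header
        magic = struct.unpack_from("<H", image, opt)[0]
        if magic not in (0x10B, 0x20B):
            return None
        dirs = opt + (112 if magic == 0x20B else 96)        # data directories start: PE32+ vs PE32
        dbg_rva, dbg_size = struct.unpack_from("<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
        for entry in range(mz_offset + dbg_rva, mz_offset + dbg_rva + dbg_size, 28):
            dbg_type, _size, raw_rva = struct.unpack_from("<III", image, entry + 12)  # Type, SizeOfData, AddressOfRawData
            if dbg_type == IMAGE_DEBUG_TYPE_CODEVIEW:
                return parse_rsds(image, mz_offset + raw_rva)
    except struct.error:                                    # a header field pointed outside the buffer
        return None
    return None


def build_sample_image(pdb_name: bytes = b"ntkrnlmp.pdb", age: int = 2, mz_offset: int = 0x1000) -> bytes:
    """Constructed sample, not a real dump: a minimal PE32+ header at mz_offset with one CODEVIEW debug
    entry, an RSDS record that straddles a 4 KiB page boundary, and a decoy RSDS for an unrelated PDB."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    e_lfanew, debug_rva, rsds_rva = 0x80, 0x400, 0xFF0
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x20B)                               # PE32+ magic
    struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, debug_rva, 28)
    record = RSDS + SAMPLE_GUID.bytes_le + struct.pack("<I", age) + pdb_name + b"\x00"
    struct.pack_into("<III", img, debug_rva + 12, IMAGE_DEBUG_TYPE_CODEVIEW, len(record), rsds_rva)
    img[rsds_rva:rsds_rva + len(record)] = record
    decoy = RSDS + bytes(16) + struct.pack("<I", 1) + b"other.pdb\x00"   # not referenced by any debug entry
    img[0x2000:0x2000 + len(decoy)] = decoy
    buf = bytearray(0x5000)
    buf[mz_offset:mz_offset + len(img)] = img
    return bytes(buf)


if __name__ == "__main__":
    image = build_sample_image()
    for hit in pdbname_scan(image, 0x1000, KERNEL_PDB_NAMES):
        print(hit, symbol_server_path(hit["GUID"], hit["age"], hit["pdb_name"]))
    print(guid_from_mz(image, 0x1000))
```

In the sample the RSDS record begins 16 bytes before a page boundary, so with page-sized chunks it is only parseable because the chunk is extended by the overlap; the decoy record is found by the scan but dropped by the pdb_names filter, which is why the scanner documentation insists on byte strings rather than str. Everything here works on a flat bytes buffer; in volatility3 the same reads go through a layer, which is where the invalid-page accounting behind maximum_invalid_count comes in.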