volatility.framework.symbols.windows.pdbconv module

class ForwardArrayCount(size, element_type)[source]

Bases: object

class PdbReader(context, location, progress_callback=None)[source]

Bases: object

Class to read Microsoft PDB files.

This reads the various streams following several sources that describe how PDB files should be read. These sources include:

https://docs.rs/crate/pdb/0.5.0/source/src/

https://github.com/moyix/pdbparse

https://llvm.org/docs/PDB/index.html

https://github.com/Microsoft/microsoft-pdb/

In order to generate ISF files, we need the type stream (2), and the symbols stream (variable). The MultiStream Format wrapper is handled as a volatility layer, which constructs sublayers for each stream. The streams can then be read contiguously allowing the data to be accessed.

Volatility’s type system works best when every layout is known in advance, but PDB data is reasonably dynamic, particularly when it comes to names. Such data must therefore be parsed after other information has already been collected. This contrasts with something such as Construct/pdbparse, which can use just-parsed data to determine the size of the dynamically sized data that follows.
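The MultiStream Format container described above can be illustrated with a small stand-alone reader. This is an added example, not Volatility's own code: the names `read_msf_streams` and `build_sample` are hypothetical, the field layout follows the LLVM PDB documentation listed among the sources, and the sample file is constructed. Every length and block index taken from the file is bounds-checked, since a PDB fetched from a symbol server is untrusted input.

```python
import struct

MSF_MAGIC = b"Microsoft C/C++ MSF 7.00\r\n\x1aDS\x00\x00\x00"  # 32 bytes

def _join(data, bs, indices, length):
    """Concatenate the listed blocks, bounds-checked, trimmed to length."""
    if any((i + 1) * bs > len(data) for i in indices):
        raise ValueError("block index outside the file")
    return b"".join(data[i * bs:(i + 1) * bs] for i in indices)[:length]

def read_msf_streams(data):
    """Return every stream of an MSF 7.00 container as contiguous bytes."""
    if data[:32] != MSF_MAGIC:
        raise ValueError("not an MSF 7.00 file")
    try:
        bs, _fpm, nblocks, dir_len, _unk, map_addr = struct.unpack_from("<6I", data, 32)
        if bs not in (512, 1024, 2048, 4096) or nblocks * bs != len(data):
            raise ValueError("inconsistent superblock")
        nblk = lambda size: -(-size // bs)  # ceiling division
        # Superblock -> block map -> directory blocks -> stream directory
        dir_idx = struct.unpack_from(f"<{nblk(dir_len)}I", data, map_addr * bs)
        directory = _join(data, bs, dir_idx, dir_len)
        (count,) = struct.unpack_from("<I", directory, 0)
        sizes = struct.unpack_from(f"<{count}I", directory, 4)
        pos, streams = 4 + 4 * count, []
        for size in sizes:
            size = 0 if size == 0xFFFFFFFF else size  # marker for an absent stream
            idx = struct.unpack_from(f"<{nblk(size)}I", directory, pos)
            pos += 4 * len(idx)
            streams.append(_join(data, bs, idx, size))
        return streams
    except struct.error as exc:  # truncated data or lying length fields
        raise ValueError(f"malformed MSF directory: {exc}") from exc

def build_sample(bs=512):
    """Constructed 8-block file; stream 2 (600 bytes) lives in blocks 7 then 5."""
    pad = lambda b: b.ljust(bs, b"\x00")
    # Directory: 3 streams, sizes 0 / 10 / 600, then each stream's block list
    directory = struct.pack("<7I", 3, 0, 10, bs + 88, 6, 7, 5)
    superblock = MSF_MAGIC + struct.pack("<6I", bs, 1, 8, len(directory), 0, 3)
    blocks = [superblock, b"", b"", struct.pack("<I", 4), directory,
              b"B" * 88, b"stream-one", b"A" * bs]
    return b"".join(pad(b) for b in blocks)

if __name__ == "__main__":
    print([len(s) for s in read_msf_streams(build_sample())])
```

Stream 2 comes back as one contiguous buffer even though its blocks are stored out of order on disk, which is the property the per-stream sublayers provide.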

consume_padding(layer_name, offset)[source]

Returns the amount of padding used between fields.

Return type


consume_type(module, offset, length)[source]

Returns a (leaf_type, name, object) Tuple for a type, and the number of bytes consumed.

Return type

Tuple[Tuple[Optional[ObjectInterface], Optional[str], Union[None, List[~T], ObjectInterface]], int]

property context

Convert the bytes to the correct ordering for a GUID.

Return type



Converts a field list into a list of fields.

Return type

Dict[Optional[str], Dict[str, Any]]

determine_extended_value(leaf_type, value, module, length)[source]

Reads a value and potentially consumes more data to construct the value.

Return type

Tuple[str, ObjectInterface, int]


Returns the intermediate format JSON data from this pdb file.


Returns the size of the structure based on the type index provided.

Return type



Takes a type index and returns appropriate dictionary.

Return type

Union[List[Any], Dict[str, Any]]

classmethod load_pdb_layer(context, location)[source]

Loads a PDB file into a layer within the context and returns the name of the new layer.

Note: the context may be changed by this method

Return type

Tuple[str, ContextInterface]


Strips unnecessary components from the start of a symbol name.


Looks up an address using the omap mapping.

static parse_string(structure, parse_as_pascal=False, size=0)[source]

Consumes either a C string or a Pascal string depending on the leaf_type.

Return type


property pdb_layer_name

Reads the TPI and symbol streams to populate the reader’s variables.

Return type



Reads the DBI Stream.

Return type



Read streams to populate the various internal components for a PDB table.


Reads in the pdb information stream.


Reads in the symbol stream.


Reads the TPI type stream.

Return type


replace_forward_references(types, type_references)[source]

Finds all ForwardArrayCounts and calculates them once ForwardReferences have been resolved.

class PdbRetreiver[source]

Bases: object

get_report_hook(progress_callback, url)[source]

Returns a report hook that converts output into a progress_callback.

retreive_pdb(guid, file_name, progress_callback=None)[source]
Return type