volatility3.framework.automagic package
Automagic modules allow the framework to populate configuration elements that a user has not provided.
Automagic objects accept a context and a configurable, and will make appropriate changes to the context in an attempt to fulfill the requirements of the configurable object (or objects upon which that configurable may rely).
The pre-existing modules include one that stacks layers on top of each other (allowing automatic detection and loading of file format types) and one that reconstructs layers based on their provided requirements.
- available(context)
Returns an ordered list of all subclasses of AutomagicInterface. The order is based on the priority attributes of the subclasses, in order to ensure the automagics are listed in an appropriate order.
- Parameters:
context (ContextInterface) – The context that will contain any automagic configuration values.
- Return type:
- choose_automagic(automagics, plugin)
Chooses which automagics to run, maintaining the order they were handed in.
- Return type:
- run(automagics, context, configurable, config_path, progress_callback=None)
Runs through the list of automagics in order, allowing them to make changes to the context.
- Parameters:
automagics (List[AutomagicInterface]) – A list of AutomagicInterface objects
context (ContextInterface) – The context (that inherits from ContextInterface) for modification
configurable (Union[ConfigurableInterface, Type[ConfigurableInterface]]) – An object that inherits from ConfigurableInterface
config_path (str) – The path within the context.config for options required by the configurable
progress_callback (Optional[Callable[[float, str], None]]) – A function that takes a percentage (and an optional description) that will be called periodically
- Return type:
This is where any automagic is allowed to run and alter the context in order to satisfy or improve all requirements.
Returns a list of traceback objects that occurred during the autorun procedure.
Note
The order of the automagics list is important. An automagic that populates configurations may be necessary for an automagic that populates the context based on the configuration information.
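The ordering contract described above, as an added stand-alone model (not Volatility 3 code and not taken from the project): it shows priority-sorted discovery, and how running the list in the wrong order leaves the context unpopulated while the failure comes back as a traceback object instead of an exception. The names ToyAutomagic, LayerBuilder, ConfigFiller, the plugins.Example config path and the sample location are hypothetical, and the ascending priority sort is an assumption.

```python
import traceback
from typing import Dict, List

class ToyAutomagic:
    """Hypothetical stand-in for an AutomagicInterface subclass."""
    priority = 10

    def __call__(self, context: Dict[str, str], config_path: str) -> None:
        raise NotImplementedError

class LayerBuilder(ToyAutomagic):
    """Populates the context from configuration that must already exist."""
    priority = 10

    def __call__(self, context, config_path):
        location = context[f"{config_path}.location"]  # KeyError if unset
        context["layer"] = f"layer built from {location}"

class ConfigFiller(ToyAutomagic):
    """Populates a configuration element the user did not provide."""
    priority = 0

    def __call__(self, context, config_path):
        # Constructed sample value, not a real evidence path.
        context.setdefault(f"{config_path}.location", "file:///constructed/sample.raw")

def available() -> List[ToyAutomagic]:
    # Assumption: a lower priority value sorts (and therefore runs) first.
    return sorted((cls() for cls in ToyAutomagic.__subclasses__()),
                  key=lambda magic: magic.priority)

def run(automagics, context, config_path, progress_callback=None):
    """Run every automagic in list order, collecting failures instead of raising."""
    errors = []
    for index, magic in enumerate(automagics):
        if progress_callback:
            progress_callback(100.0 * index / len(automagics), type(magic).__name__)
        try:
            magic(context, config_path)
        except Exception as exc:
            errors.append(traceback.TracebackException.from_exception(exc))
    return errors

def demo():
    ordered, good_ctx, bad_ctx = available(), {}, {}
    good = run(ordered, good_ctx, "plugins.Example")
    bad = run(ordered[::-1], bad_ctx, "plugins.Example")  # wrong order
    return good_ctx, good, bad_ctx, bad
```

In a triage script the practical consequence is that the returned list must be inspected after every run: an empty context with a non-empty error list means an earlier requirement was never satisfied.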
Submodules
- volatility3.framework.automagic.construct_layers module
ConstructionMagic
ConstructionMagic.build_configuration()
ConstructionMagic.config
ConstructionMagic.config_path
ConstructionMagic.context
ConstructionMagic.exclusion_list
ConstructionMagic.find_requirements()
ConstructionMagic.get_requirements()
ConstructionMagic.make_subconfig()
ConstructionMagic.priority
ConstructionMagic.unsatisfied()
- volatility3.framework.automagic.linux module
LinuxIntelStacker
LinuxSymbolFinder
LinuxSymbolFinder.banner_config_key
LinuxSymbolFinder.banners
LinuxSymbolFinder.build_configuration()
LinuxSymbolFinder.config
LinuxSymbolFinder.config_path
LinuxSymbolFinder.context
LinuxSymbolFinder.exclusion_list
LinuxSymbolFinder.find_aslr()
LinuxSymbolFinder.find_requirements()
LinuxSymbolFinder.get_requirements()
LinuxSymbolFinder.make_subconfig()
LinuxSymbolFinder.operating_system
LinuxSymbolFinder.priority
LinuxSymbolFinder.symbol_class
LinuxSymbolFinder.unsatisfied()
- volatility3.framework.automagic.mac module
MacIntelStacker
MacSymbolFinder
MacSymbolFinder.banner_config_key
MacSymbolFinder.banners
MacSymbolFinder.build_configuration()
MacSymbolFinder.config
MacSymbolFinder.config_path
MacSymbolFinder.context
MacSymbolFinder.exclusion_list
MacSymbolFinder.find_aslr()
MacSymbolFinder.find_requirements()
MacSymbolFinder.get_requirements()
MacSymbolFinder.make_subconfig()
MacSymbolFinder.operating_system
MacSymbolFinder.priority
MacSymbolFinder.symbol_class
MacSymbolFinder.unsatisfied()
- volatility3.framework.automagic.module module
- volatility3.framework.automagic.pdbscan module
KernelPDBScanner
KernelPDBScanner.build_configuration()
KernelPDBScanner.check_kernel_offset()
KernelPDBScanner.config
KernelPDBScanner.config_path
KernelPDBScanner.context
KernelPDBScanner.determine_valid_kernel()
KernelPDBScanner.exclusion_list
KernelPDBScanner.find_requirements()
KernelPDBScanner.find_virtual_layers_from_req()
KernelPDBScanner.get_physical_layer_name()
KernelPDBScanner.get_requirements()
KernelPDBScanner.make_subconfig()
KernelPDBScanner.max_pdb_size
KernelPDBScanner.method_fixed_mapping()
KernelPDBScanner.method_kdbg_offset()
KernelPDBScanner.method_module_offset()
KernelPDBScanner.method_slow_scan()
KernelPDBScanner.methods
KernelPDBScanner.priority
KernelPDBScanner.recurse_symbol_fulfiller()
KernelPDBScanner.set_kernel_virtual_offset()
KernelPDBScanner.unsatisfied()
- volatility3.framework.automagic.stacker module
LayerStacker
LayerStacker.build_configuration()
LayerStacker.config
LayerStacker.config_path
LayerStacker.context
LayerStacker.create_stackers_list()
LayerStacker.exclusion_list
LayerStacker.find_requirements()
LayerStacker.find_suitable_requirements()
LayerStacker.get_requirements()
LayerStacker.make_subconfig()
LayerStacker.priority
LayerStacker.stack()
LayerStacker.stack_layer()
LayerStacker.unsatisfied()
choose_os_stackers()
- volatility3.framework.automagic.symbol_cache module
CacheManagerInterface
CacheManagerInterface.add_identifier()
CacheManagerInterface.find_location()
CacheManagerInterface.get_hash()
CacheManagerInterface.get_identifier()
CacheManagerInterface.get_identifier_dictionary()
CacheManagerInterface.get_identifiers()
CacheManagerInterface.get_local_locations()
CacheManagerInterface.get_location_statistics()
CacheManagerInterface.update()
CacheManagerInterface.version
IdentifierProcessor
LinuxIdentifier
MacIdentifier
RemoteIdentifierFormat
SqliteCache
SqliteCache.add_identifier()
SqliteCache.find_location()
SqliteCache.get_hash()
SqliteCache.get_identifier()
SqliteCache.get_identifier_dictionary()
SqliteCache.get_identifiers()
SqliteCache.get_local_locations()
SqliteCache.get_location_statistics()
SqliteCache.is_url_local()
SqliteCache.update()
SqliteCache.version
SymbolCacheMagic
SymbolCacheMagic.build_configuration()
SymbolCacheMagic.config
SymbolCacheMagic.config_path
SymbolCacheMagic.context
SymbolCacheMagic.exclusion_list
SymbolCacheMagic.find_requirements()
SymbolCacheMagic.get_requirements()
SymbolCacheMagic.make_subconfig()
SymbolCacheMagic.priority
SymbolCacheMagic.unsatisfied()
WindowsIdentifier
- volatility3.framework.automagic.symbol_finder module
SymbolFinder
SymbolFinder.banner_config_key
SymbolFinder.banners
SymbolFinder.build_configuration()
SymbolFinder.config
SymbolFinder.config_path
SymbolFinder.context
SymbolFinder.exclusion_list
SymbolFinder.find_aslr
SymbolFinder.find_requirements()
SymbolFinder.get_requirements()
SymbolFinder.make_subconfig()
SymbolFinder.operating_system
SymbolFinder.priority
SymbolFinder.symbol_class
SymbolFinder.unsatisfied()
- volatility3.framework.automagic.windows module
DtbSelfRef32bit
DtbSelfRef64bit
DtbSelfRef64bitOldWindows
DtbSelfRefPae
DtbSelfReferential
PageMapScanner
WinSwapLayers
WinSwapLayers.build_configuration()
WinSwapLayers.config
WinSwapLayers.config_path
WinSwapLayers.context
WinSwapLayers.exclusion_list
WinSwapLayers.find_requirements()
WinSwapLayers.find_swap_requirement()
WinSwapLayers.get_requirements()
WinSwapLayers.make_subconfig()
WinSwapLayers.priority
WinSwapLayers.unsatisfied()
WindowsIntelStacker