volatility3.framework.objects package

class AggregateType(context, type_name, object_info, size, members)[source]

Bases: ObjectInterface

Object which can contain members that are other objects.

Keep the number of methods in this class low or very specific, since each one could overload a valid member.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy[source]

Bases: VolTemplateProxy

classmethod child_template(template, child)[source]

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)[source]

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)[source]

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)[source]

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)[source]

Replaces a child element within the arguments handed to the template.

Return type:

None

classmethod size(template)[source]

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used.

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)[source]

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to, in order to determine whether the member is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names.

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

member(attr='member')[source]

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)[source]

Writes the new value into the format at the offset the object currently resides at.

class Array(context, type_name, object_info, count=0, subtype=None)[source]

Bases: ObjectInterface, Sequence

Object which can contain a fixed number of an object type.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy[source]

Bases: VolTemplateProxy

classmethod child_template(template, child)[source]

Returns the template of the child member.

Return type:

Template

classmethod children(template)[source]

Returns the children of the template.

Return type:

List[Template]

abstract classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)[source]

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

classmethod replace_child(template, old_child, new_child)[source]

Substitutes the old_child for the new_child.

Return type:

None

classmethod size(template)[source]

Returns the size of the array, based on the count and the subtype.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used.

property count: int

Returns the count dynamically.

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Parameters:

member_name (str) – Name to test whether a member exists within the type structure

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to, in order to determine whether the member is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names.

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

index(value[, start[, stop]]) -> integer

Return first index of value.

Raises ValueError if the value is not present.

Supporting start and stop arguments is optional, but recommended.

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)[source]

Writes the new value into the format at the offset the object currently resides at.

Return type:

None

class BitField(context, type_name, object_info, base_type, start_bit=0, end_bit=0)[source]

Bases: ObjectInterface, int

Object containing a field which is made up of bits rather than whole bytes.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy[source]

Bases: VolTemplateProxy

abstract classmethod child_template(template, child)

Returns the template of the child member from the parent.

Return type:

Template

classmethod children(template)[source]

Returns the children of the template.

Return type:

List[Template]

abstract classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

abstract classmethod relative_child_offset(template, child)

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

classmethod replace_child(template, old_child, new_child)[source]

Substitutes the old_child for the new_child.

Return type:

None

classmethod size(template)[source]

Returns the size of the template object.

Return type:

int

as_integer_ratio()

Return integer ratio.

Return a pair of integers, whose ratio is exactly equal to the original int and with a positive denominator.

>>> (10).as_integer_ratio()
(10, 1)
>>> (-10).as_integer_ratio()
(-10, 1)
>>> (0).as_integer_ratio()
(0, 1)

bit_count()

Number of ones in the binary representation of the absolute value of self.

Also known as the population count.

>>> bin(13)
'0b1101'
>>> (13).bit_count()
3

bit_length()

Number of bits necessary to represent self in binary.

>>> bin(37)
'0b100101'
>>> (37).bit_length()
6

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used.

conjugate()

Returns self, the complex conjugate of any int.

denominator

the denominator of a rational number in lowest terms

from_bytes(bytes, byteorder='big', *, signed=False)

Return the integer represented by the given array of bytes.

bytes

Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.

byteorder

The byte order used to represent the integer. If byteorder is 'big', the most significant byte is at the beginning of the byte array. If byteorder is 'little', the most significant byte is at the end of the byte array. To request the native byte order of the host system, use sys.byteorder as the byte order value. Default is to use 'big'.

signed

Indicates whether two’s complement is used to represent the integer.

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Parameters:

member_name (str) – Name to test whether a member exists within the type structure

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to, in order to determine whether the member is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names.

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

imag

the imaginary part of a complex number

numerator

the numerator of a rational number in lowest terms

real

the real part of a complex number

to_bytes(length=1, byteorder='big', *, signed=False)

Return an array of bytes representing an integer.

length

Length of bytes object to use. An OverflowError is raised if the integer is not representable with the given number of bytes. Default is length 1.

byteorder

The byte order used to represent the integer. If byteorder is 'big', the most significant byte is at the beginning of the byte array. If byteorder is 'little', the most significant byte is at the end of the byte array. To request the native byte order of the host system, use sys.byteorder as the byte order value. Default is to use 'big'.

signed

Determines whether two’s complement is used to represent the integer. If signed is False and a negative integer is given, an OverflowError is raised.

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)[source]

Writes the new value into the format at the offset the object currently resides at.
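A simplified, self-contained model of the bit-level extraction that BitField describes, added here as an illustration and not volatility3's own code. The class name BitFieldModel, the field layout and the sample buffer are constructed, and the inclusive start_bit / exclusive end_bit convention is an assumption.

```python
import struct
from types import MappingProxyType


class BitFieldModel(int):
    """Model of a bit-field object: an int that remembers where it was read from.

    Not volatility3 code. `layer` is a plain bytes buffer standing in for a
    memory layer, and `base_format` is a struct format for an unsigned base type.
    """

    def __new__(cls, layer, offset, base_format, start_bit, end_bit):
        size = struct.calcsize(base_format)
        # Refuse reads that fall outside the buffer instead of returning junk.
        if offset < 0 or offset + size > len(layer):
            raise ValueError(f"base type at {offset:#x} is outside the layer")
        if not 0 <= start_bit < end_bit <= size * 8:
            raise ValueError("bit range does not fit inside the base type")
        (base_value,) = struct.unpack_from(base_format, layer, offset)
        # Assumption: start_bit is inclusive and end_bit is exclusive.
        value = (base_value & ((1 << end_bit) - 1)) >> start_bit
        self = super().__new__(cls, value)
        # Read-only bookkeeping, in the spirit of the `vol` property.
        self._vol = MappingProxyType(
            {"offset": offset, "start_bit": start_bit, "end_bit": end_bit}
        )
        return self

    @property
    def vol(self):
        return self._vol


# Constructed layout of a hypothetical 32-bit flags word: name -> (start_bit, end_bit).
FLAG_FIELDS = {"present": (0, 1), "mode": (1, 4), "index": (4, 12), "tag": (12, 16)}

# Constructed sample "layer": 4 padding bytes, little-endian 0x0000A5C3, 4 filler bytes.
SAMPLE_LAYER = b"\x00" * 4 + struct.pack("<I", 0x0000A5C3) + b"\xff" * 4


def decode_flags(layer, offset):
    """Decode every named field of the flags word stored at `offset`."""
    return {
        name: BitFieldModel(layer, offset, "<I", start, end)
        for name, (start, end) in FLAG_FIELDS.items()
    }


if __name__ == "__main__":
    for name, field in decode_flags(SAMPLE_LAYER, 4).items():
        # Because the object is an int, plain int methods such as bit_length() work.
        print(f"{name:8} = {int(field):#x}  bits={field.bit_length()}  vol={dict(field.vol)}")
```

Because the model subclasses int, each decoded field can be compared, masked and formatted like any other integer, which is also why the inherited int methods appear in the BitField listing.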

class Boolean(context, type_name, object_info, data_format)[source]

Bases: PrimitiveObject, int

Primitive Object that handles boolean types.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

abstract classmethod child_template(template, child)

Returns the template of the child member from the parent.

Return type:

Template

abstract classmethod children(template)

Returns the children of the template.

Return type:

List[Template]

abstract classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

abstract classmethod relative_child_offset(template, child)

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

abstract classmethod replace_child(template, old_child, new_child)

Substitutes the old_child for the new_child.

Return type:

None

classmethod size(template)

Returns the size of the templated object.

Return type:

int

as_integer_ratio()

Return integer ratio.

Return a pair of integers, whose ratio is exactly equal to the original int and with a positive denominator.

>>> (10).as_integer_ratio()
(10, 1)
>>> (-10).as_integer_ratio()
(-10, 1)
>>> (0).as_integer_ratio()
(0, 1)

bit_count()

Number of ones in the binary representation of the absolute value of self.

Also known as the population count.

>>> bin(13)
'0b1101'
>>> (13).bit_count()
3

bit_length()

Number of bits necessary to represent self in binary.

>>> bin(37)
'0b100101'
>>> (37).bit_length()
6

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used.

conjugate()

Returns self, the complex conjugate of any int.

denominator

the denominator of a rational number in lowest terms

from_bytes(bytes, byteorder='big', *, signed=False)

Return the integer represented by the given array of bytes.

bytes

Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.

byteorder

The byte order used to represent the integer. If byteorder is 'big', the most significant byte is at the beginning of the byte array. If byteorder is 'little', the most significant byte is at the end of the byte array. To request the native byte order of the host system, use sys.byteorder as the byte order value. Default is to use 'big'.

signed

Indicates whether two’s complement is used to represent the integer.

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Parameters:

member_name (str) – Name to test whether a member exists within the type structure

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to, in order to determine whether the member is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names.

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

imag

the imaginary part of a complex number

numerator

the numerator of a rational number in lowest terms

real

the real part of a complex number

to_bytes(length=1, byteorder='big', *, signed=False)

Return an array of bytes representing an integer.

length

Length of bytes object to use. An OverflowError is raised if the integer is not representable with the given number of bytes. Default is length 1.

byteorder

The byte order used to represent the integer. If byteorder is 'big', the most significant byte is at the beginning of the byte array. If byteorder is 'little', the most significant byte is at the end of the byte array. To request the native byte order of the host system, use sys.byteorder as the byte order value. Default is to use 'big'.

signed

Determines whether two’s complement is used to represent the integer. If signed is False and a negative integer is given, an OverflowError is raised.

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the object into the layer of the context at the current offset.

Return type:

ObjectInterface

class Bytes(context, type_name, object_info, length=1)[source]

Bases: PrimitiveObject, bytes

Primitive Object that handles specific series of bytes.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy[source]

Bases: VolTemplateProxy

abstract classmethod child_template(template, child)

Returns the template of the child member from the parent.

Return type:

Template

abstract classmethod children(template)

Returns the children of the template.

Return type:

List[Template]

abstract classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

abstract classmethod relative_child_offset(template, child)

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

abstract classmethod replace_child(template, old_child, new_child)

Substitutes the old_child for the new_child.

Return type:

None

classmethod size(template)[source]

Returns the size of the template object.

Return type:

int

capitalize() -> copy of B

Return a copy of B with only its first character capitalized (ASCII) and the rest lower-cased.

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used.

center(width, fillchar=b' ', /)

Return a centered string of length width.

Padding is done using the specified fill character.

count(sub[, start[, end]]) -> int

Return the number of non-overlapping occurrences of subsection sub in bytes B[start:end]. Optional arguments start and end are interpreted as in slice notation.

decode(encoding='utf-8', errors='strict')

Decode the bytes using the codec registered for encoding.

encoding

The encoding with which to decode the bytes.

errors

The error handling scheme to use for the handling of decoding errors. The default is ‘strict’ meaning that decoding errors raise a UnicodeDecodeError. Other possible values are ‘ignore’ and ‘replace’ as well as any other name registered with codecs.register_error that can handle UnicodeDecodeErrors.

endswith(suffix[, start[, end]]) -> bool

Return True if B ends with the specified suffix, False otherwise. With optional start, test B beginning at that position. With optional end, stop comparing B at that position. suffix can also be a tuple of bytes to try.

expandtabs(tabsize=8)

Return a copy where all tab characters are expanded using spaces.

If tabsize is not given, a tab size of 8 characters is assumed.

find(sub[, start[, end]]) -> int

Return the lowest index in B where subsection sub is found, such that sub is contained within B[start:end]. Optional arguments start and end are interpreted as in slice notation.

Return -1 on failure.

fromhex()

Create a bytes object from a string of hexadecimal numbers.

Spaces between two numbers are accepted. Example: bytes.fromhex('B9 01EF') -> b'\xb9\x01\xef'.

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Parameters:

member_name (str) – Name to test whether a member exists within the type structure

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to, in order to determine whether the member is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names.

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

hex()

Create a string of hexadecimal numbers from a bytes object.

sep

An optional single character or byte to separate hex bytes.

bytes_per_sep

How many bytes between separators. Positive values count from the right, negative values count from the left.

Example:

>>> value = b'\xb9\x01\xef'
>>> value.hex()
'b901ef'
>>> value.hex(':')
'b9:01:ef'
>>> value.hex(':', 2)
'b9:01ef'
>>> value.hex(':', -2)
'b901:ef'

index(sub[, start[, end]]) -> int

Return the lowest index in B where subsection sub is found, such that sub is contained within B[start:end]. Optional arguments start and end are interpreted as in slice notation.

Raises ValueError when the subsection is not found.

isalnum() -> bool

Return True if all characters in B are alphanumeric and there is at least one character in B, False otherwise.

isalpha() -> bool

Return True if all characters in B are alphabetic and there is at least one character in B, False otherwise.

isascii() -> bool

Return True if B is empty or all characters in B are ASCII, False otherwise.

isdigit() -> bool

Return True if all characters in B are digits and there is at least one character in B, False otherwise.

islower() -> bool

Return True if all cased characters in B are lowercase and there is at least one cased character in B, False otherwise.

isspace() -> bool

Return True if all characters in B are whitespace and there is at least one character in B, False otherwise.

istitle() -> bool

Return True if B is a titlecased string and there is at least one character in B, i.e. uppercase characters may only follow uncased characters and lowercase characters only cased ones. Return False otherwise.

isupper() -> bool

Return True if all cased characters in B are uppercase and there is at least one cased character in B, False otherwise.

join(iterable_of_bytes, /)

Concatenate any number of bytes objects.

The bytes whose method is called is inserted in between each pair.

The result is returned as a new bytes object.

Example: b'.'.join([b'ab', b'pq', b'rs']) -> b'ab.pq.rs'.

ljust(width, fillchar=b' ', /)

Return a left-justified string of length width.

Padding is done using the specified fill character.

lower() -> copy of B

Return a copy of B with all ASCII characters converted to lowercase.

lstrip(bytes=None, /)

Strip leading bytes contained in the argument.

If the argument is omitted or None, strip leading ASCII whitespace.

static maketrans(frm, to, /)

Return a translation table useable for the bytes or bytearray translate method.

The returned table will be one where each byte in frm is mapped to the byte at the same position in to.

The bytes objects frm and to must be of the same length.

partition(sep, /)

Partition the bytes into three parts using the given separator.

This will search for the separator sep in the bytes. If the separator is found, returns a 3-tuple containing the part before the separator, the separator itself, and the part after it.

If the separator is not found, returns a 3-tuple containing the original bytes object and two empty bytes objects.

removeprefix(prefix, /)

Return a bytes object with the given prefix string removed if present.

If the bytes starts with the prefix string, return bytes[len(prefix):]. Otherwise, return a copy of the original bytes.

removesuffix(suffix, /)

Return a bytes object with the given suffix string removed if present.

If the bytes ends with the suffix string and that suffix is not empty, return bytes[:-len(suffix)]. Otherwise, return a copy of the original bytes.

replace(old, new, count=-1, /)

Return a copy with all occurrences of substring old replaced by new.

count

Maximum number of occurrences to replace. -1 (the default value) means replace all occurrences.

If the optional argument count is given, only the first count occurrences are replaced.

rfind(sub[, start[, end]]) -> int

Return the highest index in B where subsection sub is found, such that sub is contained within B[start:end]. Optional arguments start and end are interpreted as in slice notation.

Return -1 on failure.

rindex(sub[, start[, end]]) -> int

Return the highest index in B where subsection sub is found, such that sub is contained within B[start:end]. Optional arguments start and end are interpreted as in slice notation.

Raise ValueError when the subsection is not found.

rjust(width, fillchar=b' ', /)

Return a right-justified string of length width.

Padding is done using the specified fill character.

rpartition(sep, /)

Partition the bytes into three parts using the given separator.

This will search for the separator sep in the bytes, starting at the end. If the separator is found, returns a 3-tuple containing the part before the separator, the separator itself, and the part after it.

If the separator is not found, returns a 3-tuple containing two empty bytes objects and the original bytes object.

rsplit(sep=None, maxsplit=-1)

Return a list of the sections in the bytes, using sep as the delimiter.

sep

The delimiter according to which to split the bytes. None (the default value) means split on ASCII whitespace characters (space, tab, return, newline, formfeed, vertical tab).

maxsplit

Maximum number of splits to do. -1 (the default value) means no limit.

Splitting is done starting at the end of the bytes and working to the front.

rstrip(bytes=None, /)

Strip trailing bytes contained in the argument.

If the argument is omitted or None, strip trailing ASCII whitespace.

split(sep=None, maxsplit=-1)

Return a list of the sections in the bytes, using sep as the delimiter.

sep

The delimiter according to which to split the bytes. None (the default value) means split on ASCII whitespace characters (space, tab, return, newline, formfeed, vertical tab).

maxsplit

Maximum number of splits to do. -1 (the default value) means no limit.

splitlines(keepends=False)

Return a list of the lines in the bytes, breaking at line boundaries.

Line breaks are not included in the resulting list unless keepends is given and true.

startswith(prefix[, start[, end]]) -> bool

Return True if B starts with the specified prefix, False otherwise. With optional start, test B beginning at that position. With optional end, stop comparing B at that position. prefix can also be a tuple of bytes to try.

strip(bytes=None, /)

Strip leading and trailing bytes contained in the argument.

If the argument is omitted or None, strip leading and trailing ASCII whitespace.

swapcase() -> copy of B

Return a copy of B with uppercase ASCII characters converted to lowercase ASCII and vice versa.

title() -> copy of B

Return a titlecased version of B, i.e. ASCII words start with uppercase characters, all remaining cased characters have lowercase.

translate(table, /, delete=b'')

Return a copy with each character mapped by the given translation table.

table

Translation table, which must be a bytes object of length 256.

All characters occurring in the optional argument delete are removed. The remaining characters are mapped through the given translation table.

upper() -> copy of B

Return a copy of B with all ASCII characters converted to uppercase.

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the object into the layer of the context at the current offset.

Return type:

ObjectInterface

zfill(width, /)

Pad a numeric string with zeros on the left, to fill a field of the given width.

The original string is never truncated.

class Char(context, type_name, object_info, data_format)[source]

Bases: PrimitiveObject, int

Primitive Object that handles characters.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

abstract classmethod child_template(template, child)

Returns the template of the child member from the parent.

Return type:

Template

abstract classmethod children(template)

Returns the children of the template.

Return type:

List[Template]

abstract classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

abstract classmethod relative_child_offset(template, child)

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

abstract classmethod replace_child(template, old_child, new_child)

Substitutes the old_child for the new_child.

Return type:

None

classmethod size(template)

Returns the size of the templated object.

Return type:

int

as_integer_ratio()

Return integer ratio.

Return a pair of integers, whose ratio is exactly equal to the original int and with a positive denominator.

>>> (10).as_integer_ratio()
(10, 1)
>>> (-10).as_integer_ratio()
(-10, 1)
>>> (0).as_integer_ratio()
(0, 1)

bit_count()

Number of ones in the binary representation of the absolute value of self.

Also known as the population count.

>>> bin(13)
'0b1101'
>>> (13).bit_count()
3

bit_length()

Number of bits necessary to represent self in binary.

>>> bin(37)
'0b100101'
>>> (37).bit_length()
6

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used.

conjugate()

Returns self, the complex conjugate of any int.

denominator

the denominator of a rational number in lowest terms

from_bytes(bytes, byteorder='big', *, signed=False)

Return the integer represented by the given array of bytes.

bytes

Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.

byteorder

The byte order used to represent the integer. If byteorder is 'big', the most significant byte is at the beginning of the byte array. If byteorder is 'little', the most significant byte is at the end of the byte array. To request the native byte order of the host system, use sys.byteorder as the byte order value. Default is to use 'big'.

signed

Indicates whether two’s complement is used to represent the integer.

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Parameters:

member_name (str) – Name to test whether a member exists within the type structure

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to, in order to determine whether the member is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names.

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

imag

the imaginary part of a complex number

numerator

the numerator of a rational number in lowest terms

real

the real part of a complex number

to_bytes(length=1, byteorder='big', *, signed=False)

Return an array of bytes representing an integer.

length

Length of bytes object to use. An OverflowError is raised if the integer is not representable with the given number of bytes. Default is length 1.

byteorder

The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use ‘sys.byteorder’ as the byte order value. Default is to use ‘big’.

signed

Determines whether two’s complement is used to represent the integer. If signed is False and a negative integer is given, an OverflowError is raised.

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the object into the layer of the context at the current offset.

Return type:

ObjectInterface

class ClassType(context, type_name, object_info, size, members)[source]

Bases: AggregateType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replaces a child element within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to access in order to test whether it is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class DataFormatInfo(length, byteorder, signed)

Bases: tuple

Create new instance of DataFormatInfo(length, byteorder, signed)

byteorder

Alias for field number 1

count(value, /)

Return number of occurrences of value.

index(value, start=0, stop=9223372036854775807, /)

Return first index of value.

Raises ValueError if the value is not present.

length

Alias for field number 0

signed

Alias for field number 2

class Enumeration(context, type_name, object_info, base_type, choices)[source]

Bases: ObjectInterface, int

Returns an object made up of choices.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy[source]

Bases: VolTemplateProxy

abstract classmethod child_template(template, child)

Returns the template of the child member from the parent.

Return type:

Template

classmethod children(template)[source]

Returns the children of the template.

Return type:

List[Template]

abstract classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod lookup(template, value)[source]

Looks up an individual value and returns the associated name.

If multiple identifiers map to the same value, the first matching identifier will be returned

Return type:

str

abstract classmethod relative_child_offset(template, child)

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

classmethod replace_child(template, old_child, new_child)[source]

Substitutes the old_child for the new_child.

Return type:

None

classmethod size(template)[source]

Returns the size of the template object.

Return type:

int

as_integer_ratio()

Return integer ratio.

Return a pair of integers, whose ratio is exactly equal to the original int and with a positive denominator.

>>> (10).as_integer_ratio()
(10, 1)
>>> (-10).as_integer_ratio()
(-10, 1)
>>> (0).as_integer_ratio()
(0, 1)

bit_count()

Number of ones in the binary representation of the absolute value of self.

Also known as the population count.

>>> bin(13)
'0b1101'
>>> (13).bit_count()
3

bit_length()

Number of bits necessary to represent self in binary.

>>> bin(37)
'0b100101'
>>> (37).bit_length()
6

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

property choices: Dict[str, int]

conjugate()

Returns self, the complex conjugate of any int.

denominator

the denominator of a rational number in lowest terms

property description: str

Returns the chosen name for the value this object contains.

from_bytes(byteorder='big', *, signed=False)

Return the integer represented by the given array of bytes.

bytes

Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.

byteorder

The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use ‘sys.byteorder’ as the byte order value. Default is to use ‘big’.

signed

Indicates whether two’s complement is used to represent the integer.

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Parameters:

member_name (str) – Name to test whether a member exists within the type structure

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to access in order to test whether it is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

imag

the imaginary part of a complex number

property is_valid_choice: bool

Returns whether the value for the object is a valid choice

lookup(value=None)[source]

Looks up an individual value and returns the associated name.

If multiple identifiers map to the same value, the first matching identifier will be returned

Return type:

str

numerator

the numerator of a rational number in lowest terms

real

the real part of a complex number

to_bytes(length=1, byteorder='big', *, signed=False)

Return an array of bytes representing an integer.

length

Length of bytes object to use. An OverflowError is raised if the integer is not representable with the given number of bytes. Default is length 1.

byteorder

The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use ‘sys.byteorder’ as the byte order value. Default is to use ‘big’.

signed

Determines whether two’s complement is used to represent the integer. If signed is False and a negative integer is given, an OverflowError is raised.

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)[source]

Writes the new value into the format at the offset the object currently resides at.
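The DataFormatInfo fields and the Enumeration lookup rule documented above can be exercised without a memory image. The following is an added standalone model using only the Python standard library, not volatility3's own code; the helper names (decode_integer, encode_integer, lookup_choice, describe), the choices table, the byte strings and the fallback label for unknown values are all constructed for illustration.

```python
from collections import namedtuple
from typing import Dict, Optional

# Same field order the page documents: length (0), byteorder (1), signed (2).
DataFormatInfo = namedtuple("DataFormatInfo", ["length", "byteorder", "signed"])

U32_LE = DataFormatInfo(4, "little", False)
S32_LE = DataFormatInfo(4, "little", True)
U32_BE = DataFormatInfo(4, "big", False)

# Constructed choices table. Two identifiers share the value 1 to show the
# "first matching identifier" rule.
SAMPLE_CHOICES: Dict[str, int] = {
    "STATE_IDLE": 0,
    "STATE_RUNNING": 1,
    "STATE_ACTIVE": 1,
    "STATE_STOPPED": 2,
}


def decode_integer(raw: bytes, fmt: DataFormatInfo) -> int:
    """Decode fmt.length bytes with the byte order and signedness in fmt."""
    if len(raw) < fmt.length:
        raise ValueError(f"need {fmt.length} bytes, got {len(raw)}")
    return int.from_bytes(raw[: fmt.length], byteorder=fmt.byteorder, signed=fmt.signed)


def encode_integer(value: int, fmt: DataFormatInfo) -> bytes:
    """Inverse of decode_integer. int.to_bytes raises OverflowError when the
    value does not fit, including a negative value with signed=False."""
    return value.to_bytes(fmt.length, byteorder=fmt.byteorder, signed=fmt.signed)


def lookup_choice(choices: Dict[str, int], value: int) -> Optional[str]:
    """Return the first identifier mapped to value, or None when there is none.

    Returning None for an unknown value is this model's choice; the page does
    not state what the real lookup() does in that case.
    """
    for name, number in choices.items():
        if number == value:
            return name
    return None


def is_valid_choice(choices: Dict[str, int], value: int) -> bool:
    """True when value is one of the enumeration's defined values."""
    return value in choices.values()


def describe(raw: bytes, fmt: DataFormatInfo, choices: Dict[str, int]) -> str:
    """Decode raw bytes and name the value, flagging anything outside choices.

    Values read from a damaged or paged-out region often fall outside the
    enumeration, so the validity check comes before the name is trusted.
    """
    value = decode_integer(raw, fmt)
    if not is_valid_choice(choices, value):
        return f"<unknown {value:#x}>"
    return lookup_choice(choices, value)


if __name__ == "__main__":
    raw_one = b"\x01\x00\x00\x00"    # constructed sample bytes
    raw_ones = b"\xff\xff\xff\xff"   # constructed sample bytes
    print(decode_integer(raw_one, U32_LE), decode_integer(raw_one, U32_BE))
    print(decode_integer(raw_ones, U32_LE), decode_integer(raw_ones, S32_LE))
    print(describe(raw_one, U32_LE, SAMPLE_CHOICES))
    print(describe(raw_ones, U32_LE, SAMPLE_CHOICES))
```

The same four bytes give different integers depending on byteorder and signed, which is why a wrong data format silently turns a valid enumeration value into an unknown one.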

class Float(context, type_name, object_info, data_format)[source]

Bases: PrimitiveObject, float

Primitive Object that handles double or floating point numbers.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

abstract classmethod child_template(template, child)

Returns the template of the child member from the parent.

Return type:

Template

abstract classmethod children(template)

Returns the children of the template.

Return type:

List[Template]

abstract classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

abstract classmethod relative_child_offset(template, child)

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

abstract classmethod replace_child(template, old_child, new_child)

Substitutes the old_child for the new_child.

Return type:

None

classmethod size(template)

Returns the size of the templated object.

Return type:

int

as_integer_ratio()

Return integer ratio.

Return a pair of integers, whose ratio is exactly equal to the original float and with a positive denominator.

Raise OverflowError on infinities and a ValueError on NaNs.

>>> (10.0).as_integer_ratio()
(10, 1)
>>> (0.0).as_integer_ratio()
(0, 1)
>>> (-.25).as_integer_ratio()
(-1, 4)

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

conjugate()

Return self, the complex conjugate of any float.

fromhex()

Create a floating-point number from a hexadecimal string.

>>> float.fromhex('0x1.ffffp10')
2047.984375
>>> float.fromhex('-0x1p-1074')
-5e-324

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Parameters:

member_name (str) – Name to test whether a member exists within the type structure

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to access in order to test whether it is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

hex()

Return a hexadecimal representation of a floating-point number.

>>> (-0.1).hex()
'-0x1.999999999999ap-4'
>>> 3.14159.hex()
'0x1.921f9f01b866ep+1'

imag

the imaginary part of a complex number

is_integer()

Return True if the float is an integer.

real

the real part of a complex number

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the object into the layer of the context at the current offset.

Return type:

ObjectInterface

class Function(context, type_name, object_info, **kwargs)[source]

Bases: ObjectInterface

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: object

A container for proxied methods that the ObjectTemplate of this object will call. This is primarily to keep methods together for easy organization/management, there is no significant need for it to be a separate class.

The methods of this class must be class methods rather than standard methods, to allow for code reuse. Each method also takes a template since the templates may contain the necessary data about the yet-to-be-constructed object. It allows objects to control how their templates respond without needing to write new templates for each and every potential object type.

abstract classmethod child_template(template, child)

Returns the template of the child member from the parent.

Return type:

Template

abstract classmethod children(template)

Returns the children of the template.

Return type:

List[Template]

abstract classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

abstract classmethod relative_child_offset(template, child)

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

abstract classmethod replace_child(template, old_child, new_child)

Substitutes the old_child for the new_child.

Return type:

None

abstract classmethod size(template)

Returns the size of the template object.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Parameters:

member_name (str) – Name to test whether a member exists within the type structure

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to access in order to test whether it is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

property vol: ReadOnlyMapping

Returns the volatility specific object information.

abstract write(value)

Writes the new value into the format at the offset the object currently resides at.

class Integer(context, type_name, object_info, data_format)[source]

Bases: PrimitiveObject, int

Primitive Object that handles standard numeric types.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

abstract classmethod child_template(template, child)

Returns the template of the child member from the parent.

Return type:

Template

abstract classmethod children(template)

Returns the children of the template.

Return type:

List[Template]

abstract classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

abstract classmethod relative_child_offset(template, child)

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

abstract classmethod replace_child(template, old_child, new_child)

Substitutes the old_child for the new_child.

Return type:

None

classmethod size(template)

Returns the size of the templated object.

Return type:

int

as_integer_ratio()

Return integer ratio.

Return a pair of integers, whose ratio is exactly equal to the original int and with a positive denominator.

>>> (10).as_integer_ratio()
(10, 1)
>>> (-10).as_integer_ratio()
(-10, 1)
>>> (0).as_integer_ratio()
(0, 1)

bit_count()

Number of ones in the binary representation of the absolute value of self.

Also known as the population count.

>>> bin(13)
'0b1101'
>>> (13).bit_count()
3

bit_length()

Number of bits necessary to represent self in binary.

>>> bin(37)
'0b100101'
>>> (37).bit_length()
6

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

conjugate()

Returns self, the complex conjugate of any int.

denominator

the denominator of a rational number in lowest terms

from_bytes(byteorder='big', *, signed=False)

Return the integer represented by the given array of bytes.

bytes

Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.

byteorder

The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use ‘sys.byteorder’ as the byte order value. Default is to use ‘big’.

signed

Indicates whether two’s complement is used to represent the integer.

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Parameters:

member_name (str) – Name to test whether a member exists within the type structure

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to access in order to test whether it is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

imag

the imaginary part of a complex number

numerator

the numerator of a rational number in lowest terms

real

the real part of a complex number

to_bytes(length=1, byteorder='big', *, signed=False)

Return an array of bytes representing an integer.

length

Length of bytes object to use. An OverflowError is raised if the integer is not representable with the given number of bytes. Default is length 1.

byteorder

The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use ‘sys.byteorder’ as the byte order value. Default is to use ‘big’.

signed

Determines whether two’s complement is used to represent the integer. If signed is False and a negative integer is given, an OverflowError is raised.

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the object into the layer of the context at the current offset.

Return type:

ObjectInterface

class Pointer(context, type_name, object_info, data_format, subtype=None)[source]

Bases: Integer

Pointer which points to another object.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy[source]

Bases: VolTemplateProxy

abstract classmethod child_template(template, child)

Returns the template of the child member from the parent.

Return type:

Template

classmethod children(template)[source]

Returns the children of the template.

Return type:

List[Template]

classmethod has_member(template, member_name)[source]

Returns whether the object would contain a member called member_name.

Return type:

bool

abstract classmethod relative_child_offset(template, child)

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

classmethod replace_child(template, old_child, new_child)[source]

Substitutes the old_child for the new_child.

Return type:

None

classmethod size(template)[source]

Returns the size of the template object.

Return type:

int

as_integer_ratio()

Return integer ratio.

Return a pair of integers, whose ratio is exactly equal to the original int and with a positive denominator.

>>> (10).as_integer_ratio()
(10, 1)
>>> (-10).as_integer_ratio()
(-10, 1)
>>> (0).as_integer_ratio()
(0, 1)

bit_count()

Number of ones in the binary representation of the absolute value of self.

Also known as the population count.

>>> bin(13)
'0b1101'
>>> (13).bit_count()
3

bit_length()

Number of bits necessary to represent self in binary.

>>> bin(37)
'0b100101'
>>> (37).bit_length()
6

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

conjugate()

Returns self, the complex conjugate of any int.

denominator

the denominator of a rational number in lowest terms

dereference(layer_name=None)[source]

Dereferences the pointer.

layer_name identifies the appropriate layer within the context that the pointer points to. If layer_name is None, it defaults to the same layer that the pointer is currently instantiated in.

Return type:

ObjectInterface

from_bytes(byteorder='big', *, signed=False)

Return the integer represented by the given array of bytes.

bytes

Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.

byteorder

The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use ‘sys.byteorder’ as the byte order value. Default is to use ‘big’.

signed

Indicates whether two’s complement is used to represent the integer.

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)[source]

Returns whether the dereferenced type has this member.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to access in order to test whether it is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

imag

the imaginary part of a complex number

is_readable(layer_name=None)[source]

Determines whether the address of this pointer can be read from memory.

Return type:

bool

numerator

the numerator of a rational number in lowest terms

real

the real part of a complex number

to_bytes(length=1, byteorder='big', *, signed=False)

Return an array of bytes representing an integer.

length

Length of bytes object to use. An OverflowError is raised if the integer is not representable with the given number of bytes. Default is length 1.

byteorder

The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use ‘sys.byteorder’ as the byte order value. Default is to use ‘big’.

signed

Determines whether two’s complement is used to represent the integer. If signed is False and a negative integer is given, an OverflowError is raised.

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the object into the layer of the context at the current offset.

Return type:

ObjectInterface

class PrimitiveObject(context, type_name, object_info, data_format)[source]

Bases: ObjectInterface

PrimitiveObject is an interface for any objects that should simulate a Python primitive.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy[source]

Bases: VolTemplateProxy

abstract classmethod child_template(template, child)

Returns the template of the child member from the parent.

Return type:

Template

abstract classmethod children(template)

Returns the children of the template.

Return type:

List[Template]

abstract classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

abstract classmethod relative_child_offset(template, child)

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

abstract classmethod replace_child(template, old_child, new_child)

Substitutes the old_child for the new_child.

Return type:

None

classmethod size(template)[source]

Returns the size of the templated object.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Parameters:

member_name (str) – Name to test whether a member exists within the type structure

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to access in order to test whether it is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)[source]

Writes the object into the layer of the context at the current offset.

Return type:

ObjectInterface

class String(context, type_name, object_info, max_length=1, encoding='utf-8', errors='strict')[source]

Bases: PrimitiveObject, str

Primitive Object that handles string values.

Parameters:

max_length (int) – specifies the maximum possible length that the string could hold within memory (for multibyte characters, this will not be the maximum length of the string)

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy[source]

Bases: VolTemplateProxy

abstract classmethod child_template(template, child)

Returns the template of the child member from the parent.

Return type:

Template

abstract classmethod children(template)

Returns the children of the template.

Return type:

List[Template]

abstract classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

abstract classmethod relative_child_offset(template, child)

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

abstract classmethod replace_child(template, old_child, new_child)

Substitutes the old_child for the new_child.

Return type:

None

classmethod size(template)[source]

Returns the size of the templated object.

Return type:

int

capitalize()

Return a capitalized version of the string.

More specifically, make the first character have upper case and the rest lower case.

casefold()

Return a version of the string suitable for caseless comparisons.

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

center(width, fillchar=' ', /)

Return a centered string of length width.

Padding is done using the specified fill character (default is a space).

count(sub[, start[, end]]) → int

Return the number of non-overlapping occurrences of substring sub in string S[start:end]. Optional arguments start and end are interpreted as in slice notation.

encode(encoding='utf-8', errors='strict')

Encode the string using the codec registered for encoding.

encoding

The encoding in which to encode the string.

errors

The error handling scheme to use for encoding errors. The default is ‘strict’ meaning that encoding errors raise a UnicodeEncodeError. Other possible values are ‘ignore’, ‘replace’ and ‘xmlcharrefreplace’ as well as any other name registered with codecs.register_error that can handle UnicodeEncodeErrors.

endswith(suffix[, start[, end]]) -> bool

Return True if S ends with the specified suffix, False otherwise. With optional start, test S beginning at that position. With optional end, stop comparing S at that position. suffix can also be a tuple of strings to try.

expandtabs(tabsize=8)

Return a copy where all tab characters are expanded using spaces.

If tabsize is not given, a tab size of 8 characters is assumed.

find(sub[, start[, end]]) -> int

Return the lowest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.

Return -1 on failure.

format(*args, **kwargs) -> str

Return a formatted version of S, using substitutions from args and kwargs. The substitutions are identified by braces (‘{’ and ‘}’).

format_map(mapping) -> str

Return a formatted version of S, using substitutions from mapping. The substitutions are identified by braces (‘{’ and ‘}’).

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Parameters:

member_name (str) – Name to test whether a member exists within the type structure

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member whose access is tested to determine whether the member is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names.

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

index(sub[, start[, end]]) -> int

Return the lowest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.

Raises ValueError when the substring is not found.

isalnum()

Return True if the string is an alpha-numeric string, False otherwise.

A string is alpha-numeric if all characters in the string are alpha-numeric and there is at least one character in the string.

isalpha()

Return True if the string is an alphabetic string, False otherwise.

A string is alphabetic if all characters in the string are alphabetic and there is at least one character in the string.

isascii()

Return True if all characters in the string are ASCII, False otherwise.

ASCII characters have code points in the range U+0000-U+007F. Empty string is ASCII too.

isdecimal()

Return True if the string is a decimal string, False otherwise.

A string is a decimal string if all characters in the string are decimal and there is at least one character in the string.

isdigit()

Return True if the string is a digit string, False otherwise.

A string is a digit string if all characters in the string are digits and there is at least one character in the string.

isidentifier()

Return True if the string is a valid Python identifier, False otherwise.

Call keyword.iskeyword(s) to test whether string s is a reserved identifier, such as “def” or “class”.

islower()

Return True if the string is a lowercase string, False otherwise.

A string is lowercase if all cased characters in the string are lowercase and there is at least one cased character in the string.

isnumeric()

Return True if the string is a numeric string, False otherwise.

A string is numeric if all characters in the string are numeric and there is at least one character in the string.

isprintable()

Return True if the string is printable, False otherwise.

A string is printable if all of its characters are considered printable in repr() or if it is empty.

isspace()

Return True if the string is a whitespace string, False otherwise.

A string is whitespace if all characters in the string are whitespace and there is at least one character in the string.

istitle()

Return True if the string is a title-cased string, False otherwise.

In a title-cased string, upper- and title-case characters may only follow uncased characters and lowercase characters only cased ones.

isupper()

Return True if the string is an uppercase string, False otherwise.

A string is uppercase if all cased characters in the string are uppercase and there is at least one cased character in the string.

join(iterable, /)

Concatenate any number of strings.

The string whose method is called is inserted in between each given string. The result is returned as a new string.

Example: '.'.join(['ab', 'pq', 'rs']) -> 'ab.pq.rs'

ljust(width, fillchar=' ', /)

Return a left-justified string of length width.

Padding is done using the specified fill character (default is a space).

lower()

Return a copy of the string converted to lowercase.

lstrip(chars=None, /)

Return a copy of the string with leading whitespace removed.

If chars is given and not None, remove characters in chars instead.

static maketrans()

Return a translation table usable for str.translate().

If there is only one argument, it must be a dictionary mapping Unicode ordinals (integers) or characters to Unicode ordinals, strings or None. Character keys will be then converted to ordinals. If there are two arguments, they must be strings of equal length, and in the resulting dictionary, each character in x will be mapped to the character at the same position in y. If there is a third argument, it must be a string, whose characters will be mapped to None in the result.

partition(sep, /)

Partition the string into three parts using the given separator.

This will search for the separator in the string. If the separator is found, returns a 3-tuple containing the part before the separator, the separator itself, and the part after it.

If the separator is not found, returns a 3-tuple containing the original string and two empty strings.

removeprefix(prefix, /)

Return a str with the given prefix string removed if present.

If the string starts with the prefix string, return string[len(prefix):]. Otherwise, return a copy of the original string.

removesuffix(suffix, /)

Return a str with the given suffix string removed if present.

If the string ends with the suffix string and that suffix is not empty, return string[:-len(suffix)]. Otherwise, return a copy of the original string.

replace(old, new, count=-1, /)

Return a copy with all occurrences of substring old replaced by new.

count

Maximum number of occurrences to replace. -1 (the default value) means replace all occurrences.

If the optional argument count is given, only the first count occurrences are replaced.

rfind(sub[, start[, end]]) -> int

Return the highest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.

Return -1 on failure.

rindex(sub[, start[, end]]) -> int

Return the highest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.

Raises ValueError when the substring is not found.

rjust(width, fillchar=' ', /)

Return a right-justified string of length width.

Padding is done using the specified fill character (default is a space).

rpartition(sep, /)

Partition the string into three parts using the given separator.

This will search for the separator in the string, starting at the end. If the separator is found, returns a 3-tuple containing the part before the separator, the separator itself, and the part after it.

If the separator is not found, returns a 3-tuple containing two empty strings and the original string.

rsplit(sep=None, maxsplit=-1)

Return a list of the substrings in the string, using sep as the separator string.

sep

The separator used to split the string.

When set to None (the default value), will split on any whitespace character (including \n \r \t \f and spaces) and will discard empty strings from the result.

maxsplit

Maximum number of splits (starting from the left). -1 (the default value) means no limit.

Splitting starts at the end of the string and works to the front.

rstrip(chars=None, /)

Return a copy of the string with trailing whitespace removed.

If chars is given and not None, remove characters in chars instead.

split(sep=None, maxsplit=-1)

Return a list of the substrings in the string, using sep as the separator string.

sep

The separator used to split the string.

When set to None (the default value), will split on any whitespace character (including \n \r \t \f and spaces) and will discard empty strings from the result.

maxsplit

Maximum number of splits (starting from the left). -1 (the default value) means no limit.

Note, str.split() is mainly useful for data that has been intentionally delimited. With natural text that includes punctuation, consider using the regular expression module.

splitlines(keepends=False)

Return a list of the lines in the string, breaking at line boundaries.

Line breaks are not included in the resulting list unless keepends is given and true.

startswith(prefix[, start[, end]]) -> bool

Return True if S starts with the specified prefix, False otherwise. With optional start, test S beginning at that position. With optional end, stop comparing S at that position. prefix can also be a tuple of strings to try.

strip(chars=None, /)

Return a copy of the string with leading and trailing whitespace removed.

If chars is given and not None, remove characters in chars instead.

swapcase()

Convert uppercase characters to lowercase and lowercase characters to uppercase.

title()

Return a version of the string where each word is titlecased.

More specifically, words start with uppercased characters and all remaining cased characters have lower case.

translate(table, /)

Replace each character in the string using the given translation table.

table

Translation table, which must be a mapping of Unicode ordinals to Unicode ordinals, strings, or None.

The table must implement lookup/indexing via __getitem__, for instance a dictionary or list. If this operation raises LookupError, the character is left untouched. Characters mapped to None are deleted.

upper()

Return a copy of the string converted to uppercase.

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the object into the layer of the context at the current offset.

Return type:

ObjectInterface

zfill(width, /)

Pad a numeric string with zeros on the left, to fill a field of the given width.

The string is never truncated.

class StructType(context, type_name, object_info, size, members)[source]

Bases: AggregateType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replaces a child element within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If the new type name does not include a symbol table, the symbol table for the current object is used.

Return type:

ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member whose access is tested to determine whether the member is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names.

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class UnionType(context, type_name, object_info, size, members)[source]

Bases: AggregateType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replaces a child element within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If the new type name does not include a symbol table, the symbol table for the current object is used.

Return type:

ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member whose access is tested to determine whether the member is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names.

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class Void(context, type_name, object_info, **kwargs)[source]

Bases: ObjectInterface

Returns an object to represent void/unknown types.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy[source]

Bases: VolTemplateProxy

abstract classmethod child_template(template, child)

Returns the template of the child member from the parent.

Return type:

Template

abstract classmethod children(template)

Returns the children of the template.

Return type:

List[Template]

abstract classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

abstract classmethod relative_child_offset(template, child)

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

abstract classmethod replace_child(template, old_child, new_child)

Substitutes the old_child for the new_child.

Return type:

None

classmethod size(template)[source]

Dummy size for Void objects.

According to http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf, void is an incomplete type, and therefore sizeof(void) should fail. However, we need to be able to construct voids in order to cast them, so we return a useless size. It shouldn’t cause errors, but it also shouldn’t be common; it is logged at the lowest level.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If the new type name does not include a symbol table, the symbol table for the current object is used.

Return type:

ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Parameters:

member_name (str) – Name to test whether a member exists within the type structure

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member whose access is tested to determine whether the member is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names.

Parameters:

member_names (List[str]) – List of member names to test for validity

Return type:

bool

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)[source]

Dummy method that does nothing for Void objects.

Return type:

None

convert_data_to_value(data, struct_type, data_format)[source]

Converts a series of bytes to a particular type of value.

Return type:

Union[int, float, bytes, str, bool]

convert_value_to_data(value, struct_type, data_format)[source]

Converts a particular value to a series of bytes.

Return type:

bytes

Submodules