volatility3.framework.symbols.linux.extensions package

class IDR(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

IDR_BITS = 8

IDR_MASK = 255

INT_SIZE = 4

MAX_IDR_BIT = 2147483648

MAX_IDR_SHIFT = 31

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_entries()[source]

Walks the IDR and yield a pointer associated with each element.

Parameters:: in_use (int, optional) – _description_. Defaults to 0.
Yields:: A pointer associated with each element.
Return type:: Iterable[int]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

idr_find(idr_id)[source]

Finds an ID within the IDR data structure. Based on idr_find_slowpath(), 3.9 <= Kernel < 4.11 :type idr_id: int :param idr_id: The IDR lookup ID

Return type:: Optional[int]
Returns:: A pointer to the given ID element

idr_max(num_layers)[source]

Returns the maximum ID which can be allocated given idr::layers

Parameters:: num_layers (int) – Number of layers
Return type:: int
Returns:: Maximum ID for a given number of layers

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class Timespec64Abstract[source]

Bases: ABC

Abstract class to handle all required timespec64 operations, conversions and adjustments.

negate()[source]

Returns a new Timespec64Concrete object with the values of the current object negated

Return type:: Timespec64Concrete

classmethod new_from_nsec(nsec)[source]

Creates a new instance from an integer in nanoseconds

Return type:: Timespec64Concrete

classmethod new_from_timespec(other)[source]

Creates a new instance from an Timespec64Abstract subclass object

Return type:: Timespec64Concrete

normalize()[source]: Normalize any overflow in tv_sec and tv_nsec.

to_datetime()[source]

Converts this Timespec64Abstract subclass object to a UTC aware datetime

Return type:: datetime

to_timedelta()[source]

Converts this Timespec64Abstract subclass object to timedelta

Return type:: timedelta

class Timespec64Concrete(tv_sec=0, tv_nsec=0)[source]

Bases: Timespec64Abstract

Handle all required timespec64 operations, conversions and adjustments. This is used to dynamically create timespec64-like objects, each with its own variables and the same methods as a timespec64 object extension.

negate()

Returns a new Timespec64Concrete object with the values of the current object negated

Return type:: Timespec64Concrete

classmethod new_from_nsec(nsec)

Creates a new instance from an integer in nanoseconds

Return type:: Timespec64Concrete

classmethod new_from_timespec(other)

Creates a new instance from an Timespec64Abstract subclass object

Return type:: Timespec64Concrete

normalize(): Normalize any overflow in tv_sec and tv_nsec.

to_datetime()

Converts this Timespec64Abstract subclass object to a UTC aware datetime

Return type:: datetime

to_timedelta()

Converts this Timespec64Abstract subclass object to timedelta

Return type:: timedelta

class address_space(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

property i_pages: Returns the appropriate member containing the page cache tree

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class bin_attribute(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

property address: int: Equivalent to module_sect_attr.address: - https://github.com/torvalds/linux/commit/4b2c11e4aaf7e3d7fd9ce8e5995a32ff5e27d74f

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_name()[source]

Performs extraction of the bin_attribute name

Return type:: Optional[str]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class bpf_prog(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

bpf_jit_binary_hdr_address()[source]

Return the jitted BPF program start address Based on bpf_jit_binary_hdr()

Return type:: int
Returns:: The BPF program address

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_address_region()[source]

Returns the start and end memory addresses of the BPF program. Based on bpf_get_prog_addr_region()

Return type:: Tuple[int, int]
Returns:: A tuple with the addresses representing the memory range (start, end) of the BPF program.

get_name()[source]

Returns a string with the eBPF program name

Return type:: Optional[str]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_tag()[source]

Returns a string with the eBPF program tag

Return type:: Optional[str]

get_type()[source]

Returns a string with the eBPF program type

Return type:: Optional[str]

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class bpf_prog_aux(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_name()[source]

Returns a string with the eBPF program name

Return type:: Optional[str]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class cred(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

property egid: int

Returns the effective group ID

Returns:: the effective user ID value
Return type:: int

property euid: int

Returns the effective user ID

Returns:: The effective user ID value

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

property gid: int

Returns the real user ID

Returns:: The real user ID value

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property uid: int

Returns the real user ID

Returns:: The real user ID value

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class dentry(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

d_ancestor(ancestor_dentry)[source]

Search for an ancestor

Returns the ancestor dentry which is a child of “ancestor_dentry”, if “ancestor_dentry” is an ancestor of “child_dentry”, else None.

get_inode()[source]

Returns the inode associated with this dentry

Return type:: Optional[ObjectInterface]

get_subdirs()[source]

Walks dentry subdirs

Yields:: A dentry object
Return type:: Iterable[ObjectInterface]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

is_root()[source]

Return type:: bool

is_subdir(old_dentry)[source]

Is this dentry a subdirectory of old_dentry?

Returns true if this dentry is a subdirectory of the parent (at any depth). Otherwise, it returns false.

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

path()[source]

Based on __dentry_path Linux kernel function

Return type:: str

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class files_struct(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_fds()[source]

Return type:: ObjectInterface

get_max_fds()[source]

Return type:: ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class fs_struct(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_root_dentry()[source]

get_root_mnt()[source]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class hlist_head(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

to_list(symbol_type, member)[source]

Returns an iterator of the entries in the list.

This is a doubly linked list; however, it is not circular, so the ‘forward’ field doesn’t make sense. Also, the sentinel concept doesn’t make sense here either; unlike list_head, the head and nodes each have their own distinct types. A list_head cannot be a node by itself. - The ‘pprev’ of the first ‘hlist_node’ points to the ‘hlist_head’, not to the last node. - The last element ‘next’ member is NULL

Parameters:

symbol_type (str) – Type of the list elements
member (str) – Name of the list_head member in the list elements

Yields:

Objects of the type specified via the “symbol_type” argument.

Return type:

Iterator[ObjectInterface]

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class inode(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_access_time()[source]

Returns the inode’s last access time This is updated when inode contents are read

Return type:: datetime
Returns:: A datetime with the inode’s last access time

get_change_time()[source]

Returns the inode’s last change time This is updated when the inode metadata changes

Return type:: datetime
Returns:: A datetime with the inode’s last change time

get_contents()[source]

Get the inode cached pages from the page cache

Yields:: page_index (int) – The page index in the Tree. File offset is page_index * PAGE_SIZE. page_content (bytes): The page content
Return type:: Iterable[Tuple[int, bytes]]

get_file_mode()[source]

Returns the inode’s file mode as string of the form ‘-rwxrwxrwx’.

Return type:: str
Returns:: The inode’s file mode string

get_inode_type()[source]

Returns inode type name

Return type:: Optional[str]
Returns:: The inode type name

get_modification_time()[source]

Returns the inode’s last modification time This is updated when the inode contents change

Return type:: datetime
Returns:: A datetime with the inode’s last data modification time

get_pages()[source]

Gets the inode’s cached pages

Yields:: The inode’s cached pages
Return type:: Iterable[ObjectInterface]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

property is_block: bool: Returns True if the inode is a block device

property is_char: bool: Returns True if the inode is a char device

property is_dir: bool: Returns True if the inode is a directory

property is_fifo: bool: Returns True if the inode is a FIFO

property is_link: bool: Returns True if the inode is a symlink

property is_reg: bool: Returns True if the inode is a regular file

property is_sock: bool: Returns True if the inode is a socket

property is_sticky: bool: Returns True if the sticky bit is set

is_valid()[source]

Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class kernel_cap_struct(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

classmethod capabilities_to_string(capabilities_bitfield)[source]

Translates a capability bitfield to a list of capability strings.

Parameters:: capabilities_bitfield (int) – The capability bitfield value.
Returns:: A list of capability strings.
Return type:: List[str]

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

enumerate_capabilities()[source]

Returns the list of capability strings.

Returns:: The list of capability strings.
Return type:: List[str]

get_capabilities()[source]

Returns the capability bitfield value

Returns:: The capability bitfield value.
Return type:: int

get_kernel_cap_full()[source]

Return the maximum value allowed for this kernel for a capability

Returns:: The capability full bitfield mask
Return type:: int

classmethod get_last_cap_value()[source]

Returns the latest capability ID supported by the framework.

Returns:: The latest capability ID supported by the framework.
Return type:: int

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_capability(capability)[source]

Checks if the given capability string is enabled.

Parameters:: capability (str) – A string representing the capability i.e. dac_read_search
Raises:: AttributeError – If the given capability is unknown to the framework.
Returns:: “True” if the given capability is enabled.
Return type:: bool

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class kernel_cap_t(context, type_name, object_info, size, members)[source]

Bases: kernel_cap_struct

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

classmethod capabilities_to_string(capabilities_bitfield)

Translates a capability bitfield to a list of capability strings.

Parameters:: capabilities_bitfield (int) – The capability bitfield value.
Returns:: A list of capability strings.
Return type:: List[str]

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

enumerate_capabilities()

Returns the list of capability strings.

Returns:: The list of capability strings.
Return type:: List[str]

get_capabilities()[source]

Returns the capability bitfield value

Returns:: The capability bitfield value.
Return type:: int

get_kernel_cap_full()

Return the maximum value allowed for this kernel for a capability

Returns:: The capability full bitfield mask
Return type:: int

classmethod get_last_cap_value()

Returns the latest capability ID supported by the framework.

Returns:: The latest capability ID supported by the framework.
Return type:: int

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_capability(capability)

Checks if the given capability string is enabled.

Parameters:: capability (str) – A string representing the capability i.e. dac_read_search
Raises:: AttributeError – If the given capability is unknown to the framework.
Returns:: “True” if the given capability is enabled.
Return type:: bool

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class kernel_symbol(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_name()[source]

Return type:: Optional[str]

get_namespace()[source]

Return type:: Optional[str]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_value()[source]

Return type:: Optional[int]

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class kobject(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

reference_count()[source]

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class latch_tree_root(context, type_name, object_info, size, members)[source]

Bases: StructType

Latched RB-trees implementation

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

find(key, comp_function)[source]

Returns a pointer to the node matching key or None.

Based on latch_tree_find() and __lt_find()

Parameters:

key (int) – Typically an address
comp_function (Callable) – Callback comparison function to provide the order between the search key and an element. It’s works like the kernel’s latch_tree_ops::comp i.e.: comp_function(key, latch_tree_node)

Returns:

A pointer to the node matching key or None.

Return type:

latch_tree_node

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class list_head(context, type_name, object_info, size, members)[source]

Bases: StructType, Iterable

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

to_list(symbol_type, member, forward=True, sentinel=True, layer=None)[source]

Returns an iterator of the entries in the list.

Parameters:

symbol_type (str) – Type of the list elements
member (str) – Name of the list_head member in the list elements
forward (bool) – Set false to go backwards
sentinel (bool) – Whether self is a “sentinel node”, meaning it is not embedded in a member of the list
https (Sentinel nodes are NOT yielded. See) – //en.wikipedia.org/wiki/Sentinel_node for further reference
layer (Optional[str]) – Name of layer to read from

Yields:

Objects of the type specified via the “symbol_type” argument.

Return type:

Iterator[ObjectInterface]

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class maple_tree(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

MAPLE_ARANGE_64 = 3

MAPLE_DENSE = 0

MAPLE_LEAF_64 = 1

MAPLE_NODE_POINTER_MASK = 255

MAPLE_NODE_TYPE_MASK = 15

MAPLE_NODE_TYPE_SHIFT = 3

MAPLE_RANGE_64 = 2

MT_FLAGS_HEIGHT_MASK = 124

MT_FLAGS_HEIGHT_OFFSET = 2

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_slot_iter()[source]: Parse the Maple Tree and return every non zero slot.

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class mm_struct(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_maple_tree_iter()[source]

Deprecated: Use either get_vma_iter() or _get_maple_tree_iter().

Return type:: Iterable[ObjectInterface]

get_mmap_iter()[source]

Deprecated: Use either get_vma_iter() or _get_mmap_iter().

Return type:: Iterable[ObjectInterface]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_vma_iter()[source]

Returns an iterator for the VMAs in an mm_struct. Automatically choosing the mmap or mm_mt as required.

Yields:: vm_area_struct objects
Return type:: Iterable[ObjectInterface]

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class mnt_namespace(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_inode()[source]

get_mount_points()[source]

Yields the mount points for this mount namespace.

Yields:: mount struct instances
Return type:: Iterator[Optional[ObjectInterface]]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class module(context, type_name, object_info, size, members)[source]

Bases: GenericIntelProcess

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_core_size()[source]

Return type:: int

get_core_text_size()[source]

Return type:: int

get_elf_table_name()[source]

get_init_size()[source]

Return type:: int

get_module_address_boundaries()[source]

Return the module address boundaries based on its symbol addresses

Return type:: Optional[Tuple[int, int]]

get_module_base()[source]

Return type:: int

get_module_core()[source]

Return type:: Pointer

get_module_init()[source]

Return type:: Pointer

get_name()[source]

Get the name of the module as a string

Return type:: Optional[str]

get_sections()[source]

Get a list of section attributes for the given module.

Return type:: Iterable[ObjectInterface]

get_symbol(wanted_sym_name)[source]

Get symbol address for a given symbol name

Return type:: Optional[int]

get_symbol_by_address(wanted_sym_address)[source]

Get symbol name for a given symbol address

Return type:: Optional[str]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_symbol_type(symbol, symbol_index)[source]

Determines the type of a given ELF symbol.

Parameters:

symbol (ObjectInterface) – The ELF symbol object (elf_sym)
symbol_index (int) – The index of the symbol within the type table

Return type:

Optional[str]

Returns:

A single-character string representing the symbol type

get_symbols()[source]

Get ELF symbol objects for this module

Return type:: Iterable[ObjectInterface]

get_symbols_names_and_addresses(max_symbols=4096)[source]

Get names and addresses for each symbol of the module

Yields:: A tuple for each symbol containing the symbol name and its corresponding value
Return type:: Iterable[Tuple[str, int]]

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

is_valid()[source]: Determine whether it is a valid module object by verifying the self-referential in module_kobject. This also confirms that the module is actively allocated and not a remnant of freed memory or a failed module load attempt by verifying the module memory section sizes.

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property mod_mem_type: Dict: Return the mod_mem_type enum choices if available or an empty dict if not

property num_symtab: int | None

property number_of_sections: int

property section_strtab: ObjectInterface | None

property section_symtab: ObjectInterface | None

property section_typetab: ObjectInterface | None

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class module_sect_attr(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_name()[source]

Performs careful extraction of the section name The name member has changed type and meaning over time It also was present even in cases with mattr present, which holds the name the kernel uses

Return type:: Optional[str]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class mount(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

MNT_FLAGS = {1: 'nosuid', 2: 'nodev', 4: 'noexec', 8: 'noatime', 16: 'nodiratime', 32: 'relatime'}

MNT_NOATIME = 8

MNT_NODEV = 2

MNT_NODIRATIME = 16

MNT_NOEXEC = 4

MNT_NOSUID = 1

MNT_READONLY = 64

MNT_RELATIME = 32

MNT_SHARED = 4096

MNT_SHRINKABLE = 256

MNT_UNBINDABLE = 8192

MNT_WRITE_HOLD = 512

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_dentry_current()[source]

Returns the root of the mounted tree

Returns:: A dentry pointer

get_dentry_parent()[source]

Returns the parent root of the mounted tree

Returns:: A dentry pointer

get_devname()[source]

Return type:: str

get_dominating_id(root)[source]

Get ID of closest dominating peer group having a representative under the given root.

Return type:: int

get_flags_access()[source]

Return type:: str

get_flags_opts()[source]

Return type:: Iterable[str]

get_mnt_flags()[source]

get_mnt_mountpoint()[source]

Gets the dentry of the mountpoint

Returns:: A dentry pointer

get_mnt_parent()[source]

Gets the fs where we are mounted on

Returns:: A mount pointer

get_mnt_root()[source]

get_mnt_sb()[source]

Returns a pointer to the super_block

Return type:: int

get_parent_mount()[source]

get_peer_under_root(ns, root)[source]: Return true if path is reachable from root. It mimics the kernel function is_path_reachable(), ref: fs/namespace.c

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_vfsmnt_current()[source]

Returns the fs where we are mounted on

Returns:: A ‘vfsmount’

get_vfsmnt_parent()[source]

Gets the parent fs (vfsmount) to where it’s mounted on

Returns:: A ‘vfsmount’

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_parent()[source]

Checks if this mount has a parent

Returns:: ‘True’ if this mount has a parent
Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

is_path_reachable(current_dentry, root)[source]: Return true if path is reachable. It mimics the kernel function with same name, ref fs/namespace.c:

is_shared()[source]

Return type:: bool

is_slave()[source]

Return type:: bool

is_unbindable()[source]

Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

next_peer()[source]

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class page(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_content()[source]

Returns the page content

Return type:: Optional[bytes]
Returns:: The page content

get_flags_list()[source]

Returns a list of page flags

Return type:: List[str]
Returns:: List of page flags

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

is_valid()[source]

Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property pageflags_enum: Dict

Returns ‘pageflags’ enumeration key/values

Returns:: A dictionary with the pageflags enumeration key/values

to_paddr()[source]

Converts a page’s virtual address to its physical address using the current CPU memory model.

Returns:: page physical address
Return type:: int

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class qstr(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

name_as_str()[source]

Return type:: str

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class rb_root(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_nodes()[source]

Yields a pointer to each node in the Red-Black tree

Yields:: A pointer to every node in the Red-Black tree
Return type:: Iterator[int]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class scatterlist(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

SG_CHAIN = 1

SG_END = 2

SG_PAGE_LINK_MASK = 3

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

for_each_sg()[source]

Iterate over each struct in the scatterlist.

Return type:: Optional[Iterator[ObjectInterface]]

get_content()[source]

Traverse a scatterlist to gather content located at each dma_address position.

Return type:: Optional[Iterator[bytes]]
Returns:: An iterator of bytes

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class struct_file(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_dentry()[source]

Returns a pointer to the dentry associated with this file

Return type:: ObjectInterface

get_inode()[source]

Returns an inode associated with this file

Return type:: Optional[ObjectInterface]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_vfsmnt()[source]

Returns the fs (vfsmount) where this file is mounted

Return type:: ObjectInterface

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class super_block(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

MINORBITS = 20

SB_DIRSYNC = 128

SB_I_VERSION = 8388608

SB_KERNMOUNT = 4194304

SB_LAZYTIME = 33554432

SB_MANDLOCK = 64

SB_NOATIME = 1024

SB_NODEV = 4

SB_NODIRATIME = 2048

SB_NOEXEC = 8

SB_NOSUID = 2

SB_OPTS = {16: 'sync', 64: 'mand', 128: 'dirsync', 33554432: 'lazytime'}

SB_POSIXACL = 65536

SB_RDONLY = 1

SB_SILENT = 32768

SB_SYNCHRONOUS = 16

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_flags_access()[source]

Return type:: str

get_flags_opts()[source]

Return type:: Iterable[str]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_type()[source]

Gets the superblock filesystem type string

Return type:: Optional[str]

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

property major: int

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property minor: int

property uuid: str

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class task_struct(context, type_name, object_info, size, members)[source]

Bases: GenericIntelProcess

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

add_process_layer(config_prefix=None, preferred_name=None)[source]

Constructs a new layer based on the process’s DTB.

Returns the name of the Layer or None.

Return type:: Optional[str]

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_address_space_layer()[source]

Returns the task layer for this task’s address space.

Return type:: Optional[TranslationLayerInterface]

get_boottime(root_time_namespace=True)[source]

Returns the boot time in UTC as a datetime.

Parameters:: root_time_namespace (bool) – If True, it returns the boot time as seen from the root time namespace. Otherwise, it returns the boot time relative to the task’s time namespace.
Return type:: Optional[datetime]
Returns:: A datetime with the UTC boot time.

get_create_time()[source]

Retrieves the task’s start time from its time namespace. :param context: The context to retrieve required elements (layers, symbol tables) from :param vmlinux_module_name: The name of the kernel module on which to operate :param task: A reference task

Return type:: Optional[datetime]
Returns:: A datetime with task’s start time

get_parent_pid()[source]

Returns the parent process ID (PPID)

This method replicates the Linux kernel’s getppid syscall behavior. Avoid using task.parent; instead, use this function for accurate results.

Return type:: int

get_process_memory_sections(heap_only=False)[source]

Returns a list of sections based on the memory manager’s view of this task’s virtual memory.

Return type:: Generator[Tuple[int, int], None, None]

get_ptrace_tracee_flags()[source]

Returns a string with the ptrace flags

Return type:: Optional[str]

get_ptrace_tracee_tids()[source]

Returns the list of TIDs being traced by this task

Return type:: List[int]

get_ptrace_tracer_tid()[source]

Returns the tracer’s TID tracing this task

Return type:: Optional[int]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_threads()[source]

Returns each thread in this process

Return type:: Iterable[ObjectInterface]

get_time_namespace()[source]

Returns the task’s time namespace

Return type:: Optional[ObjectInterface]

get_time_namespace_id()[source]

Returns the task’s time namespace ID.

Return type:: int

get_time_namespace_monotonic_offset()[source]

Gets task’s time namespace monotonic offset

Return type:: Optional[ObjectInterface]
Returns:: a kernel’s timespec64 object with the monotonic offset

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

property is_being_ptraced: bool: Returns True if this task is being traced using ptrace

property is_kernel_thread: bool

Checks if this task is a kernel thread.

Returns:: True, if this task is a kernel thread. Otherwise, False.
Return type:: bool

property is_ptracing: bool: Returns True if this task is tracing other tasks using ptrace

property is_thread_group_leader: bool

Checks if this task is a thread group leader.

Returns:: True, if this task is a thread group leader. Otherwise, False.
Return type:: bool

property is_user_thread: bool

Checks if this task is a user thread.

Returns:: True, if this task is a user thread. Otherwise, False.
Return type:: bool

is_valid()[source]

Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property state

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class timespec64(context, type_name, object_info, size, members)[source]

Bases: Timespec64Abstract, StructType

Handle all required timespec64 operations, conversions and adjustments. This works as an extension of the timespec64 object while maintaining the same methods as a Timespec64Concrete object.

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

negate()

Returns a new Timespec64Concrete object with the values of the current object negated

Return type:: Timespec64Concrete

classmethod new_from_nsec(nsec)

Creates a new instance from an integer in nanoseconds

Return type:: Timespec64Concrete

classmethod new_from_timespec(other)

Creates a new instance from an Timespec64Abstract subclass object

Return type:: Timespec64Concrete

normalize(): Normalize any overflow in tv_sec and tv_nsec.

to_datetime()

Converts this Timespec64Abstract subclass object to a UTC aware datetime

Return type:: datetime

to_timedelta()

Converts this Timespec64Abstract subclass object to timedelta

Return type:: timedelta

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class vfsmount(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_dentry_current()[source]

Returns the root of the mounted tree

Returns:: A dentry pointer

get_dentry_parent()[source]

Returns the parent root of the mounted tree

Returns:: A dentry pointer

get_devname()[source]

Return type:: str

get_flags_access()[source]

Return type:: str

get_flags_opts()[source]

Return type:: Iterable[str]

get_mnt_flags()[source]

get_mnt_mountpoint()[source]

Gets the dentry of the mountpoint

Returns:: A dentry pointer

get_mnt_parent()[source]

Gets the mnt_parent member.

Returns:: A vfsmount pointer For kernels >= 3.3: A mount pointer
Return type:: For kernels < 3.3

get_mnt_root()[source]

get_mnt_sb()[source]: Returns a pointer to the super_block

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_vfsmnt_current()[source]

Returns the current fs where we are mounted on

Returns:: A vfsmount pointer

get_vfsmnt_parent()[source]

Gets the parent fs (vfsmount) to where it’s mounted on

Returns:: A vfsmount pointer For kernels >= 3.3: A vfsmount object
Return type:: For kernels < 3.3

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_parent()[source]

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

is_equal(vfsmount_ptr)[source]

Helper to make sure it is comparing two pointers to ‘vfsmount’.

Depending on the kernel version, see 3376f34fff5be9954fd9a9c4fd68f4a0a36d480e, the calling object (self) could be a ‘vfsmount *’ (<3.3) or a ‘vfsmount’ (>=3.3). This way we trust in the framework “auto” dereferencing ability to assure that when we reach this point ‘self’ will be a ‘vfsmount’ already and self.vol.offset a ‘vfsmount *’ and not a ‘vfsmount **’. The argument must be a ‘vfsmount *’. Typically, it’s called from do_get_path().

Parameters:: vfsmount_ptr – A pointer to a ‘vfsmount’
Raises:: exceptions.VolatilityException – If vfsmount_ptr is not a ‘vfsmount *’
Return type:: bool
Returns:: ‘True’ if the given argument points to the same ‘vfsmount’ as ‘self’.

is_shared()[source]

Return type:: bool

is_slave()[source]

Return type:: bool

is_unbindable()[source]

Return type:: bool

is_valid()[source]

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class vm_area_struct(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

extended_flags = {1: 'VM_READ', 2: 'VM_WRITE', 4: 'VM_EXEC', 8: 'VM_SHARED', 16: 'VM_MAYREAD', 32: 'VM_MAYWRITE', 64: 'VM_MAYEXEC', 128: 'VM_MAYSHARE', 256: 'VM_GROWSDOWN', 512: 'VM_NOHUGEPAGE', 1024: 'VM_PFNMAP', 2048: 'VM_DENYWRITE', 4096: 'VM_EXECUTABLE', 8192: 'VM_LOCKED', 16384: 'VM_IO', 32768: 'VM_SEQ_READ', 65536: 'VM_RAND_READ', 131072: 'VM_DONTCOPY', 262144: 'VM_DONTEXPAND', 524288: 'VM_RESERVED', 1048576: 'VM_ACCOUNT', 2097152: 'VM_NORESERVE', 4194304: 'VM_HUGETLB', 8388608: 'VM_NONLINEAR', 16777216: 'VM_MAPPED_COP__VM_HUGEPAGE', 33554432: 'VM_INSERTPAGE', 67108864: 'VM_ALWAYSDUMP', 134217728: 'VM_CAN_NONLINEAR', 268435456: 'VM_MIXEDMAP', 536870912: 'VM_SAO', 1073741824: 'VM_PFN_AT_MMAP', 2147483648: 'VM_MERGEABLE'}

get_flags()[source]

Return type:: str

get_malicious_pages(proclayer)[source]

Identifies and returns a list of potentially malicious memory pages.

A page is considered malicious if it is:

Executable (protection flags match ‘r-x’)
Dirty (modified since process start, according to proclayer.is_dirty())

Parameters:: proclayer – The process’s memory layer
Returns:: A list of virtual addresses for pages flagged as potentially malicious.
Return type:: List[int]

get_name(context, task)[source]

Return type:: Optional[str]

get_page_offset()[source]

Return type:: int

get_protection()[source]

Return type:: str

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

is_suspicious(proclayer=None)[source]

is_valid()[source]

Validate a VMA struct to prevent processing smeared entries.

Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

perm_flags = {1: 'r', 2: 'w', 4: 'x'}

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

volatility3.framework.symbols.linux.extensions package

Submodules