volatility3.framework.symbols.linux.extensions package

class bpf_prog(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_type()[source]
has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class bt_sock(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_protocol()[source]
get_state()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class dentry(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

d_ancestor(ancestor_dentry)[source]

Search for an ancestor

Returns the ancestor dentry which is a child of “ancestor_dentry”, if “ancestor_dentry” is an ancestor of “child_dentry”, else None.

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

is_root()[source]
Return type:

bool

is_subdir(old_dentry)[source]

Is this dentry a subdirectory of old_dentry?

Returns true if this dentry is a subdirectory of the parent (at any depth). Otherwise, it returns false.

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

path()[source]

Based on __dentry_path Linux kernel function

Return type:

str

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class files_struct(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_fds()[source]
Return type:

ObjectInterface

get_max_fds()[source]
Return type:

ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class fs_struct(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_root_dentry()[source]
get_root_mnt()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class inet_sock(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_dst_addr()[source]
get_dst_port()[source]
get_family()[source]
get_protocol()[source]
get_src_addr()[source]
get_src_port()[source]
get_state()[source]

Return a string representing the sock state.

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class kobject(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

reference_count()[source]
property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class list_head(context, type_name, object_info, size, members)[source]

Bases: StructType, Iterable

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

to_list(symbol_type, member, forward=True, sentinel=True, layer=None)[source]

Returns an iterator of the entries in the list.

Parameters:

  • symbol_type (str) – Type of the list elements

  • member (str) – Name of the list_head member in the list elements

  • forward (bool) – Set false to go backwards

  • sentinel (bool) – Whether self is a “sentinel node”, meaning it is not embedded in a member of the list

  • https (Sentinel nodes are NOT yielded. See) – //en.wikipedia.org/wiki/Sentinel_node for further reference

  • layer (Optional[str]) – Name of layer to read from

Yields:

Objects of the type specified via the “symbol_type” argument.

Return type:

Iterator[ObjectInterface]

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class maple_tree(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

MAPLE_ARANGE_64 = 3
MAPLE_DENSE = 0
MAPLE_LEAF_64 = 1
MAPLE_NODE_POINTER_MASK = 255
MAPLE_NODE_TYPE_MASK = 15
MAPLE_NODE_TYPE_SHIFT = 3
MAPLE_RANGE_64 = 2
MT_FLAGS_HEIGHT_MASK = 124
MT_FLAGS_HEIGHT_OFFSET = 2
class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_slot_iter()[source]

Parse the Maple Tree and return every non zero slot.

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class mm_struct(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_maple_tree_iter()[source]

Returns an iterator for the mm_mt member of an mm_struct.

Return type:

Iterable[ObjectInterface]

get_mmap_iter()[source]

Returns an iterator for the mmap list member of an mm_struct.

Return type:

Iterable[ObjectInterface]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_vma_iter()[source]

Returns an iterator for the VMAs in an mm_struct. Automatically choosing the mmap or mm_mt as required.

Return type:

Iterable[ObjectInterface]

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class mnt_namespace(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_inode()[source]
get_mount_points()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class module(context, type_name, object_info, size, members)[source]

Bases: GenericIntelProcess

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_core_size()[source]
get_init_size()[source]
get_module_base()[source]
get_module_core()[source]
get_module_init()[source]
get_name()[source]

Get the name of the module as a string

get_sections()[source]

Get sections of the module

get_symbol(wanted_sym_name)[source]

Get value for a given symbol name

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_symbols()[source]
has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property num_symtab
property section_strtab
property section_symtab
property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class mount(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

MNT_FLAGS = {1: 'nosuid', 2: 'nodev', 4: 'noexec', 8: 'noatime', 16: 'nodiratime', 32: 'relatime'}
MNT_NOATIME = 8
MNT_NODEV = 2
MNT_NODIRATIME = 16
MNT_NOEXEC = 4
MNT_NOSUID = 1
MNT_READONLY = 64
MNT_RELATIME = 32
MNT_SHARED = 4096
MNT_SHRINKABLE = 256
MNT_UNBINDABLE = 8192
MNT_WRITE_HOLD = 512
class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_dentry_current()[source]

Returns the root of the mounted tree

Returns:

A ‘dentry *

get_dentry_parent()[source]

Returns the parent root of the mounted tree

Returns:

A ‘dentry *

get_devname()[source]
Return type:

str

get_dominating_id(root)[source]

Get ID of closest dominating peer group having a representative under the given root.

Return type:

int

get_flags_access()[source]
Return type:

str

get_flags_opts()[source]
Return type:

Iterable[str]

get_mnt_flags()[source]
get_mnt_mountpoint()[source]

Gets the dentry of the mountpoint

Returns:

A ‘dentry *

get_mnt_parent()[source]

Gets the fs where we are mounted on

Returns:

A ‘mount *

get_mnt_root()[source]
get_mnt_sb()[source]
get_parent_mount()[source]
get_peer_under_root(ns, root)[source]

Return true if path is reachable from root. It mimics the kernel function is_path_reachable(), ref: fs/namespace.c

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_vfsmnt_current()[source]

Returns the fs where we are mounted on

Returns:

A ‘vfsmount’

get_vfsmnt_parent()[source]

Gets the parent fs (vfsmount) to where it’s mounted on

Returns:

A ‘vfsmount’

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_parent()[source]

Checks if this mount has a parent

Returns:

‘True’ if this mount has a parent

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

is_path_reachable(current_dentry, root)[source]

Return true if path is reachable. It mimics the kernel function with same name, ref fs/namespace.c:

is_shared()[source]
Return type:

bool

is_slave()[source]
Return type:

bool

is_unbindable()[source]
Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

next_peer()[source]
property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class net(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_inode()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

Bases: VolTemplateProxy

Returns the template of a child to its parent.

Return type:

Template

Method to list children of a template.

Return type:

List[Template]

Returns whether the object would contain a member called member_name.

Return type:

bool

Returns the relative offset of a child to its parent.

Return type:

int

Replace a child elements within the arguments handed to the template.

Return type:

None

Method to return the size of this type.

Return type:

int

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

Returns whether the object would contain a member called member_name.

Return type:

bool

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

Specifically named method for retrieving members.

Return type:

object

Returns the volatility specific object information.

Writes the new value into the format at the offset the object currently resides at.

class packet_sock(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_protocol()[source]
get_state()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class qstr(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

name_as_str()[source]
Return type:

str

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class sock(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_family()[source]
get_inode()[source]
get_protocol()[source]
get_state()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_type()[source]
has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class socket(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_inode()[source]
get_state()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class struct_file(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_dentry()[source]
Return type:

ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_vfsmnt()[source]

Returns the fs (vfsmount) where this file is mounted

Return type:

ObjectInterface

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class super_block(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

MINORBITS = 20
SB_DIRSYNC = 128
SB_I_VERSION = 8388608
SB_KERNMOUNT = 4194304
SB_LAZYTIME = 33554432
SB_MANDLOCK = 64
SB_NOATIME = 1024
SB_NODEV = 4
SB_NODIRATIME = 2048
SB_NOEXEC = 8
SB_NOSUID = 2
SB_OPTS = {16: 'sync', 64: 'mand', 128: 'dirsync', 33554432: 'lazytime'}
SB_POSIXACL = 65536
SB_RDONLY = 1
SB_SILENT = 32768
SB_SYNCHRONOUS = 16
class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_flags_access()[source]
Return type:

str

get_flags_opts()[source]
Return type:

Iterable[str]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_type()[source]
has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

property major: int
member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property minor: int
property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class task_struct(context, type_name, object_info, size, members)[source]

Bases: GenericIntelProcess

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

add_process_layer(config_prefix=None, preferred_name=None)[source]

Constructs a new layer based on the process’s DTB.

Returns the name of the Layer or None.

Return type:

Optional[str]

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_process_memory_sections(heap_only=False)[source]

Returns a list of sections based on the memory manager’s view of this task’s virtual memory.

Return type:

Generator[Tuple[int, int], None, None]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_threads()[source]

Returns a list of the task_struct based on the list_head thread_node structure.

Return type:

Iterable[ObjectInterface]

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

property is_kernel_thread: bool

Checks if this task is a kernel thread.

Returns:

True, if this task is a kernel thread. Otherwise, False.

Return type:

bool

property is_thread_group_leader: bool

Checks if this task is a thread group leader.

Returns:

True, if this task is a thread group leader. Otherwise, False.

Return type:

bool

property is_user_thread: bool

Checks if this task is a user thread.

Returns:

True, if this task is a user thread. Otherwise, False.

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class unix_sock(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_inode()[source]
get_name()[source]
get_protocol()[source]
get_state()[source]

Return a string representing the sock state.

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class vfsmount(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_dentry_current()[source]

Returns the root of the mounted tree

Returns:

A ‘dentry *

get_dentry_parent()[source]

Returns the parent root of the mounted tree

Returns:

A ‘dentry *

get_devname()[source]
Return type:

str

get_flags_access()[source]
Return type:

str

get_flags_opts()[source]
Return type:

Iterable[str]

get_mnt_flags()[source]
get_mnt_mountpoint()[source]

Gets the dentry of the mountpoint

Returns:

A ‘dentry *

get_mnt_parent()[source]

Gets the mnt_parent member.

Returns:

A ‘vfsmount *’ For kernels >= 3.3.8: A ‘mount *

Return type:

For kernels < 3.3.8

get_mnt_root()[source]
get_mnt_sb()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_vfsmnt_current()[source]

Returns the current fs where we are mounted on

Returns:

A ‘vfsmount *

get_vfsmnt_parent()[source]

Gets the parent fs (vfsmount) to where it’s mounted on

Returns:

A ‘vfsmount *’ For kernels >= 3.3.8: A ‘vfsmount’

Return type:

For kernels < 3.3.8

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_parent()[source]
Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

is_equal(vfsmount_ptr)[source]

Helper to make sure it is comparing two pointers to ‘vfsmount’.

Depending on the kernel version, the calling object (self) could be a ‘vfsmount ‘ (<3.3.8) or a ‘vfsmount’ (>=3.3.8). This way we trust in the framework “auto” dereferencing ability to assure that when we reach this point ‘self’ will be a ‘vfsmount’ already and self.vol.offset a ‘vfsmount *’ and not a ‘vfsmount *’. The argument must be a ‘vfsmount *’. Typically, it’s called from do_get_path().

Parameters:

vfsmount_ptr (vfsmount *) – A pointer to a ‘vfsmount’

Raises:

exceptions.VolatilityException – If vfsmount_ptr is not a ‘vfsmount *

Returns:

‘True’ if the given argument points to the the same ‘vfsmount’ as ‘self’.

Return type:

bool

is_shared()[source]
Return type:

bool

is_slave()[source]
Return type:

bool

is_unbindable()[source]
Return type:

bool

is_valid()[source]
member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class vm_area_struct(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

extended_flags = {1: 'VM_READ', 2: 'VM_WRITE', 4: 'VM_EXEC', 8: 'VM_SHARED', 16: 'VM_MAYREAD', 32: 'VM_MAYWRITE', 64: 'VM_MAYEXEC', 128: 'VM_MAYSHARE', 256: 'VM_GROWSDOWN', 512: 'VM_NOHUGEPAGE', 1024: 'VM_PFNMAP', 2048: 'VM_DENYWRITE', 4096: 'VM_EXECUTABLE', 8192: 'VM_LOCKED', 16384: 'VM_IO', 32768: 'VM_SEQ_READ', 65536: 'VM_RAND_READ', 131072: 'VM_DONTCOPY', 262144: 'VM_DONTEXPAND', 524288: 'VM_RESERVED', 1048576: 'VM_ACCOUNT', 2097152: 'VM_NORESERVE', 4194304: 'VM_HUGETLB', 8388608: 'VM_NONLINEAR', 16777216: 'VM_MAPPED_COP__VM_HUGEPAGE', 33554432: 'VM_INSERTPAGE', 67108864: 'VM_ALWAYSDUMP', 134217728: 'VM_CAN_NONLINEAR', 268435456: 'VM_MIXEDMAP', 536870912: 'VM_SAO', 1073741824: 'VM_PFN_AT_MMAP', 2147483648: 'VM_MERGEABLE'}
get_flags()[source]
Return type:

str

get_name(context, task)[source]
get_page_offset()[source]
Return type:

int

get_protection()[source]
Return type:

str

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

is_suspicious()[source]
member(attr='member')

Specifically named method for retrieving members.

Return type:

object

perm_flags = {1: 'r', 2: 'w', 4: 'x'}
property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class vsock_sock(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_protocol()[source]
get_state()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class xdp_sock(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:

  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_protocol()[source]
get_state()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

Submodules