volatility3.framework.symbols.windows.extensions.gui module

class GUIExtensions(*args, **kwargs)[source]

Bases: VersionableInterface

class LARGE_UNICODE_STRING(context, type_name, object_info, size, members)[source]

Bases: StructType

A class for Windows unicode string structures.

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_string()[source]

Return type:: ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class_types = {'_LARGE_UNICODE_STRING': <class 'volatility3.framework.symbols.windows.extensions.gui.GUIExtensions.LARGE_UNICODE_STRING'>, 'tagDESKTOP': <class 'volatility3.framework.symbols.windows.extensions.gui.GUIExtensions.tagDESKTOP'>, 'tagWINDOWSTATION': <class 'volatility3.framework.symbols.windows.extensions.gui.GUIExtensions.tagWINDOWSTATION'>, 'tagWND': <class 'volatility3.framework.symbols.windows.extensions.gui.GUIExtensions.tagWND'>}

class tagDESKTOP(context, type_name, object_info, size, members)[source]

Bases: StructType, ExecutiveObject

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_name(symbol_table_name=None)

Return type:: Optional[str]

get_object_header(symbol_table_name=None)

Return type:: OBJECT_HEADER

get_session_id()[source]

Attempts to return the session ID for this desktop

Return type:: Optional[int]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_threads()[source]

Returns the threads of each desktop along with owning process information

Return type:: Iterator[Tuple[ObjectInterface, str, int]]

get_window_station()[source]

Attempts to return the window station for this desktop

Return type:: Optional[tagWINDOWSTATION]

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

is_valid()[source]

Enforce a valid session ID and Window station We aren’t interested in terminated desktops as there are so many pointers going from station -> desktop -> windows, that we would just be processing junk. Even if the pointers were still in tact by some miracle, its not that helpful to have a floating desktop appear in the output as you can’t do much with it.

Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

windows(window, max_windows=10000)[source]

Enumerates all windows adjacent to and children of window

Parameters:: window – The window to enumerate windows from
Return type:: Generator[Tuple[ObjectInterface, str], None, None]
Returns:: A generator of tuples containing the window and its name

write(value): Writes the new value into the format at the offset the object currently resides at.

class tagWINDOWSTATION(context, type_name, object_info, size, members)[source]

Bases: StructType, ExecutiveObject

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

desktops(symbol_table_name, max_desktops=12)[source]

get_info(kernel_symbol_table_name)[source]

Return type:: Optional[Tuple[str, int]]

get_name(symbol_table_name=None)

Return type:: Optional[str]

get_object_header(symbol_table_name=None)

Return type:: OBJECT_HEADER

get_session_id()[source]

Return type:: Optional[int]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

is_valid()[source]

Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

traverse(max_stations=15)[source]: Traverses the window stations referenced in the list of stations

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

class tagWND(context, type_name, object_info, size, members)[source]

Bases: StructType, ExecutiveObject

Constructs an Object adhering to the ObjectInterface.

Parameters:

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:: Template

classmethod children(template)

Method to list children of a template.

Return type:: List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:: int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:: None

classmethod size(template)

Method to return the size of this type.

Return type:: int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type:: ObjectInterface

get_desktop()[source]

Attempts to return the host desktop (tagDESKTOP) for this window

Return type:: Optional[tagDESKTOP]

get_name()[source]

directName appeared in later Windows 10 versions and is pointer strName is a unicode string directly in the structure

Return type:: Optional[str]

get_object_header(symbol_table_name=None)

Return type:: OBJECT_HEADER

get_process()[source]

Attempts to return the host process (_EPROCESS) for this window

Return type:: Optional[EPROCESS]

get_session_id()[source]

Uses its tagDESKTOP pointer to find its session

Return type:: Optional[int]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_window_procedure()[source]: Attempts to return the window procedure for this windows

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:: bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type:: bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:: member_names (List[str]) – List of names to test as to members with those names validity
Return type:: bool

is_valid()[source]

Enforce a valid sid

Return type:: bool

member(attr='member')

Specifically named method for retrieving members.

Return type:: object

property vol: ReadOnlyMapping: Returns the volatility specific object information.

write(value): Writes the new value into the format at the offset the object currently resides at.

version = (1, 0, 0)