volatility3.plugins.windows.pe_symbols module
- class ExportSymbolFinder(layer_name, mod_name, module_start, symbol_module)[source]
Bases:
PESymbolFinder
PESymbolFinder implementation for PDB modules
- get_address_for_name(name)
Returns the name for the given address within the particular layer and module
- Parameters:
str – the name of the symbol to resolve
- Returns:
the address of the symbol, if found
- Return type:
address
- class PDBSymbolFinder(layer_name, mod_name, module_start, symbol_module)[source]
Bases:
PESymbolFinder
PESymbolFinder implementation for PDB modules
- get_address_for_name(name)
Returns the name for the given address within the particular layer and module
- Parameters:
str – the name of the symbol to resolve
- Returns:
the address of the symbol, if found
- Return type:
address
- class PESymbolFinder(layer_name, mod_name, module_start, symbol_module)[source]
Bases:
object
Interface for PE symbol finding classes This interface provides a standard way for the calling code to lookup symbols by name or address
- class PESymbols(context, config_path, progress_callback=None)[source]
Bases:
PluginInterface
Prints symbols in PE files in process and kernel memory
- Parameters:
- static addresses_for_process_symbols(context, config_path, layer_name, symbol_table_name, symbols)[source]
Used to easily resolve the addresses of names inside of modules.
See the usage of this function for system call resolution in unhooked_system_calls.py for an easy to understand example.
- build_configuration()
Constructs a HierarchicalDictionary of all the options required to build this component in the current context.
Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too
- Return type:
- property config: HierarchicalDict
The Hierarchical configuration Dictionary for this Configurable object.
- property context: ContextInterface
The context object that this configurable belongs to/configuration is stored in.
- static filename_for_path(filepath)[source]
Consistent way to get the filename regardless of platform
- Parameters:
str – the file path from filepath_for_address
- Returns:
the bsae file name of the full path
- Return type:
- static find_symbols(context, config_path, wanted_modules, collected_modules)[source]
Loops through each method of symbol analysis until each wanted symbol is found Returns the resolved symbols as a dictionary that includes the name and runtime address
- Parameters:
- Returns:
The set of found symbols but the ones that could not be resolved
- Return type:
Tuple[found_symbols_type, PESymbolFinder.cached_value_dict]
- classmethod get_all_vads_with_file_paths(context, layer_name, symbol_table_name)[source]
Yields each set of vads for a process that have a file mapped, along with the process itself and its layer
- Parameters:
Generator[Tuple[interfaces.objects.ObjectInterface – Yields tuple of process objects, layers, and VADs mapping files
str – Yields tuple of process objects, layers, and VADs mapping files
ranges_type]] – Yields tuple of process objects, layers, and VADs mapping files
- Return type:
Generator
[Tuple
[ObjectInterface
,str
,List
[Tuple
[int
,int
,str
]]],None
,None
]
- static get_kernel_modules(context, layer_name, symbol_table, filter_modules)[source]
Walks the kernel module list and finds the session layer, base, and size of each wanted module
- Parameters:
filter_modules (
Optional
[Dict
[str
,Union
[Dict
[str
,List
[str
]],Dict
[str
,List
[int
]]]]]) – The modules to filter the gathering to. If left as None, all kernel modules are gathered.- Returns:
The collection of modules found with at least one layer present
- Return type:
collected_modules_type
- static get_proc_vads_with_file_paths(proc)[source]
Returns a list of the process’ vads that map a file
- Parameters:
proc (
ObjectInterface
) – The process to gather the VADs for- Returns:
The list of VADs for this process that map a file
- Return type:
ranges_type
- static get_process_modules(context, layer_name, symbol_table, filter_modules)[source]
Walks the process list and each process’ VAD to determine the base address and size of wanted modules
- Parameters:
filter_modules (
Optional
[Dict
[str
,Union
[Dict
[str
,List
[str
]],Dict
[str
,List
[int
]]]]]) – The modules to filter the gathering to. If left as None, all process modules are gathered.- Returns:
The collection of modules found with at least one layer present
- Return type:
collected_modules_type
- classmethod get_requirements()[source]
Returns a list of Requirement objects for this plugin.
- Return type:
- static get_vads_for_process_cache(vads_cache, owner_proc)[source]
Creates and utilizes a cache of a process’ VADs for efficient lookups
Returns the vad information of the VAD hosting the address, if found
- classmethod make_subconfig(context, base_config_path, **kwargs)
Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.
- Parameters:
context (
ContextInterface
) – The context in which to store the new configurationbase_config_path (
str
) – The base configuration path on which to build the new configurationkwargs – Keyword arguments that are used to populate the new configuration path
- Returns:
The newly generated full configuration path
- Return type:
- property open
Returns a context manager and thus can be called like open
- os_module_name = 'ntoskrnl.exe'
- static path_and_symbol_for_address(context, config_path, collected_modules, ranges, address)[source]
Method for plugins to determine the file path and symbol name for a given address
See debugregisters.py for an example of how this function is used along with get_vads_for_process_cache for resolving symbols in processes.
- Parameters:
- Return type:
- Returns:
Tuple[str|renderers.NotApplicableValue|renderers.NotAvailableValue, str|renderers.NotApplicableValue|renderers.NotAvailableValue]
- static range_info_for_address(ranges, address)[source]
Helper for getting the range information for an address. Finds the range holding the address parameter
- run()[source]
Executes the functionality of the code.
Note
This method expects self.validate to have been called to ensure all necessary options have been provided
- Return type:
- Returns:
A TreeGrid object that can then be passed to a Renderer.
- classmethod unsatisfied(context, config_path)
Returns a list of the names of all unsatisfied requirements.
Since a satisfied set of requirements will return [], it can be used in tests as follows:
unmet = configurable.unsatisfied(context, config_path) if unmet: raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
- Return type:
- version = (1, 0, 0)