volatility3.plugins.windows.pe_symbols module

class ExportSymbolFinder(layer_name, mod_name, module_start, symbol_module)[source]

Bases: PESymbolFinder

PESymbolFinder implementation for PDB modules

cached_int_dict

alias of Dict[str, Optional[int]]

cached_module_lists

alias of Union[Dict[str, List[str]], Dict[str, List[int]]]

cached_str_dict

alias of Dict[str, Optional[str]]

cached_value

alias of Optional[Union[int, str]]

cached_value_dict

alias of Dict[str, Union[Dict[str, List[str]], Dict[str, List[int]]]]

get_address_for_name(name)

Returns the name for the given address within the particular layer and module

Parameters:

str – the name of the symbol to resolve

Returns:

the address of the symbol, if found

Return type:

address

get_name_for_address(address)

Returns the name for the given address within the particular layer and module

Parameters:

address (int) – the address to resolve within the module

Returns:

the name of the symbol, if found

Return type:

str

class PDBSymbolFinder(layer_name, mod_name, module_start, symbol_module)[source]

Bases: PESymbolFinder

PESymbolFinder implementation for PDB modules

cached_int_dict

alias of Dict[str, Optional[int]]

cached_module_lists

alias of Union[Dict[str, List[str]], Dict[str, List[int]]]

cached_str_dict

alias of Dict[str, Optional[str]]

cached_value

alias of Optional[Union[int, str]]

cached_value_dict

alias of Dict[str, Union[Dict[str, List[str]], Dict[str, List[int]]]]

get_address_for_name(name)

Returns the name for the given address within the particular layer and module

Parameters:

str – the name of the symbol to resolve

Returns:

the address of the symbol, if found

Return type:

address

get_name_for_address(address)

Returns the name for the given address within the particular layer and module

Parameters:

address (int) – the address to resolve within the module

Returns:

the name of the symbol, if found

Return type:

str

class PESymbolFinder(layer_name, mod_name, module_start, symbol_module)[source]

Bases: object

Interface for PE symbol finding classes This interface provides a standard way for the calling code to lookup symbols by name or address

cached_int_dict

alias of Dict[str, Optional[int]]

cached_module_lists

alias of Union[Dict[str, List[str]], Dict[str, List[int]]]

cached_str_dict

alias of Dict[str, Optional[str]]

cached_value

alias of Optional[Union[int, str]]

cached_value_dict

alias of Dict[str, Union[Dict[str, List[str]], Dict[str, List[int]]]]

get_address_for_name(name)[source]

Returns the name for the given address within the particular layer and module

Parameters:

str – the name of the symbol to resolve

Returns:

the address of the symbol, if found

Return type:

address

get_name_for_address(address)[source]

Returns the name for the given address within the particular layer and module

Parameters:

address (int) – the address to resolve within the module

Returns:

the name of the symbol, if found

Return type:

str

class PESymbols(context, config_path, progress_callback=None)[source]

Bases: PluginInterface

Prints symbols in PE files in process and kernel memory

Parameters:
  • context (ContextInterface) – The context that the plugin will operate within

  • config_path (str) – The path to configuration data within the context configuration data

  • progress_callback (Optional[Callable[[float, str], None]]) – A callable that can provide feedback at progress points

static addresses_for_process_symbols(context, config_path, layer_name, symbol_table_name, symbols)[source]

Used to easily resolve the addresses of names inside of modules.

See the usage of this function for system call resolution in unhooked_system_calls.py for an easy to understand example.

Parameters:

symbols (Dict[str, Union[Dict[str, List[str]], Dict[str, List[int]]]]) – The dictionary of symbols requested by the caller

Returns:

The dictionary of symbols that were resolved

Return type:

found_symbols_type

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type:

HierarchicalDict

property config: HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

property config_path: str

The configuration path on which this configurable lives.

property context: ContextInterface

The context object that this configurable belongs to/configuration is stored in.

static filename_for_path(filepath)[source]

Consistent way to get the filename regardless of platform

Parameters:

str – the file path from filepath_for_address

Returns:

the bsae file name of the full path

Return type:

str

static filepath_for_address(ranges, address)[source]

Helper to get the file path for an address

Parameters:
  • ranges (List[Tuple[int, int, str]]) – The set of VADs with mapped files to find the address

  • address (int) – The address to find inside of the VADs set

Returns:

The full path of the file, if found and present

Return type:

str

static find_symbols(context, config_path, wanted_modules, collected_modules)[source]

Loops through each method of symbol analysis until each wanted symbol is found Returns the resolved symbols as a dictionary that includes the name and runtime address

Parameters:
Returns:

The set of found symbols but the ones that could not be resolved

Return type:

Tuple[found_symbols_type, PESymbolFinder.cached_value_dict]

classmethod get_all_vads_with_file_paths(context, layer_name, symbol_table_name)[source]

Yields each set of vads for a process that have a file mapped, along with the process itself and its layer

Parameters:
  • Generator[Tuple[interfaces.objects.ObjectInterface – Yields tuple of process objects, layers, and VADs mapping files

  • str – Yields tuple of process objects, layers, and VADs mapping files

  • ranges_type]] – Yields tuple of process objects, layers, and VADs mapping files

Return type:

Generator[Tuple[ObjectInterface, str, List[Tuple[int, int, str]]], None, None]

static get_kernel_modules(context, layer_name, symbol_table, filter_modules)[source]

Walks the kernel module list and finds the session layer, base, and size of each wanted module

Parameters:

filter_modules (Optional[Dict[str, Union[Dict[str, List[str]], Dict[str, List[int]]]]]) – The modules to filter the gathering to. If left as None, all kernel modules are gathered.

Returns:

The collection of modules found with at least one layer present

Return type:

collected_modules_type

static get_proc_vads_with_file_paths(proc)[source]

Returns a list of the process’ vads that map a file

Parameters:

proc (ObjectInterface) – The process to gather the VADs for

Returns:

The list of VADs for this process that map a file

Return type:

ranges_type

static get_process_modules(context, layer_name, symbol_table, filter_modules)[source]

Walks the process list and each process’ VAD to determine the base address and size of wanted modules

Parameters:

filter_modules (Optional[Dict[str, Union[Dict[str, List[str]], Dict[str, List[int]]]]]) – The modules to filter the gathering to. If left as None, all process modules are gathered.

Returns:

The collection of modules found with at least one layer present

Return type:

collected_modules_type

classmethod get_requirements()[source]

Returns a list of Requirement objects for this plugin.

Return type:

List

static get_vads_for_process_cache(vads_cache, owner_proc)[source]

Creates and utilizes a cache of a process’ VADs for efficient lookups

Returns the vad information of the VAD hosting the address, if found

Parameters:
Returns:

The range holding the address, if found

Return type:

Optional[ranges_type]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters:
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns:

The newly generated full configuration path

Return type:

str

property open

Returns a context manager and thus can be called like open

os_module_name = 'ntoskrnl.exe'
static path_and_symbol_for_address(context, config_path, collected_modules, ranges, address)[source]

Method for plugins to determine the file path and symbol name for a given address

See debugregisters.py for an example of how this function is used along with get_vads_for_process_cache for resolving symbols in processes.

Parameters:
  • collected_modules (Dict[str, List[Tuple[str, int, int]]]) – return value from get_kernel_modules or get_process_modules

  • ranges (List[Tuple[int, int, str]]) – the memory ranges to examine in this layer.

  • address (int) – address to resolve to its symbol name

Return type:

Tuple[Optional[str], Optional[str]]

Returns:

Tuple[str|renderers.NotApplicableValue|renderers.NotAvailableValue, str|renderers.NotApplicableValue|renderers.NotAvailableValue]

static range_info_for_address(ranges, address)[source]

Helper for getting the range information for an address. Finds the range holding the address parameter

Parameters:

address (int) – the address to find the range for

Returns:

The starting address, size, and file path of the range

Return type:

Tuple[int, int, str]

run()[source]

Executes the functionality of the code.

Note

This method expects self.validate to have been called to ensure all necessary options have been provided

Return type:

TreeGrid

Returns:

A TreeGrid object that can then be passed to a Renderer.

set_open_method(handler)

Sets the file handler to be used by this plugin.

Return type:

None

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
Return type:

Dict[str, RequirementInterface]

version = (1, 0, 0)