volatility3.cli.volshell.windows module
- class Volshell(*args, **kwargs)[source]
Bases: Volshell
Shell environment to directly interact with a Windows memory image.
- Parameters:
context – The context that the plugin will operate within
config_path – The path to configuration data within the context configuration data
progress_callback – A callable that can provide feedback at progress points
- build_configuration()
Constructs a HierarchicalDictionary of all the options required to build this component in the current context.
Ensures that if the class has been created, it can be recreated using the configuration built. Inheriting classes must override this to ensure any dependent classes update their configurations too.
- Return type:
- property config: HierarchicalDict
The Hierarchical configuration Dictionary for this Configurable object.
- construct_locals()[source]
Returns a dictionary listing the functions to be added to the environment.
- property context: ContextInterface
The context object that this configurable belongs to/configuration is stored in.
- create_configurable(clazz, **kwargs)[source]
Creates a configurable object, converting arguments to configuration
- property current_kernel_name
- property current_layer
- property current_symbol_table
- disassemble(offset, count=128, layer_name=None, architecture=None)[source]
Disassembles a number of instructions from the code at offset
- display_bytes(offset, count=128, layer_name=None)[source]
Displays byte values and ASCII characters
- display_doublewords(offset, count=128, layer_name=None)[source]
Displays double-word values (4 bytes) and corresponding ASCII characters
- display_plugin_output(plugin, **kwargs)[source]
Displays the output for a particular plugin (with keyword arguments)
- Return type:
- display_quadwords(offset, count=128, layer_name=None)[source]
Displays quad-word values (8 bytes) and corresponding ASCII characters
- display_symbols(symbol_table=None)[source]
Prints an alphabetical list of symbols for a symbol table
- display_type(object, offset=None)[source]
Display Type describes the members of a particular object in alphabetical order
- display_words(offset, count=128, layer_name=None)[source]
Displays word values (2 bytes) and corresponding ASCII characters
- generate_treegrid(plugin, **kwargs)[source]
Generates a TreeGrid based on a specific plugin passing in kwarg configuration values
- property kernel
Returns the current kernel object
- classmethod make_subconfig(context, base_config_path, **kwargs)
Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.
- Parameters:
context (ContextInterface) – The context in which to store the new configuration
base_config_path (str) – The base configuration path on which to build the new configuration
kwargs – Keyword arguments that are used to populate the new configuration path
- Returns:
The newly generated full configuration path
- Return type:
- property open
Returns a context manager and thus can be called like open
- render_treegrid(treegrid, renderer=None)[source]
Renders a treegrid as produced by generate_treegrid
- Return type:
- run(additional_locals=None)[source]
Runs the interactive volshell plugin.
- Return type:
- Returns:
Return a TreeGrid but this is always empty since the point of this plugin is to run interactively
- classmethod unsatisfied(context, config_path)
Returns a list of the names of all unsatisfied requirements.
Since a satisfied set of requirements will return [], it can be used in tests as follows:
    unmet = configurable.unsatisfied(context, config_path)
    if unmet:
        raise RuntimeError("Unsatisfied requirements: {}".format(unmet))
- Return type:
- version = (0, 0, 0)