volatility3.framework.automagic package

Automagic modules allow the framework to populate configuration elements that a user has not provided.

Automagic objects accept a context and a configurable, and will make appropriate changes to the context in an attempt to fulfill the requirements of the configurable object (or objects upon which that configurable may rely).

Several pre-existing modules include one to stack layers on top of each other (allowing automatic detection and loading of file format types) as well as a module to reconstruct layers based on their provided requirements.

available(context)

Returns an ordered list of all subclasses of AutomagicInterface.

The order is based on the priority attributes of the subclasses, in order to ensure the automagics are listed in an appropriate order.

Parameters:

context (ContextInterface) – The context that will contain any automagic configuration values.

Return type:

List[AutomagicInterface]

choose_automagic(automagics, plugin)

Chooses which automagics to run, maintaining the order they were handed in.

Return type:

List[Type[AutomagicInterface]]

run(automagics, context, configurable, config_path, progress_callback=None)

Runs through the list of automagics in order, allowing them to make changes to the context.

Parameters:

• automagics (List[AutomagicInterface]) – A list of AutomagicInterface objects

• context (ContextInterface) – The context (that inherits from ContextInterface) for modification

• configurable (Union[ConfigurableInterface, Type[ConfigurableInterface]]) – An object that inherits from ConfigurableInterface

• config_path (str) – The path within the context.config for options required by the configurable

• progress_callback (Optional[Callable[[float, str], None]]) – A function that takes a percentage (and an optional description) that will be called periodically

Return type:

List[TracebackException]

This is where any automagic is allowed to run, and alter the context in order to satisfy/improve all requirements

Returns a list of traceback objects that occurred during the autorun procedure

Note

The order of the automagics list is important. An automagic that populates configurations may be necessary for an automagic that populates the context based on the configuration information.

Submodules

• volatility3.framework.automagic.construct_layers module
  • ConstructionMagic
    • ConstructionMagic.build_configuration()
    • ConstructionMagic.config
    • ConstructionMagic.config_path
    • ConstructionMagic.context
    • ConstructionMagic.exclusion_list
    • ConstructionMagic.find_requirements()
    • ConstructionMagic.get_requirements()
    • ConstructionMagic.make_subconfig()
    • ConstructionMagic.priority
    • ConstructionMagic.unsatisfied()
• volatility3.framework.automagic.linux module
  • LinuxIntelStacker
    • LinuxIntelStacker.exclusion_list
    • LinuxIntelStacker.find_aslr()
    • LinuxIntelStacker.stack()
    • LinuxIntelStacker.stack_order
    • LinuxIntelStacker.stacker_slow_warning()
    • LinuxIntelStacker.virtual_to_physical_address()
  • LinuxIntelVMCOREINFOStacker
    • LinuxIntelVMCOREINFOStacker.exclusion_list
    • LinuxIntelVMCOREINFOStacker.stack()
    • LinuxIntelVMCOREINFOStacker.stack_order
    • LinuxIntelVMCOREINFOStacker.stacker_slow_warning()
  • LinuxSymbolFinder
    • LinuxSymbolFinder.banner_config_key
    • LinuxSymbolFinder.banners
    • LinuxSymbolFinder.build_configuration()
    • LinuxSymbolFinder.config
    • LinuxSymbolFinder.config_path
    • LinuxSymbolFinder.context
    • LinuxSymbolFinder.exclusion_list
    • LinuxSymbolFinder.find_aslr()
    • LinuxSymbolFinder.find_requirements()
    • LinuxSymbolFinder.get_requirements()
    • LinuxSymbolFinder.make_subconfig()
    • LinuxSymbolFinder.operating_system
    • LinuxSymbolFinder.priority
    • LinuxSymbolFinder.symbol_class
    • LinuxSymbolFinder.unsatisfied()
• volatility3.framework.automagic.mac module
  • MacIntelStacker
    • MacIntelStacker.exclusion_list
    • MacIntelStacker.find_aslr()
    • MacIntelStacker.stack()
    • MacIntelStacker.stack_order
    • MacIntelStacker.stacker_slow_warning()
    • MacIntelStacker.virtual_to_physical_address()
  • MacSymbolFinder
    • MacSymbolFinder.banner_config_key
    • MacSymbolFinder.banners
    • MacSymbolFinder.build_configuration()
    • MacSymbolFinder.config
    • MacSymbolFinder.config_path
    • MacSymbolFinder.context
    • MacSymbolFinder.exclusion_list
    • MacSymbolFinder.find_aslr()
    • MacSymbolFinder.find_requirements()
    • MacSymbolFinder.get_requirements()
    • MacSymbolFinder.make_subconfig()
    • MacSymbolFinder.operating_system
    • MacSymbolFinder.priority
    • MacSymbolFinder.symbol_class
    • MacSymbolFinder.unsatisfied()
• volatility3.framework.automagic.module module
  • KernelModule
    • KernelModule.build_configuration()
    • KernelModule.config
    • KernelModule.config_path
    • KernelModule.context
    • KernelModule.exclusion_list
    • KernelModule.find_requirements()
    • KernelModule.get_requirements()
    • KernelModule.make_subconfig()
    • KernelModule.priority
    • KernelModule.unsatisfied()
• volatility3.framework.automagic.pdbscan module
  • KernelPDBScanner
    • KernelPDBScanner.build_configuration()
    • KernelPDBScanner.check_kernel_offset()
    • KernelPDBScanner.config
    • KernelPDBScanner.config_path
    • KernelPDBScanner.context
    • KernelPDBScanner.determine_valid_kernel()
    • KernelPDBScanner.exclusion_list
    • KernelPDBScanner.find_requirements()
    • KernelPDBScanner.find_virtual_layers_from_req()
    • KernelPDBScanner.get_physical_layer_name()
    • KernelPDBScanner.get_requirements()
    • KernelPDBScanner.make_subconfig()
    • KernelPDBScanner.max_pdb_size
    • KernelPDBScanner.method_fixed_mapping()
    • KernelPDBScanner.method_kdbg_offset()
    • KernelPDBScanner.method_low_stub_offset()
    • KernelPDBScanner.method_module_offset()
    • KernelPDBScanner.method_slow_scan()
    • KernelPDBScanner.methods
    • KernelPDBScanner.priority
    • KernelPDBScanner.recurse_symbol_fulfiller()
    • KernelPDBScanner.set_kernel_virtual_offset()
    • KernelPDBScanner.unsatisfied()
• volatility3.framework.automagic.stacker module
  • LayerStacker
    • LayerStacker.build_configuration()
    • LayerStacker.config
    • LayerStacker.config_path
    • LayerStacker.context
    • LayerStacker.create_stackers_list()
    • LayerStacker.exclusion_list
    • LayerStacker.find_requirements()
    • LayerStacker.find_suitable_requirements()
    • LayerStacker.get_requirements()
    • LayerStacker.make_subconfig()
    • LayerStacker.priority
    • LayerStacker.stack()
    • LayerStacker.stack_layer()
    • LayerStacker.unsatisfied()
  • choose_os_stackers()
• volatility3.framework.automagic.symbol_cache module
  • CacheManagerInterface
    • CacheManagerInterface.add_identifier()
    • CacheManagerInterface.find_location()
    • CacheManagerInterface.get_hash()
    • CacheManagerInterface.get_identifier()
    • CacheManagerInterface.get_identifier_dictionary()
    • CacheManagerInterface.get_identifiers()
    • CacheManagerInterface.get_local_locations()
    • CacheManagerInterface.get_location_statistics()
    • CacheManagerInterface.update()
    • CacheManagerInterface.version
  • IdentifierProcessor
    • IdentifierProcessor.get_identifier()
    • IdentifierProcessor.operating_system
  • LinuxIdentifier
    • LinuxIdentifier.get_identifier()
    • LinuxIdentifier.operating_system
  • MacIdentifier
    • MacIdentifier.get_identifier()
    • MacIdentifier.operating_system
  • RemoteIdentifierFormat
    • RemoteIdentifierFormat.process()
    • RemoteIdentifierFormat.process_v1()
  • SqliteCache
    • SqliteCache.add_identifier()
    • SqliteCache.find_location()
    • SqliteCache.get_hash()
    • SqliteCache.get_identifier()
    • SqliteCache.get_identifier_dictionary()
    • SqliteCache.get_identifiers()
    • SqliteCache.get_local_locations()
    • SqliteCache.get_location_statistics()
    • SqliteCache.is_url_local()
    • SqliteCache.update()
    • SqliteCache.version
  • SymbolCacheMagic
    • SymbolCacheMagic.build_configuration()
    • SymbolCacheMagic.config
    • SymbolCacheMagic.config_path
    • SymbolCacheMagic.context
    • SymbolCacheMagic.exclusion_list
    • SymbolCacheMagic.find_requirements()
    • SymbolCacheMagic.get_requirements()
    • SymbolCacheMagic.make_subconfig()
    • SymbolCacheMagic.priority
    • SymbolCacheMagic.unsatisfied()
  • WindowsIdentifier
    • WindowsIdentifier.generate()
    • WindowsIdentifier.get_identifier()
    • WindowsIdentifier.operating_system
    • WindowsIdentifier.separator
  • load_cache_manager()
• volatility3.framework.automagic.symbol_finder module
  • SymbolFinder
    • SymbolFinder.banner_config_key
    • SymbolFinder.banners
    • SymbolFinder.build_configuration()
    • SymbolFinder.config
    • SymbolFinder.config_path
    • SymbolFinder.context
    • SymbolFinder.exclusion_list
    • SymbolFinder.find_aslr
    • SymbolFinder.find_requirements()
    • SymbolFinder.get_requirements()
    • SymbolFinder.make_subconfig()
    • SymbolFinder.operating_system
    • SymbolFinder.priority
    • SymbolFinder.symbol_class
    • SymbolFinder.unsatisfied()
• volatility3.framework.automagic.windows module
  • DtbSelfRef32bit
  • DtbSelfRef64bit
  • DtbSelfRef64bitOldWindows
  • DtbSelfRefPae
  • DtbSelfReferential
  • PageMapScanner
    • PageMapScanner.context
    • PageMapScanner.layer_name
    • PageMapScanner.overlap
    • PageMapScanner.tests
    • PageMapScanner.thread_safe
    • PageMapScanner.version
  • WinSwapLayers
    • WinSwapLayers.build_configuration()
    • WinSwapLayers.config
    • WinSwapLayers.config_path
    • WinSwapLayers.context
    • WinSwapLayers.exclusion_list
    • WinSwapLayers.find_requirements()
    • WinSwapLayers.find_swap_requirement()
    • WinSwapLayers.get_requirements()
    • WinSwapLayers.make_subconfig()
    • WinSwapLayers.priority
    • WinSwapLayers.unsatisfied()
  • WindowsIntelStacker
    • WindowsIntelStacker.exclusion_list
    • WindowsIntelStacker.stack()
    • WindowsIntelStacker.stack_order
    • WindowsIntelStacker.stacker_slow_warning()
    • WindowsIntelStacker.test_sets