volatility3.framework.interfaces.objects module

Objects are the core of volatility, and provide pythonic access to interpreted values of data from a layer.

class ObjectInformation(layer_name, offset, member_name=None, parent=None, native_layer_name=None, size=None)[source]

Bases: ReadOnlyMapping

Contains common information useful/pertinent only to an individual object (like an instance)

This typically contains information such as the layer the object belongs to, the offset where it was constructed, and if it is a subordinate object, its parent.

This is primarily used to reduce the number of parameters passed to object constructors and keep them all together in a single place. These values are based on the ReadOnlyMapping class, to prevent their modification.

Constructs a container for basic information about an object.

Parameters:
  • layer_name (str) – Layer from which the data for the object will be read

  • offset (int) – Offset within the layer at which the data for the object will be read

  • member_name (Optional[str]) – If the object was accessed as a member of a parent object, this was the name used to access it

  • parent (Optional[ObjectInterface]) – If the object was accessed as a member of a parent object, this is the parent object

  • native_layer_name (Optional[str]) – If this object references other objects (such as a pointer), what layer those objects live in

  • size (Optional[int]) – The size that the whole structure consumes in bytes

get(k[, d]) D[k] if k in D, else d.  d defaults to None.
items() a set-like object providing a view on D's items
keys() a set-like object providing a view on D's keys
values() an object providing a view on D's values
class ObjectInterface(context, type_name, object_info, **kwargs)[source]

Bases: object

A base object required to be the ancestor of every object used in volatility.

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy[source]

Bases: object

A container for proxied methods that the ObjectTemplate of this object will call. This is primarily to keep methods together for easy organization/management, there is no significant need for it to be a separate class.

The methods of this class must be class methods rather than standard methods, to allow for code reuse. Each method also takes a template since the templates may contain the necessary data about the yet-to-be-constructed object. It allows objects to control how their templates respond without needing to write new templates for each and every potential object type.

abstract classmethod child_template(template, child)[source]

Returns the template of the child member from the parent.

Return type:

Template

abstract classmethod children(template)[source]

Returns the children of the template.

Return type:

List[Template]

abstract classmethod has_member(template, member_name)[source]

Returns whether the object would contain a member called member_name.

Return type:

bool

abstract classmethod relative_child_offset(template, child)[source]

Returns the relative offset from the head of the parent data to the child member.

Return type:

int

abstract classmethod replace_child(template, old_child, new_child)[source]

Substitutes the old_child for the new_child.

Return type:

None

abstract classmethod size(template)[source]

Returns the size of the template object.

Return type:

int

cast(new_type_name, **additional)[source]

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_symbol_table_name()[source]

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)[source]

Returns whether the object would contain a member called member_name.

Parameters:

member_name (str) – Name to test whether a member exists within the type structure

Return type:

bool

has_valid_member(member_name)[source]

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)[source]

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

property vol: ReadOnlyMapping

Returns the volatility specific object information.

abstract write(value)[source]

Writes the new value into the format at the offset the object currently resides at.

class ReadOnlyMapping(dictionary)[source]

Bases: Mapping

A read-only mapping of various values that offer attribute access as well.

This ensures that the data stored in the mapping should not be modified, making an immutable mapping.

get(k[, d]) D[k] if k in D, else d.  d defaults to None.
items() a set-like object providing a view on D's items
keys() a set-like object providing a view on D's keys
values() an object providing a view on D's values
class Template(type_name, **arguments)[source]

Bases: object

Class for all Factories that take offsets, and data layers and produce objects.

This is effectively a class for currying object calls. It creates a callable that can be called with the following parameters:

Parameters:
  • context – The context containing the memory layers and symbols required to construct the object

  • object_info – Basic information about the object, see the ObjectInformation class for more information

Returns:

The constructed object

The keyword arguments handed to the constructor, along with the type_name are stored for later retrieval. These will be access as object.vol.<keyword> or template.vol.<keyword> for each object and should contain as least the basic information that each object will require before it is instantiated (so offset and parent are explicitly not recorded here). This dictionary can be updated after construction, but any changes made after that point will not be cloned. This is so that templates such as those for string objects may contain different length limits, without affecting all other strings using the same template from a SymbolTable, constructed at resolution time and then cached.

Stores the keyword arguments for later object creation.

abstract child_template(child)[source]

Returns the child member template from its parent.

Return type:

Template

property children: List[Template]

The children of this template (such as member types, sub-types and base-types where they are relevant).

Used to traverse the template tree.

clone()[source]

Returns a copy of the original Template as constructed (without update_vol additions having been made)

Return type:

Template

abstract has_member(member_name)[source]

Returns whether the object would contain a member called member_name

Return type:

bool

abstract relative_child_offset(child)[source]

Returns the relative offset of the child member from its parent offset.

Return type:

int

abstract replace_child(old_child, new_child)[source]

Replaces old_child with new_child in the list of children.

Return type:

None

abstract property size: int

Returns the size of the template.

update_vol(**new_arguments)[source]

Updates the keyword arguments with values that will not be carried across to clones.

Return type:

None

property vol: ReadOnlyMapping

Returns a volatility information object, much like the ObjectInformation provides.