volatility3.framework.interfaces.objects module
Objects are the core of volatility, and provide pythonic access to interpreted values of data from a layer.
- class ObjectInformation(layer_name, offset, member_name=None, parent=None, native_layer_name=None, size=None)[source]
Bases:
ReadOnlyMapping
Contains common information useful/pertinent only to an individual object (like an instance)
This typically contains information such as the layer the object belongs to, the offset where it was constructed, and if it is a subordinate object, its parent.
This is primarily used to reduce the number of parameters passed to object constructors and keep them all together in a single place. These values are based on the
ReadOnlyMapping
class, to prevent their modification.Constructs a container for basic information about an object.
- Parameters:
layer_name (
str
) – Layer from which the data for the object will be readoffset (
int
) – Offset within the layer at which the data for the object will be readmember_name (
Optional
[str
]) – If the object was accessed as a member of a parent object, this was the name used to access itparent (
Optional
[ObjectInterface
]) – If the object was accessed as a member of a parent object, this is the parent objectnative_layer_name (
Optional
[str
]) – If this object references other objects (such as a pointer), what layer those objects live insize (
Optional
[int
]) – The size that the whole structure consumes in bytes
- get(k[, d]) D[k] if k in D, else d. d defaults to None.
- items() a set-like object providing a view on D's items
- keys() a set-like object providing a view on D's keys
- values() an object providing a view on D's values
- class ObjectInterface(context, type_name, object_info, **kwargs)[source]
Bases:
object
A base object required to be the ancestor of every object used in volatility.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (
ContextInterface
) – The context associated with the objecttype_name (
str
) – The name of the type structure for the objectobject_info (
ObjectInformation
) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy[source]
Bases:
object
A container for proxied methods that the ObjectTemplate of this object will call. This is primarily to keep methods together for easy organization/management, there is no significant need for it to be a separate class.
The methods of this class must be class methods rather than standard methods, to allow for code reuse. Each method also takes a template since the templates may contain the necessary data about the yet-to-be-constructed object. It allows objects to control how their templates respond without needing to write new templates for each and every potential object type.
- abstract classmethod child_template(template, child)[source]
Returns the template of the child member from the parent.
- Return type:
- abstract classmethod has_member(template, member_name)[source]
Returns whether the object would contain a member called member_name.
- Return type:
- abstract classmethod relative_child_offset(template, child)[source]
Returns the relative offset from the head of the parent data to the child member.
- Return type:
- cast(new_type_name, **additional)[source]
Returns a new object at the offset and from the layer that the current object inhabits. :rtype:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_symbol_table_name()[source]
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)[source]
Returns whether the object would contain a member called member_name.
- has_valid_members(member_names)[source]
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- class ReadOnlyMapping(dictionary)[source]
Bases:
Mapping
A read-only mapping of various values that offer attribute access as well.
This ensures that the data stored in the mapping should not be modified, making an immutable mapping.
- get(k[, d]) D[k] if k in D, else d. d defaults to None.
- items() a set-like object providing a view on D's items
- keys() a set-like object providing a view on D's keys
- values() an object providing a view on D's values
- class Template(type_name, **arguments)[source]
Bases:
object
Class for all Factories that take offsets, and data layers and produce objects.
This is effectively a class for currying object calls. It creates a callable that can be called with the following parameters:
- Parameters:
context – The context containing the memory layers and symbols required to construct the object
object_info – Basic information about the object, see the ObjectInformation class for more information
- Returns:
The constructed object
The keyword arguments handed to the constructor, along with the type_name are stored for later retrieval. These will be access as object.vol.<keyword> or template.vol.<keyword> for each object and should contain as least the basic information that each object will require before it is instantiated (so offset and parent are explicitly not recorded here). This dictionary can be updated after construction, but any changes made after that point will not be cloned. This is so that templates such as those for string objects may contain different length limits, without affecting all other strings using the same template from a SymbolTable, constructed at resolution time and then cached.
Stores the keyword arguments for later object creation.
- abstract child_template(child)[source]
Returns the child member template from its parent.
- Return type:
- property children: List[Template]
The children of this template (such as member types, sub-types and base-types where they are relevant).
Used to traverse the template tree.
- clone()[source]
Returns a copy of the original Template as constructed (without update_vol additions having been made)
- Return type:
- abstract has_member(member_name)[source]
Returns whether the object would contain a member called member_name
- Return type:
- abstract relative_child_offset(child)[source]
Returns the relative offset of the child member from its parent offset.
- Return type:
- abstract replace_child(old_child, new_child)[source]
Replaces old_child with new_child in the list of children.
- Return type:
- update_vol(**new_arguments)[source]
Updates the keyword arguments with values that will not be carried across to clones.
- Return type:
- property vol: ReadOnlyMapping
Returns a volatility information object, much like the
ObjectInformation
provides.