volatility3.framework.interfaces.renderers module

All plugins output a TreeGrid object which must then be rendered (either by a GUI, or as text output, html output or in some other form.

This module defines both the output format (TreeGrid) and the renderer interface which can interact with a TreeGrid to produce suitable output.

class BaseAbsentValue[source]

Bases: object

Class that represents values which are not present for some reason.

class Column(name, type)

Bases: tuple

Create new instance of Column(name, type)

count(value, /)

Return number of occurrences of value.

index(value, start=0, stop=9223372036854775807, /)

Return first index of value.

Raises ValueError if the value is not present.

name: str

Alias for field number 0

type: Any

Alias for field number 1

class ColumnSortKey[source]

Bases: object

ascending: bool = True
class Disassembly(data, offset=0, architecture='intel64')[source]

Bases: object

A class to indicate that the bytes provided should be disassembled (based on the architecture)

possible_architectures = ['intel', 'intel64', 'arm', 'arm64']
class Renderer(options=None)[source]

Bases: object

Class that defines the interface that all output renderers must support.

Accepts an options object to configure the renderers.

abstract get_render_options()[source]

Returns a list of rendering options.

Return type:

List[Any]

abstract render(grid)[source]

Takes a grid object and renders it based on the object’s preferences.

Return type:

None

class TreeGrid(columns, generator)[source]

Bases: object

Class providing the interface for a TreeGrid (which contains TreeNodes)

The structure of a TreeGrid is designed to maintain the structure of the tree in a single object. For this reason each TreeNode does not hold its children, they are managed by the top level object. This leaves the Nodes as simple data carries and prevents them being used to manipulate the tree as a whole. This is a data structure, and is not expected to be modified much once created.

Carrying the children under the parent makes recursion easier, but then every node is its own little tree and must have all the supporting tree functions. It also allows for a node to be present in several different trees, and to create cycles.

Constructs a TreeGrid object using a specific set of columns.

The TreeGrid itself is a root element, that can have children but no values. The TreeGrid does not contain any information about formatting, these are up to the renderers and plugins.

Parameters:
base_types: ClassVar[Tuple] = (<class 'int'>, <class 'str'>, <class 'float'>, <class 'bytes'>, <class 'datetime.datetime'>, <class 'volatility3.framework.interfaces.renderers.Disassembly'>)
abstract children(node)[source]

Returns the subnodes of a particular node in order.

Return type:

List[TreeNode]

abstract property columns: List[Column]

Returns the available columns and their ordering and types.

abstract is_ancestor(node, descendant)[source]

Returns true if descendent is a child, grandchild, etc of node.

Return type:

bool

abstract max_depth()[source]

Returns the maximum depth of the tree.

Return type:

int

static path_depth(node)[source]

Returns the path depth of a particular node.

Return type:

int

abstract populate(function=None, initial_accumulator=None, fail_on_errors=True)[source]

Populates the tree by consuming the TreeGrid’s construction generator Func is called on every node, so can be used to create output on demand.

This is equivalent to a one-time visit.

Return type:

Optional[Exception]

abstract property populated: bool

Indicates that population has completed and the tree may now be manipulated separately.

abstract static sanitize_name(text)[source]

Method used to sanitize column names for TreeNodes.

Return type:

str

abstract values(node)[source]

Returns the values for a particular node.

The values returned are mutable,

Return type:

Tuple[Union[Type[int], Type[str], Type[float], Type[bytes], Type[datetime], Type[BaseAbsentValue], Type[Disassembly]], ...]

abstract visit(node, function, initial_accumulator, sort_key=None)[source]

Visits all the nodes in a tree, calling function on each one.

function should have the signature function(node, accumulator) and return new_accumulator If accumulators are not needed, the function must still accept a second parameter.

The order of that the nodes are visited is always depth first, however, the order children are traversed can be set based on a sort_key function which should accept a node’s values and return something that can be sorted to receive the desired order (similar to the sort/sorted key).

If node is None, then the root node is used.

Parameters:
  • node (Optional[TreeNode]) – The initial node to be visited

  • function (Callable[[TreeNode, TypeVar(_Type)], TypeVar(_Type)]) – The visitor to apply to the nodes under the initial node

  • initial_accumulator (TypeVar(_Type)) – An accumulator that allows data to be transferred between one visitor call to the next

  • sort_key (ColumnSortKey) – Information about the sort order of columns in order to determine the ordering of results

Return type:

None

class TreeNode(path, treegrid, parent, values)[source]

Bases: Sequence

Initializes the TreeNode.

count(value) integer -- return number of occurrences of value
index(value[, start[, stop]]) integer -- return first index of value.

Raises ValueError if the value is not present.

Supporting start and stop arguments is optional, but recommended.

abstract property parent: TreeNode | None

Returns the parent node of this node or None.

abstract property path: str

Returns a path identifying string.

This should be seen as opaque by external classes, Parsing of path locations based on this string are not guaranteed to remain stable.

abstract path_changed(path, added=False)[source]

Updates the path based on the addition or removal of a node higher up in the tree.

This should only be called by the containing TreeGrid and expects to only be called for affected nodes.

Return type:

None

abstract property path_depth: int

Return the path depth of the current node.

abstract property values: List[Type[int] | Type[str] | Type[float] | Type[bytes] | Type[datetime] | Type[BaseAbsentValue] | Type[Disassembly]]

Returns the list of values from the particular node, based on column index.