volatility3.framework.objects package
- class AggregateType(context, type_name, object_info, size, members)
Bases: ObjectInterface
Object which can contain members that are other objects.
Keep the number of methods in this class low or very specific, since each one could overload a valid member.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases: VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type: ObjectInterface
Note: If new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- class Array(context, type_name, object_info, count=0, subtype=None)
Bases: ObjectInterface, Sequence
Object which can contain a fixed number of an object type.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases: VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of the child member.
- Return type:
- abstract classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset from the head of the parent data to the child member.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type: ObjectInterface
Note: If new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- index(value[, start[, stop]]) → integer
Return first index of value.
Raises ValueError if the value is not present.
Supporting start and stop arguments is optional, but recommended.
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- class BitField(context, type_name, object_info, base_type, start_bit=0, end_bit=0)
Bases: ObjectInterface, int
Object containing a field which is made up of bits rather than whole bytes.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases: VolTemplateProxy
- abstract classmethod child_template(template, child)
Returns the template of the child member from the parent.
- Return type:
- abstract classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- abstract classmethod relative_child_offset(template, child)
Returns the relative offset from the head of the parent data to the child member.
- Return type:
- as_integer_ratio()
Return integer ratio.
Return a pair of integers, whose ratio is exactly equal to the original int and with a positive denominator.
>>> (10).as_integer_ratio()
(10, 1)
>>> (-10).as_integer_ratio()
(-10, 1)
>>> (0).as_integer_ratio()
(0, 1)
- bit_count()
Number of ones in the binary representation of the absolute value of self.
Also known as the population count.
>>> bin(13)
'0b1101'
>>> (13).bit_count()
3
- bit_length()
Number of bits necessary to represent self in binary.
>>> bin(37)
'0b100101'
>>> (37).bit_length()
6
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type: ObjectInterface
Note: If new type name does not include a symbol table, the symbol table for the current object is used.
- conjugate()
Returns self, the complex conjugate of any int.
- denominator
the denominator of a rational number in lowest terms
- from_bytes(byteorder='big', *, signed=False)
Return the integer represented by the given array of bytes.
- bytes
Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.
- byteorder
The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use sys.byteorder as the byte order value. Default is to use ‘big’.
- signed
Indicates whether two’s complement is used to represent the integer.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- imag
the imaginary part of a complex number
- numerator
the numerator of a rational number in lowest terms
- real
the real part of a complex number
- to_bytes(length=1, byteorder='big', *, signed=False)
Return an array of bytes representing an integer.
- length
Length of bytes object to use. An OverflowError is raised if the integer is not representable with the given number of bytes. Default is length 1.
- byteorder
The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use sys.byteorder as the byte order value. Default is to use ‘big’.
- signed
Determines whether two’s complement is used to represent the integer. If signed is False and a negative integer is given, an OverflowError is raised.
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- class Boolean(context, type_name, object_info, data_format)
Bases: PrimitiveObject, int
Primitive Object that handles boolean types.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases: VolTemplateProxy
- abstract classmethod child_template(template, child)
Returns the template of the child member from the parent.
- Return type:
- abstract classmethod children(template)
Returns the children of the template.
- abstract classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- abstract classmethod relative_child_offset(template, child)
Returns the relative offset from the head of the parent data to the child member.
- Return type:
- abstract classmethod replace_child(template, old_child, new_child)
Substitutes the old_child for the new_child.
- Return type:
- as_integer_ratio()
Return integer ratio.
Return a pair of integers, whose ratio is exactly equal to the original int and with a positive denominator.
>>> (10).as_integer_ratio()
(10, 1)
>>> (-10).as_integer_ratio()
(-10, 1)
>>> (0).as_integer_ratio()
(0, 1)
- bit_count()
Number of ones in the binary representation of the absolute value of self.
Also known as the population count.
>>> bin(13)
'0b1101'
>>> (13).bit_count()
3
- bit_length()
Number of bits necessary to represent self in binary.
>>> bin(37)
'0b100101'
>>> (37).bit_length()
6
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type: ObjectInterface
Note: If new type name does not include a symbol table, the symbol table for the current object is used.
- conjugate()
Returns self, the complex conjugate of any int.
- denominator
the denominator of a rational number in lowest terms
- from_bytes(byteorder='big', *, signed=False)
Return the integer represented by the given array of bytes.
- bytes
Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.
- byteorder
The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use sys.byteorder as the byte order value. Default is to use ‘big’.
- signed
Indicates whether two’s complement is used to represent the integer.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- imag
the imaginary part of a complex number
- numerator
the numerator of a rational number in lowest terms
- real
the real part of a complex number
- to_bytes(length=1, byteorder='big', *, signed=False)
Return an array of bytes representing an integer.
- length
Length of bytes object to use. An OverflowError is raised if the integer is not representable with the given number of bytes. Default is length 1.
- byteorder
The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use sys.byteorder as the byte order value. Default is to use ‘big’.
- signed
Determines whether two’s complement is used to represent the integer. If signed is False and a negative integer is given, an OverflowError is raised.
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the object into the layer of the context at the current offset.
- Return type:
- class Bytes(context, type_name, object_info, length=1)
Bases: PrimitiveObject, bytes
Primitive Object that handles specific series of bytes.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases: VolTemplateProxy
- abstract classmethod child_template(template, child)
Returns the template of the child member from the parent.
- Return type:
- abstract classmethod children(template)
Returns the children of the template.
- abstract classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- abstract classmethod relative_child_offset(template, child)
Returns the relative offset from the head of the parent data to the child member.
- Return type:
- abstract classmethod replace_child(template, old_child, new_child)
Substitutes the old_child for the new_child.
- Return type:
- capitalize() → copy of B
Return a copy of B with only its first character capitalized (ASCII) and the rest lower-cased.
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type: ObjectInterface
Note: If new type name does not include a symbol table, the symbol table for the current object is used.
- center(width, fillchar=b' ', /)
Return a centered string of length width.
Padding is done using the specified fill character.
- count(sub[, start[, end]]) → int
Return the number of non-overlapping occurrences of subsection sub in bytes B[start:end]. Optional arguments start and end are interpreted as in slice notation.
- decode(encoding='utf-8', errors='strict')
Decode the bytes using the codec registered for encoding.
- encoding
The encoding with which to decode the bytes.
- errors
The error handling scheme to use for the handling of decoding errors. The default is ‘strict’ meaning that decoding errors raise a UnicodeDecodeError. Other possible values are ‘ignore’ and ‘replace’ as well as any other name registered with codecs.register_error that can handle UnicodeDecodeErrors.
- endswith(suffix[, start[, end]]) → bool
Return True if B ends with the specified suffix, False otherwise. With optional start, test B beginning at that position. With optional end, stop comparing B at that position. suffix can also be a tuple of bytes to try.
- expandtabs(tabsize=8)
Return a copy where all tab characters are expanded using spaces.
If tabsize is not given, a tab size of 8 characters is assumed.
- find(sub[, start[, end]]) → int
Return the lowest index in B where subsection sub is found, such that sub is contained within B[start:end]. Optional arguments start and end are interpreted as in slice notation.
Return -1 on failure.
- fromhex()
Create a bytes object from a string of hexadecimal numbers.
Spaces between two numbers are accepted. Example: bytes.fromhex('B9 01EF') -> b'\xb9\x01\xef'.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- hex()
Create a string of hexadecimal numbers from a bytes object.
- sep
An optional single character or byte to separate hex bytes.
- bytes_per_sep
How many bytes between separators. Positive values count from the right, negative values count from the left.
Example:
>>> value = b'\xb9\x01\xef'
>>> value.hex()
'b901ef'
>>> value.hex(':')
'b9:01:ef'
>>> value.hex(':', 2)
'b9:01ef'
>>> value.hex(':', -2)
'b901:ef'
- index(sub[, start[, end]]) → int
Return the lowest index in B where subsection sub is found, such that sub is contained within B[start:end]. Optional arguments start and end are interpreted as in slice notation.
Raises ValueError when the subsection is not found.
- isalnum() → bool
Return True if all characters in B are alphanumeric and there is at least one character in B, False otherwise.
- isalpha() → bool
Return True if all characters in B are alphabetic and there is at least one character in B, False otherwise.
- isdigit() → bool
Return True if all characters in B are digits and there is at least one character in B, False otherwise.
- islower() → bool
Return True if all cased characters in B are lowercase and there is at least one cased character in B, False otherwise.
- isspace() → bool
Return True if all characters in B are whitespace and there is at least one character in B, False otherwise.
- istitle() → bool
Return True if B is a titlecased string and there is at least one character in B, i.e. uppercase characters may only follow uncased characters and lowercase characters only cased ones. Return False otherwise.
- isupper() → bool
Return True if all cased characters in B are uppercase and there is at least one cased character in B, False otherwise.
- join(iterable_of_bytes, /)
Concatenate any number of bytes objects.
The bytes whose method is called is inserted in between each pair.
The result is returned as a new bytes object.
Example: b'.'.join([b'ab', b'pq', b'rs']) -> b'ab.pq.rs'.
- ljust(width, fillchar=b' ', /)
Return a left-justified string of length width.
Padding is done using the specified fill character.
- lower() → copy of B
Return a copy of B with all ASCII characters converted to lowercase.
- lstrip(bytes=None, /)
Strip leading bytes contained in the argument.
If the argument is omitted or None, strip leading ASCII whitespace.
- static maketrans(frm, to, /)
Return a translation table useable for the bytes or bytearray translate method.
The returned table will be one where each byte in frm is mapped to the byte at the same position in to.
The bytes objects frm and to must be of the same length.
- partition(sep, /)
Partition the bytes into three parts using the given separator.
This will search for the separator sep in the bytes. If the separator is found, returns a 3-tuple containing the part before the separator, the separator itself, and the part after it.
If the separator is not found, returns a 3-tuple containing the original bytes object and two empty bytes objects.
- removeprefix(prefix, /)
Return a bytes object with the given prefix string removed if present.
If the bytes starts with the prefix string, return bytes[len(prefix):]. Otherwise, return a copy of the original bytes.
- removesuffix(suffix, /)
Return a bytes object with the given suffix string removed if present.
If the bytes ends with the suffix string and that suffix is not empty, return bytes[:-len(suffix)]. Otherwise, return a copy of the original bytes.
- replace(old, new, count=-1, /)
Return a copy with all occurrences of substring old replaced by new.
- count
Maximum number of occurrences to replace. -1 (the default value) means replace all occurrences.
If the optional argument count is given, only the first count occurrences are replaced.
- rfind(sub[, start[, end]]) → int
Return the highest index in B where subsection sub is found, such that sub is contained within B[start:end]. Optional arguments start and end are interpreted as in slice notation.
Return -1 on failure.
- rindex(sub[, start[, end]]) → int
Return the highest index in B where subsection sub is found, such that sub is contained within B[start:end]. Optional arguments start and end are interpreted as in slice notation.
Raise ValueError when the subsection is not found.
- rjust(width, fillchar=b' ', /)
Return a right-justified string of length width.
Padding is done using the specified fill character.
- rpartition(sep, /)
Partition the bytes into three parts using the given separator.
This will search for the separator sep in the bytes, starting at the end. If the separator is found, returns a 3-tuple containing the part before the separator, the separator itself, and the part after it.
If the separator is not found, returns a 3-tuple containing two empty bytes objects and the original bytes object.
- rsplit(sep=None, maxsplit=-1)
Return a list of the sections in the bytes, using sep as the delimiter.
- sep
The delimiter according to which to split the bytes. None (the default value) means split on ASCII whitespace characters (space, tab, return, newline, formfeed, vertical tab).
- maxsplit
Maximum number of splits to do. -1 (the default value) means no limit.
Splitting is done starting at the end of the bytes and working to the front.
- rstrip(bytes=None, /)
Strip trailing bytes contained in the argument.
If the argument is omitted or None, strip trailing ASCII whitespace.
- split(sep=None, maxsplit=-1)
Return a list of the sections in the bytes, using sep as the delimiter.
- sep
The delimiter according to which to split the bytes. None (the default value) means split on ASCII whitespace characters (space, tab, return, newline, formfeed, vertical tab).
- maxsplit
Maximum number of splits to do. -1 (the default value) means no limit.
- splitlines(keepends=False)
Return a list of the lines in the bytes, breaking at line boundaries.
Line breaks are not included in the resulting list unless keepends is given and true.
- startswith(prefix[, start[, end]]) → bool
Return True if B starts with the specified prefix, False otherwise. With optional start, test B beginning at that position. With optional end, stop comparing B at that position. prefix can also be a tuple of bytes to try.
- strip(bytes=None, /)
Strip leading and trailing bytes contained in the argument.
If the argument is omitted or None, strip leading and trailing ASCII whitespace.
- swapcase() → copy of B
Return a copy of B with uppercase ASCII characters converted to lowercase ASCII and vice versa.
- title() → copy of B
Return a titlecased version of B, i.e. ASCII words start with uppercase characters, all remaining cased characters have lowercase.
- translate(table, /, delete=b'')
Return a copy with each character mapped by the given translation table.
- table
Translation table, which must be a bytes object of length 256.
All characters occurring in the optional argument delete are removed. The remaining characters are mapped through the given translation table.
- upper() → copy of B
Return a copy of B with all ASCII characters converted to uppercase.
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the object into the layer of the context at the current offset.
- Return type:
- zfill(width, /)
Pad a numeric string with zeros on the left, to fill a field of the given width.
The original string is never truncated.
- class Char(context, type_name, object_info, data_format)
Bases: PrimitiveObject, int
Primitive Object that handles characters.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases: VolTemplateProxy
- abstract classmethod child_template(template, child)
Returns the template of the child member from the parent.
- Return type:
- abstract classmethod children(template)
Returns the children of the template.
- abstract classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- abstract classmethod relative_child_offset(template, child)
Returns the relative offset from the head of the parent data to the child member.
- Return type:
- abstract classmethod replace_child(template, old_child, new_child)
Substitutes the old_child for the new_child.
- Return type:
- as_integer_ratio()
Return integer ratio.
Return a pair of integers, whose ratio is exactly equal to the original int and with a positive denominator.
>>> (10).as_integer_ratio()
(10, 1)
>>> (-10).as_integer_ratio()
(-10, 1)
>>> (0).as_integer_ratio()
(0, 1)
- bit_count()
Number of ones in the binary representation of the absolute value of self.
Also known as the population count.
>>> bin(13)
'0b1101'
>>> (13).bit_count()
3
- bit_length()
Number of bits necessary to represent self in binary.
>>> bin(37)
'0b100101'
>>> (37).bit_length()
6
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type: ObjectInterface
Note: If new type name does not include a symbol table, the symbol table for the current object is used.
- conjugate()
Returns self, the complex conjugate of any int.
- denominator
the denominator of a rational number in lowest terms
- from_bytes(byteorder='big', *, signed=False)
Return the integer represented by the given array of bytes.
- bytes
Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.
- byteorder
The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use sys.byteorder as the byte order value. Default is to use ‘big’.
- signed
Indicates whether two’s complement is used to represent the integer.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- imag
the imaginary part of a complex number
- numerator
the numerator of a rational number in lowest terms
- real
the real part of a complex number
- to_bytes(length=1, byteorder='big', *, signed=False)
Return an array of bytes representing an integer.
- length
Length of bytes object to use. An OverflowError is raised if the integer is not representable with the given number of bytes. Default is length 1.
- byteorder
The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use sys.byteorder as the byte order value. Default is to use ‘big’.
- signed
Determines whether two’s complement is used to represent the integer. If signed is False and a negative integer is given, an OverflowError is raised.
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the object into the layer of the context at the current offset.
- Return type:
- class ClassType(context, type_name, object_info, size, members)
Bases: AggregateType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases: VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replaces a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type: ObjectInterface
Note: If new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class DataFormatInfo(length, byteorder, signed)
Bases: tuple
Create new instance of DataFormatInfo(length, byteorder, signed)
- byteorder
Alias for field number 1
- count(value, /)
Return number of occurrences of value.
- index(value, start=0, stop=9223372036854775807, /)
Return first index of value.
Raises ValueError if the value is not present.
- length
Alias for field number 0
- signed
Alias for field number 2
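How the three DataFormatInfo fields and a BitField-style bit range turn raw bytes into values, including the short-read and overflow cases, as an added example that is not Volatility 3 code and does not import it. The helper names, the sample bytes and the half-open [start_bit, end_bit) convention are assumptions made for the illustration.

```python
from collections import namedtuple

# Same field order as documented above: length (0), byteorder (1), signed (2).
DataFormatInfo = namedtuple("DataFormatInfo", ["length", "byteorder", "signed"])

U16_LE = DataFormatInfo(2, "little", False)
U16_BE = DataFormatInfo(2, "big", False)
S16_LE = DataFormatInfo(2, "little", True)
U32_LE = DataFormatInfo(4, "little", False)

# Constructed sample: 8 bytes standing in for data read from a memory layer.
SAMPLE = bytes.fromhex("b901efff0d000000")


def decode_primitive(data, offset, fmt):
    """Decode one integer at offset according to fmt.

    A slice that runs past the end of the buffer is silently shortened by
    Python, and int.from_bytes would then decode fewer bytes than the type
    requires, so a short read is rejected explicitly.
    """
    end = offset + fmt.length
    if offset < 0 or end > len(data):
        raise ValueError(f"short read: need [{offset}, {end}) of {len(data)} bytes")
    return int.from_bytes(data[offset:end], byteorder=fmt.byteorder, signed=fmt.signed)


def encode_primitive(value, fmt):
    """Encode value for writing back; OverflowError if it does not fit fmt."""
    return value.to_bytes(fmt.length, byteorder=fmt.byteorder, signed=fmt.signed)


def extract_bitfield(base_value, start_bit, end_bit):
    """Return bits [start_bit, end_bit) of base_value (assumed convention)."""
    if not 0 <= start_bit < end_bit:
        raise ValueError("need 0 <= start_bit < end_bit")
    width = end_bit - start_bit
    return (base_value >> start_bit) & ((1 << width) - 1)


def decode_sample():
    """Decode the constructed sample several ways and collect the results."""
    flags = decode_primitive(SAMPLE, 4, U32_LE)
    return {
        "u16_le": decode_primitive(SAMPLE, 0, U16_LE),
        "u16_be": decode_primitive(SAMPLE, 0, U16_BE),
        "s16_le": decode_primitive(SAMPLE, 2, S16_LE),
        "u16_le_same_bytes": decode_primitive(SAMPLE, 2, U16_LE),
        "flags": flags,
        "flags_bit0": extract_bitfield(flags, 0, 1),
        "flags_bit1": extract_bitfield(flags, 1, 2),
        "flags_bits2_3": extract_bitfield(flags, 2, 4),
    }


if __name__ == "__main__":
    for name, value in decode_sample().items():
        print(f"{name:>18} = {value}")
    try:
        encode_primitive(-17, U16_LE)
    except OverflowError as exc:
        print("write rejected:", exc)
```

The same two bytes decode to different values depending on byteorder and signed, which is why a wrong data format in a symbol table yields plausible-looking but incorrect field values rather than an error.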
- class Enumeration(context, type_name, object_info, base_type, choices)
Bases: ObjectInterface, int
Returns an object made up of choices.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases: VolTemplateProxy
- abstract classmethod child_template(template, child)
Returns the template of the child member from the parent.
- Return type:
- abstract classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod lookup(template, value)
Looks up an individual value and returns the associated name.
If multiple identifiers map to the same value, the first matching identifier will be returned.
- Return type:
- abstract classmethod relative_child_offset(template, child)
Returns the relative offset from the head of the parent data to the child member.
- Return type:
- as_integer_ratio()
Return integer ratio.
Return a pair of integers, whose ratio is exactly equal to the original int and with a positive denominator.
>>> (10).as_integer_ratio()
(10, 1)
>>> (-10).as_integer_ratio()
(-10, 1)
>>> (0).as_integer_ratio()
(0, 1)
- bit_count()
Number of ones in the binary representation of the absolute value of self.
Also known as the population count.
>>> bin(13)
'0b1101'
>>> (13).bit_count()
3
- bit_length()
Number of bits necessary to represent self in binary.
>>> bin(37)
'0b100101'
>>> (37).bit_length()
6
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type: ObjectInterface
Note: If new type name does not include a symbol table, the symbol table for the current object is used.
- conjugate()
Returns self, the complex conjugate of any int.
- denominator
the denominator of a rational number in lowest terms
- from_bytes(byteorder='big', *, signed=False)
Return the integer represented by the given array of bytes.
- bytes
Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.
- byteorder
The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use ‘sys.byteorder’ as the byte order value. Default is to use ‘big’.
- signed
Indicates whether two’s complement is used to represent the integer.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- imag
the imaginary part of a complex number
- lookup(value=None)[source]
Looks up an individual value and returns the associated name.
If multiple identifiers map to the same value, the first matching identifier will be returned
- Return type:
- numerator
the numerator of a rational number in lowest terms
- real
the real part of a complex number
- to_bytes(length=1, byteorder='big', *, signed=False)
Return an array of bytes representing an integer.
- length
Length of bytes object to use. An OverflowError is raised if the integer is not representable with the given number of bytes. Default is length 1.
- byteorder
The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use ‘sys.byteorder’ as the byte order value. Default is to use ‘big’.
- signed
Determines whether two’s complement is used to represent the integer. If signed is False and a negative integer is given, an OverflowError is raised.
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- class Float(context, type_name, object_info, data_format)[source]
Bases:
PrimitiveObject, float
Primitive Object that handles double or floating point numbers.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- abstract classmethod child_template(template, child)
Returns the template of the child member from the parent.
- Return type:
- abstract classmethod children(template)
Returns the children of the template.
- abstract classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- abstract classmethod relative_child_offset(template, child)
Returns the relative offset from the head of the parent data to the child member.
- Return type:
- abstract classmethod replace_child(template, old_child, new_child)
Substitutes the old_child for the new_child.
- Return type:
- as_integer_ratio()
Return integer ratio.
Return a pair of integers, whose ratio is exactly equal to the original float and with a positive denominator.
Raise OverflowError on infinities and a ValueError on NaNs.
>>> (10.0).as_integer_ratio()
(10, 1)
>>> (0.0).as_integer_ratio()
(0, 1)
>>> (-.25).as_integer_ratio()
(-1, 4)
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- conjugate()
Return self, the complex conjugate of any float.
- fromhex()
Create a floating-point number from a hexadecimal string.
>>> float.fromhex('0x1.ffffp10')
2047.984375
>>> float.fromhex('-0x1p-1074')
-5e-324
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- hex()
Return a hexadecimal representation of a floating-point number.
>>> (-0.1).hex()
'-0x1.999999999999ap-4'
>>> 3.14159.hex()
'0x1.921f9f01b866ep+1'
- imag
the imaginary part of a complex number
- is_integer()
Return True if the float is an integer.
- real
the real part of a complex number
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the object into the layer of the context at the current offset.
- Return type:
- class Function(context, type_name, object_info, **kwargs)[source]
Bases:
ObjectInterface
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
object
A container for proxied methods that the ObjectTemplate of this object will call. This is primarily to keep methods together for easy organization/management, there is no significant need for it to be a separate class.
The methods of this class must be class methods rather than standard methods, to allow for code reuse. Each method also takes a template since the templates may contain the necessary data about the yet-to-be-constructed object. It allows objects to control how their templates respond without needing to write new templates for each and every potential object type.
- abstract classmethod child_template(template, child)
Returns the template of the child member from the parent.
- Return type:
- abstract classmethod children(template)
Returns the children of the template.
- abstract classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- abstract classmethod relative_child_offset(template, child)
Returns the relative offset from the head of the parent data to the child member.
- Return type:
- abstract classmethod replace_child(template, old_child, new_child)
Substitutes the old_child for the new_child.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- abstract write(value)
Writes the new value into the format at the offset the object currently resides at.
- class Integer(context, type_name, object_info, data_format)[source]
Bases:
PrimitiveObject, int
Primitive Object that handles standard numeric types.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- abstract classmethod child_template(template, child)
Returns the template of the child member from the parent.
- Return type:
- abstract classmethod children(template)
Returns the children of the template.
- abstract classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- abstract classmethod relative_child_offset(template, child)
Returns the relative offset from the head of the parent data to the child member.
- Return type:
- abstract classmethod replace_child(template, old_child, new_child)
Substitutes the old_child for the new_child.
- Return type:
- as_integer_ratio()
Return integer ratio.
Return a pair of integers, whose ratio is exactly equal to the original int and with a positive denominator.
>>> (10).as_integer_ratio()
(10, 1)
>>> (-10).as_integer_ratio()
(-10, 1)
>>> (0).as_integer_ratio()
(0, 1)
- bit_count()
Number of ones in the binary representation of the absolute value of self.
Also known as the population count.
>>> bin(13)
'0b1101'
>>> (13).bit_count()
3
- bit_length()
Number of bits necessary to represent self in binary.
>>> bin(37)
'0b100101'
>>> (37).bit_length()
6
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- conjugate()
Returns self, the complex conjugate of any int.
- denominator
the denominator of a rational number in lowest terms
- from_bytes(byteorder='big', *, signed=False)
Return the integer represented by the given array of bytes.
- bytes
Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.
- byteorder
The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use ‘sys.byteorder’ as the byte order value. Default is to use ‘big’.
- signed
Indicates whether two’s complement is used to represent the integer.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- imag
the imaginary part of a complex number
- numerator
the numerator of a rational number in lowest terms
- real
the real part of a complex number
- to_bytes(length=1, byteorder='big', *, signed=False)
Return an array of bytes representing an integer.
- length
Length of bytes object to use. An OverflowError is raised if the integer is not representable with the given number of bytes. Default is length 1.
- byteorder
The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use ‘sys.byteorder’ as the byte order value. Default is to use ‘big’.
- signed
Determines whether two’s complement is used to represent the integer. If signed is False and a negative integer is given, an OverflowError is raised.
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the object into the layer of the context at the current offset.
- Return type:
- class Pointer(context, type_name, object_info, data_format, subtype=None)[source]
Bases:
Integer
Pointer which points to another object.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy[source]
Bases:
VolTemplateProxy
- abstract classmethod child_template(template, child)
Returns the template of the child member from the parent.
- Return type:
- classmethod has_member(template, member_name)[source]
Returns whether the object would contain a member called member_name.
- Return type:
- abstract classmethod relative_child_offset(template, child)
Returns the relative offset from the head of the parent data to the child member.
- Return type:
- as_integer_ratio()
Return integer ratio.
Return a pair of integers, whose ratio is exactly equal to the original int and with a positive denominator.
>>> (10).as_integer_ratio()
(10, 1)
>>> (-10).as_integer_ratio()
(-10, 1)
>>> (0).as_integer_ratio()
(0, 1)
- bit_count()
Number of ones in the binary representation of the absolute value of self.
Also known as the population count.
>>> bin(13)
'0b1101'
>>> (13).bit_count()
3
- bit_length()
Number of bits necessary to represent self in binary.
>>> bin(37)
'0b100101'
>>> (37).bit_length()
6
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- conjugate()
Returns self, the complex conjugate of any int.
- denominator
the denominator of a rational number in lowest terms
- dereference(layer_name=None)[source]
Dereferences the pointer.
layer_name identifies the appropriate layer within the context that the pointer points to. If layer_name is None, it defaults to the same layer that the pointer is currently instantiated in.
- Return type:
- from_bytes(byteorder='big', *, signed=False)
Return the integer represented by the given array of bytes.
- bytes
Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.
- byteorder
The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use ‘sys.byteorder’ as the byte order value. Default is to use ‘big’.
- signed
Indicates whether two’s complement is used to represent the integer.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)[source]
Returns whether the dereferenced type has this member.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- imag
the imaginary part of a complex number
- is_readable(layer_name=None)[source]
Determines whether the address of this pointer can be read from memory.
- Return type:
- numerator
the numerator of a rational number in lowest terms
- real
the real part of a complex number
- to_bytes(length=1, byteorder='big', *, signed=False)
Return an array of bytes representing an integer.
- length
Length of bytes object to use. An OverflowError is raised if the integer is not representable with the given number of bytes. Default is length 1.
- byteorder
The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use ‘sys.byteorder’ as the byte order value. Default is to use ‘big’.
- signed
Determines whether two’s complement is used to represent the integer. If signed is False and a negative integer is given, an OverflowError is raised.
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the object into the layer of the context at the current offset.
- Return type:
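Pointer values recovered from a memory image are untrusted data, which is why the Pointer class pairs is_readable() with dereference(). The following is an added, stdlib-only model of that pattern and is not volatility3 code: SparseLayer, ModelPointer, walk_list, build_image and the 16-byte node layout are hypothetical names and constructed sample data, and only the is_readable/dereference pairing and the DataFormatInfo field order come from this page.

```python
import struct
from collections import namedtuple

# Same field order as the DataFormatInfo tuple documented on this page.
DataFormatInfo = namedtuple("DataFormatInfo", ["length", "byteorder", "signed"])
PTR64 = DataFormatInfo(length=8, byteorder="little", signed=False)
PAGE = 0x1000
NODE_SIZE = 16  # constructed node layout: u64 next pointer, u64 pid


class SparseLayer:
    """Hypothetical memory layer in which only some pages were captured."""

    def __init__(self, pages):
        self.pages = pages  # {page base address: PAGE bytes}

    def is_valid(self, offset, length):
        if offset < 0 or length <= 0:
            return False
        end = offset + length - 1
        first, last = offset - offset % PAGE, end - end % PAGE
        return all(base in self.pages for base in range(first, last + PAGE, PAGE))

    def read(self, offset, length):
        if not self.is_valid(offset, length):
            raise ValueError(f"unreadable range {offset:#x}+{length:#x}")
        out = bytearray()
        while length:
            base = offset - offset % PAGE
            chunk = self.pages[base][offset - base:offset - base + length]
            out += chunk
            offset, length = offset + len(chunk), length - len(chunk)
        return bytes(out)


class ModelPointer(int):
    """Integer read from a layer that can be checked before it is followed."""

    def __new__(cls, layer, offset, fmt=PTR64, target_size=NODE_SIZE):
        raw = layer.read(offset, fmt.length)
        value = int.from_bytes(raw, fmt.byteorder, signed=fmt.signed)
        self = super().__new__(cls, value)
        self.layer, self.target_size = layer, target_size
        return self

    def is_readable(self):
        return self.layer.is_valid(int(self), self.target_size)

    def dereference(self):
        return self.layer.read(int(self), self.target_size)


def walk_list(layer, head_ptr_offset, max_nodes=64):
    """Follow next pointers, returning (pids, reason the walk stopped)."""
    pids, seen = [], set()
    ptr = ModelPointer(layer, head_ptr_offset)
    while ptr != 0 and len(pids) < max_nodes:
        if not ptr.is_readable():  # check before dereferencing
            return pids, f"unreadable pointer {int(ptr):#x}"
        if int(ptr) in seen:  # a corrupted or manipulated list can loop
            return pids, f"cycle at {int(ptr):#x}"
        seen.add(int(ptr))
        node = ptr.dereference()
        pids.append(int.from_bytes(node[8:16], "little"))
        ptr = ModelPointer(layer, int(ptr))  # next pointer is the node's first field
    reason = "end of list" if ptr == 0 else "node limit reached"
    return pids, reason


def build_image(b_next=0x1300):
    """Constructed sample: head at 0x1000 -> A (pid 4) -> B (pid 368) -> C (pid 512)."""
    page = bytearray(PAGE)
    struct.pack_into("<Q", page, 0x000, 0x1100)
    struct.pack_into("<QQ", page, 0x100, 0x1200, 4)
    struct.pack_into("<QQ", page, 0x200, b_next, 368)  # B's next pointer is adjustable
    struct.pack_into("<QQ", page, 0x300, 0, 512)
    return SparseLayer({0x1000: bytes(page)})


if __name__ == "__main__":
    for b_next in (0x1300, 0xFFFF800000000000, 0x1100):
        print(walk_list(build_image(b_next), 0x1000))
```

The walk returns the entries it recovered together with the reason it stopped, so a partial result from a damaged or smeared image is reported as partial rather than raising midway or looping.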
- class PrimitiveObject(context, type_name, object_info, data_format)[source]
Bases:
ObjectInterface
PrimitiveObject is an interface for any objects that should simulate a Python primitive.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy[source]
Bases:
VolTemplateProxy
- abstract classmethod child_template(template, child)
Returns the template of the child member from the parent.
- Return type:
- abstract classmethod children(template)
Returns the children of the template.
- abstract classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- abstract classmethod relative_child_offset(template, child)
Returns the relative offset from the head of the parent data to the child member.
- Return type:
- abstract classmethod replace_child(template, old_child, new_child)
Substitutes the old_child for the new_child.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- class String(context, type_name, object_info, max_length=1, encoding='utf-8', errors='strict')[source]
Bases:
PrimitiveObject, str
Primitive Object that handles string values.
- Parameters:
max_length (int) – specifies the maximum possible length that the string could hold within memory (for multibyte characters, this will not be the maximum length of the string)
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy[source]
Bases:
VolTemplateProxy
- abstract classmethod child_template(template, child)
Returns the template of the child member from the parent.
- Return type:
- abstract classmethod children(template)
Returns the children of the template.
- abstract classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- abstract classmethod relative_child_offset(template, child)
Returns the relative offset from the head of the parent data to the child member.
- Return type:
- abstract classmethod replace_child(template, old_child, new_child)
Substitutes the old_child for the new_child.
- Return type:
- capitalize()
Return a capitalized version of the string.
More specifically, make the first character have upper case and the rest lower case.
- casefold()
Return a version of the string suitable for caseless comparisons.
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- center(width, fillchar=' ', /)
Return a centered string of length width.
Padding is done using the specified fill character (default is a space).
- count(sub[, start[, end]]) -> int
Return the number of non-overlapping occurrences of substring sub in string S[start:end]. Optional arguments start and end are interpreted as in slice notation.
- encode(encoding='utf-8', errors='strict')
Encode the string using the codec registered for encoding.
- encoding
The encoding in which to encode the string.
- errors
The error handling scheme to use for encoding errors. The default is ‘strict’ meaning that encoding errors raise a UnicodeEncodeError. Other possible values are ‘ignore’, ‘replace’ and ‘xmlcharrefreplace’ as well as any other name registered with codecs.register_error that can handle UnicodeEncodeErrors.
- endswith(suffix[, start[, end]]) -> bool
Return True if S ends with the specified suffix, False otherwise. With optional start, test S beginning at that position. With optional end, stop comparing S at that position. suffix can also be a tuple of strings to try.
- expandtabs(tabsize=8)
Return a copy where all tab characters are expanded using spaces.
If tabsize is not given, a tab size of 8 characters is assumed.
- find(sub[, start[, end]]) -> int
Return the lowest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.
Return -1 on failure.
- format(*args, **kwargs) -> str
Return a formatted version of S, using substitutions from args and kwargs. The substitutions are identified by braces (‘{’ and ‘}’).
- format_map(mapping) -> str
Return a formatted version of S, using substitutions from mapping. The substitutions are identified by braces (‘{’ and ‘}’).
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- index(sub[, start[, end]]) -> int
Return the lowest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.
Raises ValueError when the substring is not found.
- isalnum()
Return True if the string is an alpha-numeric string, False otherwise.
A string is alpha-numeric if all characters in the string are alpha-numeric and there is at least one character in the string.
- isalpha()
Return True if the string is an alphabetic string, False otherwise.
A string is alphabetic if all characters in the string are alphabetic and there is at least one character in the string.
- isascii()
Return True if all characters in the string are ASCII, False otherwise.
ASCII characters have code points in the range U+0000-U+007F. Empty string is ASCII too.
- isdecimal()
Return True if the string is a decimal string, False otherwise.
A string is a decimal string if all characters in the string are decimal and there is at least one character in the string.
- isdigit()
Return True if the string is a digit string, False otherwise.
A string is a digit string if all characters in the string are digits and there is at least one character in the string.
- isidentifier()
Return True if the string is a valid Python identifier, False otherwise.
Call keyword.iskeyword(s) to test whether string s is a reserved identifier, such as “def” or “class”.
- islower()
Return True if the string is a lowercase string, False otherwise.
A string is lowercase if all cased characters in the string are lowercase and there is at least one cased character in the string.
- isnumeric()
Return True if the string is a numeric string, False otherwise.
A string is numeric if all characters in the string are numeric and there is at least one character in the string.
- isprintable()
Return True if the string is printable, False otherwise.
A string is printable if all of its characters are considered printable in repr() or if it is empty.
- isspace()
Return True if the string is a whitespace string, False otherwise.
A string is whitespace if all characters in the string are whitespace and there is at least one character in the string.
- istitle()
Return True if the string is a title-cased string, False otherwise.
In a title-cased string, upper- and title-case characters may only follow uncased characters and lowercase characters only cased ones.
- isupper()
Return True if the string is an uppercase string, False otherwise.
A string is uppercase if all cased characters in the string are uppercase and there is at least one cased character in the string.
- join(iterable, /)
Concatenate any number of strings.
The string whose method is called is inserted in between each given string. The result is returned as a new string.
Example: '.'.join(['ab', 'pq', 'rs']) -> 'ab.pq.rs'
- ljust(width, fillchar=' ', /)
Return a left-justified string of length width.
Padding is done using the specified fill character (default is a space).
- lower()
Return a copy of the string converted to lowercase.
- lstrip(chars=None, /)
Return a copy of the string with leading whitespace removed.
If chars is given and not None, remove characters in chars instead.
- static maketrans()
Return a translation table usable for str.translate().
If there is only one argument, it must be a dictionary mapping Unicode ordinals (integers) or characters to Unicode ordinals, strings or None. Character keys will be then converted to ordinals. If there are two arguments, they must be strings of equal length, and in the resulting dictionary, each character in x will be mapped to the character at the same position in y. If there is a third argument, it must be a string, whose characters will be mapped to None in the result.
- partition(sep, /)
Partition the string into three parts using the given separator.
This will search for the separator in the string. If the separator is found, returns a 3-tuple containing the part before the separator, the separator itself, and the part after it.
If the separator is not found, returns a 3-tuple containing the original string and two empty strings.
- removeprefix(prefix, /)
Return a str with the given prefix string removed if present.
If the string starts with the prefix string, return string[len(prefix):]. Otherwise, return a copy of the original string.
- removesuffix(suffix, /)
Return a str with the given suffix string removed if present.
If the string ends with the suffix string and that suffix is not empty, return string[:-len(suffix)]. Otherwise, return a copy of the original string.
- replace(old, new, count=-1, /)
Return a copy with all occurrences of substring old replaced by new.
- count
Maximum number of occurrences to replace. -1 (the default value) means replace all occurrences.
If the optional argument count is given, only the first count occurrences are replaced.
- rfind(sub[, start[, end]]) -> int
Return the highest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.
Return -1 on failure.
- rindex(sub[, start[, end]]) -> int
Return the highest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.
Raises ValueError when the substring is not found.
- rjust(width, fillchar=' ', /)
Return a right-justified string of length width.
Padding is done using the specified fill character (default is a space).
- rpartition(sep, /)
Partition the string into three parts using the given separator.
This will search for the separator in the string, starting at the end. If the separator is found, returns a 3-tuple containing the part before the separator, the separator itself, and the part after it.
If the separator is not found, returns a 3-tuple containing two empty strings and the original string.
- rsplit(sep=None, maxsplit=-1)
Return a list of the substrings in the string, using sep as the separator string.
- sep
The separator used to split the string.
When set to None (the default value), will split on any whitespace character (including \n \r \t \f and spaces) and will discard empty strings from the result.
- maxsplit
Maximum number of splits (starting from the left). -1 (the default value) means no limit.
Splitting starts at the end of the string and works to the front.
- rstrip(chars=None, /)
Return a copy of the string with trailing whitespace removed.
If chars is given and not None, remove characters in chars instead.
- split(sep=None, maxsplit=-1)
Return a list of the substrings in the string, using sep as the separator string.
- sep
The separator used to split the string.
When set to None (the default value), will split on any whitespace character (including \n \r \t \f and spaces) and will discard empty strings from the result.
- maxsplit
Maximum number of splits (starting from the left). -1 (the default value) means no limit.
Note, str.split() is mainly useful for data that has been intentionally delimited. With natural text that includes punctuation, consider using the regular expression module.
- splitlines(keepends=False)
Return a list of the lines in the string, breaking at line boundaries.
Line breaks are not included in the resulting list unless keepends is given and true.
- startswith(prefix[, start[, end]]) -> bool
Return True if S starts with the specified prefix, False otherwise. With optional start, test S beginning at that position. With optional end, stop comparing S at that position. prefix can also be a tuple of strings to try.
- strip(chars=None, /)
Return a copy of the string with leading and trailing whitespace removed.
If chars is given and not None, remove characters in chars instead.
- swapcase()
Convert uppercase characters to lowercase and lowercase characters to uppercase.
- title()
Return a version of the string where each word is titlecased.
More specifically, words start with uppercased characters and all remaining cased characters have lower case.
- translate(table, /)
Replace each character in the string using the given translation table.
- table
Translation table, which must be a mapping of Unicode ordinals to Unicode ordinals, strings, or None.
The table must implement lookup/indexing via __getitem__, for instance a dictionary or list. If this operation raises LookupError, the character is left untouched. Characters mapped to None are deleted.
- upper()
Return a copy of the string converted to uppercase.
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the object into the layer of the context at the current offset.
- Return type:
- zfill(width, /)
Pad a numeric string with zeros on the left, to fill a field of the given width.
The string is never truncated.
- class StructType(context, type_name, object_info, size, members)[source]
Bases:
AggregateType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class UnionType(context, type_name, object_info, size, members)[source]
Bases:
AggregateType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child element within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class Void(context, type_name, object_info, **kwargs)[source]
Bases:
ObjectInterface
Returns an object to represent void/unknown types.
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy[source]
Bases:
VolTemplateProxy
- abstract classmethod child_template(template, child)
Returns the template of the child member from the parent.
- Return type:
- abstract classmethod children(template)
Returns the children of the template.
- abstract classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- abstract classmethod relative_child_offset(template, child)
Returns the relative offset from the head of the parent data to the child member.
- Return type:
- abstract classmethod replace_child(template, old_child, new_child)
Substitutes the old_child for the new_child.
- Return type:
- classmethod size(template)[source]
Dummy size for Void objects.
According to http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf, void is an incomplete type, and therefore sizeof(void) should fail. However, we need to be able to construct voids to be able to cast them, so we return a useless size. It shouldn’t cause errors, but it also shouldn’t be common; it is logged at the lowest level.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits.
- Return type:
ObjectInterface
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- convert_data_to_value(data, struct_type, data_format)[source]
Converts a series of bytes to a particular type of value.
- convert_value_to_data(value, struct_type, data_format)[source]
Converts a particular value to a series of bytes.
- Return type: