volatility3.framework.symbols package
- class SymbolSpace[source]
Bases:
SymbolSpaceInterface
Handles an ordered collection of SymbolTables.
This collection is ordered so that resolution of symbols can proceed down through the ranks if a namespace isn’t specified.
- class UnresolvedTemplate(type_name, **kwargs)[source]
Bases:
ReferenceTemplate
Class to highlight when missing symbols are present.
This class is identical to a reference template, but differentiable by its classname. It will output a debug log to indicate when it has been instantiated and with what name.
This class is designed to be output ONLY as part of the SymbolSpace resolution system. Individual SymbolTables that cannot resolve a symbol should still return a SymbolError to indicate this failure in resolution.
Stores the keyword arguments for later object creation.
- child_template(*args, **kwargs)
Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.
- Return type:
- property children: List[Template]
The children of this template (such as member types, sub-types and base-types where they are relevant).
Used to traverse the template tree.
- clone()
Returns a copy of the original Template as constructed (without update_vol additions having been made)
- Return type:
- has_member(*args, **kwargs)
Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.
- Return type:
- relative_child_offset(*args, **kwargs)
Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.
- Return type:
- replace_child(*args, **kwargs)
Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.
- Return type:
- property size: Any
Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.
- update_vol(**new_arguments)
Updates the keyword arguments with values that will not be carried across to clones.
- Return type:
- property vol: ReadOnlyMapping
Returns a volatility information object, much like the
ObjectInformation
provides.
- clear_symbol_cache(table_name=None)[source]
Clears the symbol cache for the specified table name. If no table name is specified, the caches of all symbol tables are cleared.
- Return type:
- free_table_name(prefix='layer')[source]
Returns an unused table name to ensure no collision occurs when inserting a symbol table.
- Return type:
- get(k[, d]) D[k] if k in D, else d. d defaults to None.
- get_enumeration(enum_name)[source]
Look-up a set of enumeration choices from a specific symbol table.
- Return type:
- get_symbol(symbol_name)[source]
Look-up a symbol name across all the contained symbol spaces.
- Return type:
- get_symbols_by_location(offset, size=0, table_name=None)[source]
Returns all symbols that exist at a specific relative address.
- get_type(type_name)[source]
Takes a symbol name and resolves it.
This method ensures that all referenced templates (including self-referential templates) are satisfied as ObjectTemplates
- Return type:
- has_enumeration(name)[source]
Determines whether an enumeration choice exists in the contained symbol tables.
- Return type:
- has_symbol(name)[source]
Determines whether a symbol exists in the contained symbol tables.
- Return type:
- has_type(name)[source]
Determines whether a type exists in the contained symbol tables.
- Return type:
- items() a set-like object providing a view on D's items
- keys() a set-like object providing a view on D's keys
- values() an object providing a view on D's values
- class SymbolType(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)[source]
Bases:
Enum
- ENUM = 3
- SYMBOL = 2
- TYPE = 1
- symbol_table_is_64bit(context, symbol_table_name)[source]
Returns a boolean as to whether a particular symbol table within a context is 64-bit or not.
- Return type:
Subpackages
- volatility3.framework.symbols.generic package
GenericIntelProcess
GenericIntelProcess.VolTemplateProxy
GenericIntelProcess.VolTemplateProxy.child_template()
GenericIntelProcess.VolTemplateProxy.children()
GenericIntelProcess.VolTemplateProxy.has_member()
GenericIntelProcess.VolTemplateProxy.relative_child_offset()
GenericIntelProcess.VolTemplateProxy.replace_child()
GenericIntelProcess.VolTemplateProxy.size()
GenericIntelProcess.cast()
GenericIntelProcess.get_symbol_table_name()
GenericIntelProcess.has_member()
GenericIntelProcess.has_valid_member()
GenericIntelProcess.has_valid_members()
GenericIntelProcess.member()
GenericIntelProcess.vol
GenericIntelProcess.write()
- volatility3.framework.symbols.linux package
LinuxKernelIntermedSymbols
LinuxKernelIntermedSymbols.build_configuration()
LinuxKernelIntermedSymbols.clear_symbol_cache()
LinuxKernelIntermedSymbols.config
LinuxKernelIntermedSymbols.config_path
LinuxKernelIntermedSymbols.context
LinuxKernelIntermedSymbols.create()
LinuxKernelIntermedSymbols.del_type_class()
LinuxKernelIntermedSymbols.enumerations
LinuxKernelIntermedSymbols.file_symbol_url()
LinuxKernelIntermedSymbols.get_enumeration()
LinuxKernelIntermedSymbols.get_requirements()
LinuxKernelIntermedSymbols.get_symbol()
LinuxKernelIntermedSymbols.get_symbol_type()
LinuxKernelIntermedSymbols.get_symbols_by_location()
LinuxKernelIntermedSymbols.get_symbols_by_type()
LinuxKernelIntermedSymbols.get_type()
LinuxKernelIntermedSymbols.get_type_class()
LinuxKernelIntermedSymbols.make_subconfig()
LinuxKernelIntermedSymbols.metadata
LinuxKernelIntermedSymbols.natives
LinuxKernelIntermedSymbols.optional_set_type_class()
LinuxKernelIntermedSymbols.producer
LinuxKernelIntermedSymbols.provides
LinuxKernelIntermedSymbols.set_type_class()
LinuxKernelIntermedSymbols.symbols
LinuxKernelIntermedSymbols.types
LinuxKernelIntermedSymbols.unsatisfied()
LinuxUtilities
LinuxUtilities.container_of()
LinuxUtilities.do_get_path()
LinuxUtilities.files_descriptors_for_process()
LinuxUtilities.generate_kernel_handler_info()
LinuxUtilities.get_module_from_volobj_type()
LinuxUtilities.get_path_mnt()
LinuxUtilities.lookup_module_address()
LinuxUtilities.mask_mods_list()
LinuxUtilities.path_for_file()
LinuxUtilities.version
LinuxUtilities.walk_internal_list()
- Subpackages
- volatility3.framework.symbols.linux.extensions package
bpf_prog
bt_sock
cred
dentry
files_struct
fs_struct
inet_sock
kernel_cap_struct
kernel_cap_t
kobject
list_head
maple_tree
mm_struct
mnt_namespace
module
mount
net
netlink_sock
packet_sock
qstr
sock
socket
struct_file
super_block
task_struct
unix_sock
vfsmount
vm_area_struct
vsock_sock
xdp_sock
- Submodules
- volatility3.framework.symbols.linux.extensions package
- Submodules
- volatility3.framework.symbols.mac package
MacKernelIntermedSymbols
MacKernelIntermedSymbols.build_configuration()
MacKernelIntermedSymbols.clear_symbol_cache()
MacKernelIntermedSymbols.config
MacKernelIntermedSymbols.config_path
MacKernelIntermedSymbols.context
MacKernelIntermedSymbols.create()
MacKernelIntermedSymbols.del_type_class()
MacKernelIntermedSymbols.enumerations
MacKernelIntermedSymbols.file_symbol_url()
MacKernelIntermedSymbols.get_enumeration()
MacKernelIntermedSymbols.get_requirements()
MacKernelIntermedSymbols.get_symbol()
MacKernelIntermedSymbols.get_symbol_type()
MacKernelIntermedSymbols.get_symbols_by_location()
MacKernelIntermedSymbols.get_symbols_by_type()
MacKernelIntermedSymbols.get_type()
MacKernelIntermedSymbols.get_type_class()
MacKernelIntermedSymbols.make_subconfig()
MacKernelIntermedSymbols.metadata
MacKernelIntermedSymbols.natives
MacKernelIntermedSymbols.optional_set_type_class()
MacKernelIntermedSymbols.producer
MacKernelIntermedSymbols.provides
MacKernelIntermedSymbols.set_type_class()
MacKernelIntermedSymbols.symbols
MacKernelIntermedSymbols.types
MacKernelIntermedSymbols.unsatisfied()
MacUtilities
- Subpackages
- volatility3.framework.symbols.windows package
WindowsKernelIntermedSymbols
WindowsKernelIntermedSymbols.build_configuration()
WindowsKernelIntermedSymbols.clear_symbol_cache()
WindowsKernelIntermedSymbols.config
WindowsKernelIntermedSymbols.config_path
WindowsKernelIntermedSymbols.context
WindowsKernelIntermedSymbols.create()
WindowsKernelIntermedSymbols.del_type_class()
WindowsKernelIntermedSymbols.enumerations
WindowsKernelIntermedSymbols.file_symbol_url()
WindowsKernelIntermedSymbols.get_enumeration()
WindowsKernelIntermedSymbols.get_requirements()
WindowsKernelIntermedSymbols.get_symbol()
WindowsKernelIntermedSymbols.get_symbol_type()
WindowsKernelIntermedSymbols.get_symbols_by_location()
WindowsKernelIntermedSymbols.get_symbols_by_type()
WindowsKernelIntermedSymbols.get_type()
WindowsKernelIntermedSymbols.get_type_class()
WindowsKernelIntermedSymbols.make_subconfig()
WindowsKernelIntermedSymbols.metadata
WindowsKernelIntermedSymbols.natives
WindowsKernelIntermedSymbols.optional_set_type_class()
WindowsKernelIntermedSymbols.producer
WindowsKernelIntermedSymbols.set_type_class()
WindowsKernelIntermedSymbols.symbols
WindowsKernelIntermedSymbols.types
WindowsKernelIntermedSymbols.unsatisfied()
- Subpackages
- Submodules
Submodules
- volatility3.framework.symbols.intermed module
ISFormatTable
ISFormatTable.build_configuration()
ISFormatTable.clear_symbol_cache()
ISFormatTable.config
ISFormatTable.config_path
ISFormatTable.context
ISFormatTable.del_type_class()
ISFormatTable.enumerations
ISFormatTable.get_requirements()
ISFormatTable.get_symbol()
ISFormatTable.get_symbol_type()
ISFormatTable.get_symbols_by_location()
ISFormatTable.get_symbols_by_type()
ISFormatTable.get_type()
ISFormatTable.get_type_class()
ISFormatTable.make_subconfig()
ISFormatTable.metadata
ISFormatTable.natives
ISFormatTable.optional_set_type_class()
ISFormatTable.producer
ISFormatTable.set_type_class()
ISFormatTable.symbols
ISFormatTable.types
ISFormatTable.unsatisfied()
ISFormatTable.version
IntermediateSymbolTable
IntermediateSymbolTable.build_configuration()
IntermediateSymbolTable.clear_symbol_cache()
IntermediateSymbolTable.config
IntermediateSymbolTable.config_path
IntermediateSymbolTable.context
IntermediateSymbolTable.create()
IntermediateSymbolTable.del_type_class()
IntermediateSymbolTable.enumerations
IntermediateSymbolTable.file_symbol_url()
IntermediateSymbolTable.get_enumeration()
IntermediateSymbolTable.get_requirements()
IntermediateSymbolTable.get_symbol()
IntermediateSymbolTable.get_symbol_type()
IntermediateSymbolTable.get_symbols_by_location()
IntermediateSymbolTable.get_symbols_by_type()
IntermediateSymbolTable.get_type()
IntermediateSymbolTable.get_type_class()
IntermediateSymbolTable.make_subconfig()
IntermediateSymbolTable.metadata
IntermediateSymbolTable.natives
IntermediateSymbolTable.optional_set_type_class()
IntermediateSymbolTable.producer
IntermediateSymbolTable.set_type_class()
IntermediateSymbolTable.symbols
IntermediateSymbolTable.types
IntermediateSymbolTable.unsatisfied()
Version1Format
Version1Format.build_configuration()
Version1Format.clear_symbol_cache()
Version1Format.config
Version1Format.config_path
Version1Format.context
Version1Format.del_type_class()
Version1Format.enumerations
Version1Format.get_enumeration()
Version1Format.get_requirements()
Version1Format.get_symbol()
Version1Format.get_symbol_type()
Version1Format.get_symbols_by_location()
Version1Format.get_symbols_by_type()
Version1Format.get_type()
Version1Format.get_type_class()
Version1Format.make_subconfig()
Version1Format.metadata
Version1Format.natives
Version1Format.optional_set_type_class()
Version1Format.producer
Version1Format.set_type_class()
Version1Format.symbols
Version1Format.types
Version1Format.unsatisfied()
Version1Format.version
Version2Format
Version2Format.build_configuration()
Version2Format.clear_symbol_cache()
Version2Format.config
Version2Format.config_path
Version2Format.context
Version2Format.del_type_class()
Version2Format.enumerations
Version2Format.get_enumeration()
Version2Format.get_requirements()
Version2Format.get_symbol()
Version2Format.get_symbol_type()
Version2Format.get_symbols_by_location()
Version2Format.get_symbols_by_type()
Version2Format.get_type()
Version2Format.get_type_class()
Version2Format.make_subconfig()
Version2Format.metadata
Version2Format.natives
Version2Format.optional_set_type_class()
Version2Format.producer
Version2Format.set_type_class()
Version2Format.symbols
Version2Format.types
Version2Format.unsatisfied()
Version2Format.version
Version3Format
Version3Format.build_configuration()
Version3Format.clear_symbol_cache()
Version3Format.config
Version3Format.config_path
Version3Format.context
Version3Format.del_type_class()
Version3Format.enumerations
Version3Format.get_enumeration()
Version3Format.get_requirements()
Version3Format.get_symbol()
Version3Format.get_symbol_type()
Version3Format.get_symbols_by_location()
Version3Format.get_symbols_by_type()
Version3Format.get_type()
Version3Format.get_type_class()
Version3Format.make_subconfig()
Version3Format.metadata
Version3Format.natives
Version3Format.optional_set_type_class()
Version3Format.producer
Version3Format.set_type_class()
Version3Format.symbols
Version3Format.types
Version3Format.unsatisfied()
Version3Format.version
Version4Format
Version4Format.build_configuration()
Version4Format.clear_symbol_cache()
Version4Format.config
Version4Format.config_path
Version4Format.context
Version4Format.del_type_class()
Version4Format.enumerations
Version4Format.format_mapping
Version4Format.get_enumeration()
Version4Format.get_requirements()
Version4Format.get_symbol()
Version4Format.get_symbol_type()
Version4Format.get_symbols_by_location()
Version4Format.get_symbols_by_type()
Version4Format.get_type()
Version4Format.get_type_class()
Version4Format.make_subconfig()
Version4Format.metadata
Version4Format.natives
Version4Format.optional_set_type_class()
Version4Format.producer
Version4Format.set_type_class()
Version4Format.symbols
Version4Format.types
Version4Format.unsatisfied()
Version4Format.version
Version5Format
Version5Format.build_configuration()
Version5Format.clear_symbol_cache()
Version5Format.config
Version5Format.config_path
Version5Format.context
Version5Format.del_type_class()
Version5Format.enumerations
Version5Format.format_mapping
Version5Format.get_enumeration()
Version5Format.get_requirements()
Version5Format.get_symbol()
Version5Format.get_symbol_type()
Version5Format.get_symbols_by_location()
Version5Format.get_symbols_by_type()
Version5Format.get_type()
Version5Format.get_type_class()
Version5Format.make_subconfig()
Version5Format.metadata
Version5Format.natives
Version5Format.optional_set_type_class()
Version5Format.producer
Version5Format.set_type_class()
Version5Format.symbols
Version5Format.types
Version5Format.unsatisfied()
Version5Format.version
Version6Format
Version6Format.build_configuration()
Version6Format.clear_symbol_cache()
Version6Format.config
Version6Format.config_path
Version6Format.context
Version6Format.del_type_class()
Version6Format.enumerations
Version6Format.format_mapping
Version6Format.get_enumeration()
Version6Format.get_requirements()
Version6Format.get_symbol()
Version6Format.get_symbol_type()
Version6Format.get_symbols_by_location()
Version6Format.get_symbols_by_type()
Version6Format.get_type()
Version6Format.get_type_class()
Version6Format.make_subconfig()
Version6Format.metadata
Version6Format.natives
Version6Format.optional_set_type_class()
Version6Format.producer
Version6Format.set_type_class()
Version6Format.symbols
Version6Format.types
Version6Format.unsatisfied()
Version6Format.version
Version7Format
Version7Format.build_configuration()
Version7Format.clear_symbol_cache()
Version7Format.config
Version7Format.config_path
Version7Format.context
Version7Format.del_type_class()
Version7Format.enumerations
Version7Format.format_mapping
Version7Format.get_enumeration()
Version7Format.get_requirements()
Version7Format.get_symbol()
Version7Format.get_symbol_type()
Version7Format.get_symbols_by_location()
Version7Format.get_symbols_by_type()
Version7Format.get_type()
Version7Format.get_type_class()
Version7Format.make_subconfig()
Version7Format.metadata
Version7Format.natives
Version7Format.optional_set_type_class()
Version7Format.producer
Version7Format.set_type_class()
Version7Format.symbols
Version7Format.types
Version7Format.unsatisfied()
Version7Format.version
Version8Format
Version8Format.build_configuration()
Version8Format.clear_symbol_cache()
Version8Format.config
Version8Format.config_path
Version8Format.context
Version8Format.del_type_class()
Version8Format.enumerations
Version8Format.format_mapping
Version8Format.get_enumeration()
Version8Format.get_requirements()
Version8Format.get_symbol()
Version8Format.get_symbol_type()
Version8Format.get_symbols_by_location()
Version8Format.get_symbols_by_type()
Version8Format.get_type()
Version8Format.get_type_class()
Version8Format.make_subconfig()
Version8Format.metadata
Version8Format.natives
Version8Format.optional_set_type_class()
Version8Format.producer
Version8Format.set_type_class()
Version8Format.symbols
Version8Format.types
Version8Format.unsatisfied()
Version8Format.version
- volatility3.framework.symbols.metadata module
- volatility3.framework.symbols.native module
NativeTable
NativeTable.clear_symbol_cache()
NativeTable.del_type_class()
NativeTable.enumerations
NativeTable.get_enumeration()
NativeTable.get_symbol()
NativeTable.get_symbol_type()
NativeTable.get_symbols_by_location()
NativeTable.get_symbols_by_type()
NativeTable.get_type()
NativeTable.get_type_class()
NativeTable.natives
NativeTable.optional_set_type_class()
NativeTable.set_type_class()
NativeTable.symbols
NativeTable.types
- volatility3.framework.symbols.wrappers module