volatility3.framework.symbols.mac.extensions package
- class fileglob(context, type_name, object_info, size, members)[source]
Bases:
StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (
ContextInterface
) – The context associated with the objecttype_name (
str
) – The name of the type structure for the objectobject_info (
ObjectInformation
) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child elements within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits. :rtype:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class ifnet(context, type_name, object_info, size, members)[source]
Bases:
StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (
ContextInterface
) – The context associated with the objecttype_name (
str
) – The name of the type structure for the objectobject_info (
ObjectInformation
) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child elements within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits. :rtype:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class inpcb(context, type_name, object_info, size, members)[source]
Bases:
StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (
ContextInterface
) – The context associated with the objecttype_name (
str
) – The name of the type structure for the objectobject_info (
ObjectInformation
) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child elements within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits. :rtype:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class kauth_scope(context, type_name, object_info, size, members)[source]
Bases:
StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (
ContextInterface
) – The context associated with the objecttype_name (
str
) – The name of the type structure for the objectobject_info (
ObjectInformation
) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child elements within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits. :rtype:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class proc(context, type_name, object_info, size, members)[source]
Bases:
GenericIntelProcess
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (
ContextInterface
) – The context associated with the objecttype_name (
str
) – The name of the type structure for the objectobject_info (
ObjectInformation
) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child elements within the arguments handed to the template.
- Return type:
- add_process_layer(config_prefix=None, preferred_name=None)[source]
Constructs a new layer based on the process’s DTB.
Returns the name of the Layer or None.
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits. :rtype:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_process_memory_sections(context, config_prefix, rw_no_file=False)[source]
Returns a list of sections based on the memory manager’s view of this task’s virtual memory.
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class queue_entry(context, type_name, object_info, size, members)[source]
Bases:
StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (
ContextInterface
) – The context associated with the objecttype_name (
str
) – The name of the type structure for the objectobject_info (
ObjectInformation
) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child elements within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits. :rtype:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- walk_list(list_head, member_name, type_name, max_size=4096)[source]
Walks a queue in a smear-aware and smear-resistant manner
- smear is detected by:
the max_size parameter sets an upper bound
each seen entry is only allowed once
- attempts to work around smear:
the list is walked in both directions to help find as many elements as possible
- Parameters:
list (type_name - the type of each element in the) –
member (member_name - the name of the embedded list) –
list –
returned (max_size - the maximum amount of elements that will be) –
- Return type:
- Returns:
Each instance of the queue cast as “type_name” type
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class sockaddr(context, type_name, object_info, size, members)[source]
Bases:
StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (
ContextInterface
) – The context associated with the objecttype_name (
str
) – The name of the type structure for the objectobject_info (
ObjectInformation
) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child elements within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits. :rtype:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class sockaddr_dl(context, type_name, object_info, size, members)[source]
Bases:
StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (
ContextInterface
) – The context associated with the objecttype_name (
str
) – The name of the type structure for the objectobject_info (
ObjectInformation
) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child elements within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits. :rtype:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class socket(context, type_name, object_info, size, members)[source]
Bases:
StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (
ContextInterface
) – The context associated with the objecttype_name (
str
) – The name of the type structure for the objectobject_info (
ObjectInformation
) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child elements within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits. :rtype:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class sysctl_oid(context, type_name, object_info, size, members)[source]
Bases:
StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (
ContextInterface
) – The context associated with the objecttype_name (
str
) – The name of the type structure for the objectobject_info (
ObjectInformation
) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child elements within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits. :rtype:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_ctltype()[source]
Returns the type of the sysctl node
Args: None
- Returns:
CTLTYPE_NODE CTLTYPE_INT CTLTYPE_STRING CTLTYPE_QUAD CTLTYPE_OPAQUE an empty string for nodes not in the above types
- Return type:
One of
Based on sysctl_sysctl_debug_dump_node
- get_perms()[source]
Returns the actions allowed on the node
Args: None
- Returns:
R - readable W - writeable L - self handles locking
- Return type:
A combination of
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class vm_map_entry(context, type_name, object_info, size, members)[source]
Bases:
StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (
ContextInterface
) – The context associated with the objecttype_name (
str
) – The name of the type structure for the objectobject_info (
ObjectInformation
) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child elements within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits. :rtype:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- is_suspicious(context, config_prefix)[source]
Flags memory regions that are mapped rwx or that map an executable not back from a file on disk.
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class vm_map_object(context, type_name, object_info, size, members)[source]
Bases:
StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (
ContextInterface
) – The context associated with the objecttype_name (
str
) – The name of the type structure for the objectobject_info (
ObjectInformation
) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child elements within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits. :rtype:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.
- class vnode(context, type_name, object_info, size, members)[source]
Bases:
StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters:
context (
ContextInterface
) – The context associated with the objecttype_name (
str
) – The name of the type structure for the objectobject_info (
ObjectInformation
) – Basic information relevant to the object (layer, offset, member_name, parent, etc)
- class VolTemplateProxy
Bases:
VolTemplateProxy
- classmethod child_template(template, child)
Returns the template of a child to its parent.
- Return type:
- classmethod has_member(template, member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- classmethod relative_child_offset(template, child)
Returns the relative offset of a child to its parent.
- Return type:
- classmethod replace_child(template, old_child, new_child)
Replace a child elements within the arguments handed to the template.
- Return type:
- cast(new_type_name, **additional)
Returns a new object at the offset and from the layer that the current object inhabits. :rtype:
ObjectInterface
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- get_symbol_table_name()
Returns the symbol table name for this particular object.
- Raises:
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type:
- has_member(member_name)
Returns whether the object would contain a member called member_name.
- Return type:
- has_valid_member(member_name)
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)
Returns whether the object has all of the members listed in member_names
- property vol: ReadOnlyMapping
Returns the volatility specific object information.
- write(value)
Writes the new value into the format at the offset the object currently resides at.