volatility3.framework.symbols.mac.extensions package

class fileglob(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_fg_type()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class ifnet(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

sockaddr_dl()[source]
property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class inpcb(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_ipv4_info()[source]
get_ipv6_info()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_tcp_state()[source]
has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class kauth_scope(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_listeners()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class proc(context, type_name, object_info, size, members)[source]

Bases: GenericIntelProcess

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

add_process_layer(config_prefix=None, preferred_name=None)[source]

Constructs a new layer based on the process’s DTB.

Returns the name of the Layer or None.

Return type:

Optional[str]

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_map_iter()[source]
Return type:

Iterable[ObjectInterface]

get_process_memory_sections(context, config_prefix, rw_no_file=False)[source]

Returns a list of sections based on the memory manager’s view of this task’s virtual memory.

Return type:

Generator[Tuple[int, int], None, None]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_task()[source]
has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class queue_entry(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

walk_list(list_head, member_name, type_name, max_size=4096)[source]

Walks a queue in a smear-aware and smear-resistant manner

smear is detected by:
  • the max_size parameter sets an upper bound

  • each seen entry is only allowed once

attempts to work around smear:
  • the list is walked in both directions to help find as many elements as possible

Parameters:
  • list (type_name - the type of each element in the) –

  • member (member_name - the name of the embedded list) –

  • list

  • returned (max_size - the maximum amount of elements that will be) –

Return type:

Iterable[ObjectInterface]

Returns:

Each instance of the queue cast as “type_name” type

write(value)

Writes the new value into the format at the offset the object currently resides at.

class sockaddr(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_address()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class sockaddr_dl(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class socket(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_connection_info()[source]
get_converted_connection_info()[source]
get_family()[source]
get_inpcb()[source]
get_protocol_as_string()[source]
get_state()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class sysctl_oid(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_ctltype()[source]

Returns the type of the sysctl node

Args: None

Returns:

CTLTYPE_NODE CTLTYPE_INT CTLTYPE_STRING CTLTYPE_QUAD CTLTYPE_OPAQUE an empty string for nodes not in the above types

Return type:

One of

Based on sysctl_sysctl_debug_dump_node

get_perms()[source]

Returns the actions allowed on the node

Args: None

Returns:

R - readable W - writeable L - self handles locking

Return type:

A combination of

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class vm_map_entry(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_object()[source]
get_offset()[source]
get_path(context, config_prefix)[source]
get_perms()[source]
get_range_alias()[source]
get_special_path()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

get_vnode(context, config_prefix)[source]
has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

is_suspicious(context, config_prefix)[source]

Flags memory regions that are mapped rwx or that map an executable not back from a file on disk.

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class vm_map_object(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_map_object()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class vnode(context, type_name, object_info, size, members)[source]

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits. :rtype: ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

full_path()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of names to test as to members with those names validity

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.