volatility3.framework.symbols.windows.extensions.pe module

class IMAGE_DOS_HEADER(context, type_name, object_info, size, members)

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replaces a child element within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If the new type name does not include a symbol table, the symbol table for the current object is used.

fix_image_base(raw_data, nt_header)

Fix the _OPTIONAL_HEADER.ImageBase value (an unsigned long for 32-bit PEs, an unsigned long long for 64-bit PEs) so that it matches the address at which the PE file was carved out of memory.

Parameters:
  • raw_data (bytes) – a bytes object of the PE’s data

  • nt_header (ObjectInterface) – <_IMAGE_NT_HEADERS> or <_IMAGE_NT_HEADERS64> instance

Return type:

bytes

Returns:

<bytes> patched with the correct address

get_nt_header()

Carve out the NT header from this DOS header. This reflects on the PE file’s Machine type to create a 32- or 64-bit NT header structure.

Return type:

ObjectInterface

Returns:

<_IMAGE_NT_HEADERS> or <_IMAGE_NT_HEADERS64> instance
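Added example, not volatility3's own code: a stand-alone rendition in plain Python of what get_nt_header() and fix_image_base() do together, choosing the 32- or 64-bit NT header variant from the Machine field and then patching ImageBase at the width that variant uses. The Magic cross-check, the function names and the sample header bytes are assumptions constructed for this example.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

def nt_header_layout(raw_data):
    """Return (nt_offset, is_64bit); like get_nt_header(), the Machine
    field selects the 32/64-bit variant. Cross-checking the optional
    header Magic is an added safeguard against inconsistent headers."""
    if raw_data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", raw_data, 0x3C)
    if raw_data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", raw_data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", raw_data, e_lfanew + 24)
    if machine == IMAGE_FILE_MACHINE_AMD64 and magic == 0x20B:
        return e_lfanew, True
    if machine == IMAGE_FILE_MACHINE_I386 and magic == 0x10B:
        return e_lfanew, False
    raise ValueError(f"inconsistent Machine {machine:#x} / Magic {magic:#x}")

def image_base_field(raw_data):
    """Return (struct format, file offset) of _OPTIONAL_HEADER.ImageBase."""
    nt_offset, is_64 = nt_header_layout(raw_data)
    opt = nt_offset + 24  # past the PE signature (4) and _IMAGE_FILE_HEADER (20)
    # PE32+ has an 8-byte ImageBase at +24; PE32 has BaseOfData there, so its 4-byte ImageBase is at +28.
    return ("<Q", opt + 24) if is_64 else ("<I", opt + 28)

def read_image_base(raw_data):
    fmt, off = image_base_field(raw_data)
    return struct.unpack_from(fmt, raw_data, off)[0]

def fix_image_base(raw_data, base_address):
    """Patch ImageBase to the address the PE was carved from; returns new bytes."""
    fmt, off = image_base_field(raw_data)
    patched = bytearray(raw_data)
    struct.pack_into(fmt, patched, off, base_address)
    return bytes(patched)

def build_sample_pe(is_64):
    """Constructed minimal DOS + NT header carrying a stale on-disk ImageBase."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    machine = IMAGE_FILE_MACHINE_AMD64 if is_64 else IMAGE_FILE_MACHINE_I386
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0 if is_64 else 0xE0, 0x22)
    opt = struct.pack("<HBBIIIII", 0x20B if is_64 else 0x10B, 14, 0, 0x1000, 0x1000, 0, 0x1000, 0x1000)
    opt += struct.pack("<Q", 0x140000000) if is_64 else struct.pack("<II", 0x2000, 0x400000)
    return dos + b"PE\x00\x00" + file_hdr + opt
```

A dump whose ImageBase still holds the on-disk preferred base will have its absolute addresses (relocated pointers, IAT entries) disagree with the header, which is why the patch is applied before the carved bytes are written out.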

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member whose accessibility is tested to determine whether it is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of member names whose validity is tested

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

reconstruct()

This method generates the content necessary to reconstruct a PE file from memory. It preserves slack space (similar to the old --memory option) and automatically fixes the ImageBase in the output PE file.

Return type:

Generator[Tuple[int, bytes], None, None]

Returns:

<tuple> of (<int> offset, <bytes> data)

replace_header_field(sect, header, item, value)

Replaces a member in an _IMAGE_SECTION_HEADER structure.

Parameters:
  • sect (ObjectInterface) – the section instance

  • header (bytes) – raw data for the section

  • item (ObjectInterface) – the member of the section to replace

  • value (int) – new value for the member

Return type:

bytes

Returns:

The raw data with the replaced header field

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class IMAGE_NT_HEADERS(context, type_name, object_info, size, members)

Bases: StructType

Constructs an Object adhering to the ObjectInterface.

Parameters:
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type:

Template

classmethod children(template)

Method to list children of a template.

Return type:

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type:

int

classmethod replace_child(template, old_child, new_child)

Replaces a child element within the arguments handed to the template.

Return type:

None

classmethod size(template)

Method to return the size of this type.

Return type:

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type:

ObjectInterface

Note

If the new type name does not include a symbol table, the symbol table for the current object is used.

get_sections()

Iterate through the section headers for this PE file.

Yields:

<_IMAGE_SECTION_HEADER> objects

Return type:

Generator[ObjectInterface, None, None]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises:
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type:

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type:

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters:

member_name (str) – Name of the member whose accessibility is tested to determine whether it is valid

Return type:

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters:

member_names (List[str]) – List of member names whose validity is tested

Return type:

bool

member(attr='member')

Specifically named method for retrieving members.

Return type:

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.