volatility3.framework.symbols.windows package
- class WindowsKernelIntermedSymbols(*args, **kwargs)
Bases: IntermediateSymbolTable
Instantiates a SymbolTable based on an IntermediateSymbolFormat JSON file. This is validated against the appropriate schema. The validation can be disabled by passing validate = False, but this should almost never be done.
- Parameters:
context – The volatility context for the symbol table
config_path – The configuration path for the symbol table
name – The name for the symbol table (this is used in symbols e.g. table!symbol )
isf_url – The URL pointing to the ISF file location
native_types – The NativeSymbolTable that contains the native types for this symbol table
table_mapping – A dictionary linking names referenced in the file with symbol tables in the context
validate – Determines whether the ISF file will be validated against the appropriate schema
class_types – A dictionary of type names and classes that override StructType when they are instantiated
symbol_mask – An address mask used for all returned symbol offsets from this table (a mask of 0 disables masking)
- build_configuration()
Constructs a HierarchicalDict of all the options required to build this component in the current context.
Ensures that if the class has been created, it can be recreated using the configuration built. Inheriting classes must override this to ensure any dependent classes update their configurations too.
- Return type:
HierarchicalDict
- clear_symbol_cache(*args, **kwargs)
Clears the symbol cache of this symbol table.
- property config: HierarchicalDict
The Hierarchical configuration Dictionary for this Configurable object.
- property context: ContextInterface
The context object that this configurable belongs to/configuration is stored in.
- classmethod create(context, config_path, sub_path, filename, native_types=None, table_mapping=None, class_types=None, symbol_mask=0)
Takes a context and loads an intermediate symbol table based on a filename.
- Parameters:
context (ContextInterface) – The context that the current plugin is being run within
config_path (str) – The configuration path for reading/storing configuration information this symbol table may use
sub_path (str) – The path under a suitable symbol path (defaults to volatility3/symbols and volatility3/framework/symbols) to check
filename (str) – Basename of the file to find under the sub_path
native_types (Optional[NativeTableInterface]) – Set of native types, defaults to native types read from the intermediate symbol format file
table_mapping (Optional[Dict[str, str]]) – A dictionary of table names mentioned within the ISF file, and the tables within the context which they map to
class_types – A dictionary of type names and classes that override StructType when they are instantiated
symbol_mask (int) – An address mask used for all returned symbol offsets from this table (a mask of 0 disables masking)
- Return type:
str
- Returns:
the name of the added symbol table
- del_type_class(*args, **kwargs)
Removes the associated class override for a specific Symbol type.
- property enumerations
Returns an iterator of the Enumeration names.
- classmethod file_symbol_url(sub_path, filename=None)
Returns an iterator of appropriate file-scheme symbol URLs that can be opened by a ResourceAccessor class.
The filename argument acts as a filter: when given, only URLs containing that string are returned.
- get_enumeration(*args, **kwargs)
- classmethod get_requirements()
Returns a list of RequirementInterface objects required by this object.
- Return type:
List[RequirementInterface]
- get_symbol(*args, **kwargs)
Resolves a symbol name into a symbol object.
If the symbol isn’t found, it raises a SymbolError exception
- get_symbol_type(name)
Resolves a symbol name into a symbol and then resolves the symbol’s type.
- get_symbols_by_location(offset, size=0)
Returns the name of all symbols in this table that live at a particular offset.
- get_symbols_by_type(type_name)
Returns the name of all symbols in this table that have type matching type_name.
- get_type(*args, **kwargs)
Resolves a symbol name into an object template.
If the symbol isn’t found, it raises a SymbolError exception
- get_type_class(*args, **kwargs)
Returns the class associated with a Symbol type.
- classmethod make_subconfig(context, base_config_path, **kwargs)
Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.
- Parameters:
context (ContextInterface) – The context in which to store the new configuration
base_config_path (str) – The base configuration path on which to build the new configuration
kwargs – Keyword arguments that are used to populate the new configuration path
- Returns:
The newly generated full configuration path
- Return type:
str
- property metadata
- property natives: NativeTableInterface
Returns None or a NativeTable for handling space specific native types.
- optional_set_type_class(name, clazz)
Calls the set_type_class function but does not throw an exception. Returns whether setting the type class was successful.
- Parameters:
name (str) – The name of the type to override the class for
clazz (Type[ObjectInterface]) – The actual class to override for the provided type name
- Return type:
bool
- property producer
- set_type_class(*args, **kwargs)
Overrides the object class for a specific Symbol type.
Name must be present in self.types
- Parameters:
name – The name of the type to override the class for
clazz – The actual class to override for the provided type name
- property symbols
Returns an iterator of the Symbol names.
- property types
Returns an iterator of the Symbol type names.
- classmethod unsatisfied(context, config_path)
Returns a list of the names of all unsatisfied requirements.
Since a satisfied set of requirements will return [], it can be used in tests as follows:
    unmet = configurable.unsatisfied(context, config_path)
    if unmet:
        raise RuntimeError("Unsatisfied requirements: {}".format(unmet))
- Return type:
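As an added example, not volatility3's own code and not its API: the operations documented above for the class (the validate and symbol_mask arguments), create(), get_symbol()/get_symbols_by_location()/get_symbols_by_type() and set_type_class()/optional_set_type_class(), written as a small stand-alone Python table over a constructed ISF-style JSON document, so that the effect of each option can be seen without a memory image. The ISF document, the sign-extended 32-bit addresses, the mask value 0xFFFFFFFF, the half-open range semantics assumed for get_symbols_by_location and the stand-in validation check are illustration assumptions; the real framework validates against its JSON schema and returns framework objects rather than these tuples.

```python
import json
from typing import Dict, Iterator, List, NamedTuple, Optional


class SymbolError(LookupError):
    """Stand-in for the framework's SymbolError: a name could not be resolved."""


class StructType:
    """Placeholder for the default object class that class_types overrides."""


Symbol = NamedTuple("Symbol", [("name", str), ("address", int), ("type", Optional[dict])])

# Constructed, minimal ISF-style document (assumption: not a real kernel's file).
# Addresses are sign-extended to 64 bits the way a 32-bit kernel's PDB reports
# them, which is the situation symbol_mask exists to handle.
ISF_DOC = {
    "metadata": {"format": "6.2.0", "producer": {"name": "example", "version": "0"}},
    "base_types": {
        "pointer": {"size": 4, "signed": False, "kind": "int", "endian": "little"},
    },
    "user_types": {
        "_LIST_ENTRY": {"kind": "struct", "size": 8, "fields": {
            "Flink": {"offset": 0, "type": {"kind": "pointer", "subtype": {"kind": "struct", "name": "_LIST_ENTRY"}}},
            "Blink": {"offset": 4, "type": {"kind": "pointer", "subtype": {"kind": "struct", "name": "_LIST_ENTRY"}}},
        }},
    },
    "enums": {},
    "symbols": {
        "PsActiveProcessHead": {"address": 0xFFFFFFFF804D7000, "type": {"kind": "struct", "name": "_LIST_ENTRY"}},
        "PsInitialSystemProcess": {"address": 0xFFFFFFFF804D7040, "type": {"kind": "base", "name": "pointer"}},
        "KiInitialPCR": {"address": 0xFFFFFFFF804D9000},
    },
}
ISF_JSON = json.dumps(ISF_DOC)  # the text an ISF .json file would hold


class IsfSymbolTable:
    """Toy table implementing the documented operations over one ISF document."""

    REQUIRED_SECTIONS = ("metadata", "base_types", "user_types", "enums", "symbols")

    def __init__(self, name: str, isf_text: str, symbol_mask: int = 0,
                 class_types: Optional[Dict[str, type]] = None, validate: bool = True):
        doc = json.loads(isf_text)
        if validate:  # stand-in for the schema check the page says should almost never be skipped
            missing = [s for s in self.REQUIRED_SECTIONS if s not in doc]
            if missing:
                raise ValueError(f"ISF document is missing sections: {missing}")
        self.name = name
        self.symbol_mask = symbol_mask
        self._types: Dict[str, dict] = {**doc.get("base_types", {}), **doc.get("user_types", {})}
        self._symbols: Dict[str, dict] = doc.get("symbols", {})
        self._class_overrides: Dict[str, type] = {}
        for type_name, clazz in (class_types or {}).items():
            self.set_type_class(type_name, clazz)

    @property
    def types(self) -> Iterator[str]:
        return iter(self._types)

    @property
    def symbols(self) -> Iterator[str]:
        return iter(self._symbols)

    def get_symbol(self, name: str) -> Symbol:
        if name not in self._symbols:
            raise SymbolError(f"{self.name}!{name}")  # table!symbol naming, as on the page
        entry = self._symbols[name]
        address = entry["address"]
        if self.symbol_mask:  # a mask of 0 disables masking
            address &= self.symbol_mask
        return Symbol(name, address, entry.get("type"))

    def get_symbols_by_location(self, offset: int, size: int = 0) -> List[str]:
        # Assumed semantics: size == 0 means exact match, otherwise [offset, offset + size).
        # Masked addresses are compared, so offset must be masked the same way.
        hits = []
        for name in self._symbols:
            address = self.get_symbol(name).address
            if (size == 0 and address == offset) or (size > 0 and offset <= address < offset + size):
                hits.append(name)
        return hits

    def get_symbols_by_type(self, type_name: str) -> List[str]:
        return [n for n, e in self._symbols.items() if (e.get("type") or {}).get("name") == type_name]

    def set_type_class(self, name: str, clazz: type) -> None:
        if name not in self._types:  # "Name must be present in self.types"
            raise ValueError(f"type {name!r} is not defined in table {self.name!r}")
        self._class_overrides[name] = clazz

    def optional_set_type_class(self, name: str, clazz: type) -> bool:
        try:
            self.set_type_class(name, clazz)
            return True
        except ValueError:
            return False

    def get_type_class(self, name: str) -> type:
        return self._class_overrides.get(name, StructType)
```

With symbol_mask=0xFFFFFFFF the sign-extended PsActiveProcessHead resolves to 0x804D7000; with the default mask of 0 the raw 64-bit value comes back unchanged, which is what "a mask of 0 disables masking" means in practice. Constructing the table with validate=False accepts a document that lacks every section except symbols, so a typo in a hand-edited ISF file surfaces later as a confusing SymbolError or empty result rather than as a validation error at load time; that is why the page says validation should almost never be disabled.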
Subpackages
- volatility3.framework.symbols.windows.extensions package
CONTROL_AREA
CONTROL_AREA.PAGE_MASK
CONTROL_AREA.PAGE_SIZE
CONTROL_AREA.VolTemplateProxy
CONTROL_AREA.cast()
CONTROL_AREA.get_available_pages()
CONTROL_AREA.get_pte()
CONTROL_AREA.get_subsection()
CONTROL_AREA.get_symbol_table_name()
CONTROL_AREA.has_member()
CONTROL_AREA.has_valid_member()
CONTROL_AREA.has_valid_members()
CONTROL_AREA.is_valid()
CONTROL_AREA.member()
CONTROL_AREA.vol
CONTROL_AREA.write()
DEVICE_OBJECT
DEVICE_OBJECT.VolTemplateProxy
DEVICE_OBJECT.cast()
DEVICE_OBJECT.get_attached_devices()
DEVICE_OBJECT.get_device_name()
DEVICE_OBJECT.get_object_header()
DEVICE_OBJECT.get_symbol_table_name()
DEVICE_OBJECT.has_member()
DEVICE_OBJECT.has_valid_member()
DEVICE_OBJECT.has_valid_members()
DEVICE_OBJECT.member()
DEVICE_OBJECT.vol
DEVICE_OBJECT.write()
DRIVER_OBJECT
DRIVER_OBJECT.VolTemplateProxy
DRIVER_OBJECT.cast()
DRIVER_OBJECT.get_devices()
DRIVER_OBJECT.get_driver_name()
DRIVER_OBJECT.get_object_header()
DRIVER_OBJECT.get_symbol_table_name()
DRIVER_OBJECT.has_member()
DRIVER_OBJECT.has_valid_member()
DRIVER_OBJECT.has_valid_members()
DRIVER_OBJECT.is_valid()
DRIVER_OBJECT.member()
DRIVER_OBJECT.vol
DRIVER_OBJECT.write()
EPROCESS
EPROCESS.VolTemplateProxy
EPROCESS.add_process_layer()
EPROCESS.cast()
EPROCESS.environment_variables()
EPROCESS.get_create_time()
EPROCESS.get_exit_time()
EPROCESS.get_handle_count()
EPROCESS.get_is_wow64()
EPROCESS.get_object_header()
EPROCESS.get_peb()
EPROCESS.get_session_id()
EPROCESS.get_symbol_table_name()
EPROCESS.get_vad_root()
EPROCESS.get_wow_64_process()
EPROCESS.has_member()
EPROCESS.has_valid_member()
EPROCESS.has_valid_members()
EPROCESS.init_order_modules()
EPROCESS.is_valid()
EPROCESS.load_order_modules()
EPROCESS.mem_order_modules()
EPROCESS.member()
EPROCESS.vol
EPROCESS.write()
ERESOURCE
ETHREAD
ETHREAD.VolTemplateProxy
ETHREAD.cast()
ETHREAD.get_create_time()
ETHREAD.get_cross_thread_flags()
ETHREAD.get_exit_time()
ETHREAD.get_object_header()
ETHREAD.get_symbol_table_name()
ETHREAD.has_member()
ETHREAD.has_valid_member()
ETHREAD.has_valid_members()
ETHREAD.is_valid()
ETHREAD.member()
ETHREAD.owning_process()
ETHREAD.vol
ETHREAD.write()
EX_FAST_REF
FILE_OBJECT
FILE_OBJECT.VolTemplateProxy
FILE_OBJECT.access_string()
FILE_OBJECT.cast()
FILE_OBJECT.file_name_with_device()
FILE_OBJECT.get_object_header()
FILE_OBJECT.get_symbol_table_name()
FILE_OBJECT.has_member()
FILE_OBJECT.has_valid_member()
FILE_OBJECT.has_valid_members()
FILE_OBJECT.is_valid()
FILE_OBJECT.member()
FILE_OBJECT.vol
FILE_OBJECT.write()
KMUTANT
KSYSTEM_TIME
KTHREAD
KTIMER
KTIMER.VALID_TYPES
KTIMER.VolTemplateProxy
KTIMER.cast()
KTIMER.get_dpc()
KTIMER.get_due_time()
KTIMER.get_raw_dpc()
KTIMER.get_signaled()
KTIMER.get_symbol_table_name()
KTIMER.has_member()
KTIMER.has_valid_member()
KTIMER.has_valid_members()
KTIMER.member()
KTIMER.valid_type()
KTIMER.vol
KTIMER.write()
LIST_ENTRY
MMVAD
MMVAD.Protection
MMVAD.VolTemplateProxy
MMVAD.cast()
MMVAD.get_commit_charge()
MMVAD.get_end()
MMVAD.get_file_name()
MMVAD.get_left_child()
MMVAD.get_parent()
MMVAD.get_private_memory()
MMVAD.get_protection()
MMVAD.get_right_child()
MMVAD.get_size()
MMVAD.get_start()
MMVAD.get_symbol_table_name()
MMVAD.get_tag()
MMVAD.has_member()
MMVAD.has_valid_member()
MMVAD.has_valid_members()
MMVAD.member()
MMVAD.traverse()
MMVAD.vol
MMVAD.write()
MMVAD_SHORT
MMVAD_SHORT.Protection
MMVAD_SHORT.VolTemplateProxy
MMVAD_SHORT.cast()
MMVAD_SHORT.get_commit_charge()
MMVAD_SHORT.get_end()
MMVAD_SHORT.get_file_name()
MMVAD_SHORT.get_left_child()
MMVAD_SHORT.get_parent()
MMVAD_SHORT.get_private_memory()
MMVAD_SHORT.get_protection()
MMVAD_SHORT.get_right_child()
MMVAD_SHORT.get_size()
MMVAD_SHORT.get_start()
MMVAD_SHORT.get_symbol_table_name()
MMVAD_SHORT.get_tag()
MMVAD_SHORT.has_member()
MMVAD_SHORT.has_valid_member()
MMVAD_SHORT.has_valid_members()
MMVAD_SHORT.member()
MMVAD_SHORT.traverse()
MMVAD_SHORT.vol
MMVAD_SHORT.write()
OBJECT_SYMBOLIC_LINK
OBJECT_SYMBOLIC_LINK.VolTemplateProxy
OBJECT_SYMBOLIC_LINK.VolTemplateProxy.child_template()
OBJECT_SYMBOLIC_LINK.VolTemplateProxy.children()
OBJECT_SYMBOLIC_LINK.VolTemplateProxy.has_member()
OBJECT_SYMBOLIC_LINK.VolTemplateProxy.relative_child_offset()
OBJECT_SYMBOLIC_LINK.VolTemplateProxy.replace_child()
OBJECT_SYMBOLIC_LINK.VolTemplateProxy.size()
OBJECT_SYMBOLIC_LINK.cast()
OBJECT_SYMBOLIC_LINK.get_create_time()
OBJECT_SYMBOLIC_LINK.get_link_name()
OBJECT_SYMBOLIC_LINK.get_object_header()
OBJECT_SYMBOLIC_LINK.get_symbol_table_name()
OBJECT_SYMBOLIC_LINK.has_member()
OBJECT_SYMBOLIC_LINK.has_valid_member()
OBJECT_SYMBOLIC_LINK.has_valid_members()
OBJECT_SYMBOLIC_LINK.is_valid()
OBJECT_SYMBOLIC_LINK.member()
OBJECT_SYMBOLIC_LINK.vol
OBJECT_SYMBOLIC_LINK.write()
SHARED_CACHE_MAP
SHARED_CACHE_MAP.VACB_ARRAY
SHARED_CACHE_MAP.VACB_BLOCK
SHARED_CACHE_MAP.VACB_LEVEL_SHIFT
SHARED_CACHE_MAP.VACB_OFFSET_SHIFT
SHARED_CACHE_MAP.VACB_SIZE_OF_FIRST_LEVEL
SHARED_CACHE_MAP.VolTemplateProxy
SHARED_CACHE_MAP.cast()
SHARED_CACHE_MAP.get_available_pages()
SHARED_CACHE_MAP.get_symbol_table_name()
SHARED_CACHE_MAP.has_member()
SHARED_CACHE_MAP.has_valid_member()
SHARED_CACHE_MAP.has_valid_members()
SHARED_CACHE_MAP.is_valid()
SHARED_CACHE_MAP.member()
SHARED_CACHE_MAP.process_index_array()
SHARED_CACHE_MAP.save_vacb()
SHARED_CACHE_MAP.vol
SHARED_CACHE_MAP.write()
TOKEN
UNICODE_STRING
UNICODE_STRING.String
UNICODE_STRING.VolTemplateProxy
UNICODE_STRING.cast()
UNICODE_STRING.get_string()
UNICODE_STRING.get_symbol_table_name()
UNICODE_STRING.has_member()
UNICODE_STRING.has_valid_member()
UNICODE_STRING.has_valid_members()
UNICODE_STRING.member()
UNICODE_STRING.vol
UNICODE_STRING.write()
VACB
- Submodules
- volatility3.framework.symbols.windows.extensions.callbacks module
- volatility3.framework.symbols.windows.extensions.crash module
- volatility3.framework.symbols.windows.extensions.kdbg module
- volatility3.framework.symbols.windows.extensions.mbr module
- volatility3.framework.symbols.windows.extensions.mft module
- volatility3.framework.symbols.windows.extensions.network module
- volatility3.framework.symbols.windows.extensions.pe module
- volatility3.framework.symbols.windows.extensions.pool module
- volatility3.framework.symbols.windows.extensions.registry module
- volatility3.framework.symbols.windows.extensions.services module
- volatility3.framework.symbols.windows.extensions.shimcache module
Submodules
- volatility3.framework.symbols.windows.pdbconv module
ForwardArrayCount
PdbReader
PdbReader.consume_padding()
PdbReader.consume_type()
PdbReader.context
PdbReader.convert_bytes_to_guid()
PdbReader.convert_fields()
PdbReader.determine_extended_value()
PdbReader.get_json()
PdbReader.get_size_from_index()
PdbReader.get_type_from_index()
PdbReader.load_pdb_layer()
PdbReader.name_strip()
PdbReader.omap_lookup()
PdbReader.parse_string()
PdbReader.pdb_layer_name
PdbReader.process_types()
PdbReader.read_dbi_stream()
PdbReader.read_ipi_stream()
PdbReader.read_necessary_streams()
PdbReader.read_pdb_info_stream()
PdbReader.read_symbol_stream()
PdbReader.read_tpi_stream()
PdbReader.replace_forward_references()
PdbReader.reset()
PdbReader.type_handlers
PdbRetreiver
- volatility3.framework.symbols.windows.pdbutil module
- volatility3.framework.symbols.windows.versions module