volatility3.framework.symbols.windows.versions module

class OsDistinguisher(version_check, fallback_checks)

Bases: object

Distinguishes a symbol table as being above a particular version or point.

This checks the version metadata first. If that metadata isn't available, each item in fallback_checks is tested in turn. If invert is specified, the result is true if the version is less than the one specified, or, in the fallback case, if any of the fallback checks succeeds.

A fallback check is made up of:
  • a symbol or type name

  • a member name (implying that the value before was a type name)

  • whether that symbol, type or member must be present or absent for the symbol table to be above the required point

Note

Specifying that a member must not be present also covers the case where the whole type is absent (i.e., either condition passes the test)

Parameters:
  • version_check (Callable[[Tuple[int, ...]], bool]) – Function that takes a 4-tuple version and returns whether the provided version is above a particular point

  • fallback_checks (List[Tuple[str, Optional[str], bool]]) – A list of symbols, types, or members of types, each paired with whether it must be present for the table to be above the required point

Returns:

A function that takes a context and a symbol table name and determines whether that symbol table passes the distinguishing checks
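The two-stage decision described above (version metadata first, fallback symbol/type/member checks only when metadata is missing, with an absent type counting as an absent member) is easy to get subtly wrong, so here is a self-contained model of it. This is an added example, not volatility3's own implementation: it replaces the framework's context and symbol space with a constructed `FakeSymbolTable`, and the type, member and symbol names (`_EXAMPLE_TYPE`, `NewMember`, `LegacyExampleSymbol`) are placeholders. It also assumes that every fallback check must agree for the non-inverted case, which the page implies but does not spell out.

```python
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


class FakeSymbolTable:
    """Constructed stand-in for a symbol table (assumption, not the framework's class).

    pe_version: the 4-tuple version metadata, or None when the metadata is missing.
    symbols:    names of symbols present in the table.
    types:      mapping of type name -> set of member names.
    """

    def __init__(
        self,
        pe_version: Optional[Tuple[int, ...]] = None,
        symbols: Iterable[str] = (),
        types: Optional[Dict[str, Iterable[str]]] = None,
    ) -> None:
        self.pe_version = pe_version
        self.symbols: Set[str] = set(symbols)
        self.types: Dict[str, Set[str]] = {
            name: set(members) for name, members in (types or {}).items()
        }


class OsDistinguisherModel:
    """Models the OsDistinguisher decision: version metadata first, fallbacks second."""

    def __init__(
        self,
        version_check: Callable[[Tuple[int, ...]], bool],
        fallback_checks: List[Tuple[str, Optional[str], bool]],
    ) -> None:
        self._version_check = version_check
        self._fallback_checks = fallback_checks

    def __call__(self, table: FakeSymbolTable) -> bool:
        # Stage 1: trust the version metadata whenever the table carries it.
        if table.pe_version is not None:
            return self._version_check(table.pe_version)

        # Stage 2: no metadata, so every fallback check must agree.
        for name, member, must_be_present in self._fallback_checks:
            if member is None:
                # Plain name: a symbol or a type of that name counts as "present".
                found = name in table.symbols or name in table.types
            else:
                # Member check: a missing type means the member is absent too
                # (this is the behaviour the Note above describes).
                found = member in table.types.get(name, set())
            if found != must_be_present:
                return False
        return True


# Constructed distinguisher: "above" means version 6.0 or later, and when no
# metadata exists, _EXAMPLE_TYPE must have NewMember and LegacyExampleSymbol
# must be gone. All names are placeholders.
is_newer_build = OsDistinguisherModel(
    version_check=lambda version: version[:2] >= (6, 0),
    fallback_checks=[
        ("_EXAMPLE_TYPE", "NewMember", True),
        ("LegacyExampleSymbol", None, False),
    ],
)


def classify(table: FakeSymbolTable) -> str:
    """Human-readable verdict, handy when stepping through the cases below."""
    return "newer" if is_newer_build(table) else "older"


if __name__ == "__main__":
    # Metadata present: the version check alone decides, fallbacks are ignored.
    print(classify(FakeSymbolTable(pe_version=(6, 1, 7601, 0))))  # newer
    print(classify(FakeSymbolTable(pe_version=(5, 1, 2600, 0))))  # older
    # Metadata missing: fall back to symbol/type/member evidence.
    print(classify(FakeSymbolTable(types={"_EXAMPLE_TYPE": ["NewMember"]})))  # newer
    print(classify(FakeSymbolTable(types={"_EXAMPLE_TYPE": ["OldMember"]})))  # older
    print(classify(FakeSymbolTable()))  # older: type absent => member absent
```

Worth noting when reading the real class: because the metadata path short-circuits, a table that carries a version never exercises the fallback list, so a mistake in the fallback tuples only shows up on tables without metadata.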