volatility3.plugins package

Defines the plugin architecture.

This is the namespace for all volatility plugins, and determines the path for loading plugins

NOTE: This file is important for core plugins to run (which certain components such as the windows registry layers) are dependent upon, please DO NOT alter or remove this file unless you know the consequences of doing so.

The framework is configured this way to allow plugin developers/users to override any plugin functionality whether existing or new.

Subpackages

• volatility3.plugins.linux package
  • Subpackages
    • volatility3.plugins.linux.graphics package
      • Submodules
    • volatility3.plugins.linux.malware package
      • Submodules
    • volatility3.plugins.linux.tracing package
      • Submodules
  • Submodules
    • volatility3.plugins.linux.bash module
      • Bash
    • volatility3.plugins.linux.boottime module
      • Boottime
    • volatility3.plugins.linux.capabilities module
      • Capabilities
      • CapabilitiesData
      • TaskData
    • volatility3.plugins.linux.check_afinfo module
      • Check_afinfo
    • volatility3.plugins.linux.check_creds module
      • Check_creds
    • volatility3.plugins.linux.check_idt module
      • Check_idt
    • volatility3.plugins.linux.check_modules module
      • Check_modules
    • volatility3.plugins.linux.check_syscall module
      • Check_syscall
    • volatility3.plugins.linux.ebpf module
      • EBPF
    • volatility3.plugins.linux.elfs module
      • Elfs
    • volatility3.plugins.linux.envars module
      • Envars
    • volatility3.plugins.linux.hidden_modules module
      • Hidden_modules
    • volatility3.plugins.linux.iomem module
      • IOMem
    • volatility3.plugins.linux.ip module
      • Addr
      • Link
    • volatility3.plugins.linux.kallsyms module
      • Kallsyms
    • volatility3.plugins.linux.keyboard_notifiers module
      • Keyboard_notifiers
    • volatility3.plugins.linux.kmsg module
      • ABCKmsg
      • DescStateEnum
      • Kmsg
      • Kmsg_3_11_to_5_10
      • Kmsg_3_5_to_3_11
      • Kmsg_5_10_to_
      • Kmsg_pre_3_5
    • volatility3.plugins.linux.kthreads module
      • Kthreads
    • volatility3.plugins.linux.library_list module
      • LibraryList
    • volatility3.plugins.linux.lsmod module
      • Lsmod
    • volatility3.plugins.linux.lsof module
      • FDInternal
      • FDUser
      • Lsof
    • volatility3.plugins.linux.malfind module
      • Malfind
    • volatility3.plugins.linux.module_extract module
      • ModuleExtract
    • volatility3.plugins.linux.modxview module
      • Modxview
    • volatility3.plugins.linux.mountinfo module
      • MountInfo
      • MountInfoData
    • volatility3.plugins.linux.netfilter module
      • Netfilter
    • volatility3.plugins.linux.pagecache module
      • Files
      • InodeInternal
      • InodePages
      • InodeUser
      • RecoverFs
    • volatility3.plugins.linux.pidhashtable module
      • PIDHashTable
    • volatility3.plugins.linux.proc module
      • Maps
    • volatility3.plugins.linux.psaux module
      • PsAux
    • volatility3.plugins.linux.pscallstack module
      • PsCallStack
      • StackEntry
    • volatility3.plugins.linux.pslist module
      • PsList
      • TaskFields
    • volatility3.plugins.linux.psscan module
      • DescExitStateEnum
      • PsScan
    • volatility3.plugins.linux.pstree module
      • PsTree
    • volatility3.plugins.linux.ptrace module
      • Ptrace
    • volatility3.plugins.linux.sockscan module
      • Sockscan
    • volatility3.plugins.linux.sockstat module
      • SockHandlers
      • Sockstat
    • volatility3.plugins.linux.tty_check module
      • tty_check
    • volatility3.plugins.linux.vmaregexscan module
      • VmaRegExScan
    • volatility3.plugins.linux.vmayarascan module
      • VmaYaraScan
    • volatility3.plugins.linux.vmcoreinfo module
      • VMCoreInfo
• volatility3.plugins.mac package
  • Submodules
    • volatility3.plugins.mac.bash module
      • Bash
    • volatility3.plugins.mac.check_syscall module
      • Check_syscall
    • volatility3.plugins.mac.check_sysctl module
      • Check_sysctl
    • volatility3.plugins.mac.check_trap_table module
      • Check_trap_table
    • volatility3.plugins.mac.dmesg module
      • Dmesg
    • volatility3.plugins.mac.ifconfig module
      • Ifconfig
    • volatility3.plugins.mac.kauth_listeners module
      • Kauth_listeners
    • volatility3.plugins.mac.kauth_scopes module
      • Kauth_scopes
    • volatility3.plugins.mac.kevents module
      • Kevents
    • volatility3.plugins.mac.list_files module
      • List_Files
    • volatility3.plugins.mac.lsmod module
      • Lsmod
    • volatility3.plugins.mac.lsof module
      • Lsof
    • volatility3.plugins.mac.malfind module
      • Malfind
    • volatility3.plugins.mac.mount module
      • Mount
    • volatility3.plugins.mac.netstat module
      • Netstat
    • volatility3.plugins.mac.proc_maps module
      • Maps
    • volatility3.plugins.mac.psaux module
      • Psaux
    • volatility3.plugins.mac.pslist module
      • PsList
    • volatility3.plugins.mac.pstree module
      • PsTree
    • volatility3.plugins.mac.socket_filters module
      • Socket_filters
    • volatility3.plugins.mac.timers module
      • Timers
    • volatility3.plugins.mac.trustedbsd module
      • Trustedbsd
    • volatility3.plugins.mac.vfsevents module
      • VFSevents
• volatility3.plugins.windows package
  • Subpackages
    • volatility3.plugins.windows.malware package
      • Submodules
    • volatility3.plugins.windows.registry package
      • Submodules
  • Submodules
    • volatility3.plugins.windows.amcache module
      • Amcache
    • volatility3.plugins.windows.bigpools module
      • BigPools
    • volatility3.plugins.windows.cachedump module
      • Cachedump
    • volatility3.plugins.windows.callbacks module
      • Callbacks
    • volatility3.plugins.windows.cmdline module
      • CmdLine
    • volatility3.plugins.windows.cmdscan module
      • CmdScan
    • volatility3.plugins.windows.consoles module
      • Consoles
    • volatility3.plugins.windows.crashinfo module
      • Crashinfo
    • volatility3.plugins.windows.debugregisters module
      • DebugRegisters
    • volatility3.plugins.windows.deskscan module
      • DeskScan
    • volatility3.plugins.windows.desktops module
      • Desktops
    • volatility3.plugins.windows.devicetree module
      • DeviceTree
    • volatility3.plugins.windows.direct_system_calls module
      • DirectSystemCalls
      • syscall_finder_type
    • volatility3.plugins.windows.dlllist module
      • DllList
    • volatility3.plugins.windows.driverirp module
      • DriverIrp
    • volatility3.plugins.windows.drivermodule module
      • DriverModule
    • volatility3.plugins.windows.driverscan module
      • DriverScan
    • volatility3.plugins.windows.dumpfiles module
      • DumpFiles
    • volatility3.plugins.windows.envars module
      • Envars
    • volatility3.plugins.windows.etwpatch module
      • EtwPatch
    • volatility3.plugins.windows.filescan module
      • FileScan
    • volatility3.plugins.windows.getservicesids module
      • GetServiceSIDs
      • createservicesid()
    • volatility3.plugins.windows.getsids module
      • GetSIDs
      • find_sid_re()
    • volatility3.plugins.windows.handles module
      • Handles
    • volatility3.plugins.windows.hashdump module
      • Hashdump
    • volatility3.plugins.windows.hollowprocesses module
      • HollowProcesses
    • volatility3.plugins.windows.iat module
      • IAT
    • volatility3.plugins.windows.indirect_system_calls module
      • IndirectSystemCalls
    • volatility3.plugins.windows.info module
      • Info
    • volatility3.plugins.windows.joblinks module
      • JobLinks
    • volatility3.plugins.windows.kpcrs module
      • KPCRs
    • volatility3.plugins.windows.ldrmodules module
      • LdrModules
    • volatility3.plugins.windows.lsadump module
      • Lsadump
    • volatility3.plugins.windows.malfind module
      • Malfind
    • volatility3.plugins.windows.mbrscan module
      • MBRScan
    • volatility3.plugins.windows.memmap module
      • Memmap
    • volatility3.plugins.windows.mftscan module
      • ADS
      • MFTScan
      • ResidentData
    • volatility3.plugins.windows.modscan module
      • ModScan
    • volatility3.plugins.windows.modules module
      • Modules
    • volatility3.plugins.windows.mutantscan module
      • MutantScan
    • volatility3.plugins.windows.netscan module
      • NetScan
    • volatility3.plugins.windows.netstat module
      • NetStat
    • volatility3.plugins.windows.orphan_kernel_threads module
      • Threads
    • volatility3.plugins.windows.pe_symbols module
      • ExportSymbolFinder
      • PDBSymbolFinder
      • PESymbolFinder
      • PESymbols
    • volatility3.plugins.windows.pedump module
      • PEDump
    • volatility3.plugins.windows.poolscanner module
      • PoolConstraint
      • PoolHeaderScanner
      • PoolScanner
      • PoolType
    • volatility3.plugins.windows.privileges module
      • Privs
    • volatility3.plugins.windows.processghosting module
      • ProcessGhosting
    • volatility3.plugins.windows.pslist module
      • PsList
    • volatility3.plugins.windows.psscan module
      • PsScan
    • volatility3.plugins.windows.pstree module
      • PsTree
    • volatility3.plugins.windows.psxview module
      • PsXView
    • volatility3.plugins.windows.scheduled_tasks module
      • ScheduledTasks
    • volatility3.plugins.windows.sessions module
      • Sessions
    • volatility3.plugins.windows.shimcachemem module
      • ShimcacheMem
    • volatility3.plugins.windows.skeleton_key_check module
      • Skeleton_Key_Check
    • volatility3.plugins.windows.ssdt module
      • SSDT
    • volatility3.plugins.windows.strings module
      • Strings
    • volatility3.plugins.windows.suspended_threads module
      • SuspendedThreads
    • volatility3.plugins.windows.suspicious_threads module
      • SuspiciousThreads
    • volatility3.plugins.windows.svcdiff module
      • SvcDiff
    • volatility3.plugins.windows.svclist module
      • SvcList
    • volatility3.plugins.windows.svcscan module
      • ServiceBinaryInfo
      • SvcScan
    • volatility3.plugins.windows.symlinkscan module
      • SymlinkScan
    • volatility3.plugins.windows.thrdscan module
      • ThrdScan
    • volatility3.plugins.windows.threads module
      • Threads
    • volatility3.plugins.windows.timers module
      • Timers
    • volatility3.plugins.windows.truecrypt module
      • Passphrase
    • volatility3.plugins.windows.unhooked_system_calls module
      • unhooked_system_calls
    • volatility3.plugins.windows.unloadedmodules module
      • UnloadedModules
    • volatility3.plugins.windows.vadinfo module
      • VadInfo
    • volatility3.plugins.windows.vadregexscan module
      • VadRegExScan
    • volatility3.plugins.windows.vadwalk module
      • VadWalk
    • volatility3.plugins.windows.vadyarascan module
      • VadYaraScan
    • volatility3.plugins.windows.verinfo module
      • VerInfo
    • volatility3.plugins.windows.virtmap module
      • VirtMap
    • volatility3.plugins.windows.windows module
      • Windows
    • volatility3.plugins.windows.windowstations module
      • WindowStations

Submodules

• volatility3.plugins.banners module
  • Banners
    • Banners.build_configuration()
    • Banners.config
    • Banners.config_path
    • Banners.context
    • Banners.get_requirements()
    • Banners.locate_banners()
    • Banners.locate_windows_banners()
    • Banners.make_subconfig()
    • Banners.open
    • Banners.run()
    • Banners.set_open_method()
    • Banners.unsatisfied()
    • Banners.version
• volatility3.plugins.configwriter module
  • ConfigWriter
    • ConfigWriter.build_configuration()
    • ConfigWriter.config
    • ConfigWriter.config_path
    • ConfigWriter.context
    • ConfigWriter.get_requirements()
    • ConfigWriter.make_subconfig()
    • ConfigWriter.open
    • ConfigWriter.run()
    • ConfigWriter.set_open_method()
    • ConfigWriter.unsatisfied()
    • ConfigWriter.version
• volatility3.plugins.frameworkinfo module
  • FrameworkInfo
    • FrameworkInfo.build_configuration()
    • FrameworkInfo.config
    • FrameworkInfo.config_path
    • FrameworkInfo.context
    • FrameworkInfo.get_requirements()
    • FrameworkInfo.make_subconfig()
    • FrameworkInfo.open
    • FrameworkInfo.run()
    • FrameworkInfo.set_open_method()
    • FrameworkInfo.unsatisfied()
    • FrameworkInfo.version
• volatility3.plugins.isfinfo module
  • IsfInfo
    • IsfInfo.build_configuration()
    • IsfInfo.config
    • IsfInfo.config_path
    • IsfInfo.context
    • IsfInfo.get_requirements()
    • IsfInfo.list_all_isf_files()
    • IsfInfo.make_subconfig()
    • IsfInfo.open
    • IsfInfo.run()
    • IsfInfo.set_open_method()
    • IsfInfo.unsatisfied()
    • IsfInfo.version
• volatility3.plugins.layerwriter module
  • LayerWriter
    • LayerWriter.build_configuration()
    • LayerWriter.config
    • LayerWriter.config_path
    • LayerWriter.context
    • LayerWriter.default_block_size
    • LayerWriter.get_requirements()
    • LayerWriter.make_subconfig()
    • LayerWriter.open
    • LayerWriter.run()
    • LayerWriter.set_open_method()
    • LayerWriter.unsatisfied()
    • LayerWriter.version
    • LayerWriter.write_layer()
• volatility3.plugins.regexscan module
  • RegExScan
    • RegExScan.MAXSIZE_DEFAULT
    • RegExScan.build_configuration()
    • RegExScan.config
    • RegExScan.config_path
    • RegExScan.context
    • RegExScan.get_requirements()
    • RegExScan.make_subconfig()
    • RegExScan.open
    • RegExScan.run()
    • RegExScan.set_open_method()
    • RegExScan.unsatisfied()
    • RegExScan.version
• volatility3.plugins.timeliner module
  • TimeLinerInterface
    • TimeLinerInterface.generate_timeline()
    • TimeLinerInterface.version
  • TimeLinerType
    • TimeLinerType.ACCESSED
    • TimeLinerType.CHANGED
    • TimeLinerType.CREATED
    • TimeLinerType.MODIFIED
    • TimeLinerType.as_integer_ratio()
    • TimeLinerType.bit_count()
    • TimeLinerType.bit_length()
    • TimeLinerType.conjugate()
    • TimeLinerType.denominator
    • TimeLinerType.from_bytes()
    • TimeLinerType.imag
    • TimeLinerType.numerator
    • TimeLinerType.real
    • TimeLinerType.to_bytes()
  • Timeliner
    • Timeliner.build_configuration()
    • Timeliner.config
    • Timeliner.config_path
    • Timeliner.context
    • Timeliner.get_requirements()
    • Timeliner.get_usable_plugins()
    • Timeliner.make_subconfig()
    • Timeliner.open
    • Timeliner.run()
    • Timeliner.set_open_method()
    • Timeliner.unsatisfied()
    • Timeliner.version
• volatility3.plugins.vmscan module
  • PageStartScanner
    • PageStartScanner.context
    • PageStartScanner.layer_name
    • PageStartScanner.thread_safe
    • PageStartScanner.version
  • VMCSTest
    • VMCSTest.VMCS_ABORT_INVALID
    • VMCSTest.VMCS_CR3_IS_ZERO
    • VMCSTest.VMCS_GUEST_CR4_RESERVED
    • VMCSTest.VMCS_HOST_CR4_NO_VTX
    • VMCSTest.VMCS_LINK_PTR_IS_NOT_FS
    • VMCSTest.as_integer_ratio()
    • VMCSTest.bit_count()
    • VMCSTest.bit_length()
    • VMCSTest.conjugate()
    • VMCSTest.denominator
    • VMCSTest.from_bytes()
    • VMCSTest.imag
    • VMCSTest.numerator
    • VMCSTest.real
    • VMCSTest.to_bytes()
  • Vmscan
    • Vmscan.STRICTLY_REQUIRED_TESTS
    • Vmscan.build_configuration()
    • Vmscan.config
    • Vmscan.config_path
    • Vmscan.context
    • Vmscan.get_requirements()
    • Vmscan.make_subconfig()
    • Vmscan.open
    • Vmscan.run()
    • Vmscan.set_open_method()
    • Vmscan.unsatisfied()
    • Vmscan.version
• volatility3.plugins.yarascan module
  • YaraScan
    • YaraScan.build_configuration()
    • YaraScan.config
    • YaraScan.config_path
    • YaraScan.context
    • YaraScan.get_requirements()
    • YaraScan.get_yarascan_option_requirements()
    • YaraScan.make_subconfig()
    • YaraScan.open
    • YaraScan.process_yara_options()
    • YaraScan.run()
    • YaraScan.set_open_method()
    • YaraScan.unsatisfied()
    • YaraScan.version
    • YaraScan.yara_returns_instances()
  • YaraScanner
    • YaraScanner.context
    • YaraScanner.from_compiled_file()
    • YaraScanner.from_file()
    • YaraScanner.get_rule()
    • YaraScanner.layer_name
    • YaraScanner.thread_safe
    • YaraScanner.version