volatility3.plugins package

Defines the plugin architecture.

This is the namespace for all volatility plugins, and determines the path for loading plugins

NOTE: This file is important for core plugins to run (which certain components such as the windows registry layers) are dependent upon, please DO NOT alter or remove this file unless you know the consequences of doing so.

The framework is configured this way to allow plugin developers/users to override any plugin functionality whether existing or new.

Subpackages

• volatility3.plugins.linux package
  • Submodules
    • volatility3.plugins.linux.bash module
      • Bash
    • volatility3.plugins.linux.capabilities module
      • Capabilities
      • CapabilitiesData
      • TaskData
    • volatility3.plugins.linux.check_afinfo module
      • Check_afinfo
    • volatility3.plugins.linux.check_creds module
      • Check_creds
    • volatility3.plugins.linux.check_idt module
      • Check_idt
    • volatility3.plugins.linux.check_modules module
      • Check_modules
    • volatility3.plugins.linux.check_syscall module
      • Check_syscall
    • volatility3.plugins.linux.elfs module
      • Elfs
    • volatility3.plugins.linux.envars module
      • Envars
    • volatility3.plugins.linux.iomem module
      • IOMem
    • volatility3.plugins.linux.keyboard_notifiers module
      • Keyboard_notifiers
    • volatility3.plugins.linux.kmsg module
      • ABCKmsg
      • DescStateEnum
      • Kmsg
      • Kmsg_3_11_to_5_10
      • Kmsg_3_5_to_3_11
      • Kmsg_5_10_to_
      • Kmsg_pre_3_5
    • volatility3.plugins.linux.library_list module
      • LibraryList
    • volatility3.plugins.linux.lsmod module
      • Lsmod
    • volatility3.plugins.linux.lsof module
      • Lsof
    • volatility3.plugins.linux.malfind module
      • Malfind
    • volatility3.plugins.linux.mountinfo module
      • MountInfo
      • MountInfoData
    • volatility3.plugins.linux.netfilter module
      • AbstractNetfilter
      • AbstractNetfilterNetDev
      • Netfilter
      • NetfilterImp_4_14_to_4_16
      • NetfilterImp_4_16_to_latest
      • NetfilterImp_4_3_to_4_9
      • NetfilterImp_4_9_to_4_14
      • NetfilterImp_to_4_3
      • NetfilterNetDevImp_4_14_to_latest
      • NetfilterNetDevImp_4_2_to_4_9
      • NetfilterNetDevImp_4_9_to_4_14
      • Proto
    • volatility3.plugins.linux.proc module
      • Maps
    • volatility3.plugins.linux.psaux module
      • PsAux
    • volatility3.plugins.linux.pslist module
      • PsList
    • volatility3.plugins.linux.psscan module
      • DescExitStateEnum
      • PsScan
    • volatility3.plugins.linux.pstree module
      • PsTree
    • volatility3.plugins.linux.sockstat module
      • SockHandlers
      • Sockstat
    • volatility3.plugins.linux.tty_check module
      • tty_check
    • volatility3.plugins.linux.vmayarascan module
      • VmaYaraScan
• volatility3.plugins.mac package
  • Submodules
    • volatility3.plugins.mac.bash module
      • Bash
    • volatility3.plugins.mac.check_syscall module
      • Check_syscall
    • volatility3.plugins.mac.check_sysctl module
      • Check_sysctl
    • volatility3.plugins.mac.check_trap_table module
      • Check_trap_table
    • volatility3.plugins.mac.dmesg module
      • Dmesg
    • volatility3.plugins.mac.ifconfig module
      • Ifconfig
    • volatility3.plugins.mac.kauth_listeners module
      • Kauth_listeners
    • volatility3.plugins.mac.kauth_scopes module
      • Kauth_scopes
    • volatility3.plugins.mac.kevents module
      • Kevents
    • volatility3.plugins.mac.list_files module
      • List_Files
    • volatility3.plugins.mac.lsmod module
      • Lsmod
    • volatility3.plugins.mac.lsof module
      • Lsof
    • volatility3.plugins.mac.malfind module
      • Malfind
    • volatility3.plugins.mac.mount module
      • Mount
    • volatility3.plugins.mac.netstat module
      • Netstat
    • volatility3.plugins.mac.proc_maps module
      • Maps
    • volatility3.plugins.mac.psaux module
      • Psaux
    • volatility3.plugins.mac.pslist module
      • PsList
    • volatility3.plugins.mac.pstree module
      • PsTree
    • volatility3.plugins.mac.socket_filters module
      • Socket_filters
    • volatility3.plugins.mac.timers module
      • Timers
    • volatility3.plugins.mac.trustedbsd module
      • Trustedbsd
    • volatility3.plugins.mac.vfsevents module
      • VFSevents
• volatility3.plugins.windows package
  • Subpackages
    • volatility3.plugins.windows.registry package
      • Submodules
  • Submodules
    • volatility3.plugins.windows.bigpools module
      • BigPools
    • volatility3.plugins.windows.cachedump module
      • Cachedump
    • volatility3.plugins.windows.callbacks module
      • Callbacks
    • volatility3.plugins.windows.cmdline module
      • CmdLine
    • volatility3.plugins.windows.crashinfo module
      • Crashinfo
    • volatility3.plugins.windows.devicetree module
      • DeviceTree
    • volatility3.plugins.windows.dlllist module
      • DllList
    • volatility3.plugins.windows.driverirp module
      • DriverIrp
    • volatility3.plugins.windows.drivermodule module
      • DriverModule
    • volatility3.plugins.windows.driverscan module
      • DriverScan
    • volatility3.plugins.windows.dumpfiles module
      • DumpFiles
    • volatility3.plugins.windows.envars module
      • Envars
    • volatility3.plugins.windows.filescan module
      • FileScan
    • volatility3.plugins.windows.getservicesids module
      • GetServiceSIDs
      • createservicesid()
    • volatility3.plugins.windows.getsids module
      • GetSIDs
      • find_sid_re()
    • volatility3.plugins.windows.handles module
      • Handles
    • volatility3.plugins.windows.hashdump module
      • Hashdump
    • volatility3.plugins.windows.hollowprocesses module
      • DLLData
      • HollowProcesses
      • VadData
    • volatility3.plugins.windows.iat module
      • IAT
    • volatility3.plugins.windows.info module
      • Info
    • volatility3.plugins.windows.joblinks module
      • JobLinks
    • volatility3.plugins.windows.kpcrs module
      • KPCRs
    • volatility3.plugins.windows.ldrmodules module
      • LdrModules
    • volatility3.plugins.windows.lsadump module
      • Lsadump
    • volatility3.plugins.windows.malfind module
      • Malfind
    • volatility3.plugins.windows.mbrscan module
      • MBRScan
    • volatility3.plugins.windows.memmap module
      • Memmap
    • volatility3.plugins.windows.mftscan module
      • ADS
      • MFTScan
    • volatility3.plugins.windows.modscan module
      • ModScan
    • volatility3.plugins.windows.modules module
      • Modules
    • volatility3.plugins.windows.mutantscan module
      • MutantScan
    • volatility3.plugins.windows.netscan module
      • NetScan
    • volatility3.plugins.windows.netstat module
      • NetStat
    • volatility3.plugins.windows.pedump module
      • PEDump
    • volatility3.plugins.windows.poolscanner module
      • PoolConstraint
      • PoolHeaderScanner
      • PoolScanner
      • PoolType
    • volatility3.plugins.windows.privileges module
      • Privs
    • volatility3.plugins.windows.processghosting module
      • ProcessGhosting
    • volatility3.plugins.windows.pslist module
      • PsList
    • volatility3.plugins.windows.psscan module
      • PsScan
    • volatility3.plugins.windows.pstree module
      • PsTree
    • volatility3.plugins.windows.psxview module
      • PsXView
    • volatility3.plugins.windows.sessions module
      • Sessions
    • volatility3.plugins.windows.shimcachemem module
      • ShimcacheMem
    • volatility3.plugins.windows.skeleton_key_check module
      • Skeleton_Key_Check
    • volatility3.plugins.windows.ssdt module
      • SSDT
    • volatility3.plugins.windows.strings module
      • Strings
    • volatility3.plugins.windows.suspicious_threads module
      • SupsiciousThreads
    • volatility3.plugins.windows.svcdiff module
      • SvcDiff
    • volatility3.plugins.windows.svclist module
      • SvcList
    • volatility3.plugins.windows.svcscan module
      • ServiceBinaryInfo
      • SvcScan
    • volatility3.plugins.windows.symlinkscan module
      • SymlinkScan
    • volatility3.plugins.windows.thrdscan module
      • ThrdScan
    • volatility3.plugins.windows.threads module
      • Threads
    • volatility3.plugins.windows.timers module
      • Timers
    • volatility3.plugins.windows.truecrypt module
      • Passphrase
    • volatility3.plugins.windows.unloadedmodules module
      • UnloadedModules
    • volatility3.plugins.windows.vadinfo module
      • VadInfo
    • volatility3.plugins.windows.vadwalk module
      • VadWalk
    • volatility3.plugins.windows.vadyarascan module
      • VadYaraScan
    • volatility3.plugins.windows.verinfo module
      • VerInfo
    • volatility3.plugins.windows.virtmap module
      • VirtMap

Submodules

• volatility3.plugins.banners module
  • Banners
    • Banners.build_configuration()
    • Banners.config
    • Banners.config_path
    • Banners.context
    • Banners.get_requirements()
    • Banners.locate_banners()
    • Banners.make_subconfig()
    • Banners.open
    • Banners.run()
    • Banners.set_open_method()
    • Banners.unsatisfied()
    • Banners.version
• volatility3.plugins.configwriter module
  • ConfigWriter
    • ConfigWriter.build_configuration()
    • ConfigWriter.config
    • ConfigWriter.config_path
    • ConfigWriter.context
    • ConfigWriter.get_requirements()
    • ConfigWriter.make_subconfig()
    • ConfigWriter.open
    • ConfigWriter.run()
    • ConfigWriter.set_open_method()
    • ConfigWriter.unsatisfied()
    • ConfigWriter.version
• volatility3.plugins.frameworkinfo module
  • FrameworkInfo
    • FrameworkInfo.build_configuration()
    • FrameworkInfo.config
    • FrameworkInfo.config_path
    • FrameworkInfo.context
    • FrameworkInfo.get_requirements()
    • FrameworkInfo.make_subconfig()
    • FrameworkInfo.open
    • FrameworkInfo.run()
    • FrameworkInfo.set_open_method()
    • FrameworkInfo.unsatisfied()
    • FrameworkInfo.version
• volatility3.plugins.isfinfo module
  • IsfInfo
    • IsfInfo.build_configuration()
    • IsfInfo.config
    • IsfInfo.config_path
    • IsfInfo.context
    • IsfInfo.get_requirements()
    • IsfInfo.list_all_isf_files()
    • IsfInfo.make_subconfig()
    • IsfInfo.open
    • IsfInfo.run()
    • IsfInfo.set_open_method()
    • IsfInfo.unsatisfied()
    • IsfInfo.version
• volatility3.plugins.layerwriter module
  • LayerWriter
    • LayerWriter.build_configuration()
    • LayerWriter.config
    • LayerWriter.config_path
    • LayerWriter.context
    • LayerWriter.default_block_size
    • LayerWriter.get_requirements()
    • LayerWriter.make_subconfig()
    • LayerWriter.open
    • LayerWriter.run()
    • LayerWriter.set_open_method()
    • LayerWriter.unsatisfied()
    • LayerWriter.version
    • LayerWriter.write_layer()
• volatility3.plugins.timeliner module
  • TimeLinerInterface
    • TimeLinerInterface.generate_timeline()
  • TimeLinerType
    • TimeLinerType.ACCESSED
    • TimeLinerType.CHANGED
    • TimeLinerType.CREATED
    • TimeLinerType.MODIFIED
    • TimeLinerType.as_integer_ratio()
    • TimeLinerType.bit_count()
    • TimeLinerType.bit_length()
    • TimeLinerType.conjugate()
    • TimeLinerType.denominator
    • TimeLinerType.from_bytes()
    • TimeLinerType.imag
    • TimeLinerType.numerator
    • TimeLinerType.real
    • TimeLinerType.to_bytes()
  • Timeliner
    • Timeliner.build_configuration()
    • Timeliner.config
    • Timeliner.config_path
    • Timeliner.context
    • Timeliner.get_requirements()
    • Timeliner.get_usable_plugins()
    • Timeliner.make_subconfig()
    • Timeliner.open
    • Timeliner.run()
    • Timeliner.set_open_method()
    • Timeliner.unsatisfied()
    • Timeliner.version
• volatility3.plugins.vmscan module
  • PageStartScanner
    • PageStartScanner.context
    • PageStartScanner.layer_name
    • PageStartScanner.thread_safe
    • PageStartScanner.version
  • VMCSTest
    • VMCSTest.VMCS_ABORT_INVALID
    • VMCSTest.VMCS_CR3_IS_ZERO
    • VMCSTest.VMCS_GUEST_CR4_RESERVED
    • VMCSTest.VMCS_HOST_CR4_NO_VTX
    • VMCSTest.VMCS_LINK_PTR_IS_NOT_FS
    • VMCSTest.as_integer_ratio()
    • VMCSTest.bit_count()
    • VMCSTest.bit_length()
    • VMCSTest.conjugate()
    • VMCSTest.denominator
    • VMCSTest.from_bytes()
    • VMCSTest.imag
    • VMCSTest.numerator
    • VMCSTest.real
    • VMCSTest.to_bytes()
  • Vmscan
    • Vmscan.STRICTLY_REQUIRED_TESTS
    • Vmscan.build_configuration()
    • Vmscan.config
    • Vmscan.config_path
    • Vmscan.context
    • Vmscan.get_requirements()
    • Vmscan.make_subconfig()
    • Vmscan.open
    • Vmscan.run()
    • Vmscan.set_open_method()
    • Vmscan.unsatisfied()
    • Vmscan.version
• volatility3.plugins.yarascan module
  • YaraScan
    • YaraScan.build_configuration()
    • YaraScan.config
    • YaraScan.config_path
    • YaraScan.context
    • YaraScan.get_requirements()
    • YaraScan.get_yarascan_option_requirements()
    • YaraScan.make_subconfig()
    • YaraScan.open
    • YaraScan.process_yara_options()
    • YaraScan.run()
    • YaraScan.set_open_method()
    • YaraScan.unsatisfied()
    • YaraScan.version
    • YaraScan.yara_returns_instances()
  • YaraScanner
    • YaraScanner.context
    • YaraScanner.layer_name
    • YaraScanner.thread_safe
    • YaraScanner.version