volatility3.plugins.windows package
All Windows OS plugins.
NOTE: This file is important for core plugins to run (certain components, such as the Windows registry layers, are dependent upon them); please DO NOT alter or remove this file unless you know the consequences of doing so.
The framework is configured this way to allow plugin developers and users to override any plugin functionality, whether existing or new.
When overriding the plugins directory, you must include a file like this in any subdirectories that may be necessary.
Subpackages
- volatility3.plugins.windows.registry package
Submodules
- volatility3.plugins.windows.bigpools module
- volatility3.plugins.windows.cachedump module
Cachedump
Cachedump.build_configuration()
Cachedump.config
Cachedump.config_path
Cachedump.context
Cachedump.decrypt_hash()
Cachedump.get_nlkm()
Cachedump.get_requirements()
Cachedump.make_subconfig()
Cachedump.open
Cachedump.parse_cache_entry()
Cachedump.parse_decrypted_cache()
Cachedump.run()
Cachedump.set_open_method()
Cachedump.unsatisfied()
Cachedump.version
- volatility3.plugins.windows.callbacks module
Callbacks
Callbacks.build_configuration()
Callbacks.config
Callbacks.config_path
Callbacks.context
Callbacks.create_callback_scan_constraints()
Callbacks.create_callback_symbol_table()
Callbacks.get_requirements()
Callbacks.list_bugcheck_callbacks()
Callbacks.list_bugcheck_reason_callbacks()
Callbacks.list_notify_routines()
Callbacks.list_registry_callbacks()
Callbacks.make_subconfig()
Callbacks.open
Callbacks.run()
Callbacks.scan()
Callbacks.set_open_method()
Callbacks.unsatisfied()
Callbacks.version
- volatility3.plugins.windows.cmdline module
- volatility3.plugins.windows.crashinfo module
- volatility3.plugins.windows.devicetree module
- volatility3.plugins.windows.dlllist module
- volatility3.plugins.windows.driverirp module
- volatility3.plugins.windows.drivermodule module
- volatility3.plugins.windows.driverscan module
DriverScan
DriverScan.build_configuration()
DriverScan.config
DriverScan.config_path
DriverScan.context
DriverScan.get_names_for_driver()
DriverScan.get_requirements()
DriverScan.make_subconfig()
DriverScan.open
DriverScan.run()
DriverScan.scan_drivers()
DriverScan.set_open_method()
DriverScan.unsatisfied()
DriverScan.version
- volatility3.plugins.windows.dumpfiles module
DumpFiles
DumpFiles.build_configuration()
DumpFiles.config
DumpFiles.config_path
DumpFiles.context
DumpFiles.dump_file_producer()
DumpFiles.get_requirements()
DumpFiles.make_subconfig()
DumpFiles.open
DumpFiles.process_file_object()
DumpFiles.run()
DumpFiles.set_open_method()
DumpFiles.unsatisfied()
DumpFiles.version
- volatility3.plugins.windows.envars module
- volatility3.plugins.windows.filescan module
- volatility3.plugins.windows.getservicesids module
GetServiceSIDs
GetServiceSIDs.build_configuration()
GetServiceSIDs.config
GetServiceSIDs.config_path
GetServiceSIDs.context
GetServiceSIDs.get_requirements()
GetServiceSIDs.make_subconfig()
GetServiceSIDs.open
GetServiceSIDs.run()
GetServiceSIDs.set_open_method()
GetServiceSIDs.unsatisfied()
GetServiceSIDs.version
createservicesid()
- volatility3.plugins.windows.getsids module
- volatility3.plugins.windows.handles module
Handles
Handles.build_configuration()
Handles.config
Handles.config_path
Handles.context
Handles.find_cookie()
Handles.find_sar_value()
Handles.get_requirements()
Handles.get_type_map()
Handles.handles()
Handles.make_subconfig()
Handles.open
Handles.run()
Handles.set_open_method()
Handles.unsatisfied()
Handles.version
- volatility3.plugins.windows.hashdump module
Hashdump
Hashdump.almpassword
Hashdump.antpassword
Hashdump.anum
Hashdump.aqwerty
Hashdump.bootkey_perm_table
Hashdump.build_configuration()
Hashdump.config
Hashdump.config_path
Hashdump.context
Hashdump.decrypt_single_hash()
Hashdump.decrypt_single_salted_hash()
Hashdump.empty_lm
Hashdump.empty_nt
Hashdump.get_bootkey()
Hashdump.get_hbootkey()
Hashdump.get_hive_key()
Hashdump.get_requirements()
Hashdump.get_user_hashes()
Hashdump.get_user_keys()
Hashdump.get_user_name()
Hashdump.lmkey
Hashdump.make_subconfig()
Hashdump.odd_parity
Hashdump.open
Hashdump.run()
Hashdump.set_open_method()
Hashdump.sid_to_key()
Hashdump.sidbytes_to_key()
Hashdump.unsatisfied()
Hashdump.version
- volatility3.plugins.windows.hollowprocesses module
DLLData
HollowProcesses
HollowProcesses.build_configuration()
HollowProcesses.config
HollowProcesses.config_path
HollowProcesses.context
HollowProcesses.get_requirements()
HollowProcesses.make_subconfig()
HollowProcesses.open
HollowProcesses.run()
HollowProcesses.set_open_method()
HollowProcesses.unsatisfied()
HollowProcesses.version
VadData
- volatility3.plugins.windows.iat module
- volatility3.plugins.windows.info module
Info
Info.build_configuration()
Info.config
Info.config_path
Info.context
Info.get_depends()
Info.get_kdbg_structure()
Info.get_kernel_module()
Info.get_kuser_structure()
Info.get_ntheader_structure()
Info.get_requirements()
Info.get_version_structure()
Info.make_subconfig()
Info.open
Info.run()
Info.set_open_method()
Info.unsatisfied()
Info.version
- volatility3.plugins.windows.joblinks module
- volatility3.plugins.windows.kpcrs module
- volatility3.plugins.windows.ldrmodules module
- volatility3.plugins.windows.lsadump module
Lsadump
Lsadump.build_configuration()
Lsadump.config
Lsadump.config_path
Lsadump.context
Lsadump.decrypt_aes()
Lsadump.decrypt_secret()
Lsadump.get_lsa_key()
Lsadump.get_requirements()
Lsadump.get_secret_by_name()
Lsadump.make_subconfig()
Lsadump.open
Lsadump.run()
Lsadump.set_open_method()
Lsadump.unsatisfied()
Lsadump.version
- volatility3.plugins.windows.malfind module
- volatility3.plugins.windows.mbrscan module
- volatility3.plugins.windows.memmap module
- volatility3.plugins.windows.mftscan module
- volatility3.plugins.windows.modscan module
ModScan
ModScan.build_configuration()
ModScan.config
ModScan.config_path
ModScan.context
ModScan.dump_module()
ModScan.find_session_layer()
ModScan.get_requirements()
ModScan.get_session_layers()
ModScan.list_modules()
ModScan.make_subconfig()
ModScan.open
ModScan.run()
ModScan.scan_modules()
ModScan.set_open_method()
ModScan.unsatisfied()
ModScan.version
- volatility3.plugins.windows.modules module
Modules
Modules.build_configuration()
Modules.config
Modules.config_path
Modules.context
Modules.dump_module()
Modules.find_session_layer()
Modules.get_requirements()
Modules.get_session_layers()
Modules.list_modules()
Modules.make_subconfig()
Modules.open
Modules.run()
Modules.set_open_method()
Modules.unsatisfied()
Modules.version
- volatility3.plugins.windows.mutantscan module
- volatility3.plugins.windows.netscan module
NetScan
NetScan.build_configuration()
NetScan.config
NetScan.config_path
NetScan.context
NetScan.create_netscan_constraints()
NetScan.create_netscan_symbol_table()
NetScan.determine_tcpip_version()
NetScan.generate_timeline()
NetScan.get_requirements()
NetScan.make_subconfig()
NetScan.open
NetScan.run()
NetScan.scan()
NetScan.set_open_method()
NetScan.unsatisfied()
NetScan.version
- volatility3.plugins.windows.netstat module
NetStat
NetStat.build_configuration()
NetStat.config
NetStat.config_path
NetStat.context
NetStat.create_tcpip_symbol_table()
NetStat.enumerate_structures_by_port()
NetStat.find_port_pools()
NetStat.generate_timeline()
NetStat.get_requirements()
NetStat.get_tcpip_module()
NetStat.list_sockets()
NetStat.make_subconfig()
NetStat.open
NetStat.parse_bitmap()
NetStat.parse_hashtable()
NetStat.parse_partitions()
NetStat.read_pointer()
NetStat.run()
NetStat.set_open_method()
NetStat.unsatisfied()
NetStat.version
- volatility3.plugins.windows.pedump module
PEDump
PEDump.build_configuration()
PEDump.config
PEDump.config_path
PEDump.context
PEDump.dump_kernel_pe_at_base()
PEDump.dump_ldr_entry()
PEDump.dump_pe()
PEDump.dump_pe_at_base()
PEDump.dump_processes()
PEDump.get_requirements()
PEDump.make_subconfig()
PEDump.open
PEDump.run()
PEDump.set_open_method()
PEDump.unsatisfied()
PEDump.version
- volatility3.plugins.windows.poolscanner module
PoolConstraint
PoolHeaderScanner
PoolScanner
PoolScanner.build_configuration()
PoolScanner.builtin_constraints()
PoolScanner.config
PoolScanner.config_path
PoolScanner.context
PoolScanner.generate_pool_scan()
PoolScanner.get_pool_header_table()
PoolScanner.get_requirements()
PoolScanner.make_subconfig()
PoolScanner.open
PoolScanner.pool_scan()
PoolScanner.run()
PoolScanner.set_open_method()
PoolScanner.unsatisfied()
PoolScanner.version
PoolType
- volatility3.plugins.windows.privileges module
- volatility3.plugins.windows.processghosting module
ProcessGhosting
ProcessGhosting.build_configuration()
ProcessGhosting.config
ProcessGhosting.config_path
ProcessGhosting.context
ProcessGhosting.get_requirements()
ProcessGhosting.make_subconfig()
ProcessGhosting.open
ProcessGhosting.run()
ProcessGhosting.set_open_method()
ProcessGhosting.unsatisfied()
ProcessGhosting.version
- volatility3.plugins.windows.pslist module
PsList
PsList.PHYSICAL_DEFAULT
PsList.build_configuration()
PsList.config
PsList.config_path
PsList.context
PsList.create_active_process_filter()
PsList.create_name_filter()
PsList.create_pid_filter()
PsList.generate_timeline()
PsList.get_requirements()
PsList.list_processes()
PsList.make_subconfig()
PsList.open
PsList.process_dump()
PsList.run()
PsList.set_open_method()
PsList.unsatisfied()
PsList.version
- volatility3.plugins.windows.psscan module
PsScan
PsScan.build_configuration()
PsScan.config
PsScan.config_path
PsScan.context
PsScan.create_offset_filter()
PsScan.generate_timeline()
PsScan.get_osversion()
PsScan.get_requirements()
PsScan.make_subconfig()
PsScan.open
PsScan.physical_offset_from_virtual()
PsScan.run()
PsScan.scan_processes()
PsScan.set_open_method()
PsScan.unsatisfied()
PsScan.version
PsScan.virtual_process_from_physical()
- volatility3.plugins.windows.pstree module
- volatility3.plugins.windows.psxview module
- volatility3.plugins.windows.sessions module
- volatility3.plugins.windows.shimcachemem module
ShimcacheMem
ShimcacheMem.NT_KRNL_MODS
ShimcacheMem.build_configuration()
ShimcacheMem.config
ShimcacheMem.config_path
ShimcacheMem.context
ShimcacheMem.create_shimcache_table()
ShimcacheMem.find_shimcache_win_2k3_to_7()
ShimcacheMem.find_shimcache_win_8_or_later()
ShimcacheMem.find_shimcache_win_xp()
ShimcacheMem.generate_timeline()
ShimcacheMem.get_module_section_range()
ShimcacheMem.get_requirements()
ShimcacheMem.make_subconfig()
ShimcacheMem.open
ShimcacheMem.run()
ShimcacheMem.set_open_method()
ShimcacheMem.try_get_shim_head_at_offset()
ShimcacheMem.unsatisfied()
ShimcacheMem.version
- volatility3.plugins.windows.skeleton_key_check module
Skeleton_Key_Check
Skeleton_Key_Check.build_configuration()
Skeleton_Key_Check.config
Skeleton_Key_Check.config_path
Skeleton_Key_Check.context
Skeleton_Key_Check.get_requirements()
Skeleton_Key_Check.make_subconfig()
Skeleton_Key_Check.open
Skeleton_Key_Check.run()
Skeleton_Key_Check.set_open_method()
Skeleton_Key_Check.unsatisfied()
Skeleton_Key_Check.version
- volatility3.plugins.windows.ssdt module
- volatility3.plugins.windows.strings module
- volatility3.plugins.windows.suspicious_threads module
SupsiciousThreads
SupsiciousThreads.build_configuration()
SupsiciousThreads.config
SupsiciousThreads.config_path
SupsiciousThreads.context
SupsiciousThreads.get_requirements()
SupsiciousThreads.make_subconfig()
SupsiciousThreads.open
SupsiciousThreads.run()
SupsiciousThreads.set_open_method()
SupsiciousThreads.unsatisfied()
SupsiciousThreads.version
- volatility3.plugins.windows.svcdiff module
SvcDiff
SvcDiff.build_configuration()
SvcDiff.config
SvcDiff.config_path
SvcDiff.context
SvcDiff.enumerate_vista_or_later_header()
SvcDiff.get_prereq_info()
SvcDiff.get_record_tuple()
SvcDiff.get_requirements()
SvcDiff.make_subconfig()
SvcDiff.open
SvcDiff.run()
SvcDiff.service_diff()
SvcDiff.service_scan()
SvcDiff.set_open_method()
SvcDiff.unsatisfied()
SvcDiff.version
- volatility3.plugins.windows.svclist module
SvcList
SvcList.build_configuration()
SvcList.config
SvcList.config_path
SvcList.context
SvcList.enumerate_vista_or_later_header()
SvcList.get_prereq_info()
SvcList.get_record_tuple()
SvcList.get_requirements()
SvcList.make_subconfig()
SvcList.open
SvcList.run()
SvcList.service_list()
SvcList.service_scan()
SvcList.set_open_method()
SvcList.unsatisfied()
SvcList.version
- volatility3.plugins.windows.svcscan module
ServiceBinaryInfo
SvcScan
SvcScan.build_configuration()
SvcScan.config
SvcScan.config_path
SvcScan.context
SvcScan.enumerate_vista_or_later_header()
SvcScan.get_prereq_info()
SvcScan.get_record_tuple()
SvcScan.get_requirements()
SvcScan.make_subconfig()
SvcScan.open
SvcScan.run()
SvcScan.service_scan()
SvcScan.set_open_method()
SvcScan.unsatisfied()
SvcScan.version
- volatility3.plugins.windows.symlinkscan module
SymlinkScan
SymlinkScan.build_configuration()
SymlinkScan.config
SymlinkScan.config_path
SymlinkScan.context
SymlinkScan.generate_timeline()
SymlinkScan.get_requirements()
SymlinkScan.make_subconfig()
SymlinkScan.open
SymlinkScan.run()
SymlinkScan.scan_symlinks()
SymlinkScan.set_open_method()
SymlinkScan.unsatisfied()
SymlinkScan.version
- volatility3.plugins.windows.thrdscan module
ThrdScan
ThrdScan.build_configuration()
ThrdScan.config
ThrdScan.config_path
ThrdScan.context
ThrdScan.filter_func()
ThrdScan.gather_thread_info()
ThrdScan.generate_timeline()
ThrdScan.get_requirements()
ThrdScan.make_subconfig()
ThrdScan.open
ThrdScan.run()
ThrdScan.scan_threads()
ThrdScan.set_open_method()
ThrdScan.unsatisfied()
ThrdScan.version
- volatility3.plugins.windows.threads module
Threads
Threads.build_configuration()
Threads.config
Threads.config_path
Threads.context
Threads.filter_func()
Threads.gather_thread_info()
Threads.generate_timeline()
Threads.get_requirements()
Threads.list_process_threads()
Threads.list_threads()
Threads.make_subconfig()
Threads.open
Threads.run()
Threads.scan_threads()
Threads.set_open_method()
Threads.unsatisfied()
Threads.version
- volatility3.plugins.windows.timers module
- volatility3.plugins.windows.truecrypt module
- volatility3.plugins.windows.unloadedmodules module
UnloadedModules
UnloadedModules.build_configuration()
UnloadedModules.config
UnloadedModules.config_path
UnloadedModules.context
UnloadedModules.create_unloadedmodules_table()
UnloadedModules.generate_timeline()
UnloadedModules.get_requirements()
UnloadedModules.list_unloadedmodules()
UnloadedModules.make_subconfig()
UnloadedModules.open
UnloadedModules.run()
UnloadedModules.set_open_method()
UnloadedModules.unsatisfied()
UnloadedModules.version
- volatility3.plugins.windows.vadinfo module
VadInfo
VadInfo.MAXSIZE_DEFAULT
VadInfo.build_configuration()
VadInfo.config
VadInfo.config_path
VadInfo.context
VadInfo.get_requirements()
VadInfo.list_vads()
VadInfo.make_subconfig()
VadInfo.open
VadInfo.protect_values()
VadInfo.run()
VadInfo.set_open_method()
VadInfo.unsatisfied()
VadInfo.vad_dump()
VadInfo.version
- volatility3.plugins.windows.vadwalk module
- volatility3.plugins.windows.vadyarascan module
- volatility3.plugins.windows.verinfo module
- volatility3.plugins.windows.virtmap module