volatility3.framework.symbols.mac.extensions package¶

class fileglob(context, type_name, object_info, size, members)[source]¶

Bases: volatility3.framework.objects.StructType

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_fg_type()[source]¶

get_symbol_table_name()¶

Returns the symbol table name for this particular object.

Raises

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

has_valid_member(member_name)¶

Returns whether the dereferenced type has a valid member.

Parameters: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type: bool

has_valid_members(member_names)¶

Returns whether the object has all of the members listed in member_names

Parameters: member_names (List[str]) – List of names to test as to members with those names validity
Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class ifnet(context, type_name, object_info, size, members)[source]¶

Bases: volatility3.framework.objects.StructType

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_symbol_table_name()¶

Returns the symbol table name for this particular object.

Raises

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

has_valid_member(member_name)¶

Returns whether the dereferenced type has a valid member.

Parameters: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type: bool

has_valid_members(member_names)¶

Returns whether the object has all of the members listed in member_names

Parameters: member_names (List[str]) – List of names to test as to members with those names validity
Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

sockaddr_dl()[source]¶

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class inpcb(context, type_name, object_info, size, members)[source]¶

Bases: volatility3.framework.objects.StructType

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_ipv4_info()[source]¶

get_ipv6_info()[source]¶

get_symbol_table_name()¶

Returns the symbol table name for this particular object.

Raises

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type

str

get_tcp_state()[source]¶

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

has_valid_member(member_name)¶

Returns whether the dereferenced type has a valid member.

Parameters: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type: bool

has_valid_members(member_names)¶

Returns whether the object has all of the members listed in member_names

Parameters: member_names (List[str]) – List of names to test as to members with those names validity
Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class kauth_scope(context, type_name, object_info, size, members)[source]¶

Bases: volatility3.framework.objects.StructType

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_listeners()[source]¶

get_symbol_table_name()¶

Returns the symbol table name for this particular object.

Raises

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

has_valid_member(member_name)¶

Returns whether the dereferenced type has a valid member.

Parameters: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type: bool

has_valid_members(member_names)¶

Returns whether the object has all of the members listed in member_names

Parameters: member_names (List[str]) – List of names to test as to members with those names validity
Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class proc(context, type_name, object_info, size, members)[source]¶

Bases: volatility3.framework.symbols.generic.GenericIntelProcess

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

add_process_layer(config_prefix=None, preferred_name=None)[source]¶

Constructs a new layer based on the process’s DTB.

Returns the name of the Layer or None.

Return type: Optional[str]

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_map_iter()[source]¶

Return type: Iterable[ObjectInterface]

get_process_memory_sections(context, config_prefix, rw_no_file=False)[source]¶

Returns a list of sections based on the memory manager’s view of this task’s virtual memory.

Return type: Generator[Tuple[int, int], None, None]

get_symbol_table_name()¶

Returns the symbol table name for this particular object.

Raises

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type

str

get_task()[source]¶

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

has_valid_member(member_name)¶

Returns whether the dereferenced type has a valid member.

Parameters: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type: bool

has_valid_members(member_names)¶

Returns whether the object has all of the members listed in member_names

Parameters: member_names (List[str]) – List of names to test as to members with those names validity
Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class queue_entry(context, type_name, object_info, size, members)[source]¶

Bases: volatility3.framework.objects.StructType

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_symbol_table_name()¶

Returns the symbol table name for this particular object.

Raises

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

has_valid_member(member_name)¶

Returns whether the dereferenced type has a valid member.

Parameters: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type: bool

has_valid_members(member_names)¶

Returns whether the object has all of the members listed in member_names

Parameters: member_names (List[str]) – List of names to test as to members with those names validity
Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

walk_list(list_head, member_name, type_name, max_size=4096)[source]¶

Walks a queue in a smear-aware and smear-resistant manner

smear is detected by:

the max_size parameter sets an upper bound
each seen entry is only allowed once

attempts to work around smear:

the list is walked in both directions to help find as many elements as possible

Parameters

- the head of the list (list_head) –
- the name of the embedded list member (member_name) –
- the type of each element in the list (type_name) –
- the maximum amount of elements that will be returned (max_size) –

Return type

Iterable[ObjectInterface]

Returns

Each instance of the queue cast as “type_name” type

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class sockaddr(context, type_name, object_info, size, members)[source]¶

Bases: volatility3.framework.objects.StructType

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_address()[source]¶

get_symbol_table_name()¶

Returns the symbol table name for this particular object.

Raises

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

has_valid_member(member_name)¶

Returns whether the dereferenced type has a valid member.

Parameters: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type: bool

has_valid_members(member_names)¶

Returns whether the object has all of the members listed in member_names

Parameters: member_names (List[str]) – List of names to test as to members with those names validity
Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class sockaddr_dl(context, type_name, object_info, size, members)[source]¶

Bases: volatility3.framework.objects.StructType

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_symbol_table_name()¶

Returns the symbol table name for this particular object.

Raises

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

has_valid_member(member_name)¶

Returns whether the dereferenced type has a valid member.

Parameters: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type: bool

has_valid_members(member_names)¶

Returns whether the object has all of the members listed in member_names

Parameters: member_names (List[str]) – List of names to test as to members with those names validity
Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class socket(context, type_name, object_info, size, members)[source]¶

Bases: volatility3.framework.objects.StructType

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_connection_info()[source]¶

get_converted_connection_info()[source]¶

get_family()[source]¶

get_inpcb()[source]¶

get_protocol_as_string()[source]¶

get_state()[source]¶

get_symbol_table_name()¶

Returns the symbol table name for this particular object.

Raises

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

has_valid_member(member_name)¶

Returns whether the dereferenced type has a valid member.

Parameters: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type: bool

has_valid_members(member_names)¶

Returns whether the object has all of the members listed in member_names

Parameters: member_names (List[str]) – List of names to test as to members with those names validity
Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class sysctl_oid(context, type_name, object_info, size, members)[source]¶

Bases: volatility3.framework.objects.StructType

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_ctltype()[source]¶

Returns the type of the sysctl node

Args: None

Returns: CTLTYPE_NODE CTLTYPE_INT CTLTYPE_STRING CTLTYPE_QUAD CTLTYPE_OPAQUE an empty string for nodes not in the above types
Return type: One of

Based on sysctl_sysctl_debug_dump_node

get_perms()[source]¶

Returns the actions allowed on the node

Args: None

Returns: R - readable W - writeable L - self handles locking
Return type: A combination of

get_symbol_table_name()¶

Returns the symbol table name for this particular object.

Raises

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

has_valid_member(member_name)¶

Returns whether the dereferenced type has a valid member.

Parameters: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type: bool

has_valid_members(member_names)¶

Returns whether the object has all of the members listed in member_names

Parameters: member_names (List[str]) – List of names to test as to members with those names validity
Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class vm_map_entry(context, type_name, object_info, size, members)[source]¶

Bases: volatility3.framework.objects.StructType

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_object()[source]¶

get_offset()[source]¶

get_path(context, config_prefix)[source]¶

get_perms()[source]¶

get_range_alias()[source]¶

get_special_path()[source]¶

get_symbol_table_name()¶

Returns the symbol table name for this particular object.

Raises

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type

str

get_vnode(context, config_prefix)[source]¶

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

has_valid_member(member_name)¶

Returns whether the dereferenced type has a valid member.

Parameters: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type: bool

has_valid_members(member_names)¶

Returns whether the object has all of the members listed in member_names

Parameters: member_names (List[str]) – List of names to test as to members with those names validity
Return type: bool

is_suspicious(context, config_prefix)[source]¶: Flags memory regions that are mapped rwx or that map an executable not back from a file on disk.

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class vm_map_object(context, type_name, object_info, size, members)[source]¶

Bases: volatility3.framework.objects.StructType

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_map_object()[source]¶

get_symbol_table_name()¶

Returns the symbol table name for this particular object.

Raises

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

has_valid_member(member_name)¶

Returns whether the dereferenced type has a valid member.

Parameters: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type: bool

has_valid_members(member_names)¶

Returns whether the object has all of the members listed in member_names

Parameters: member_names (List[str]) – List of names to test as to members with those names validity
Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class vnode(context, type_name, object_info, size, members)[source]¶

Bases: volatility3.framework.objects.StructType

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

full_path()[source]¶

get_symbol_table_name()¶

Returns the symbol table name for this particular object.

Raises

ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

has_valid_member(member_name)¶

Returns whether the dereferenced type has a valid member.

Parameters: member_name (str) – Name of the member to test access to determine if the member is valid or not
Return type: bool

has_valid_members(member_names)¶

Returns whether the object has all of the members listed in member_names

Parameters: member_names (List[str]) – List of names to test as to members with those names validity
Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.