volatility3.framework.symbols.windows.pdbutil module

class PDBUtility

Bases: object

Class to handle and manage retrieving symbols based on an MZ header.

classmethod download_pdb_isf(context, guid, age, pdb_name, progress_callback=None)

Attempts to download the PDB file, convert it to an ISF file and save it to one of the symbol locations.

Return type

None

classmethod get_guid_from_mz(context, layer_name, offset)

Takes the offset to an MZ header, locates any available PDB headers, and extracts the guid, age and pdb_name from them.

Parameters
  • context (ContextInterface) – The context on which to operate

  • layer_name (str) – The name of the (contiguous) layer within the context that contains the MZ file

  • offset (int) – The offset in the layer at which the MZ file begins

Return type

Optional[Tuple[str, int, str]]

Returns

A tuple of the guid, age and pdb_name, or None if no PDB record can be found

classmethod load_windows_symbol_table(context, guid, age, pdb_name, symbol_table_class, config_path='pdbutility', progress_callback=None)

Loads (downloading if necessary) a Windows symbol table.

classmethod pdbname_scan(ctx, layer_name, page_size, pdb_names, progress_callback=None, start=None, end=None)

Scans through layer_name in ctx looking for RSDS headers that indicate one of four common kernel PDB names (as listed in pdb_names) and returns the tuple (GUID, age, pdb_name, signature_offset, mz_offset).

Note

This is automagical and therefore not guaranteed to provide correct results.

The UI should always provide the user an opportunity to specify the appropriate types and PDB values themselves.

Return type

Generator[Dict[str, Union[bytes, str, int, None]], None, None]

classmethod symbol_table_from_offset(context, layer_name, offset, symbol_table_class='volatility3.framework.symbols.intermed.IntermediateSymbolTable', config_path=None, progress_callback=None)

Produces the name of a symbol table loaded from the offset of an MZ header.

Parameters
  • context (ContextInterface) – The context on which to operate

  • layer_name (str) – The name of the (contiguous) layer within the context that contains the MZ file

  • offset (int) – The offset in the layer at which the MZ file begins

  • symbol_table_class (str) – The class to use when constructing the SymbolTable

  • config_path (Optional[str]) – New path for the produced symbol table configuration with the config tree

  • progress_callback (Optional[Callable[[float, str], None]]) – Callable called to update ongoing progress

Return type

Optional[str]

Returns

None if no PDB information can be determined, else returns the name of the loaded symbols for the MZ.

class PdbSignatureScanner(pdb_names)

Bases: volatility3.framework.interfaces.layers.ScannerInterface

A ScannerInterface-based scanner used to identify Windows PDB records.

Parameters

pdb_names (List[bytes]) – A list of bytestrings, used to match pdb signatures against the pdb names within the records.

Note

The pdb_names must be a list of byte strings; unicode strs will not match against the data scanned.

property context

Return type

Optional[ContextInterface]

property layer_name

Return type

Optional[str]

overlap = 16384

The size of overlap needed for the signature to ensure data cannot hide between two scanned chunks.

thread_safe = True

Determines whether the scanner accesses global variables in a thread-safe manner (for use with multiprocessing).

version = (0, 0, 0)
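The following is an added, stand-alone illustration (not Volatility's own code) of what get_guid_from_mz, pdbname_scan and PdbSignatureScanner work with: the CodeView "RSDS" record layout, the byte-string matching of PDB names, and the symbol-server path that download_pdb_isf needs. The GUID formatting, the function names and the sample buffer are assumptions made for the example; it scans a single in-memory buffer, so it does not need the chunk overlap the real scanner uses.

```python
import struct
import uuid
from typing import Iterator, List, Optional, Tuple

RSDS_SIGNATURE = b"RSDS"  # CodeView PDB 7.0 (CV_INFO_PDB70) record signature

def parse_rsds_record(data: bytes, offset: int) -> Optional[Tuple[str, int, str]]:
    """Parse an RSDS record: "RSDS", 16-byte GUID (Data1-3 little-endian),
    4-byte LE age, NUL-terminated PDB name. None if invalid or truncated."""
    if data[offset:offset + 4] != RSDS_SIGNATURE or len(data) < offset + 24:
        return None
    guid = uuid.UUID(bytes_le=data[offset + 4:offset + 20]).hex.upper()
    age = struct.unpack_from("<I", data, offset + 20)[0]
    end = data.find(b"\x00", offset + 24)
    if end == -1:
        return None  # name has no terminator inside the buffer
    try:
        pdb_name = data[offset + 24:end].decode("utf-8")
    except UnicodeDecodeError:
        return None  # junk after a stray "RSDS", not a PDB name
    return guid, age, pdb_name

def scan_for_pdb_records(data: bytes, pdb_names: List[bytes]) -> Iterator[Tuple[str, int, str, int]]:
    """Yield (guid, age, pdb_name, signature_offset) for each RSDS record whose
    name is in pdb_names. Names are compared as bytes, hence the byte-string rule."""
    pos = data.find(RSDS_SIGNATURE)
    while pos != -1:
        parsed = parse_rsds_record(data, pos)
        if parsed is not None and parsed[2].encode("utf-8") in pdb_names:
            yield parsed + (pos,)
        pos = data.find(RSDS_SIGNATURE, pos + 1)

def symbol_server_path(guid: str, age: int, pdb_name: str) -> str:
    """Microsoft symbol server layout: <name>/<GUID><age in hex>/<name>."""
    return f"{pdb_name}/{guid}{age:X}/{pdb_name}"

# Constructed sample: one kernel record, one non-kernel record, and a
# truncated "RSDS" at the end of the buffer (GUID and age are made up).
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-9abc-def012345678")
SAMPLE_BUFFER = (
    b"\x00" * 8
    + RSDS_SIGNATURE + SAMPLE_GUID.bytes_le + struct.pack("<I", 2) + b"ntkrnlmp.pdb\x00"
    + b"\x00" * 4
    + RSDS_SIGNATURE + b"\xff" * 16 + struct.pack("<I", 1) + b"other.pdb\x00"
    + b"\x00" * 4
    + RSDS_SIGNATURE + b"\x01\x02"
)
```

Running `list(scan_for_pdb_records(SAMPLE_BUFFER, [b"ntkrnlmp.pdb"]))` returns only the kernel record at offset 8; passing the same name as a str instead of bytes returns nothing, which is the mismatch the note on PdbSignatureScanner warns about.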