volatility3.framework.symbols.windows.extensions.pe module

class IMAGE_DOS_HEADER(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType

    Constructs an Object adhering to the ObjectInterface.

    Parameters:
        context (ContextInterface) – The context associated with the object
        type_name (str) – The name of the type structure for the object
        object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

        classmethod has_member(template, member_name)
            Returns whether the object would contain a member called member_name.

        classmethod relative_child_offset(template, child)
            Returns the relative offset of a child to its parent.

        classmethod replace_child(template, old_child, new_child)
            Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional)
        Returns a new object at the offset and from the layer that the current object inhabits.

        Note: If new_type_name does not include a symbol table, the symbol table for the current object is used.

    fix_image_base(raw_data, nt_header)
        Fix the _OPTIONAL_HEADER.ImageBase value (an unsigned long for 32-bit PEs, an unsigned long long for 64-bit PEs) to match the address where the PE file was carved out of memory.

        Parameters:
            raw_data (bytes) – a bytes object of the PE's data
            nt_header (ObjectInterface) – <_IMAGE_NT_HEADERS> or <_IMAGE_NT_HEADERS64> instance

        Returns:
            <bytes> patched with the correct address

    get_nt_header()
        Carve out the NT header from this DOS header. This reflects on the PE file's Machine type to create a 32- or 64-bit NT header structure.

        Returns:
            <_IMAGE_NT_HEADERS> or <_IMAGE_NT_HEADERS64> instance

    get_symbol_table_name()
        Returns the symbol table name for this particular object.

        Raises:
            ValueError – If the object's symbol does not contain an explicit table
            KeyError – If the table_name is not valid within the object's context

    has_member(member_name)
        Returns whether the object would contain a member called member_name.

    has_valid_member(member_name)
        Returns whether the dereferenced type has a valid member.

    has_valid_members(member_names)
        Returns whether the object has all of the members listed in member_names.

    reconstruct()
        This method generates the content necessary to reconstruct a PE file from memory. It preserves slack space (similar to the old --memory option) and automatically fixes the ImageBase in the output PE file.

    replace_header_field(sect, header, item, value)
        Replaces a member in an _IMAGE_SECTION_HEADER structure.

        Parameters:
            sect (ObjectInterface) – the section instance
            header (bytes) – raw data for the section
            item (ObjectInterface) – the member of the section to replace
            value (int) – new value for the member

        Returns:
            The raw data with the replaced header field

    property vol
        Returns the volatility specific object information.

    write(value)
        Writes the new value into the format at the offset the object currently resides at.

class IMAGE_NT_HEADERS(context, type_name, object_info, size, members)
    Bases: volatility3.framework.objects.StructType

    Constructs an Object adhering to the ObjectInterface.

    Parameters:
        context (ContextInterface) – The context associated with the object
        type_name (str) – The name of the type structure for the object
        object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)

    class VolTemplateProxy
        Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

        classmethod has_member(template, member_name)
            Returns whether the object would contain a member called member_name.

        classmethod relative_child_offset(template, child)
            Returns the relative offset of a child to its parent.

        classmethod replace_child(template, old_child, new_child)
            Replaces a child element within the arguments handed to the template.

    cast(new_type_name, **additional)
        Returns a new object at the offset and from the layer that the current object inhabits.

        Note: If new_type_name does not include a symbol table, the symbol table for the current object is used.

    get_sections()
        Iterate through the section headers for this PE file.

        Yields:
            <_IMAGE_SECTION_HEADER> objects

    get_symbol_table_name()
        Returns the symbol table name for this particular object.

        Raises:
            ValueError – If the object's symbol does not contain an explicit table
            KeyError – If the table_name is not valid within the object's context

    has_member(member_name)
        Returns whether the object would contain a member called member_name.

    has_valid_member(member_name)
        Returns whether the dereferenced type has a valid member.

    has_valid_members(member_names)
        Returns whether the object has all of the members listed in member_names.

    property vol
        Returns the volatility specific object information.

    write(value)
        Writes the new value into the format at the offset the object currently resides at.
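Worked example, added here and not part of volatility3 or of this page: a standalone, pure-Python re-implementation of what IMAGE_DOS_HEADER.get_nt_header, fix_image_base, replace_header_field and reconstruct, together with IMAGE_NT_HEADERS.get_sections, do, operating on a bytes buffer instead of a Volatility layer and symbol table. The function names, the dict-based section records and the constructed two-section PE image are assumptions made for illustration; the field offsets (e_lfanew at 0x3C, ImageBase at +24 as 8 bytes for PE32+ and at +28 as 4 bytes for PE32, the 40-byte section header) are from the PE format. Every value these routines consume comes from process memory the target controlled, so the signature checks, the Machine/magic cross-check and the SizeOfImage cap are the checks worth keeping when carving from a suspect process.

```python
import struct

# PE constants: IMAGE_FILE_MACHINE_* values and the optional-header magics.
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECTION_HEADER_SIZE = 40
MAX_SIZE_OF_IMAGE = 100 * 1024 * 1024  # sanity cap on a value read from untrusted process memory

def nt_header_offset(raw):
    """Mirror get_nt_header's validation: check e_magic, follow e_lfanew, check the PE signature."""
    if raw[:2] != b"MZ":
        raise ValueError("bad e_magic")
    e_lfanew = struct.unpack_from("<I", raw, 0x3C)[0]
    if raw[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    return e_lfanew

def image_base_field(raw, nt_off):
    """Locate OptionalHeader.ImageBase. As in get_nt_header, FileHeader.Machine selects the 32/64-bit
    layout; the optional-header magic is cross-checked so a tampered header cannot mis-size the patch."""
    machine = struct.unpack_from("<H", raw, nt_off + 4)[0]
    opt = nt_off + 24  # Signature (4) + IMAGE_FILE_HEADER (20)
    magic = struct.unpack_from("<H", raw, opt)[0]
    if machine == IMAGE_FILE_MACHINE_AMD64:
        if magic != PE32PLUS_MAGIC:
            raise ValueError("AMD64 image without a PE32+ optional header")
        return opt + 24, "<Q"  # 8-byte ImageBase
    if magic != PE32_MAGIC:
        raise ValueError("32-bit image without a PE32 optional header")
    return opt + 28, "<I"  # 4-byte ImageBase (PE32 has BaseOfData before it)

def read_image_base(raw):
    off, fmt = image_base_field(raw, nt_header_offset(raw))
    return struct.unpack_from(fmt, raw, off)[0]

def fix_image_base(raw, base_address):
    """Patch ImageBase to the address the PE was carved from, at the right width for the PE type."""
    off, fmt = image_base_field(raw, nt_header_offset(raw))
    patch = struct.pack(fmt, base_address)
    return raw[:off] + patch + raw[off + len(patch):]

def get_sections(raw):
    """Yield one record per _IMAGE_SECTION_HEADER, keeping the header's offset so it can be patched."""
    nt_off = nt_header_offset(raw)
    num_sections = struct.unpack_from("<H", raw, nt_off + 6)[0]
    opt_size = struct.unpack_from("<H", raw, nt_off + 20)[0]
    first = nt_off + 24 + opt_size
    for i in range(num_sections):
        off = first + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", raw, off)
        yield {"offset": off, "name": name.rstrip(b"\0").decode(), "VirtualSize": vsize,
               "VirtualAddress": vaddr, "SizeOfRawData": raw_size, "PointerToRawData": raw_ptr}

def replace_header_field(raw, field_offset, value):
    """Overwrite one 4-byte _IMAGE_SECTION_HEADER member in the raw bytes."""
    return raw[:field_offset] + struct.pack("<I", value) + raw[field_offset + 4:]

def reconstruct(memory, base_address):
    """Memory image -> file image: fix ImageBase, then point each section's file offset/size at its
    virtual address/size so the in-memory layout (slack included) is what lands in the file."""
    nt_off = nt_header_offset(memory)
    size_of_image = struct.unpack_from("<I", memory, nt_off + 24 + 56)[0]  # OptionalHeader.SizeOfImage
    if size_of_image > MAX_SIZE_OF_IMAGE:
        raise ValueError("claimed SizeOfImage is too large: %#x" % size_of_image)
    raw = memory[:size_of_image].ljust(size_of_image, b"\0")  # pad short reads, like a layer read with pad=True
    raw = fix_image_base(raw, base_address)
    for sect in list(get_sections(raw)):
        if sect["VirtualAddress"] > size_of_image or sect["VirtualSize"] > size_of_image:
            raise ValueError("section %s lies outside SizeOfImage" % sect["name"])
        raw = replace_header_field(raw, sect["offset"] + 20, sect["VirtualAddress"])  # PointerToRawData
        raw = replace_header_field(raw, sect["offset"] + 16, sect["VirtualSize"])  # SizeOfRawData
    return raw

def build_sample_image(is_64bit, image_base):
    """Constructed input: a minimal two-section PE laid out as it sits in memory (sections at their RVAs)."""
    opt_size, e_lfanew = (240 if is_64bit else 224), 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = IMAGE_FILE_MACHINE_AMD64 if is_64bit else IMAGE_FILE_MACHINE_I386
    file_hdr = struct.pack("<HHIIIHH", machine, 2, 0, 0, 0, opt_size, 0)  # NumberOfSections = 2
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if is_64bit else PE32_MAGIC)
    struct.pack_into("<Q" if is_64bit else "<I", opt, 24 if is_64bit else 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 56, 0x3000)  # SizeOfImage
    sections = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack("<8sIIIIIIHHI", b".data", 0x80, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    image = bytearray(0x3000)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sections
    image[:len(headers)] = headers
    image[0x1000:0x1100] = b"\xCC" * 0x100  # .text contents at VirtualAddress, not at PointerToRawData
    image[0x2000:0x2080] = b"\x41" * 0x80
    return bytes(image)

if __name__ == "__main__":
    out = reconstruct(build_sample_image(True, 0x140000000), 0x7FF600000000)
    print(hex(read_image_base(out)), [(s["name"], hex(s["PointerToRawData"])) for s in get_sections(out)])
```

Because the section headers are rewritten so that PointerToRawData equals VirtualAddress and SizeOfRawData equals VirtualSize, the output keeps the memory layout rather than the original file layout: it is loadable by PE tooling but is not byte-identical to the binary on disk, so its hash will not match a known-good file hash, and pages that were not resident read back as the zero padding. This version returns one patched buffer; it does not attempt to reproduce how the real reconstruct hands its output back to the caller.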