volatility3.framework.symbols.intermed module

class ISFormatTable(context, config_path, name, json_object, native_types=None, table_mapping=None)[source]

Bases: volatility3.framework.interfaces.symbols.SymbolTableInterface

Provide a base class to identify all subclasses.

Instantiates an SymbolTable based on an IntermediateSymbolFormat JSON file. This is validated against the appropriate schema.

Parameters
  • context (ContextInterface) – The volatility context for the symbol table

  • config_path (str) – The configuration path for the symbol table

  • name (str) – The name for the symbol table (this is used in symbols e.g. table!symbol )

  • isf_url – The URL pointing to the ISF file location

  • native_types (Optional[NativeTableInterface]) – The NativeSymbolTable that contains the native types for this symbol table

  • table_mapping (Optional[Dict[str, str]]) – A dictionary linking names referenced in the file with symbol tables in the context

  • class_types – A dictionary of type names and classes that override StructType when they are instantiated

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type

HierarchicalDict

clear_symbol_cache()[source]

Clears the symbol cache of the symbol table.

Return type

None

property config: volatility3.framework.interfaces.configuration.HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

Return type

HierarchicalDict

property config_path: str

The configuration path on which this configurable lives.

Return type

str

property context: volatility3.framework.interfaces.context.ContextInterface

The context object that this configurable belongs to/configuration is stored in.

Return type

ContextInterface

del_type_class(name)

Removes the associated class override for a specific Symbol type.

Return type

None

property enumerations: Iterable[Any]

Returns an iterator of the Enumeration names.

Return type

Iterable[Any]

classmethod get_requirements()

Returns a list of RequirementInterface objects required by this object.

Return type

List[RequirementInterface]

get_symbol(name)

Resolves a symbol name into a symbol object.

If the symbol isn’t found, it raises a SymbolError exception

Return type

SymbolInterface

get_symbol_type(name)

Resolves a symbol name into a symbol and then resolves the symbol’s type.

Return type

Optional[Template]

get_symbols_by_location(offset, size=0)

Returns the name of all symbols in this table that live at a particular offset.

Return type

Iterable[str]

get_symbols_by_type(type_name)

Returns the name of all symbols in this table that have type matching type_name.

Return type

Iterable[str]

get_type(name)

Resolves a symbol name into an object template.

If the symbol isn’t found it raises a SymbolError exception

Return type

Template

get_type_class(name)

Returns the class associated with a Symbol type.

Return type

Type[ObjectInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns

The newly generated full configuration path

Return type

str

property metadata: Optional[volatility3.framework.interfaces.symbols.MetadataInterface]

Returns a metadata object containing information about the symbol table.

Return type

Optional[MetadataInterface]

property natives: volatility3.framework.interfaces.symbols.NativeTableInterface

Returns None or a NativeTable for handling space specific native types.

Return type

NativeTableInterface

set_type_class(name, clazz)

Overrides the object class for a specific Symbol type.

Name must be present in self.types

Parameters
  • name (str) – The name of the type to override the class for

  • clazz (Type[ObjectInterface]) – The actual class to override for the provided type name

Return type

None

property symbols: Iterable[str]

Returns an iterator of the Symbol names.

Return type

Iterable[str]

property types: Iterable[str]

Returns an iterator of the Symbol type names.

Return type

Iterable[str]

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
Return type

Dict[str, RequirementInterface]

version = (0, 0, 0)
class IntermediateSymbolTable(context, config_path, name, isf_url, native_types=None, table_mapping=None, validate=True, class_types=None, symbol_mask=0)[source]

Bases: volatility3.framework.interfaces.symbols.SymbolTableInterface

The IntermediateSymbolTable class reads a JSON file and conducts common tasks such as validation, construction by looking up a JSON file from the available files and ensuring the appropriate version of the schema and proxy are chosen.

The JSON format itself is made up of various groups (symbols, user_types, base_types, enums and metadata)
  • Symbols link a name to a particular offset relative to the start of a section of memory

  • Base types define the simplest primitive data types, these can make more complex structure

  • User types define the more complex types by specifying members at a relative offset from the start of the type

  • Enums can specify a list of names and values and a type inside which the numeric encoding will fit

  • Metadata defines information about the originating file

These are documented in JSONSchema JSON files located in volatility3/schemas.

Instantiates a SymbolTable based on an IntermediateSymbolFormat JSON file. This is validated against the appropriate schema. The validation can be disabled by passing validate = False, but this should almost never be done.

Parameters
  • context (ContextInterface) – The volatility context for the symbol table

  • config_path (str) – The configuration path for the symbol table

  • name (str) – The name for the symbol table (this is used in symbols e.g. table!symbol )

  • isf_url (str) – The URL pointing to the ISF file location

  • native_types (Optional[NativeTableInterface]) – The NativeSymbolTable that contains the native types for this symbol table

  • table_mapping (Optional[Dict[str, str]]) – A dictionary linking names referenced in the file with symbol tables in the context

  • validate (bool) – Determines whether the ISF file will be validated against the appropriate schema

  • class_types (Optional[Mapping[str, Type[ObjectInterface]]]) – A dictionary of type names and classes that override StructType when they are instantiated

  • symbol_mask (int) – An address mask used for all returned symbol offsets from this table (a mask of 0 disables masking)

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type

HierarchicalDict

clear_symbol_cache(*args, **kwargs)

Clears the symbol cache of this symbol table.

property config: volatility3.framework.interfaces.configuration.HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

Return type

HierarchicalDict

property config_path: str

The configuration path on which this configurable lives.

Return type

str

property context: volatility3.framework.interfaces.context.ContextInterface

The context object that this configurable belongs to/configuration is stored in.

Return type

ContextInterface

classmethod create(context, config_path, sub_path, filename, native_types=None, table_mapping=None, class_types=None, symbol_mask=0)[source]

Takes a context and loads an intermediate symbol table based on a filename.

Parameters
  • context (ContextInterface) – The context that the current plugin is being run within

  • config_path (str) – The configuration path for reading/storing configuration information this symbol table may use

  • sub_path (str) – The path under a suitable symbol path (defaults to volatility3/symbols and volatility3/framework/symbols) to check

  • filename (str) – Basename of the file to find under the sub_path

  • native_types (Optional[NativeTableInterface]) – Set of native types, defaults to native types read from the intermediate symbol format file

  • table_mapping (Optional[Dict[str, str]]) – a dictionary of table names mentioned within the ISF file, and the tables within the context which they map to

  • symbol_mask (int) – An address mask used for all returned symbol offsets from this table (a mask of 0 disables masking)

Return type

str

Returns

the name of the added symbol table

del_type_class(*args, **kwargs)

Removes the associated class override for a specific Symbol type.

property enumerations

Returns an iterator of the Enumeration names.

classmethod file_symbol_url(sub_path, filename=None)[source]

Returns an iterator of appropriate file-scheme symbol URLs that can be opened by a ResourceAccessor class.

Filter reduces the number of results returned to only those URLs containing that string

Return type

Generator[str, None, None]

get_enumeration(*args, **kwargs)
classmethod get_requirements()[source]

Returns a list of RequirementInterface objects required by this object.

Return type

List[RequirementInterface]

get_symbol(*args, **kwargs)

Resolves a symbol name into a symbol object.

If the symbol isn’t found, it raises a SymbolError exception

get_symbol_type(name)

Resolves a symbol name into a symbol and then resolves the symbol’s type.

Return type

Optional[Template]

get_symbols_by_location(offset, size=0)

Returns the name of all symbols in this table that live at a particular offset.

Return type

Iterable[str]

get_symbols_by_type(type_name)

Returns the name of all symbols in this table that have type matching type_name.

Return type

Iterable[str]

get_type(*args, **kwargs)

Resolves a symbol name into an object template.

If the symbol isn’t found it raises a SymbolError exception

get_type_class(*args, **kwargs)

Returns the class associated with a Symbol type.

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns

The newly generated full configuration path

Return type

str

property metadata
property natives: volatility3.framework.interfaces.symbols.NativeTableInterface

Returns None or a NativeTable for handling space specific native types.

Return type

NativeTableInterface

set_type_class(*args, **kwargs)

Overrides the object class for a specific Symbol type.

Name must be present in self.types

Parameters
  • name – The name of the type to override the class for

  • clazz – The actual class to override for the provided type name

property symbols

Returns an iterator of the Symbol names.

property types

Returns an iterator of the Symbol type names.

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
Return type

Dict[str, RequirementInterface]

class Version1Format(context, config_path, name, json_object, native_types=None, table_mapping=None)[source]

Bases: volatility3.framework.symbols.intermed.ISFormatTable

Class for storing intermediate debugging data as objects and classes.

Instantiates an SymbolTable based on an IntermediateSymbolFormat JSON file. This is validated against the appropriate schema.

Parameters
  • context (ContextInterface) – The volatility context for the symbol table

  • config_path (str) – The configuration path for the symbol table

  • name (str) – The name for the symbol table (this is used in symbols e.g. table!symbol )

  • isf_url – The URL pointing to the ISF file location

  • native_types (Optional[NativeTableInterface]) – The NativeSymbolTable that contains the native types for this symbol table

  • table_mapping (Optional[Dict[str, str]]) – A dictionary linking names referenced in the file with symbol tables in the context

  • class_types – A dictionary of type names and classes that override StructType when they are instantiated

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type

HierarchicalDict

clear_symbol_cache()

Clears the symbol cache of the symbol table.

Return type

None

property config: volatility3.framework.interfaces.configuration.HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

Return type

HierarchicalDict

property config_path: str

The configuration path on which this configurable lives.

Return type

str

property context: volatility3.framework.interfaces.context.ContextInterface

The context object that this configurable belongs to/configuration is stored in.

Return type

ContextInterface

del_type_class(name)[source]

Removes the associated class override for a specific Symbol type.

Return type

None

property enumerations: Iterable[str]

Returns an iterator of the available enumerations.

Return type

Iterable[str]

get_enumeration(enum_name)[source]

Resolves an individual enumeration.

Return type

Template

classmethod get_requirements()

Returns a list of RequirementInterface objects required by this object.

Return type

List[RequirementInterface]

get_symbol(name)[source]

Returns the location offset given by the symbol name.

Return type

SymbolInterface

get_symbol_type(name)

Resolves a symbol name into a symbol and then resolves the symbol’s type.

Return type

Optional[Template]

get_symbols_by_location(offset, size=0)

Returns the name of all symbols in this table that live at a particular offset.

Return type

Iterable[str]

get_symbols_by_type(type_name)

Returns the name of all symbols in this table that have type matching type_name.

Return type

Iterable[str]

get_type(type_name)[source]

Resolves an individual symbol.

Return type

Template

get_type_class(name)[source]

Returns the class associated with a Symbol type.

Return type

Type[ObjectInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns

The newly generated full configuration path

Return type

str

property metadata: Optional[volatility3.framework.interfaces.symbols.MetadataInterface]

Returns a metadata object containing information about the symbol table.

Return type

Optional[MetadataInterface]

property natives: volatility3.framework.interfaces.symbols.NativeTableInterface

Returns None or a NativeTable for handling space specific native types.

Return type

NativeTableInterface

set_type_class(name, clazz)[source]

Overrides the object class for a specific Symbol type.

Name must be present in self.types

Parameters
  • name (str) – The name of the type to override the class for

  • clazz (Type[ObjectInterface]) – The actual class to override for the provided type name

Return type

None

property symbols: Iterable[str]

Returns an iterator of the symbol names.

Return type

Iterable[str]

property types: Iterable[str]

Returns an iterator of the symbol type names.

Return type

Iterable[str]

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
Return type

Dict[str, RequirementInterface]

version = (0, 0, 1)
class Version2Format(context, config_path, name, json_object, native_types=None, table_mapping=None)[source]

Bases: volatility3.framework.symbols.intermed.Version1Format

Class for storing intermediate debugging data as objects and classes.

Instantiates an SymbolTable based on an IntermediateSymbolFormat JSON file. This is validated against the appropriate schema.

Parameters
  • context (ContextInterface) – The volatility context for the symbol table

  • config_path (str) – The configuration path for the symbol table

  • name (str) – The name for the symbol table (this is used in symbols e.g. table!symbol )

  • isf_url – The URL pointing to the ISF file location

  • native_types (Optional[NativeTableInterface]) – The NativeSymbolTable that contains the native types for this symbol table

  • table_mapping (Optional[Dict[str, str]]) – A dictionary linking names referenced in the file with symbol tables in the context

  • class_types – A dictionary of type names and classes that override StructType when they are instantiated

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type

HierarchicalDict

clear_symbol_cache()

Clears the symbol cache of the symbol table.

Return type

None

property config: volatility3.framework.interfaces.configuration.HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

Return type

HierarchicalDict

property config_path: str

The configuration path on which this configurable lives.

Return type

str

property context: volatility3.framework.interfaces.context.ContextInterface

The context object that this configurable belongs to/configuration is stored in.

Return type

ContextInterface

del_type_class(name)

Removes the associated class override for a specific Symbol type.

Return type

None

property enumerations: Iterable[str]

Returns an iterator of the available enumerations.

Return type

Iterable[str]

get_enumeration(enum_name)

Resolves an individual enumeration.

Return type

Template

classmethod get_requirements()

Returns a list of RequirementInterface objects required by this object.

Return type

List[RequirementInterface]

get_symbol(name)

Returns the location offset given by the symbol name.

Return type

SymbolInterface

get_symbol_type(name)

Resolves a symbol name into a symbol and then resolves the symbol’s type.

Return type

Optional[Template]

get_symbols_by_location(offset, size=0)

Returns the name of all symbols in this table that live at a particular offset.

Return type

Iterable[str]

get_symbols_by_type(type_name)

Returns the name of all symbols in this table that have type matching type_name.

Return type

Iterable[str]

get_type(type_name)[source]

Resolves an individual symbol.

Return type

Template

get_type_class(name)

Returns the class associated with a Symbol type.

Return type

Type[ObjectInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns

The newly generated full configuration path

Return type

str

property metadata: Optional[volatility3.framework.interfaces.symbols.MetadataInterface]

Returns a metadata object containing information about the symbol table.

Return type

Optional[MetadataInterface]

property natives: volatility3.framework.interfaces.symbols.NativeTableInterface

Returns None or a NativeTable for handling space specific native types.

Return type

NativeTableInterface

set_type_class(name, clazz)

Overrides the object class for a specific Symbol type.

Name must be present in self.types

Parameters
  • name (str) – The name of the type to override the class for

  • clazz (Type[ObjectInterface]) – The actual class to override for the provided type name

Return type

None

property symbols: Iterable[str]

Returns an iterator of the symbol names.

Return type

Iterable[str]

property types: Iterable[str]

Returns an iterator of the symbol type names.

Return type

Iterable[str]

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
Return type

Dict[str, RequirementInterface]

version = (2, 0, 0)
class Version3Format(context, config_path, name, json_object, native_types=None, table_mapping=None)[source]

Bases: volatility3.framework.symbols.intermed.Version2Format

Class for storing intermediate debugging data as objects and classes.

Instantiates an SymbolTable based on an IntermediateSymbolFormat JSON file. This is validated against the appropriate schema.

Parameters
  • context (ContextInterface) – The volatility context for the symbol table

  • config_path (str) – The configuration path for the symbol table

  • name (str) – The name for the symbol table (this is used in symbols e.g. table!symbol )

  • isf_url – The URL pointing to the ISF file location

  • native_types (Optional[NativeTableInterface]) – The NativeSymbolTable that contains the native types for this symbol table

  • table_mapping (Optional[Dict[str, str]]) – A dictionary linking names referenced in the file with symbol tables in the context

  • class_types – A dictionary of type names and classes that override StructType when they are instantiated

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type

HierarchicalDict

clear_symbol_cache()

Clears the symbol cache of the symbol table.

Return type

None

property config: volatility3.framework.interfaces.configuration.HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

Return type

HierarchicalDict

property config_path: str

The configuration path on which this configurable lives.

Return type

str

property context: volatility3.framework.interfaces.context.ContextInterface

The context object that this configurable belongs to/configuration is stored in.

Return type

ContextInterface

del_type_class(name)

Removes the associated class override for a specific Symbol type.

Return type

None

property enumerations: Iterable[str]

Returns an iterator of the available enumerations.

Return type

Iterable[str]

get_enumeration(enum_name)

Resolves an individual enumeration.

Return type

Template

classmethod get_requirements()

Returns a list of RequirementInterface objects required by this object.

Return type

List[RequirementInterface]

get_symbol(name)[source]

Returns the symbol given by the symbol name.

Return type

SymbolInterface

get_symbol_type(name)

Resolves a symbol name into a symbol and then resolves the symbol’s type.

Return type

Optional[Template]

get_symbols_by_location(offset, size=0)

Returns the name of all symbols in this table that live at a particular offset.

Return type

Iterable[str]

get_symbols_by_type(type_name)

Returns the name of all symbols in this table that have type matching type_name.

Return type

Iterable[str]

get_type(type_name)

Resolves an individual symbol.

Return type

Template

get_type_class(name)

Returns the class associated with a Symbol type.

Return type

Type[ObjectInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns

The newly generated full configuration path

Return type

str

property metadata: Optional[volatility3.framework.interfaces.symbols.MetadataInterface]

Returns a metadata object containing information about the symbol table.

Return type

Optional[MetadataInterface]

property natives: volatility3.framework.interfaces.symbols.NativeTableInterface

Returns None or a NativeTable for handling space specific native types.

Return type

NativeTableInterface

set_type_class(name, clazz)

Overrides the object class for a specific Symbol type.

Name must be present in self.types

Parameters
  • name (str) – The name of the type to override the class for

  • clazz (Type[ObjectInterface]) – The actual class to override for the provided type name

Return type

None

property symbols: Iterable[str]

Returns an iterator of the symbol names.

Return type

Iterable[str]

property types: Iterable[str]

Returns an iterator of the symbol type names.

Return type

Iterable[str]

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
Return type

Dict[str, RequirementInterface]

version = (2, 1, 0)
class Version4Format(context, config_path, name, json_object, native_types=None, table_mapping=None)[source]

Bases: volatility3.framework.symbols.intermed.Version3Format

Class for storing intermediate debugging data as objects and classes.

Instantiates an SymbolTable based on an IntermediateSymbolFormat JSON file. This is validated against the appropriate schema.

Parameters
  • context (ContextInterface) – The volatility context for the symbol table

  • config_path (str) – The configuration path for the symbol table

  • name (str) – The name for the symbol table (this is used in symbols e.g. table!symbol )

  • isf_url – The URL pointing to the ISF file location

  • native_types (Optional[NativeTableInterface]) – The NativeSymbolTable that contains the native types for this symbol table

  • table_mapping (Optional[Dict[str, str]]) – A dictionary linking names referenced in the file with symbol tables in the context

  • class_types – A dictionary of type names and classes that override StructType when they are instantiated

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type

HierarchicalDict

clear_symbol_cache()

Clears the symbol cache of the symbol table.

Return type

None

property config: volatility3.framework.interfaces.configuration.HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

Return type

HierarchicalDict

property config_path: str

The configuration path on which this configurable lives.

Return type

str

property context: volatility3.framework.interfaces.context.ContextInterface

The context object that this configurable belongs to/configuration is stored in.

Return type

ContextInterface

del_type_class(name)

Removes the associated class override for a specific Symbol type.

Return type

None

property enumerations: Iterable[str]

Returns an iterator of the available enumerations.

Return type

Iterable[str]

format_mapping = {'bool': <class 'volatility3.framework.objects.Boolean'>, 'char': <class 'volatility3.framework.objects.Char'>, 'float': <class 'volatility3.framework.objects.Float'>, 'int': <class 'volatility3.framework.objects.Integer'>, 'void': <class 'volatility3.framework.objects.Integer'>}
get_enumeration(enum_name)

Resolves an individual enumeration.

Return type

Template

classmethod get_requirements()

Returns a list of RequirementInterface objects required by this object.

Return type

List[RequirementInterface]

get_symbol(name)

Returns the symbol given by the symbol name.

Return type

SymbolInterface

get_symbol_type(name)

Resolves a symbol name into a symbol and then resolves the symbol’s type.

Return type

Optional[Template]

get_symbols_by_location(offset, size=0)

Returns the name of all symbols in this table that live at a particular offset.

Return type

Iterable[str]

get_symbols_by_type(type_name)

Returns the name of all symbols in this table that have type matching type_name.

Return type

Iterable[str]

get_type(type_name)

Resolves an individual symbol.

Return type

Template

get_type_class(name)

Returns the class associated with a Symbol type.

Return type

Type[ObjectInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns

The newly generated full configuration path

Return type

str

property metadata: Optional[volatility3.framework.interfaces.symbols.MetadataInterface]

Returns a metadata object containing information about the symbol table.

Return type

Optional[MetadataInterface]

property natives: volatility3.framework.interfaces.symbols.NativeTableInterface

Returns None or a NativeTable for handling space specific native types.

Return type

NativeTableInterface

set_type_class(name, clazz)

Overrides the object class for a specific Symbol type.

Name must be present in self.types

Parameters
  • name (str) – The name of the type to override the class for

  • clazz (Type[ObjectInterface]) – The actual class to override for the provided type name

Return type

None

property symbols: Iterable[str]

Returns an iterator of the symbol names.

Return type

Iterable[str]

property types: Iterable[str]

Returns an iterator of the symbol type names.

Return type

Iterable[str]

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
Return type

Dict[str, RequirementInterface]

version = (4, 0, 0)
class Version5Format(context, config_path, name, json_object, native_types=None, table_mapping=None)[source]

Bases: volatility3.framework.symbols.intermed.Version4Format

Class for storing intermediate debugging data as objects and classes.

Instantiates an SymbolTable based on an IntermediateSymbolFormat JSON file. This is validated against the appropriate schema.

Parameters
  • context (ContextInterface) – The volatility context for the symbol table

  • config_path (str) – The configuration path for the symbol table

  • name (str) – The name for the symbol table (this is used in symbols e.g. table!symbol )

  • isf_url – The URL pointing to the ISF file location

  • native_types (Optional[NativeTableInterface]) – The NativeSymbolTable that contains the native types for this symbol table

  • table_mapping (Optional[Dict[str, str]]) – A dictionary linking names referenced in the file with symbol tables in the context

  • class_types – A dictionary of type names and classes that override StructType when they are instantiated

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type

HierarchicalDict

clear_symbol_cache()

Clears the symbol cache of the symbol table.

Return type

None

property config: volatility3.framework.interfaces.configuration.HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

Return type

HierarchicalDict

property config_path: str

The configuration path on which this configurable lives.

Return type

str

property context: volatility3.framework.interfaces.context.ContextInterface

The context object that this configurable belongs to/configuration is stored in.

Return type

ContextInterface

del_type_class(name)

Removes the associated class override for a specific Symbol type.

Return type

None

property enumerations: Iterable[str]

Returns an iterator of the available enumerations.

Return type

Iterable[str]

format_mapping = {'bool': <class 'volatility3.framework.objects.Boolean'>, 'char': <class 'volatility3.framework.objects.Char'>, 'float': <class 'volatility3.framework.objects.Float'>, 'int': <class 'volatility3.framework.objects.Integer'>, 'void': <class 'volatility3.framework.objects.Integer'>}
get_enumeration(enum_name)

Resolves an individual enumeration.

Return type

Template

classmethod get_requirements()

Returns a list of RequirementInterface objects required by this object.

Return type

List[RequirementInterface]

get_symbol(name)[source]

Returns the symbol given by the symbol name.

Return type

SymbolInterface

get_symbol_type(name)

Resolves a symbol name into a symbol and then resolves the symbol’s type.

Return type

Optional[Template]

get_symbols_by_location(offset, size=0)

Returns the name of all symbols in this table that live at a particular offset.

Return type

Iterable[str]

get_symbols_by_type(type_name)

Returns the name of all symbols in this table that have type matching type_name.

Return type

Iterable[str]

get_type(type_name)

Resolves an individual symbol.

Return type

Template

get_type_class(name)

Returns the class associated with a Symbol type.

Return type

Type[ObjectInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns

The newly generated full configuration path

Return type

str

property metadata: Optional[volatility3.framework.interfaces.symbols.MetadataInterface]

Returns a metadata object containing information about the symbol table.

Return type

Optional[MetadataInterface]

property natives: volatility3.framework.interfaces.symbols.NativeTableInterface

Returns None or a NativeTable for handling space specific native types.

Return type

NativeTableInterface

set_type_class(name, clazz)

Overrides the object class for a specific Symbol type.

Name must be present in self.types

Parameters
  • name (str) – The name of the type to override the class for

  • clazz (Type[ObjectInterface]) – The actual class to override for the provided type name

Return type

None

property symbols: Iterable[str]

Returns an iterator of the symbol names.

Return type

Iterable[str]

property types: Iterable[str]

Returns an iterator of the symbol type names.

Return type

Iterable[str]

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
Return type

Dict[str, RequirementInterface]

version = (4, 1, 0)
class Version6Format(context, config_path, name, json_object, native_types=None, table_mapping=None)[source]

Bases: volatility3.framework.symbols.intermed.Version5Format

Class for storing intermediate debugging data as objects and classes.

Instantiates an SymbolTable based on an IntermediateSymbolFormat JSON file. This is validated against the appropriate schema.

Parameters
  • context (ContextInterface) – The volatility context for the symbol table

  • config_path (str) – The configuration path for the symbol table

  • name (str) – The name for the symbol table (this is used in symbols e.g. table!symbol )

  • isf_url – The URL pointing to the ISF file location

  • native_types (Optional[NativeTableInterface]) – The NativeSymbolTable that contains the native types for this symbol table

  • table_mapping (Optional[Dict[str, str]]) – A dictionary linking names referenced in the file with symbol tables in the context

  • class_types – A dictionary of type names and classes that override StructType when they are instantiated

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type

HierarchicalDict

clear_symbol_cache()

Clears the symbol cache of the symbol table.

Return type

None

property config: volatility3.framework.interfaces.configuration.HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

Return type

HierarchicalDict

property config_path: str

The configuration path on which this configurable lives.

Return type

str

property context: volatility3.framework.interfaces.context.ContextInterface

The context object that this configurable belongs to/configuration is stored in.

Return type

ContextInterface

del_type_class(name)

Removes the associated class override for a specific Symbol type.

Return type

None

property enumerations: Iterable[str]

Returns an iterator of the available enumerations.

Return type

Iterable[str]

format_mapping = {'bool': <class 'volatility3.framework.objects.Boolean'>, 'char': <class 'volatility3.framework.objects.Char'>, 'float': <class 'volatility3.framework.objects.Float'>, 'int': <class 'volatility3.framework.objects.Integer'>, 'void': <class 'volatility3.framework.objects.Integer'>}
get_enumeration(enum_name)

Resolves an individual enumeration.

Return type

Template

classmethod get_requirements()

Returns a list of RequirementInterface objects required by this object.

Return type

List[RequirementInterface]

get_symbol(name)

Returns the symbol given by the symbol name.

Return type

SymbolInterface

get_symbol_type(name)

Resolves a symbol name into a symbol and then resolves the symbol’s type.

Return type

Optional[Template]

get_symbols_by_location(offset, size=0)

Returns the name of all symbols in this table that live at a particular offset.

Return type

Iterable[str]

get_symbols_by_type(type_name)

Returns the name of all symbols in this table that have type matching type_name.

Return type

Iterable[str]

get_type(type_name)

Resolves an individual symbol.

Return type

Template

get_type_class(name)

Returns the class associated with a Symbol type.

Return type

Type[ObjectInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns

The newly generated full configuration path

Return type

str

property metadata: Optional[volatility3.framework.interfaces.symbols.MetadataInterface]

Returns a MetadataInterface object.

Return type

Optional[MetadataInterface]

property natives: volatility3.framework.interfaces.symbols.NativeTableInterface

Returns None or a NativeTable for handling space specific native types.

Return type

NativeTableInterface

set_type_class(name, clazz)

Overrides the object class for a specific Symbol type.

Name must be present in self.types

Parameters
  • name (str) – The name of the type to override the class for

  • clazz (Type[ObjectInterface]) – The actual class to override for the provided type name

Return type

None

property symbols: Iterable[str]

Returns an iterator of the symbol names.

Return type

Iterable[str]

property types: Iterable[str]

Returns an iterator of the symbol type names.

Return type

Iterable[str]

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
Return type

Dict[str, RequirementInterface]

version = (6, 0, 0)
class Version7Format(context, config_path, name, json_object, native_types=None, table_mapping=None)[source]

Bases: volatility3.framework.symbols.intermed.Version6Format

Class for storing intermediate debugging data as objects and classes.

Instantiates an SymbolTable based on an IntermediateSymbolFormat JSON file. This is validated against the appropriate schema.

Parameters
  • context (ContextInterface) – The volatility context for the symbol table

  • config_path (str) – The configuration path for the symbol table

  • name (str) – The name for the symbol table (this is used in symbols e.g. table!symbol )

  • isf_url – The URL pointing to the ISF file location

  • native_types (Optional[NativeTableInterface]) – The NativeSymbolTable that contains the native types for this symbol table

  • table_mapping (Optional[Dict[str, str]]) – A dictionary linking names referenced in the file with symbol tables in the context

  • class_types – A dictionary of type names and classes that override StructType when they are instantiated

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type

HierarchicalDict

clear_symbol_cache()

Clears the symbol cache of the symbol table.

Return type

None

property config: volatility3.framework.interfaces.configuration.HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

Return type

HierarchicalDict

property config_path: str

The configuration path on which this configurable lives.

Return type

str

property context: volatility3.framework.interfaces.context.ContextInterface

The context object that this configurable belongs to/configuration is stored in.

Return type

ContextInterface

del_type_class(name)

Removes the associated class override for a specific Symbol type.

Return type

None

property enumerations: Iterable[str]

Returns an iterator of the available enumerations.

Return type

Iterable[str]

format_mapping = {'bool': <class 'volatility3.framework.objects.Boolean'>, 'char': <class 'volatility3.framework.objects.Char'>, 'float': <class 'volatility3.framework.objects.Float'>, 'int': <class 'volatility3.framework.objects.Integer'>, 'void': <class 'volatility3.framework.objects.Integer'>}
get_enumeration(enum_name)

Resolves an individual enumeration.

Return type

Template

classmethod get_requirements()

Returns a list of RequirementInterface objects required by this object.

Return type

List[RequirementInterface]

get_symbol(name)

Returns the symbol given by the symbol name.

Return type

SymbolInterface

get_symbol_type(name)

Resolves a symbol name into a symbol and then resolves the symbol’s type.

Return type

Optional[Template]

get_symbols_by_location(offset, size=0)

Returns the name of all symbols in this table that live at a particular offset.

Return type

Iterable[str]

get_symbols_by_type(type_name)

Returns the name of all symbols in this table that have type matching type_name.

Return type

Iterable[str]

get_type(type_name)

Resolves an individual symbol.

Return type

Template

get_type_class(name)

Returns the class associated with a Symbol type.

Return type

Type[ObjectInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns

The newly generated full configuration path

Return type

str

property metadata: Optional[volatility3.framework.interfaces.symbols.MetadataInterface]

Returns a MetadataInterface object.

Return type

Optional[MetadataInterface]

property natives: volatility3.framework.interfaces.symbols.NativeTableInterface

Returns None or a NativeTable for handling space specific native types.

Return type

NativeTableInterface

set_type_class(name, clazz)

Overrides the object class for a specific Symbol type.

Name must be present in self.types

Parameters
  • name (str) – The name of the type to override the class for

  • clazz (Type[ObjectInterface]) – The actual class to override for the provided type name

Return type

None

property symbols: Iterable[str]

Returns an iterator of the symbol names.

Return type

Iterable[str]

property types: Iterable[str]

Returns an iterator of the symbol type names.

Return type

Iterable[str]

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
Return type

Dict[str, RequirementInterface]

version = (6, 1, 0)
class Version8Format(context, config_path, name, json_object, native_types=None, table_mapping=None)[source]

Bases: volatility3.framework.symbols.intermed.Version7Format

Class for storing intermediate debugging data as objects and classes.

Instantiates an SymbolTable based on an IntermediateSymbolFormat JSON file. This is validated against the appropriate schema.

Parameters
  • context (ContextInterface) – The volatility context for the symbol table

  • config_path (str) – The configuration path for the symbol table

  • name (str) – The name for the symbol table (this is used in symbols e.g. table!symbol )

  • isf_url – The URL pointing to the ISF file location

  • native_types (Optional[NativeTableInterface]) – The NativeSymbolTable that contains the native types for this symbol table

  • table_mapping (Optional[Dict[str, str]]) – A dictionary linking names referenced in the file with symbol tables in the context

  • class_types – A dictionary of type names and classes that override StructType when they are instantiated

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type

HierarchicalDict

clear_symbol_cache()

Clears the symbol cache of the symbol table.

Return type

None

property config: volatility3.framework.interfaces.configuration.HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

Return type

HierarchicalDict

property config_path: str

The configuration path on which this configurable lives.

Return type

str

property context: volatility3.framework.interfaces.context.ContextInterface

The context object that this configurable belongs to/configuration is stored in.

Return type

ContextInterface

del_type_class(name)

Removes the associated class override for a specific Symbol type.

Return type

None

property enumerations: Iterable[str]

Returns an iterator of the available enumerations.

Return type

Iterable[str]

format_mapping = {'bool': <class 'volatility3.framework.objects.Boolean'>, 'char': <class 'volatility3.framework.objects.Char'>, 'float': <class 'volatility3.framework.objects.Float'>, 'int': <class 'volatility3.framework.objects.Integer'>, 'void': <class 'volatility3.framework.objects.Integer'>}
get_enumeration(enum_name)

Resolves an individual enumeration.

Return type

Template

classmethod get_requirements()

Returns a list of RequirementInterface objects required by this object.

Return type

List[RequirementInterface]

get_symbol(name)

Returns the symbol given by the symbol name.

Return type

SymbolInterface

get_symbol_type(name)

Resolves a symbol name into a symbol and then resolves the symbol’s type.

Return type

Optional[Template]

get_symbols_by_location(offset, size=0)

Returns the name of all symbols in this table that live at a particular offset.

Return type

Iterable[str]

get_symbols_by_type(type_name)

Returns the name of all symbols in this table that have type matching type_name.

Return type

Iterable[str]

get_type(type_name)[source]

Resolves an individual symbol.

Return type

Template

get_type_class(name)

Returns the class associated with a Symbol type.

Return type

Type[ObjectInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns

The newly generated full configuration path

Return type

str

property metadata: Optional[volatility3.framework.interfaces.symbols.MetadataInterface]

Returns a MetadataInterface object.

Return type

Optional[MetadataInterface]

property natives: volatility3.framework.interfaces.symbols.NativeTableInterface

Returns None or a NativeTable for handling space specific native types.

Return type

NativeTableInterface

set_type_class(name, clazz)

Overrides the object class for a specific Symbol type.

Name must be present in self.types

Parameters
  • name (str) – The name of the type to override the class for

  • clazz (Type[ObjectInterface]) – The actual class to override for the provided type name

Return type

None

property symbols: Iterable[str]

Returns an iterator of the symbol names.

Return type

Iterable[str]

property types: Iterable[str]

Returns an iterator of the symbol type names.

Return type

Iterable[str]

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
Return type

Dict[str, RequirementInterface]

version = (6, 2, 0)