volatility3.framework.symbols.mac.extensions package
- class fileglob(context, type_name, object_info, size, members)
Bases: volatility3.framework.objects.StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class ifnet(context, type_name, object_info, size, members)
Bases: volatility3.framework.objects.StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class inpcb(context, type_name, object_info, size, members)
Bases: volatility3.framework.objects.StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class kauth_scope(context, type_name, object_info, size, members)
Bases: volatility3.framework.objects.StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class proc(context, type_name, object_info, size, members)
Bases: volatility3.framework.symbols.generic.GenericIntelProcess
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- add_process_layer(config_prefix=None, preferred_name=None)
Constructs a new layer based on the process’s DTB.
Returns the name of the Layer or None.
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- Return type
- get_process_memory_sections(context, config_prefix, rw_no_file=False)
Returns a list of sections based on the memory manager’s view of this task’s virtual memory.
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class queue_entry(context, type_name, object_info, size, members)
Bases: volatility3.framework.objects.StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- walk_list(list_head, member_name, type_name, max_size=4096)
Walks a queue in a smear-aware and smear-resistant manner.
- smear is detected by:
the max_size parameter sets an upper bound
each seen entry is only allowed once
- attempts to work around smear:
the list is walked in both directions to help find as many elements as possible
- Parameters
type_name – the type of each element in the list
member_name – the name of the embedded list member
max_size – the maximum amount of elements that will be returned
- Return type
- Returns
Each instance of the queue cast as “type_name” type
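A simplified model of the walk described above, added here as an illustration and not Volatility's own implementation: memory is a constructed dict of address -> [next, prev], and the names walk_queue, build_ring and InvalidAddress are hypothetical. It shows how the seen-set, the max_size bound and a second pass over prev recover entries that a forward-only walk loses to a smeared pointer.

```python
class InvalidAddress(Exception):
    """A pointer led outside the captured memory (page missing or smeared)."""


def build_ring(head, entries):
    """Build a constructed circular queue as {address: [next, prev]}."""
    ring = [head] + list(entries)
    memory = {}
    for i, addr in enumerate(ring):
        memory[addr] = [ring[(i + 1) % len(ring)], ring[i - 1]]
    return memory


def read_links(memory, addr):
    """Return the [next, prev] pointers stored at addr."""
    try:
        return memory[addr]
    except KeyError:
        raise InvalidAddress(hex(addr)) from None


def walk_queue(memory, head, max_size=4096, both_directions=True):
    """Yield entry addresses reachable from head.

    Smear detection: stop at max_size entries, and never yield or
    follow an address that has already been seen.
    Smear workaround: after the next-pointer walk ends (cleanly or on
    an unreadable pointer), walk the prev pointers as well.
    """
    seen = set()
    for direction in ((0, 1) if both_directions else (0,)):
        try:
            addr = read_links(memory, head)[direction]
            while addr != head and addr not in seen:
                links = read_links(memory, addr)  # raises on a bad pointer
                seen.add(addr)
                yield addr
                if len(seen) >= max_size:
                    return
                addr = links[direction]
        except InvalidAddress:
            continue  # this direction is broken; try the other one


# Constructed addresses for the list head and four queue entries.
HEAD, A, B, C, D = 0x1000, 0x2000, 0x3000, 0x4000, 0x5000


def demo():
    """Compare a forward-only walk with the two-direction walk on smeared data."""
    smeared = build_ring(HEAD, [A, B, C, D])
    smeared[B][0] = 0xDEAD0000  # B.next now points at unmapped memory
    forward_only = list(walk_queue(smeared, HEAD, both_directions=False))
    both = list(walk_queue(smeared, HEAD))
    return forward_only, both


if __name__ == "__main__":
    forward_only, both = demo()
    print("forward only:", [hex(a) for a in forward_only])
    print("both directions:", [hex(a) for a in both])
```
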
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class sockaddr(context, type_name, object_info, size, members)
Bases: volatility3.framework.objects.StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class sockaddr_dl(context, type_name, object_info, size, members)
Bases: volatility3.framework.objects.StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class socket(context, type_name, object_info, size, members)
Bases: volatility3.framework.objects.StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class sysctl_oid(context, type_name, object_info, size, members)
Bases: volatility3.framework.objects.StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- Return type
- get_ctltype()
Returns the type of the sysctl node.
Args: None
- Returns
One of: CTLTYPE_NODE, CTLTYPE_INT, CTLTYPE_STRING, CTLTYPE_QUAD, CTLTYPE_OPAQUE, or an empty string for nodes not in the above types
Based on sysctl_sysctl_debug_dump_node
- get_perms()
Returns the actions allowed on the node.
Args: None
- Returns
A combination of: R - readable, W - writeable, L - self handles locking
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class vm_map_entry(context, type_name, object_info, size, members)
Bases: volatility3.framework.objects.StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- is_suspicious(context, config_prefix)
Flags memory regions that are mapped rwx or that map an executable not backed by a file on disk.
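The heuristic stated above, written out as an added example over a constructed region list; it is not Volatility's code. The VM_PROT_* values are the Mach protection bits; the region tuples, paths and function names are assumptions, as is reading "executable" as any mapping with the execute bit set.

```python
# Mach VM protection bits.
VM_PROT_READ, VM_PROT_WRITE, VM_PROT_EXECUTE = 0x1, 0x2, 0x4


def perms_string(prot):
    """Render a protection bitmask as an 'rwx'-style string."""
    return "".join(
        flag if prot & bit else "-"
        for flag, bit in (
            ("r", VM_PROT_READ),
            ("w", VM_PROT_WRITE),
            ("x", VM_PROT_EXECUTE),
        )
    )


def suspicious_reason(prot, path):
    """Return why a region is flagged, or None if it is not."""
    perms = perms_string(prot)
    if perms == "rwx":
        # Writable and executable at once, regardless of backing file.
        return "mapped rwx"
    if "x" in perms and not path:
        # Executable pages with no file on disk behind them.
        return "executable, not backed by a file"
    return None


def triage(regions):
    """Return (start, end, perms, reason) for every flagged region."""
    findings = []
    for start, end, prot, path in regions:
        reason = suspicious_reason(prot, path)
        if reason:
            findings.append((hex(start), hex(end), perms_string(prot), reason))
    return findings


# Constructed memory map for one process: (start, end, protection, backing path).
SAMPLE_REGIONS = [
    (0x100000000, 0x100004000, 0x5, "/bin/zsh"),           # r-x, file-backed text
    (0x100004000, 0x100008000, 0x3, "/bin/zsh"),           # rw-, file-backed data
    (0x7F8000000000, 0x7F8000100000, 0x3, ""),             # rw-, anonymous heap
    (0x10A000000, 0x10A002000, 0x7, ""),                   # rwx, anonymous
    (0x10B000000, 0x10B001000, 0x5, ""),                   # r-x, anonymous
    (0x10C000000, 0x10C003000, 0x7, "/tmp/sample.dylib"),  # rwx, file-backed
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REGIONS):
        print(*finding)
```
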
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class vm_map_object(context, type_name, object_info, size, members)
Bases: volatility3.framework.objects.StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class vnode(context, type_name, object_info, size, members)
Bases: volatility3.framework.objects.StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases:
volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If new type name does not include a symbol table, the symbol table for the current object is used
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names
- property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.