volatility3.framework.symbols.windows.extensions.pool module

class ExecutiveObject(context, type_name, object_info, **kwargs)

Bases: volatility3.framework.interfaces.objects.ObjectInterface

This is used as a “mixin” that provides all kernel executive objects with a means of finding their own object header.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: object

A container for proxied methods that the ObjectTemplate of this object will call. This is primarily to keep the methods together for easy organization and management; there is no significant need for it to be a separate class.

The methods of this class must be class methods rather than standard methods, to allow for code reuse. Each method also takes a template since the templates may contain the necessary data about the yet-to-be-constructed object. It allows objects to control how their templates respond without needing to write new templates for each and every potential object type.

abstract classmethod children(template)

Returns the children of the template.

Return type

List[Template]

abstract classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

abstract classmethod relative_child_offset(template, child)

Returns the relative offset from the head of the parent data to the child member.

Return type

int

abstract classmethod replace_child(template, old_child, new_child)

Substitutes the old_child for the new_child.

Return type

None

abstract classmethod size(template)

Returns the size of the template object.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type

ObjectInterface

get_object_header()

Return type

OBJECT_HEADER

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Parameters

member_name (str) – Name to test whether a member exists within the type structure

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping

Returns the volatility specific object information.

Return type

ReadOnlyMapping

abstract write(value)

Writes the new value into the format at the offset the object currently resides at.

class OBJECT_HEADER(context, type_name, object_info, size, members)

Bases: volatility3.framework.objects.StructType

A class for the headers for executive kernel objects, which contains quota information, ownership details, naming data, and ACLs.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

property NameInfo: volatility3.framework.interfaces.objects.ObjectInterface

Return type

ObjectInterface

class VolTemplateProxy

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replaces a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type

ObjectInterface

get_object_type(type_map, cookie=None)

Across all Windows versions, the _OBJECT_HEADER embeds details on the type of object (i.e. process, file), but the way it is embedded differs between versions.

This API abstracts away those details.

Return type

Optional[str]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

is_valid()

Determine if the object is valid.

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping

Returns the volatility specific object information.

Return type

ReadOnlyMapping

write(value)

Writes the new value into the format at the offset the object currently resides at.

class POOL_HEADER(context, type_name, object_info, size, members)

Bases: volatility3.framework.objects.StructType

A kernel pool allocation header.

Exists at the base of the allocation and provides a tag that we can scan for.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replaces a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type

ObjectInterface

get_object(constraint, use_top_down, kernel_symbol_table=None, native_layer_name=None)

Carve an object or data structure from a kernel pool allocation

Parameters
  • constraint (PoolConstraint) – a PoolConstraint object used to get the pool allocation header object

  • use_top_down (bool) – for delineating how a Windows version finds the size of the object body

  • kernel_symbol_table (Optional[str]) – in case objects of a different symbol table are scanned for

  • native_layer_name (Optional[str]) – the name of the layer where the data originally lived

Return type

Optional[ObjectInterface]

Returns

An object as found from a POOL_HEADER

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

is_free_pool()

is_nonpaged_pool()

is_paged_pool()

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping

Returns the volatility specific object information.

Return type

ReadOnlyMapping

write(value)

Writes the new value into the format at the offset the object currently resides at.

class POOL_HEADER_VISTA(context, type_name, object_info, size, members)

Bases: volatility3.framework.symbols.windows.extensions.pool.POOL_HEADER

A kernel pool allocation header, updated for Vista and later.

Exists at the base of the allocation and provides a tag that we can scan for.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replaces a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type

ObjectInterface

get_object(constraint, use_top_down, kernel_symbol_table=None, native_layer_name=None)

Carve an object or data structure from a kernel pool allocation

Parameters
  • constraint (PoolConstraint) – a PoolConstraint object used to get the pool allocation header object

  • use_top_down (bool) – for delineating how a Windows version finds the size of the object body

  • kernel_symbol_table (Optional[str]) – in case objects of a different symbol table are scanned for

  • native_layer_name (Optional[str]) – the name of the layer where the data originally lived

Return type

Optional[ObjectInterface]

Returns

An object as found from a POOL_HEADER

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

is_free_pool()

is_nonpaged_pool()

is_paged_pool()

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping

Returns the volatility specific object information.

Return type

ReadOnlyMapping

write(value)

Writes the new value into the format at the offset the object currently resides at.
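The workflow that POOL_HEADER and POOL_HEADER_VISTA expose (scan for a pool tag at the base of an allocation, sanity-check the header, classify the pool type, carve the body as get_object does) is shown below as an added example; it is not Volatility's own code. It parses the Vista+ x64 _POOL_HEADER layout (PreviousSize, PoolIndex, BlockSize and PoolType packed into one 32-bit field, then the four-byte PoolTag, then an eight-byte ProcessBilled union) over a constructed byte region rather than a real memory image, matches a tag while ignoring the PROTECTED_POOL bit in its last byte, applies the Vista+ convention that the header stores the POOL_TYPE value plus one so that zero means free (the reason POOL_HEADER_VISTA overrides is_paged_pool and is_nonpaged_pool), and cross-checks PreviousSize against the preceding header. The layout constants, the helper names, the "File"/"Proc" sample allocations and the plausibility rules are assumptions of this example; Volatility itself takes the layout from the symbol table and handles the pre-Vista encoding in the base POOL_HEADER class.

```python
import struct
from dataclasses import dataclass
from typing import Iterator

# Assumed Vista+ x64 _POOL_HEADER layout (16 bytes):
#   Ulong1 (4 bytes): PreviousSize:8 | PoolIndex:8 | BlockSize:8 | PoolType:8
#   PoolTag (4 bytes)
#   ProcessBilled / PoolTagHash union (8 bytes)
POOL_HEADER_SIZE = 16   # sizeof(_POOL_HEADER) on x64
POOL_BLOCK_UNIT = 16    # BlockSize and PreviousSize count 16-byte units on x64
POOL_ALIGNMENT = 16     # allocations, and so their headers, are 16-byte aligned
PROTECTED_POOL_BIT = 0x80  # PROTECTED_POOL flag sits in the tag's last byte


@dataclass(frozen=True)
class PoolHeader:
    offset: int
    previous_size: int
    pool_index: int
    block_size: int
    pool_type: int
    pool_tag: bytes

    @classmethod
    def parse(cls, buf: bytes, offset: int) -> "PoolHeader":
        if offset < 0 or offset + POOL_HEADER_SIZE > len(buf):
            raise ValueError("pool header would run past the buffer")
        ulong1, tag = struct.unpack_from("<I4s", buf, offset)
        return cls(offset, ulong1 & 0xFF, (ulong1 >> 8) & 0xFF,
                   (ulong1 >> 16) & 0xFF, (ulong1 >> 24) & 0xFF, tag)

    @property
    def allocation_size(self) -> int:
        return self.block_size * POOL_BLOCK_UNIT

    @property
    def body_offset(self) -> int:
        return self.offset + POOL_HEADER_SIZE

    # Vista+ stores POOL_TYPE + 1 in the header, so 0 is free, odd is nonpaged
    # (NonPagedPool = 0 -> 1) and even non-zero is paged (PagedPool = 1 -> 2).
    def is_free_pool(self) -> bool:
        return self.pool_type == 0

    def is_nonpaged_pool(self) -> bool:
        return self.pool_type % 2 == 1

    def is_paged_pool(self) -> bool:
        return self.pool_type != 0 and self.pool_type % 2 == 0

    def is_plausible(self, buf_len: int) -> bool:
        # A genuine header never describes a zero-length block and never
        # extends past the region being scanned (assumed sanity rules).
        return self.block_size > 0 and self.offset + self.allocation_size <= buf_len


def tag_matches(found: bytes, wanted: bytes) -> bool:
    """Compare tags, ignoring the PROTECTED_POOL bit (b'Pro\\xe3' matches b'Proc')."""
    return found[:3] == wanted[:3] and (found[3] & 0x7F) == (wanted[3] & 0x7F)


def scan_pool_tag(buf: bytes, tag: bytes) -> Iterator[PoolHeader]:
    """Yield plausible headers carrying `tag`, free allocations included,
    since freed pool may still hold a terminated object worth carving."""
    if len(tag) != 4:
        raise ValueError("pool tags are exactly four bytes")
    for off in range(0, len(buf) - POOL_HEADER_SIZE + 1, POOL_ALIGNMENT):
        hdr = PoolHeader.parse(buf, off)
        if tag_matches(hdr.pool_tag, tag) and hdr.is_plausible(len(buf)):
            yield hdr


def carve_body(buf: bytes, hdr: PoolHeader) -> bytes:
    """Return the allocation body that follows the pool header."""
    return buf[hdr.body_offset:hdr.offset + hdr.allocation_size]


def previous_size_consistent(buf: bytes, hdr: PoolHeader) -> bool:
    """Cross-check PreviousSize against the preceding header's BlockSize;
    0 means 'first allocation in the page' and is accepted as-is."""
    if hdr.previous_size == 0:
        return True
    prev_off = hdr.offset - hdr.previous_size * POOL_BLOCK_UNIT
    if prev_off < 0:
        return False
    return PoolHeader.parse(buf, prev_off).block_size == hdr.previous_size


def build_sample_region() -> bytes:
    """Constructed sample region (not a real dump): three back-to-back
    allocations followed by a decoy tag string at an unaligned position."""
    def header(prev: int, idx: int, block: int, ptype: int, tag: bytes) -> bytes:
        ulong1 = prev | (idx << 8) | (block << 16) | (ptype << 24)
        return struct.pack("<I4sQ", ulong1, tag, 0)
    region = header(0, 0, 3, 2, b"File") + b"\xaa" * 32        # paged, 48 bytes
    region += header(3, 0, 4, 1, b"Pro\xe3") + b"\xbb" * 48    # nonpaged, protected
    region += header(4, 0, 2, 0, b"Proc") + b"\xcc" * 16       # freed block
    region += b"\x00" * 6 + b"Proc" + b"\x00" * 6              # decoy, no header
    return region


if __name__ == "__main__":
    region = build_sample_region()
    for hdr in scan_pool_tag(region, b"Proc"):
        kind = "free" if hdr.is_free_pool() else "paged" if hdr.is_paged_pool() else "nonpaged"
        print(f"0x{hdr.offset:04x} tag={hdr.pool_tag!r} {kind} size={hdr.allocation_size} "
              f"prev_ok={previous_size_consistent(region, hdr)}")
```

Scanning only 16-byte-aligned offsets is what rejects the decoy string, and the PreviousSize cross-check is the kind of cheap structural test that weeds out tag collisions in unrelated data; a real scanner would also bound PoolIndex and confirm that the object header and body fit in the allocation, which is what the PoolConstraint passed to get_object describes.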

class POOL_TRACKER_BIG_PAGES(context, type_name, object_info, size, members)

Bases: volatility3.framework.objects.StructType

A kernel big page pool tracker.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: volatility3.framework.interfaces.objects.ObjectInterface.VolTemplateProxy

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replaces a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type

ObjectInterface

get_key()

Returns the Key value as a 4-character string

Return type

str

get_number_of_bytes()

Returns the NumberOfBytes value on applicable systems

Return type

Union[int, BaseAbsentValue]

get_pool_type()

Returns the enum name for the PoolType value on applicable systems

Return type

Union[str, BaseAbsentValue]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

is_valid()

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

pool_type_lookup: Dict[str, str] = {}

property vol: volatility3.framework.interfaces.objects.ReadOnlyMapping

Returns the volatility specific object information.

Return type

ReadOnlyMapping

write(value)

Writes the new value into the format at the offset the object currently resides at.