volatility3.plugins.windows package

All Windows OS plugins.

NOTE: This file is important for core plugins to run (which certain components such as the windows registry layers) are dependent upon, please DO NOT alter or remove this file unless you know the consequences of doing so.

The framework is configured this way to allow plugin developers/users to override any plugin functionality whether existing or new.

When overriding the plugins directory, you must include a file like this in any subdirectories that may be necessary.

Subpackages

• volatility3.plugins.windows.registry package
  • Submodules
    • volatility3.plugins.windows.registry.getcellroutine module
      • GetCellRoutine
    • volatility3.plugins.windows.registry.hivelist module
      • HiveGenerator
      • HiveList
    • volatility3.plugins.windows.registry.hivescan module
      • HiveScan
    • volatility3.plugins.windows.registry.printkey module
      • PrintKey
    • volatility3.plugins.windows.registry.userassist module
      • UserAssist

Submodules

• volatility3.plugins.windows.amcache module
  • Amcache
    • Amcache.build_configuration()
    • Amcache.config
    • Amcache.config_path
    • Amcache.context
    • Amcache.generate_timeline()
    • Amcache.get_amcache_hive()
    • Amcache.get_requirements()
    • Amcache.make_subconfig()
    • Amcache.open
    • Amcache.parse_driver_binary_key()
    • Amcache.parse_file_key()
    • Amcache.parse_inventory_app_file_key()
    • Amcache.parse_inventory_app_key()
    • Amcache.parse_programs_key()
    • Amcache.run()
    • Amcache.set_open_method()
    • Amcache.unsatisfied()
    • Amcache.version
  • AmcacheEntryType
    • AmcacheEntryType.Driver
    • AmcacheEntryType.File
    • AmcacheEntryType.Program
    • AmcacheEntryType.as_integer_ratio()
    • AmcacheEntryType.bit_count()
    • AmcacheEntryType.bit_length()
    • AmcacheEntryType.conjugate()
    • AmcacheEntryType.denominator
    • AmcacheEntryType.from_bytes()
    • AmcacheEntryType.imag
    • AmcacheEntryType.numerator
    • AmcacheEntryType.real
    • AmcacheEntryType.to_bytes()
  • Win10DriverBinaryValName
    • Win10DriverBinaryValName.DriverCompany
    • Win10DriverBinaryValName.DriverId
    • Win10DriverBinaryValName.DriverName
    • Win10DriverBinaryValName.DriverTimeStamp
    • Win10DriverBinaryValName.Product
    • Win10DriverBinaryValName.Service
  • Win10InvAppFileValName
    • Win10InvAppFileValName.FileId
    • Win10InvAppFileValName.LinkDate
    • Win10InvAppFileValName.LowerCaseLongPath
    • Win10InvAppFileValName.ProductName
    • Win10InvAppFileValName.ProductVersion
    • Win10InvAppFileValName.ProgramID
    • Win10InvAppFileValName.Publisher
  • Win10InvAppValName
    • Win10InvAppValName.InstallDate
    • Win10InvAppValName.Name
    • Win10InvAppValName.Publisher
    • Win10InvAppValName.RootDirPath
    • Win10InvAppValName.Version
  • Win8FileValName
    • Win8FileValName.Company
    • Win8FileValName.CompileTime
    • Win8FileValName.CreateTime
    • Win8FileValName.LastModTime
    • Win8FileValName.LastModTime2
    • Win8FileValName.PEHeaderChecksum
    • Win8FileValName.Path
    • Win8FileValName.Product
    • Win8FileValName.ProgramID
    • Win8FileValName.SHA1Hash
    • Win8FileValName.Size
    • Win8FileValName.SizeOfImage
    • Win8FileValName.Version
  • Win8ProgramValName
    • Win8ProgramValName.InstallTime
    • Win8ProgramValName.MSIPackageCode
    • Win8ProgramValName.MSIProductCode
    • Win8ProgramValName.PackageCode
    • Win8ProgramValName.Product
    • Win8ProgramValName.ProductCode
    • Win8ProgramValName.Publisher
    • Win8ProgramValName.Version
• volatility3.plugins.windows.bigpools module
  • BigPools
    • BigPools.build_configuration()
    • BigPools.config
    • BigPools.config_path
    • BigPools.context
    • BigPools.get_requirements()
    • BigPools.list_big_pools()
    • BigPools.make_subconfig()
    • BigPools.open
    • BigPools.run()
    • BigPools.set_open_method()
    • BigPools.unsatisfied()
    • BigPools.version
• volatility3.plugins.windows.cachedump module
  • Cachedump
    • Cachedump.build_configuration()
    • Cachedump.config
    • Cachedump.config_path
    • Cachedump.context
    • Cachedump.decrypt_hash()
    • Cachedump.get_nlkm()
    • Cachedump.get_requirements()
    • Cachedump.make_subconfig()
    • Cachedump.open
    • Cachedump.parse_cache_entry()
    • Cachedump.parse_decrypted_cache()
    • Cachedump.run()
    • Cachedump.set_open_method()
    • Cachedump.unsatisfied()
    • Cachedump.version
• volatility3.plugins.windows.callbacks module
  • Callbacks
    • Callbacks.build_configuration()
    • Callbacks.config
    • Callbacks.config_path
    • Callbacks.context
    • Callbacks.create_callback_scan_constraints()
    • Callbacks.create_callback_symbol_table()
    • Callbacks.get_requirements()
    • Callbacks.list_bugcheck_callbacks()
    • Callbacks.list_bugcheck_reason_callbacks()
    • Callbacks.list_notify_routines()
    • Callbacks.list_registry_callbacks()
    • Callbacks.make_subconfig()
    • Callbacks.open
    • Callbacks.run()
    • Callbacks.scan()
    • Callbacks.set_open_method()
    • Callbacks.unsatisfied()
    • Callbacks.version
• volatility3.plugins.windows.cmdline module
  • CmdLine
    • CmdLine.build_configuration()
    • CmdLine.config
    • CmdLine.config_path
    • CmdLine.context
    • CmdLine.get_cmdline()
    • CmdLine.get_requirements()
    • CmdLine.make_subconfig()
    • CmdLine.open
    • CmdLine.run()
    • CmdLine.set_open_method()
    • CmdLine.unsatisfied()
    • CmdLine.version
• volatility3.plugins.windows.cmdscan module
  • CmdScan
    • CmdScan.build_configuration()
    • CmdScan.config
    • CmdScan.config_path
    • CmdScan.context
    • CmdScan.get_command_history()
    • CmdScan.get_filtered_vads()
    • CmdScan.get_requirements()
    • CmdScan.make_subconfig()
    • CmdScan.open
    • CmdScan.run()
    • CmdScan.set_open_method()
    • CmdScan.unsatisfied()
    • CmdScan.version
• volatility3.plugins.windows.consoles module
  • Consoles
    • Consoles.build_configuration()
    • Consoles.config
    • Consoles.config_path
    • Consoles.context
    • Consoles.create_conhost_symbol_table()
    • Consoles.determine_conhost_version()
    • Consoles.find_conhost_proc()
    • Consoles.find_conhostexe()
    • Consoles.get_console_info()
    • Consoles.get_console_settings_from_registry()
    • Consoles.get_requirements()
    • Consoles.make_subconfig()
    • Consoles.open
    • Consoles.run()
    • Consoles.set_open_method()
    • Consoles.unsatisfied()
    • Consoles.version
• volatility3.plugins.windows.crashinfo module
  • Crashinfo
    • Crashinfo.build_configuration()
    • Crashinfo.config
    • Crashinfo.config_path
    • Crashinfo.context
    • Crashinfo.get_requirements()
    • Crashinfo.make_subconfig()
    • Crashinfo.open
    • Crashinfo.run()
    • Crashinfo.set_open_method()
    • Crashinfo.unsatisfied()
    • Crashinfo.version
• volatility3.plugins.windows.debugregisters module
  • DebugRegisters
    • DebugRegisters.build_configuration()
    • DebugRegisters.config
    • DebugRegisters.config_path
    • DebugRegisters.context
    • DebugRegisters.get_requirements()
    • DebugRegisters.make_subconfig()
    • DebugRegisters.open
    • DebugRegisters.run()
    • DebugRegisters.set_open_method()
    • DebugRegisters.unsatisfied()
    • DebugRegisters.version
• volatility3.plugins.windows.devicetree module
  • DeviceTree
    • DeviceTree.build_configuration()
    • DeviceTree.config
    • DeviceTree.config_path
    • DeviceTree.context
    • DeviceTree.get_requirements()
    • DeviceTree.make_subconfig()
    • DeviceTree.open
    • DeviceTree.run()
    • DeviceTree.set_open_method()
    • DeviceTree.unsatisfied()
    • DeviceTree.version
• volatility3.plugins.windows.dlllist module
  • DllList
    • DllList.build_configuration()
    • DllList.config
    • DllList.config_path
    • DllList.context
    • DllList.generate_timeline()
    • DllList.get_requirements()
    • DllList.make_subconfig()
    • DllList.open
    • DllList.run()
    • DllList.set_open_method()
    • DllList.unsatisfied()
    • DllList.version
• volatility3.plugins.windows.driverirp module
  • DriverIrp
    • DriverIrp.build_configuration()
    • DriverIrp.config
    • DriverIrp.config_path
    • DriverIrp.context
    • DriverIrp.get_requirements()
    • DriverIrp.make_subconfig()
    • DriverIrp.open
    • DriverIrp.run()
    • DriverIrp.set_open_method()
    • DriverIrp.unsatisfied()
    • DriverIrp.version
• volatility3.plugins.windows.drivermodule module
  • DriverModule
    • DriverModule.build_configuration()
    • DriverModule.config
    • DriverModule.config_path
    • DriverModule.context
    • DriverModule.get_requirements()
    • DriverModule.make_subconfig()
    • DriverModule.open
    • DriverModule.run()
    • DriverModule.set_open_method()
    • DriverModule.unsatisfied()
    • DriverModule.version
• volatility3.plugins.windows.driverscan module
  • DriverScan
    • DriverScan.build_configuration()
    • DriverScan.config
    • DriverScan.config_path
    • DriverScan.context
    • DriverScan.get_names_for_driver()
    • DriverScan.get_requirements()
    • DriverScan.make_subconfig()
    • DriverScan.open
    • DriverScan.run()
    • DriverScan.scan_drivers()
    • DriverScan.set_open_method()
    • DriverScan.unsatisfied()
    • DriverScan.version
• volatility3.plugins.windows.dumpfiles module
  • DumpFiles
    • DumpFiles.build_configuration()
    • DumpFiles.config
    • DumpFiles.config_path
    • DumpFiles.context
    • DumpFiles.dump_file_producer()
    • DumpFiles.get_requirements()
    • DumpFiles.make_subconfig()
    • DumpFiles.open
    • DumpFiles.process_file_object()
    • DumpFiles.run()
    • DumpFiles.set_open_method()
    • DumpFiles.unsatisfied()
    • DumpFiles.version
• volatility3.plugins.windows.envars module
  • Envars
    • Envars.build_configuration()
    • Envars.config
    • Envars.config_path
    • Envars.context
    • Envars.get_requirements()
    • Envars.make_subconfig()
    • Envars.open
    • Envars.run()
    • Envars.set_open_method()
    • Envars.unsatisfied()
    • Envars.version
• volatility3.plugins.windows.filescan module
  • FileScan
    • FileScan.build_configuration()
    • FileScan.config
    • FileScan.config_path
    • FileScan.context
    • FileScan.get_requirements()
    • FileScan.make_subconfig()
    • FileScan.open
    • FileScan.run()
    • FileScan.scan_files()
    • FileScan.set_open_method()
    • FileScan.unsatisfied()
    • FileScan.version
• volatility3.plugins.windows.getservicesids module
  • GetServiceSIDs
    • GetServiceSIDs.build_configuration()
    • GetServiceSIDs.config
    • GetServiceSIDs.config_path
    • GetServiceSIDs.context
    • GetServiceSIDs.get_requirements()
    • GetServiceSIDs.make_subconfig()
    • GetServiceSIDs.open
    • GetServiceSIDs.run()
    • GetServiceSIDs.set_open_method()
    • GetServiceSIDs.unsatisfied()
    • GetServiceSIDs.version
  • createservicesid()
• volatility3.plugins.windows.getsids module
  • GetSIDs
    • GetSIDs.build_configuration()
    • GetSIDs.config
    • GetSIDs.config_path
    • GetSIDs.context
    • GetSIDs.get_requirements()
    • GetSIDs.lookup_user_sids()
    • GetSIDs.make_subconfig()
    • GetSIDs.open
    • GetSIDs.run()
    • GetSIDs.set_open_method()
    • GetSIDs.unsatisfied()
    • GetSIDs.version
  • find_sid_re()
• volatility3.plugins.windows.handles module
  • Handles
    • Handles.build_configuration()
    • Handles.config
    • Handles.config_path
    • Handles.context
    • Handles.find_cookie()
    • Handles.find_sar_value()
    • Handles.get_requirements()
    • Handles.get_type_map()
    • Handles.handles()
    • Handles.make_subconfig()
    • Handles.open
    • Handles.run()
    • Handles.set_open_method()
    • Handles.unsatisfied()
    • Handles.version
• volatility3.plugins.windows.hashdump module
  • Hashdump
    • Hashdump.almpassword
    • Hashdump.antpassword
    • Hashdump.anum
    • Hashdump.aqwerty
    • Hashdump.bootkey_perm_table
    • Hashdump.build_configuration()
    • Hashdump.config
    • Hashdump.config_path
    • Hashdump.context
    • Hashdump.decrypt_single_hash()
    • Hashdump.decrypt_single_salted_hash()
    • Hashdump.empty_lm
    • Hashdump.empty_nt
    • Hashdump.get_bootkey()
    • Hashdump.get_hbootkey()
    • Hashdump.get_hive_key()
    • Hashdump.get_requirements()
    • Hashdump.get_user_hashes()
    • Hashdump.get_user_keys()
    • Hashdump.get_user_name()
    • Hashdump.lmkey
    • Hashdump.make_subconfig()
    • Hashdump.odd_parity
    • Hashdump.open
    • Hashdump.run()
    • Hashdump.set_open_method()
    • Hashdump.sid_to_key()
    • Hashdump.sidbytes_to_key()
    • Hashdump.unsatisfied()
    • Hashdump.version
• volatility3.plugins.windows.hollowprocesses module
  • DLLData
    • DLLData.count()
    • DLLData.index()
    • DLLData.path
  • HollowProcesses
    • HollowProcesses.build_configuration()
    • HollowProcesses.config
    • HollowProcesses.config_path
    • HollowProcesses.context
    • HollowProcesses.get_requirements()
    • HollowProcesses.make_subconfig()
    • HollowProcesses.open
    • HollowProcesses.run()
    • HollowProcesses.set_open_method()
    • HollowProcesses.unsatisfied()
    • HollowProcesses.version
  • VadData
    • VadData.count()
    • VadData.index()
    • VadData.path
    • VadData.protection
• volatility3.plugins.windows.iat module
  • IAT
    • IAT.build_configuration()
    • IAT.config
    • IAT.config_path
    • IAT.context
    • IAT.get_requirements()
    • IAT.make_subconfig()
    • IAT.open
    • IAT.run()
    • IAT.set_open_method()
    • IAT.unsatisfied()
    • IAT.version
• volatility3.plugins.windows.info module
  • Info
    • Info.build_configuration()
    • Info.config
    • Info.config_path
    • Info.context
    • Info.get_depends()
    • Info.get_kdbg_structure()
    • Info.get_kernel_module()
    • Info.get_kuser_structure()
    • Info.get_ntheader_structure()
    • Info.get_requirements()
    • Info.get_version_structure()
    • Info.make_subconfig()
    • Info.open
    • Info.run()
    • Info.set_open_method()
    • Info.unsatisfied()
    • Info.version
• volatility3.plugins.windows.joblinks module
  • JobLinks
    • JobLinks.build_configuration()
    • JobLinks.config
    • JobLinks.config_path
    • JobLinks.context
    • JobLinks.get_requirements()
    • JobLinks.make_subconfig()
    • JobLinks.open
    • JobLinks.run()
    • JobLinks.set_open_method()
    • JobLinks.unsatisfied()
    • JobLinks.version
• volatility3.plugins.windows.kpcrs module
  • KPCRs
    • KPCRs.build_configuration()
    • KPCRs.config
    • KPCRs.config_path
    • KPCRs.context
    • KPCRs.get_requirements()
    • KPCRs.list_kpcrs()
    • KPCRs.make_subconfig()
    • KPCRs.open
    • KPCRs.run()
    • KPCRs.set_open_method()
    • KPCRs.unsatisfied()
    • KPCRs.version
• volatility3.plugins.windows.ldrmodules module
  • LdrModules
    • LdrModules.build_configuration()
    • LdrModules.config
    • LdrModules.config_path
    • LdrModules.context
    • LdrModules.get_requirements()
    • LdrModules.make_subconfig()
    • LdrModules.open
    • LdrModules.run()
    • LdrModules.set_open_method()
    • LdrModules.unsatisfied()
    • LdrModules.version
• volatility3.plugins.windows.lsadump module
  • Lsadump
    • Lsadump.build_configuration()
    • Lsadump.config
    • Lsadump.config_path
    • Lsadump.context
    • Lsadump.decrypt_aes()
    • Lsadump.decrypt_secret()
    • Lsadump.get_lsa_key()
    • Lsadump.get_requirements()
    • Lsadump.get_secret_by_name()
    • Lsadump.make_subconfig()
    • Lsadump.open
    • Lsadump.run()
    • Lsadump.set_open_method()
    • Lsadump.unsatisfied()
    • Lsadump.version
• volatility3.plugins.windows.malfind module
  • Malfind
    • Malfind.build_configuration()
    • Malfind.config
    • Malfind.config_path
    • Malfind.context
    • Malfind.get_requirements()
    • Malfind.is_vad_empty()
    • Malfind.list_injections()
    • Malfind.make_subconfig()
    • Malfind.open
    • Malfind.run()
    • Malfind.set_open_method()
    • Malfind.unsatisfied()
    • Malfind.version
• volatility3.plugins.windows.mbrscan module
  • MBRScan
    • MBRScan.build_configuration()
    • MBRScan.config
    • MBRScan.config_path
    • MBRScan.context
    • MBRScan.get_hash()
    • MBRScan.get_requirements()
    • MBRScan.make_subconfig()
    • MBRScan.open
    • MBRScan.run()
    • MBRScan.set_open_method()
    • MBRScan.unsatisfied()
    • MBRScan.version
• volatility3.plugins.windows.memmap module
  • Memmap
    • Memmap.build_configuration()
    • Memmap.config
    • Memmap.config_path
    • Memmap.context
    • Memmap.get_requirements()
    • Memmap.make_subconfig()
    • Memmap.open
    • Memmap.run()
    • Memmap.set_open_method()
    • Memmap.unsatisfied()
    • Memmap.version
• volatility3.plugins.windows.mftscan module
  • ADS
    • ADS.build_configuration()
    • ADS.config
    • ADS.config_path
    • ADS.context
    • ADS.get_requirements()
    • ADS.make_subconfig()
    • ADS.open
    • ADS.run()
    • ADS.set_open_method()
    • ADS.unsatisfied()
    • ADS.version
  • MFTScan
    • MFTScan.build_configuration()
    • MFTScan.config
    • MFTScan.config_path
    • MFTScan.context
    • MFTScan.generate_timeline()
    • MFTScan.get_requirements()
    • MFTScan.make_subconfig()
    • MFTScan.open
    • MFTScan.run()
    • MFTScan.set_open_method()
    • MFTScan.unsatisfied()
    • MFTScan.version
• volatility3.plugins.windows.modscan module
  • ModScan
    • ModScan.build_configuration()
    • ModScan.config
    • ModScan.config_path
    • ModScan.context
    • ModScan.dump_module()
    • ModScan.find_session_layer()
    • ModScan.get_requirements()
    • ModScan.get_session_layers()
    • ModScan.list_modules()
    • ModScan.make_subconfig()
    • ModScan.open
    • ModScan.run()
    • ModScan.scan_modules()
    • ModScan.set_open_method()
    • ModScan.unsatisfied()
    • ModScan.version
• volatility3.plugins.windows.modules module
  • Modules
    • Modules.build_configuration()
    • Modules.config
    • Modules.config_path
    • Modules.context
    • Modules.dump_module()
    • Modules.find_session_layer()
    • Modules.get_requirements()
    • Modules.get_session_layers()
    • Modules.list_modules()
    • Modules.make_subconfig()
    • Modules.open
    • Modules.run()
    • Modules.set_open_method()
    • Modules.unsatisfied()
    • Modules.version
• volatility3.plugins.windows.mutantscan module
  • MutantScan
    • MutantScan.build_configuration()
    • MutantScan.config
    • MutantScan.config_path
    • MutantScan.context
    • MutantScan.get_requirements()
    • MutantScan.make_subconfig()
    • MutantScan.open
    • MutantScan.run()
    • MutantScan.scan_mutants()
    • MutantScan.set_open_method()
    • MutantScan.unsatisfied()
    • MutantScan.version
• volatility3.plugins.windows.netscan module
  • NetScan
    • NetScan.build_configuration()
    • NetScan.config
    • NetScan.config_path
    • NetScan.context
    • NetScan.create_netscan_constraints()
    • NetScan.create_netscan_symbol_table()
    • NetScan.determine_tcpip_version()
    • NetScan.generate_timeline()
    • NetScan.get_requirements()
    • NetScan.make_subconfig()
    • NetScan.open
    • NetScan.run()
    • NetScan.scan()
    • NetScan.set_open_method()
    • NetScan.unsatisfied()
    • NetScan.version
• volatility3.plugins.windows.netstat module
  • NetStat
    • NetStat.build_configuration()
    • NetStat.config
    • NetStat.config_path
    • NetStat.context
    • NetStat.create_tcpip_symbol_table()
    • NetStat.enumerate_structures_by_port()
    • NetStat.find_port_pools()
    • NetStat.generate_timeline()
    • NetStat.get_requirements()
    • NetStat.get_tcpip_module()
    • NetStat.list_sockets()
    • NetStat.make_subconfig()
    • NetStat.open
    • NetStat.parse_bitmap()
    • NetStat.parse_hashtable()
    • NetStat.parse_partitions()
    • NetStat.read_pointer()
    • NetStat.run()
    • NetStat.set_open_method()
    • NetStat.unsatisfied()
    • NetStat.version
• volatility3.plugins.windows.orphan_kernel_threads module
  • Threads
    • Threads.build_configuration()
    • Threads.config
    • Threads.config_path
    • Threads.context
    • Threads.filter_func()
    • Threads.gather_thread_info()
    • Threads.generate_timeline()
    • Threads.get_requirements()
    • Threads.list_orphan_kernel_threads()
    • Threads.make_subconfig()
    • Threads.open
    • Threads.run()
    • Threads.scan_threads()
    • Threads.set_open_method()
    • Threads.unsatisfied()
    • Threads.version
• volatility3.plugins.windows.pe_symbols module
  • ExportSymbolFinder
    • ExportSymbolFinder.cached_int_dict
    • ExportSymbolFinder.cached_module_lists
    • ExportSymbolFinder.cached_str_dict
    • ExportSymbolFinder.cached_value
    • ExportSymbolFinder.cached_value_dict
    • ExportSymbolFinder.get_address_for_name()
    • ExportSymbolFinder.get_name_for_address()
  • PDBSymbolFinder
    • PDBSymbolFinder.cached_int_dict
    • PDBSymbolFinder.cached_module_lists
    • PDBSymbolFinder.cached_str_dict
    • PDBSymbolFinder.cached_value
    • PDBSymbolFinder.cached_value_dict
    • PDBSymbolFinder.get_address_for_name()
    • PDBSymbolFinder.get_name_for_address()
  • PESymbolFinder
    • PESymbolFinder.cached_int_dict
    • PESymbolFinder.cached_module_lists
    • PESymbolFinder.cached_str_dict
    • PESymbolFinder.cached_value
    • PESymbolFinder.cached_value_dict
    • PESymbolFinder.get_address_for_name()
    • PESymbolFinder.get_name_for_address()
  • PESymbols
    • PESymbols.addresses_for_process_symbols()
    • PESymbols.build_configuration()
    • PESymbols.config
    • PESymbols.config_path
    • PESymbols.context
    • PESymbols.filename_for_path()
    • PESymbols.filepath_for_address()
    • PESymbols.find_symbols()
    • PESymbols.get_all_vads_with_file_paths()
    • PESymbols.get_kernel_modules()
    • PESymbols.get_proc_vads_with_file_paths()
    • PESymbols.get_process_modules()
    • PESymbols.get_requirements()
    • PESymbols.get_vads_for_process_cache()
    • PESymbols.make_subconfig()
    • PESymbols.open
    • PESymbols.os_module_name
    • PESymbols.path_and_symbol_for_address()
    • PESymbols.range_info_for_address()
    • PESymbols.run()
    • PESymbols.set_open_method()
    • PESymbols.unsatisfied()
    • PESymbols.version
• volatility3.plugins.windows.pedump module
  • PEDump
    • PEDump.build_configuration()
    • PEDump.config
    • PEDump.config_path
    • PEDump.context
    • PEDump.dump_kernel_pe_at_base()
    • PEDump.dump_ldr_entry()
    • PEDump.dump_pe()
    • PEDump.dump_pe_at_base()
    • PEDump.dump_processes()
    • PEDump.get_requirements()
    • PEDump.make_subconfig()
    • PEDump.open
    • PEDump.run()
    • PEDump.set_open_method()
    • PEDump.unsatisfied()
    • PEDump.version
• volatility3.plugins.windows.poolscanner module
  • PoolConstraint
  • PoolHeaderScanner
    • PoolHeaderScanner.context
    • PoolHeaderScanner.layer_name
    • PoolHeaderScanner.thread_safe
    • PoolHeaderScanner.version
  • PoolScanner
    • PoolScanner.build_configuration()
    • PoolScanner.builtin_constraints()
    • PoolScanner.config
    • PoolScanner.config_path
    • PoolScanner.context
    • PoolScanner.generate_pool_scan()
    • PoolScanner.get_pool_header_table()
    • PoolScanner.get_requirements()
    • PoolScanner.make_subconfig()
    • PoolScanner.open
    • PoolScanner.pool_scan()
    • PoolScanner.run()
    • PoolScanner.set_open_method()
    • PoolScanner.unsatisfied()
    • PoolScanner.version
  • PoolType
    • PoolType.FREE
    • PoolType.NONPAGED
    • PoolType.PAGED
    • PoolType.as_integer_ratio()
    • PoolType.bit_count()
    • PoolType.bit_length()
    • PoolType.conjugate()
    • PoolType.denominator
    • PoolType.from_bytes()
    • PoolType.imag
    • PoolType.numerator
    • PoolType.real
    • PoolType.to_bytes()
• volatility3.plugins.windows.privileges module
  • Privs
    • Privs.build_configuration()
    • Privs.config
    • Privs.config_path
    • Privs.context
    • Privs.get_requirements()
    • Privs.make_subconfig()
    • Privs.open
    • Privs.run()
    • Privs.set_open_method()
    • Privs.unsatisfied()
    • Privs.version
• volatility3.plugins.windows.processghosting module
  • ProcessGhosting
    • ProcessGhosting.build_configuration()
    • ProcessGhosting.config
    • ProcessGhosting.config_path
    • ProcessGhosting.context
    • ProcessGhosting.get_requirements()
    • ProcessGhosting.make_subconfig()
    • ProcessGhosting.open
    • ProcessGhosting.run()
    • ProcessGhosting.set_open_method()
    • ProcessGhosting.unsatisfied()
    • ProcessGhosting.version
• volatility3.plugins.windows.pslist module
  • PsList
    • PsList.PHYSICAL_DEFAULT
    • PsList.build_configuration()
    • PsList.config
    • PsList.config_path
    • PsList.context
    • PsList.create_active_process_filter()
    • PsList.create_name_filter()
    • PsList.create_pid_filter()
    • PsList.generate_timeline()
    • PsList.get_requirements()
    • PsList.list_processes()
    • PsList.make_subconfig()
    • PsList.open
    • PsList.process_dump()
    • PsList.run()
    • PsList.set_open_method()
    • PsList.unsatisfied()
    • PsList.version
• volatility3.plugins.windows.psscan module
  • PsScan
    • PsScan.build_configuration()
    • PsScan.config
    • PsScan.config_path
    • PsScan.context
    • PsScan.create_offset_filter()
    • PsScan.generate_timeline()
    • PsScan.get_osversion()
    • PsScan.get_requirements()
    • PsScan.make_subconfig()
    • PsScan.open
    • PsScan.physical_offset_from_virtual()
    • PsScan.run()
    • PsScan.scan_processes()
    • PsScan.set_open_method()
    • PsScan.unsatisfied()
    • PsScan.version
    • PsScan.virtual_process_from_physical()
• volatility3.plugins.windows.pstree module
  • PsTree
    • PsTree.build_configuration()
    • PsTree.config
    • PsTree.config_path
    • PsTree.context
    • PsTree.find_level()
    • PsTree.get_requirements()
    • PsTree.make_subconfig()
    • PsTree.open
    • PsTree.run()
    • PsTree.set_open_method()
    • PsTree.unsatisfied()
    • PsTree.version
• volatility3.plugins.windows.psxview module
  • PsXView
    • PsXView.build_configuration()
    • PsXView.config
    • PsXView.config_path
    • PsXView.context
    • PsXView.get_requirements()
    • PsXView.make_subconfig()
    • PsXView.open
    • PsXView.run()
    • PsXView.set_open_method()
    • PsXView.unsatisfied()
    • PsXView.valid_proc_name_chars
    • PsXView.version
• volatility3.plugins.windows.scheduled_tasks module
  • ActionSet
    • ActionSet.actions
    • ActionSet.context
    • ActionSet.decode()
  • ActionType
    • ActionType.ComHandler
    • ActionType.Email
    • ActionType.Exe
    • ActionType.MessageBox
  • DynamicInfo
    • DynamicInfo.creation_time
    • DynamicInfo.decode()
    • DynamicInfo.last_error_code
    • DynamicInfo.last_run_time
    • DynamicInfo.last_successful_run_time
  • JobBucket
    • JobBucket.crc32
    • JobBucket.display_name
    • JobBucket.flags
    • JobBucket.optional_settings
    • JobBucket.principal_id
    • JobBucket.user_info
  • Months
    • Months.April
    • Months.August
    • Months.December
    • Months.February
    • Months.January
    • Months.July
    • Months.June
    • Months.March
    • Months.May
    • Months.November
    • Months.October
    • Months.September
  • OptionalSettings
    • OptionalSettings.Deadline
    • OptionalSettings.DeleteExpiredTaskAfter
    • OptionalSettings.Exclusive
    • OptionalSettings.ExecutionTimeLimitSeconds
    • OptionalSettings.IdleDurationSeconds
    • OptionalSettings.NetworkId
    • OptionalSettings.Periodicity
    • OptionalSettings.Priority
    • OptionalSettings.Privileges
    • OptionalSettings.RestartOnFailureDelay
    • OptionalSettings.RestartOnFailureRetries
    • OptionalSettings.idleWaitTimeoutSeconds
  • Privileges
    • Privileges.SeAssignPrimaryTokenPrivilege
    • Privileges.SeAuditPrivilege
    • Privileges.SeBackupPrivilege
    • Privileges.SeChangeNotifyPrivilege
    • Privileges.SeCreateGlobalPrivilege
    • Privileges.SeCreatePagefilePrivilege
    • Privileges.SeCreatePermanentPrivilege
    • Privileges.SeCreateSymbolicLinkPrivilege
    • Privileges.SeCreateTokenPrivilege
    • Privileges.SeDebugPrivilege
    • Privileges.SeDelegateSessionUserImpersonatePrivilege
    • Privileges.SeEnableDelegationPrivilege
    • Privileges.SeImpersonatePrivilege
    • Privileges.SeIncreaseBasePriorityPrivilege
    • Privileges.SeIncreaseQuotaPrivilege
    • Privileges.SeIncreaseWorkingSetPrivilege
    • Privileges.SeLoadDriverPrivilege
    • Privileges.SeLockMemoryPrivilege
    • Privileges.SeMachineAccountPrivilege
    • Privileges.SeManageVolumePrivilege
    • Privileges.SeProfileSingleProcessPrivilege
    • Privileges.SeRelabelPrivilege
    • Privileges.SeRemoteShutdownPrivilege
    • Privileges.SeRestorePrivilege
    • Privileges.SeSecurityPrivilege
    • Privileges.SeShutdownPrivilege
    • Privileges.SeSyncAgentPrivilege
    • Privileges.SeSystemEnvironmentPrivilege
    • Privileges.SeSystemProfilePrivilege
    • Privileges.SeSystemtimePrivilege
    • Privileges.SeTakeOwnershipPrivilege
    • Privileges.SeTcbPrivilege
    • Privileges.SeTimeZonePrivilege
    • Privileges.SeTrustedCredManAccessPrivilege
    • Privileges.SeUndockPrivilege
  • ScheduledTasks
    • ScheduledTasks.build_configuration()
    • ScheduledTasks.config
    • ScheduledTasks.config_path
    • ScheduledTasks.context
    • ScheduledTasks.generate_timeline()
    • ScheduledTasks.get_requirements()
    • ScheduledTasks.get_software_hive()
    • ScheduledTasks.make_subconfig()
    • ScheduledTasks.open
    • ScheduledTasks.parse_actions_value()
    • ScheduledTasks.parse_dynamic_info_value()
    • ScheduledTasks.parse_triggers_value()
    • ScheduledTasks.run()
    • ScheduledTasks.set_open_method()
    • ScheduledTasks.unsatisfied()
    • ScheduledTasks.version
  • SessionState
    • SessionState.ConsoleConnect
    • SessionState.ConsoleDisconnect
    • SessionState.RemoteConnect
    • SessionState.RemoteDisconnect
    • SessionState.SessionLock
    • SessionState.SessionUnlock
    • SessionState.Unknown
  • SidType
    • SidType.Alias
    • SidType.Computer
    • SidType.DeletedAccount
    • SidType.Domain
    • SidType.Group
    • SidType.Invalid
    • SidType.Label
    • SidType.LogonSession
    • SidType.Unknown
    • SidType.User
    • SidType.WellKnownGroup
  • TaskAction
    • TaskAction.action
    • TaskAction.action_args
    • TaskAction.action_type
    • TaskAction.decode_messagebox_action()
    • TaskAction.working_directory
  • TaskSchedulerTimePeriod
    • TaskSchedulerTimePeriod.days
    • TaskSchedulerTimePeriod.hours
    • TaskSchedulerTimePeriod.minutes
    • TaskSchedulerTimePeriod.months
    • TaskSchedulerTimePeriod.seconds
    • TaskSchedulerTimePeriod.weeks
    • TaskSchedulerTimePeriod.years
  • TaskTrigger
    • TaskTrigger.description
    • TaskTrigger.enabled
    • TaskTrigger.end_boundary
    • TaskTrigger.repetition_interval_seconds
    • TaskTrigger.start_boundary
    • TaskTrigger.trigger_type
  • TimeMode
    • TimeMode.Daily
    • TimeMode.DaysInMonths
    • TimeMode.DaysInWeeksInMonths
    • TimeMode.Once
    • TimeMode.Unknown
    • TimeMode.Weekly
  • TriggerSet
    • TriggerSet.decode()
    • TriggerSet.job_bucket
    • TriggerSet.triggers
  • TriggerType
    • TriggerType.Boot
    • TriggerType.Event
    • TriggerType.Idle
    • TriggerType.Logon
    • TriggerType.Registration
    • TriggerType.Session
    • TriggerType.Time
    • TriggerType.WindowsNotificationFacility
  • UserInfo
    • UserInfo.sid
    • UserInfo.sid_type
    • UserInfo.username
  • Weekday
    • Weekday.Friday
    • Weekday.Monday
    • Weekday.Saturday
    • Weekday.Sunday
    • Weekday.Thursday
    • Weekday.Tuesday
    • Weekday.Wednesday
  • decode_sid()
• volatility3.plugins.windows.sessions module
  • Sessions
    • Sessions.build_configuration()
    • Sessions.config
    • Sessions.config_path
    • Sessions.context
    • Sessions.generate_timeline()
    • Sessions.get_requirements()
    • Sessions.make_subconfig()
    • Sessions.open
    • Sessions.run()
    • Sessions.set_open_method()
    • Sessions.unsatisfied()
    • Sessions.version
• volatility3.plugins.windows.shimcachemem module
  • ShimcacheMem
    • ShimcacheMem.NT_KRNL_MODS
    • ShimcacheMem.build_configuration()
    • ShimcacheMem.config
    • ShimcacheMem.config_path
    • ShimcacheMem.context
    • ShimcacheMem.create_shimcache_table()
    • ShimcacheMem.find_shimcache_win_2k3_to_7()
    • ShimcacheMem.find_shimcache_win_8_or_later()
    • ShimcacheMem.find_shimcache_win_xp()
    • ShimcacheMem.generate_timeline()
    • ShimcacheMem.get_module_section_range()
    • ShimcacheMem.get_requirements()
    • ShimcacheMem.make_subconfig()
    • ShimcacheMem.open
    • ShimcacheMem.run()
    • ShimcacheMem.set_open_method()
    • ShimcacheMem.try_get_shim_head_at_offset()
    • ShimcacheMem.unsatisfied()
    • ShimcacheMem.version
• volatility3.plugins.windows.skeleton_key_check module
  • Skeleton_Key_Check
    • Skeleton_Key_Check.build_configuration()
    • Skeleton_Key_Check.config
    • Skeleton_Key_Check.config_path
    • Skeleton_Key_Check.context
    • Skeleton_Key_Check.get_requirements()
    • Skeleton_Key_Check.make_subconfig()
    • Skeleton_Key_Check.open
    • Skeleton_Key_Check.run()
    • Skeleton_Key_Check.set_open_method()
    • Skeleton_Key_Check.unsatisfied()
    • Skeleton_Key_Check.version
• volatility3.plugins.windows.ssdt module
  • SSDT
    • SSDT.build_configuration()
    • SSDT.build_module_collection()
    • SSDT.config
    • SSDT.config_path
    • SSDT.context
    • SSDT.get_requirements()
    • SSDT.make_subconfig()
    • SSDT.open
    • SSDT.run()
    • SSDT.set_open_method()
    • SSDT.unsatisfied()
    • SSDT.version
• volatility3.plugins.windows.strings module
  • Strings
    • Strings.build_configuration()
    • Strings.config
    • Strings.config_path
    • Strings.context
    • Strings.generate_mapping()
    • Strings.get_requirements()
    • Strings.make_subconfig()
    • Strings.open
    • Strings.run()
    • Strings.set_open_method()
    • Strings.strings_pattern
    • Strings.unsatisfied()
    • Strings.version
• volatility3.plugins.windows.suspicious_threads module
  • SuspiciousThreads
    • SuspiciousThreads.build_configuration()
    • SuspiciousThreads.config
    • SuspiciousThreads.config_path
    • SuspiciousThreads.context
    • SuspiciousThreads.get_requirements()
    • SuspiciousThreads.make_subconfig()
    • SuspiciousThreads.open
    • SuspiciousThreads.run()
    • SuspiciousThreads.set_open_method()
    • SuspiciousThreads.unsatisfied()
    • SuspiciousThreads.version
• volatility3.plugins.windows.svcdiff module
  • SvcDiff
    • SvcDiff.build_configuration()
    • SvcDiff.config
    • SvcDiff.config_path
    • SvcDiff.context
    • SvcDiff.enumerate_vista_or_later_header()
    • SvcDiff.get_prereq_info()
    • SvcDiff.get_record_tuple()
    • SvcDiff.get_requirements()
    • SvcDiff.make_subconfig()
    • SvcDiff.open
    • SvcDiff.run()
    • SvcDiff.service_diff()
    • SvcDiff.service_scan()
    • SvcDiff.set_open_method()
    • SvcDiff.unsatisfied()
    • SvcDiff.version
• volatility3.plugins.windows.svclist module
  • SvcList
    • SvcList.build_configuration()
    • SvcList.config
    • SvcList.config_path
    • SvcList.context
    • SvcList.enumerate_vista_or_later_header()
    • SvcList.get_prereq_info()
    • SvcList.get_record_tuple()
    • SvcList.get_requirements()
    • SvcList.make_subconfig()
    • SvcList.open
    • SvcList.run()
    • SvcList.service_list()
    • SvcList.service_scan()
    • SvcList.set_open_method()
    • SvcList.unsatisfied()
    • SvcList.version
• volatility3.plugins.windows.svcscan module
  • ServiceBinaryInfo
    • ServiceBinaryInfo.binary
    • ServiceBinaryInfo.count()
    • ServiceBinaryInfo.dll
    • ServiceBinaryInfo.index()
  • SvcScan
    • SvcScan.build_configuration()
    • SvcScan.config
    • SvcScan.config_path
    • SvcScan.context
    • SvcScan.enumerate_vista_or_later_header()
    • SvcScan.get_prereq_info()
    • SvcScan.get_record_tuple()
    • SvcScan.get_requirements()
    • SvcScan.make_subconfig()
    • SvcScan.open
    • SvcScan.run()
    • SvcScan.service_scan()
    • SvcScan.set_open_method()
    • SvcScan.unsatisfied()
    • SvcScan.version
• volatility3.plugins.windows.symlinkscan module
  • SymlinkScan
    • SymlinkScan.build_configuration()
    • SymlinkScan.config
    • SymlinkScan.config_path
    • SymlinkScan.context
    • SymlinkScan.generate_timeline()
    • SymlinkScan.get_requirements()
    • SymlinkScan.make_subconfig()
    • SymlinkScan.open
    • SymlinkScan.run()
    • SymlinkScan.scan_symlinks()
    • SymlinkScan.set_open_method()
    • SymlinkScan.unsatisfied()
    • SymlinkScan.version
• volatility3.plugins.windows.thrdscan module
  • ThrdScan
    • ThrdScan.build_configuration()
    • ThrdScan.config
    • ThrdScan.config_path
    • ThrdScan.context
    • ThrdScan.filter_func()
    • ThrdScan.gather_thread_info()
    • ThrdScan.generate_timeline()
    • ThrdScan.get_requirements()
    • ThrdScan.make_subconfig()
    • ThrdScan.open
    • ThrdScan.run()
    • ThrdScan.scan_threads()
    • ThrdScan.set_open_method()
    • ThrdScan.unsatisfied()
    • ThrdScan.version
• volatility3.plugins.windows.threads module
  • Threads
    • Threads.build_configuration()
    • Threads.config
    • Threads.config_path
    • Threads.context
    • Threads.filter_func()
    • Threads.gather_thread_info()
    • Threads.generate_timeline()
    • Threads.get_requirements()
    • Threads.list_process_threads()
    • Threads.list_threads()
    • Threads.make_subconfig()
    • Threads.open
    • Threads.run()
    • Threads.scan_threads()
    • Threads.set_open_method()
    • Threads.unsatisfied()
    • Threads.version
• volatility3.plugins.windows.timers module
  • Timers
    • Timers.build_configuration()
    • Timers.config
    • Timers.config_path
    • Timers.context
    • Timers.get_requirements()
    • Timers.list_timers()
    • Timers.make_subconfig()
    • Timers.open
    • Timers.run()
    • Timers.set_open_method()
    • Timers.unsatisfied()
    • Timers.version
• volatility3.plugins.windows.truecrypt module
  • Passphrase
    • Passphrase.build_configuration()
    • Passphrase.config
    • Passphrase.config_path
    • Passphrase.context
    • Passphrase.get_requirements()
    • Passphrase.make_subconfig()
    • Passphrase.open
    • Passphrase.run()
    • Passphrase.scan_module()
    • Passphrase.set_open_method()
    • Passphrase.unsatisfied()
    • Passphrase.version
• volatility3.plugins.windows.unhooked_system_calls module
  • unhooked_system_calls
    • unhooked_system_calls.build_configuration()
    • unhooked_system_calls.config
    • unhooked_system_calls.config_path
    • unhooked_system_calls.context
    • unhooked_system_calls.get_requirements()
    • unhooked_system_calls.make_subconfig()
    • unhooked_system_calls.open
    • unhooked_system_calls.run()
    • unhooked_system_calls.set_open_method()
    • unhooked_system_calls.system_calls
    • unhooked_system_calls.unsatisfied()
    • unhooked_system_calls.version
• volatility3.plugins.windows.unloadedmodules module
  • UnloadedModules
    • UnloadedModules.build_configuration()
    • UnloadedModules.config
    • UnloadedModules.config_path
    • UnloadedModules.context
    • UnloadedModules.create_unloadedmodules_table()
    • UnloadedModules.generate_timeline()
    • UnloadedModules.get_requirements()
    • UnloadedModules.list_unloadedmodules()
    • UnloadedModules.make_subconfig()
    • UnloadedModules.open
    • UnloadedModules.run()
    • UnloadedModules.set_open_method()
    • UnloadedModules.unsatisfied()
    • UnloadedModules.version
• volatility3.plugins.windows.vadinfo module
  • VadInfo
    • VadInfo.MAXSIZE_DEFAULT
    • VadInfo.build_configuration()
    • VadInfo.config
    • VadInfo.config_path
    • VadInfo.context
    • VadInfo.get_requirements()
    • VadInfo.list_vads()
    • VadInfo.make_subconfig()
    • VadInfo.open
    • VadInfo.protect_values()
    • VadInfo.run()
    • VadInfo.set_open_method()
    • VadInfo.unsatisfied()
    • VadInfo.vad_dump()
    • VadInfo.version
• volatility3.plugins.windows.vadwalk module
  • VadWalk
    • VadWalk.build_configuration()
    • VadWalk.config
    • VadWalk.config_path
    • VadWalk.context
    • VadWalk.get_requirements()
    • VadWalk.make_subconfig()
    • VadWalk.open
    • VadWalk.run()
    • VadWalk.set_open_method()
    • VadWalk.unsatisfied()
    • VadWalk.version
• volatility3.plugins.windows.vadyarascan module
  • VadYaraScan
    • VadYaraScan.build_configuration()
    • VadYaraScan.config
    • VadYaraScan.config_path
    • VadYaraScan.context
    • VadYaraScan.get_requirements()
    • VadYaraScan.get_vad_maps()
    • VadYaraScan.make_subconfig()
    • VadYaraScan.open
    • VadYaraScan.run()
    • VadYaraScan.set_open_method()
    • VadYaraScan.unsatisfied()
    • VadYaraScan.version
• volatility3.plugins.windows.verinfo module
  • VerInfo
    • VerInfo.build_configuration()
    • VerInfo.config
    • VerInfo.config_path
    • VerInfo.context
    • VerInfo.find_version_info()
    • VerInfo.get_requirements()
    • VerInfo.get_version_information()
    • VerInfo.make_subconfig()
    • VerInfo.open
    • VerInfo.run()
    • VerInfo.set_open_method()
    • VerInfo.unsatisfied()
    • VerInfo.version
• volatility3.plugins.windows.virtmap module
  • VirtMap
    • VirtMap.build_configuration()
    • VirtMap.config
    • VirtMap.config_path
    • VirtMap.context
    • VirtMap.determine_map()
    • VirtMap.get_requirements()
    • VirtMap.make_subconfig()
    • VirtMap.open
    • VirtMap.run()
    • VirtMap.scannable_sections()
    • VirtMap.set_open_method()
    • VirtMap.unsatisfied()
    • VirtMap.version