volatility3.framework.symbols package

class SymbolSpace[source]

Bases: SymbolSpaceInterface

Handles an ordered collection of SymbolTables.

This collection is ordered so that resolution of symbols can proceed down through the ranks if a namespace isn’t specified.

class UnresolvedTemplate(type_name, **kwargs)[source]

Bases: ReferenceTemplate

Class to highlight when missing symbols are present.

This class is identical to a reference template, but differentiable by its classname. It will output a debug log to indicate when it has been instantiated and with what name.

This class is designed to be output ONLY as part of the SymbolSpace resolution system. Individual SymbolTables that cannot resolve a symbol should still return a SymbolError to indicate this failure in resolution.

Stores the keyword arguments for later object creation.

child_template(*args, **kwargs)

Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.

Return type

Any

property children: List[Template]

The children of this template (such as member types, sub-types and base-types where they are relevant).

Used to traverse the template tree.

Return type

List[Template]

clone()

Returns a copy of the original Template as constructed (without update_vol additions having been made)

Return type

Template

has_member(*args, **kwargs)

Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.

Return type

Any

relative_child_offset(*args, **kwargs)

Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.

Return type

Any

replace_child(*args, **kwargs)

Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.

Return type

Any

property size: Any

Referenced symbols must be appropriately resolved before they can provide information such as size This is because the size request has no context within which to determine the actual symbol structure.

Return type

Any

update_vol(**new_arguments)

Updates the keyword arguments with values that will not be carried across to clones.

Return type

None

property vol: ReadOnlyMapping

Returns a volatility information object, much like the ObjectInformation provides.

Return type

ReadOnlyMapping

append(value)[source]

Adds a symbol_list to the end of the space.

Return type

None

clear_symbol_cache(table_name=None)[source]

Clears the symbol cache for the specified table name. If no table name is specified, the caches of all symbol tables are cleared.

Return type

None

free_table_name(prefix='layer')[source]

Returns an unused table name to ensure no collision occurs when inserting a symbol table.

Return type

str

get(k[, d]) D[k] if k in D, else d.  d defaults to None.
get_enumeration(enum_name)[source]

Look-up a set of enumeration choices from a specific symbol table.

Return type

Template

get_symbol(symbol_name)[source]

Look-up a symbol name across all the contained symbol spaces.

Return type

SymbolInterface

get_symbols_by_location(offset, size=0, table_name=None)[source]

Returns all symbols that exist at a specific relative address.

Return type

Iterable[str]

get_symbols_by_type(type_name)[source]

Returns all symbols based on the type of the symbol.

Return type

Iterable[str]

get_type(type_name)[source]

Takes a symbol name and resolves it.

This method ensures that all referenced templates (including self-referential templates) are satisfied as ObjectTemplates

Return type

Template

has_enumeration(name)[source]

Determines whether an enumeration choice exists in the contained symbol tables.

Return type

bool

has_symbol(name)[source]

Determines whether a symbol exists in the contained symbol tables.

Return type

bool

has_type(name)[source]

Determines whether a type exists in the contained symbol tables.

Return type

bool

items() a set-like object providing a view on D's items
keys() a set-like object providing a view on D's keys
remove(key)[source]

Removes a named symbol_list from the space.

Return type

None

values() an object providing a view on D's values
class SymbolType(value)[source]

Bases: Enum

An enumeration.

ENUM = 3
SYMBOL = 2
TYPE = 1
symbol_table_is_64bit(context, symbol_table_name)[source]

Returns a boolean as to whether a particular symbol table within a context is 64-bit or not.

Return type

bool

Subpackages

Submodules