volatility3.framework.symbols.linux.extensions.elf module

class elf(context, type_name, object_info, size, members)[source]

Bases: StructType

Class used to create elf objects. It overrides the typename to Elf32_ or Elf64_, depending on the corresponding value on e_ident

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type

ObjectInterface

get_program_headers()[source]
get_section_headers()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

get_symbols()[source]
has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of names to test as to members with those names validity

Return type

bool

is_valid()[source]

Determine whether it is a valid object

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

Return type

ReadOnlyMapping

write(value)

Writes the new value into the format at the offset the object currently resides at.

class elf_phdr(*args, **kwargs)[source]

Bases: StructType

An elf program header

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context – The context associated with the object

  • type_name – The name of the type structure for the object

  • object_info – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type

ObjectInterface

dynamic_sections()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

get_vaddr()[source]
has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of names to test as to members with those names validity

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property parent_e_type
property parent_offset
property type_prefix
property vol: ReadOnlyMapping

Returns the volatility specific object information.

Return type

ReadOnlyMapping

write(value)

Writes the new value into the format at the offset the object currently resides at.

class elf_sym(*args, **kwargs)[source]

Bases: StructType

An elf symbol entry

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context – The context associated with the object

  • type_name – The name of the type structure for the object

  • object_info – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child elements within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

property cached_strtab
cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type

ObjectInterface

get_name()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member to test access to determine if the member is valid or not

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of names to test as to members with those names validity

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

Return type

ReadOnlyMapping

write(value)

Writes the new value into the format at the offset the object currently resides at.