volatility3.framework.symbols.windows.extensions.pe module¶
- class IMAGE_DOS_HEADER(context, type_name, object_info, size, members)[source]¶
Bases: StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases: VolTemplateProxy
- classmethod child_template(template, child)¶
Returns the template of a child to its parent.
- Return type
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- Return type
- fix_image_base(raw_data, nt_header)[source]¶
Fix the _OPTIONAL_HEADER.ImageBase value (which is an unsigned long for 32-bit PEs or an unsigned long long for 64-bit PEs) to match the address where the PE file was carved out of memory.
- Parameters
  - raw_data (bytes) – a bytes object of the PE’s data
  - nt_header (ObjectInterface) – <_IMAGE_NT_HEADERS> or <_IMAGE_NT_HEADERS64> instance
- Return type
- Returns
<bytes> patched with the correct address
- get_nt_header()[source]¶
Carve out the NT header from this DOS header. This reflects on the PE file’s Machine type to create a 32- or 64-bit NT header structure.
- Return type
- Returns
<_IMAGE_NT_HEADERS> or <_IMAGE_NT_HEADERS64> instance
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names.
- reconstruct()[source]¶
This method generates the content necessary to reconstruct a PE file from memory. It preserves slack space (similar to the old `--memory` option) and automatically fixes the ImageBase in the output PE file.
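As an added, stand-alone illustration of the step that fix_image_base, get_nt_header and reconstruct describe (example code written for this page, not Volatility's own implementation and not using its object model): the script below walks e_lfanew to the NT header, validates the MZ and PE signatures, decides the ImageBase width from the optional header's Magic field (PE32 vs PE32+; the page's get_nt_header keys off the file header's Machine type instead, so that choice is an assumption of this example), and rewrites ImageBase to the address the image was carved from. The header bytes come from the helper `build_sample_pe`, which constructs a minimal header-only image for the demonstration and is not part of the module.

```python
import struct

# Constants from the PE/COFF layout (Microsoft PE format specification).
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C          # IMAGE_DOS_HEADER.e_lfanew
FILE_HEADER_SIZE = 20           # sizeof(IMAGE_FILE_HEADER)
PE32_MAGIC = 0x10B              # 32-bit optional header
PE32PLUS_MAGIC = 0x20B          # 64-bit optional header
# ImageBase offset inside the optional header and its on-disk width:
# PE32 has a BaseOfData field before ImageBase (offset 28, 4 bytes),
# PE32+ does not (offset 24, 8 bytes).
IMAGE_BASE_OFFSET = {PE32_MAGIC: 28, PE32PLUS_MAGIC: 24}
IMAGE_BASE_FMT = {PE32_MAGIC: "<I", PE32PLUS_MAGIC: "<Q"}


def locate_nt_header(raw_data: bytes) -> int:
    """Return the offset of IMAGE_NT_HEADERS, refusing data that is not a PE."""
    if raw_data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", raw_data, E_LFANEW_OFFSET)
    # Carved memory is often truncated: bound-check before trusting e_lfanew.
    if e_lfanew + 4 + FILE_HEADER_SIZE + 2 > len(raw_data):
        raise ValueError("e_lfanew points outside the carved data")
    if raw_data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    return e_lfanew


def optional_header_magic(raw_data: bytes, nt_offset: int) -> int:
    """Read IMAGE_OPTIONAL_HEADER.Magic to tell PE32 from PE32+."""
    opt_offset = nt_offset + 4 + FILE_HEADER_SIZE
    (magic,) = struct.unpack_from("<H", raw_data, opt_offset)
    if magic not in IMAGE_BASE_FMT:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    return magic


def _image_base_location(raw_data: bytes):
    nt_offset = locate_nt_header(raw_data)
    magic = optional_header_magic(raw_data, nt_offset)
    offset = nt_offset + 4 + FILE_HEADER_SIZE + IMAGE_BASE_OFFSET[magic]
    if offset + struct.calcsize(IMAGE_BASE_FMT[magic]) > len(raw_data):
        raise ValueError("optional header truncated before ImageBase")
    return offset, IMAGE_BASE_FMT[magic]


def read_image_base(raw_data: bytes) -> int:
    """Return the ImageBase currently recorded in the headers."""
    offset, fmt = _image_base_location(raw_data)
    (base,) = struct.unpack_from(fmt, raw_data, offset)
    return base


def fix_image_base(raw_data: bytes, carve_address: int) -> bytes:
    """Return a copy of raw_data whose ImageBase equals carve_address.

    Everything else (including slack space after the headers) is left intact,
    so the output is the same length as the input.
    """
    offset, fmt = _image_base_location(raw_data)
    patched = bytearray(raw_data)
    struct.pack_into(fmt, patched, offset, carve_address)
    return bytes(patched)


def build_sample_pe(magic: int, image_base: int) -> bytes:
    """Construct a minimal header-only PE image (sample data for this example)."""
    nt_offset = 0x80
    dos = bytearray(nt_offset)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, nt_offset)
    machine = 0x14C if magic == PE32_MAGIC else 0x8664   # I386 / AMD64
    opt_size = 224 if magic == PE32_MAGIC else 240
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into(IMAGE_BASE_FMT[magic], opt, IMAGE_BASE_OFFSET[magic], image_base)
    return bytes(dos) + PE_SIGNATURE + file_header + bytes(opt)


if __name__ == "__main__":
    sample = build_sample_pe(PE32PLUS_MAGIC, 0x140000000)
    carved_at = 0x7FF612340000          # constructed example address
    fixed = fix_image_base(sample, carved_at)
    print(f"ImageBase 0x{read_image_base(sample):x} -> 0x{read_image_base(fixed):x}")
```

Rewriting ImageBase matters because a module carved from memory was usually relocated by the loader; with the header still claiming its link-time base, a disassembler would resolve absolute addresses against the wrong range. Checking signatures and bounds before patching is what keeps a truncated or partially overwritten carve from producing a silently corrupt output file.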
- replace_header_field(sect, header, item, value)[source]¶
Replaces a member in an _IMAGE_SECTION_HEADER structure.
- Parameters
  - sect (ObjectInterface) – the section instance
  - header (bytes) – raw data for the section
  - item (ObjectInterface) – the member of the section to replace
  - value (int) – new value for the member
- Return type
- Returns
The raw data with the replaced header field
- property vol: ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.
- class IMAGE_NT_HEADERS(context, type_name, object_info, size, members)[source]¶
Bases: StructType
Constructs an Object adhering to the ObjectInterface.
- Parameters
  - context (ContextInterface) – The context associated with the object
  - type_name (str) – The name of the type structure for the object
  - object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc.)
- class VolTemplateProxy¶
Bases: VolTemplateProxy
- classmethod child_template(template, child)¶
Returns the template of a child to its parent.
- Return type
- classmethod has_member(template, member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- classmethod relative_child_offset(template, child)¶
Returns the relative offset of a child to its parent.
- Return type
- classmethod replace_child(template, old_child, new_child)¶
Replaces a child element within the arguments handed to the template.
- Return type
- cast(new_type_name, **additional)¶
Returns a new object at the offset and from the layer that the current object inhabits.
Note
If the new type name does not include a symbol table, the symbol table for the current object is used.
- Return type
- get_sections()[source]¶
Iterate through the section headers for this PE file.
- Yields
<_IMAGE_SECTION_HEADER> objects
- Return type
- get_symbol_table_name()¶
Returns the symbol table name for this particular object.
- Raises
ValueError – If the object’s symbol does not contain an explicit table
KeyError – If the table_name is not valid within the object’s context
- Return type
- has_member(member_name)¶
Returns whether the object would contain a member called member_name.
- Return type
- has_valid_member(member_name)¶
Returns whether the dereferenced type has a valid member.
- has_valid_members(member_names)¶
Returns whether the object has all of the members listed in member_names.
- property vol: ReadOnlyMapping¶
Returns the volatility specific object information.
- Return type
- write(value)¶
Writes the new value into the format at the offset the object currently resides at.