volatility3.framework.symbols.windows.pdbutil module

class PDBUtility(*args, **kwargs)[source]

Bases: VersionableInterface

Class to handle and manage obtaining symbols based on an MZ header.

classmethod download_pdb_isf(context, guid, age, pdb_name, progress_callback=None)[source]

Attempts to download the PDB file, convert it to an ISF file and save it to one of the symbol locations.

Return type

None

classmethod get_guid_from_mz(context, layer_name, offset)[source]

Takes the offset to an MZ header, locates any available PDB headers, and extracts the GUID, age and pdb_name from them.

Parameters
  • context (ContextInterface) – The context on which to operate

  • layer_name (str) – The name of the (contiguous) layer within the context that contains the MZ file

  • offset (int) – The offset in the layer at which the MZ file begins

Return type

Optional[Tuple[str, int, str]]

Returns

A tuple of the guid, age and pdb_name, or None if no PDB record can be found

classmethod load_windows_symbol_table(context, guid, age, pdb_name, symbol_table_class, config_path='pdbutility', progress_callback=None)[source]

Loads (downloading if necessary) a Windows symbol table.

classmethod module_from_pdb(context, config_path, layer_name, pdb_name, module_offset=None, module_size=None)[source]

Creates a module in the specified layer_name based on a pdb name.

Searches the memory section of the loaded module for its PDB GUID and loads the associated symbol table into the symbol space.

Parameters
  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • config_path (str) – The config path where to find symbol files

  • layer_name (str) – The name of the layer on which to operate

  • module_offset (Optional[int]) – This memory dump’s module image offset

  • module_size (Optional[int]) – The size of the module for this dump

Return type

str

Returns

The name of the constructed and loaded symbol table

classmethod pdbname_scan(ctx, layer_name, page_size, pdb_names, progress_callback=None, start=None, end=None)[source]

Scans through layer_name at ctx looking for RSDS headers that indicate one of four common PDB kernel names (as listed in self.pdb_names) and returns the tuple (GUID, age, pdb_name, signature_offset, mz_offset).

Note

This is automagical and therefore not guaranteed to provide correct results.

The UI should always provide the user an opportunity to specify the appropriate types and PDB values themselves.

Return type

Generator[Dict[str, Union[bytes, str, int, None]], None, None]

classmethod symbol_table_from_offset(context, layer_name, offset, symbol_table_class='volatility3.framework.symbols.intermed.IntermediateSymbolTable', config_path=None, progress_callback=None)[source]

Produces the name of a symbol table loaded from the offset of an MZ header.

Parameters
  • context (ContextInterface) – The context on which to operate

  • layer_name (str) – The name of the (contiguous) layer within the context that contains the MZ file

  • offset (int) – The offset in the layer at which the MZ file begins

  • symbol_table_class (str) – The class to use when constructing the SymbolTable

  • config_path (Optional[str]) – New path for the produced symbol table configuration with the config tree

  • progress_callback (Optional[Callable[[float, str], None]]) – Callable called to update ongoing progress

Return type

Optional[str]

Returns

None if no PDB information can be determined, else the name of the loaded symbols for the MZ.

classmethod symbol_table_from_pdb(context, config_path, layer_name, pdb_name, module_offset=None, module_size=None)[source]

Creates symbol table for a module in the specified layer_name.

Searches the memory section of the loaded module for its PDB GUID and loads the associated symbol table into the symbol space.

Parameters
  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • config_path (str) – The config path where to find symbol files

  • layer_name (str) – The name of the layer on which to operate

  • module_offset (Optional[int]) – This memory dump’s module image offset

  • module_size (Optional[int]) – The size of the module for this dump

Return type

str

Returns

The name of the constructed and loaded symbol table

version = (1, 0, 1)

class PdbSignatureScanner(pdb_names)[source]

Bases: ScannerInterface

A ScannerInterface based scanner used to identify Windows PDB records.

Parameters

pdb_names (List[bytes]) – A list of bytestrings, used to match pdb signatures against the pdb names within the records.

Note

The pdb_names must be a list of byte strings; unicode strs will not match against the data scanned.

property context: Optional[ContextInterface]

Return type

Optional[ContextInterface]

property layer_name: Optional[str]

Return type

Optional[str]

overlap = 16384

The size of the overlap needed for the signature to ensure data cannot hide between two scanned chunks.

thread_safe = True

Determines whether the scanner accesses global variables in a thread-safe manner (for use with multiprocessing).

version = (0, 0, 0)
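As an added illustration of what pdbname_scan and PdbSignatureScanner do (example code written for this page, not volatility3's own implementation): a chunked RSDS scanner that extends each chunk by an overlap so records straddling a boundary are not missed, accepts only byte-string PDB names as the note above requires, and formats the GUID and age the way a symbol-server lookup expects. The sample buffer, GUID and age are constructed for the example.

```python
import re
import struct
import uuid
from typing import Dict, Iterator, List, Union

# Layout of a CodeView "RSDS" record as found in memory:
#   b"RSDS" | GUID (16 bytes, little-endian field order) | age (uint32 LE) | NUL-terminated PDB name
# Constructed sample page: one such record surrounded by padding. The GUID and age
# are invented for this example and do not belong to any real kernel build.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_AGE = 2
SAMPLE_RECORD = (b"RSDS" + SAMPLE_GUID.bytes_le
                 + struct.pack("<I", SAMPLE_AGE) + b"ntkrnlmp.pdb\x00")
SAMPLE_DATA = b"\x00" * 100 + SAMPLE_RECORD + b"\x00" * 50

Record = Dict[str, Union[bytes, str, int, None]]


def scan_rsds(data: bytes, pdb_names: List[bytes],
              chunk_size: int = 4096, overlap: int = 256) -> Iterator[Record]:
    """Yield RSDS records whose PDB name is one of pdb_names, scanning in chunks."""
    # As the module's note says: unicode str names never match raw memory bytes.
    if any(not isinstance(name, bytes) for name in pdb_names):
        raise TypeError("pdb_names must be byte strings")
    alternatives = b"|".join(re.escape(name) for name in pdb_names)
    pattern = re.compile(rb"RSDS(.{16})(.{4})(" + alternatives + rb")\x00", re.DOTALL)
    seen = set()
    for start in range(0, len(data), chunk_size):
        # Each chunk is extended by `overlap` bytes so a record straddling a chunk
        # boundary is still seen whole; `seen` drops the duplicate hit that produces.
        chunk = data[start:start + chunk_size + overlap]
        for match in pattern.finditer(chunk):
            offset = start + match.start()
            if offset in seen:
                continue
            seen.add(offset)
            guid = uuid.UUID(bytes_le=match.group(1))  # undoes the LE field order
            yield {
                "GUID": guid.hex.upper(),
                "age": struct.unpack("<I", match.group(2))[0],
                "pdb_name": match.group(3).decode("ascii"),
                "signature_offset": offset,
            }


def symbol_server_path(guid: str, age: int, pdb_name: str) -> str:
    """Build the <name>/<GUID><age in hex>/<name> path a symbol server expects."""
    return f"{pdb_name}/{guid}{age:X}/{pdb_name}"
```

Running scan_rsds over SAMPLE_DATA with chunk_size=110 and overlap=0 finds nothing, because the record runs past the first chunk boundary; with a non-zero overlap the same record is found exactly once.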