volatility3.framework.symbols.windows.extensions package

class CONTROL_AREA(context, type_name, object_info, size, members)[source]

Bases: StructType

A class for _CONTROL_AREA structures

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

PAGE_MASK = 4095
PAGE_SIZE = 4096
class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_available_pages()[source]

Get the available pages that correspond to a cached file.

The tuples generated are (physical_offset, file_offset, page_size).

Return type

Iterable[Tuple[int, int, int]]

get_pte(offset)[source]

Get a PTE object at the requested offset

Return type

ObjectInterface

get_subsection()[source]

Get the Subsection object, which is found immediately after the _CONTROL_AREA.

Return type

ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to determine whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

is_valid()[source]

Determine if the object is valid.

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class DEVICE_OBJECT(context, type_name, object_info, size, members)[source]

Bases: StructType, ExecutiveObject

A class for kernel device objects.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_attached_devices()[source]

Enumerate the device objects attached to this device

Return type

Generator[ObjectInterface, None, None]

get_device_name()[source]

Get device’s name from the object header.

Return type

str

get_object_header()
Return type

OBJECT_HEADER

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to determine whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class DRIVER_OBJECT(context, type_name, object_info, size, members)[source]

Bases: StructType, ExecutiveObject

A class for kernel driver objects.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_devices()[source]

Enumerate the driver’s device objects

Return type

Generator[ObjectInterface, None, None]

get_driver_name()[source]

Get driver’s name from the object header.

Return type

str

get_object_header()
Return type

OBJECT_HEADER

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to determine whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

is_valid()[source]

Determine if the object is valid.

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class EPROCESS(context, type_name, object_info, size, members)[source]

Bases: GenericIntelProcess, ExecutiveObject

A class for executive kernel process objects.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

add_process_layer(config_prefix=None, preferred_name=None)[source]

Constructs a new layer based on the process’s DirectoryTableBase.

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

environment_variables()[source]

Generator for environment variables.

The PEB points to the process's environment block: a series of NUL-terminated Unicode (UTF-16) strings, each at most 0x7FFF characters long. The end of the list is marked by a quad-null.
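The layout described above, as an added example that is not part of Volatility's own code: a parser for an environment block that walks UTF-16 code units, stops at the quad-null, and refuses strings longer than the 0x7FFF-character limit or a block that is truncated before its terminator (both are what a corrupt or partially paged-out dump looks like). The builder and the sample strings are constructed here for illustration.

```python
import struct
from typing import List, Tuple

# Per-string limit stated in the EPROCESS.environment_variables docstring.
MAX_ENV_STRING_CHARS = 0x7FFF


def parse_environment_block(data: bytes, max_chars: int = MAX_ENV_STRING_CHARS) -> List[Tuple[str, str]]:
    """Split an environment block into (name, value) pairs.

    The scan advances two bytes at a time so that a 0x00 byte at the end of one
    UTF-16 code unit and a 0x00 at the start of the next are never mistaken for
    a terminator.  An empty string (two NUL bytes right after the previous
    terminator) is the second half of the quad-null that ends the list.
    """
    variables: List[Tuple[str, str]] = []
    pos = 0
    while True:
        end = pos
        while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        if end + 2 > len(data):
            raise ValueError("environment block is not NUL-terminated (truncated or corrupt)")
        if end == pos:
            break  # empty string: end-of-list marker reached
        if (end - pos) // 2 > max_chars:
            raise ValueError(f"environment string at offset {pos:#x} exceeds {max_chars:#x} characters")
        text = data[pos:end].decode("utf-16-le", errors="replace")
        pos = end + 2
        # Drive-letter entries such as "=C:=C:\dir" legitimately start with '=',
        # so the name/value split looks for the first '=' after position 0.
        eq = text.find("=", 1)
        if eq == -1:
            variables.append((text, ""))
        else:
            variables.append((text[:eq], text[eq + 1:]))
    return variables


def build_environment_block(strings: List[str]) -> bytes:
    """Encode strings the way the block stores them (constructed test helper)."""
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return body + b"\x00\x00"  # second NUL pair completes the quad-null


if __name__ == "__main__":
    # Constructed sample block, not data from a real dump.
    sample = build_environment_block(["PATH=C:\\Windows", "=C:=C:\\Users", "FOO"])
    for name, value in parse_environment_block(sample):
        print(f"{name!r} -> {value!r}")
```

The same scan can be pointed at bytes read from a process layer at the address the PEB's ProcessParameters.Environment field gives; the only difference from a file-backed buffer is that unmapped pages raise on read, which the caller should catch per process rather than abort the whole listing.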

get_create_time()[source]
get_exit_time()[source]
get_handle_count()[source]
get_is_wow64()[source]
get_object_header()
Return type

OBJECT_HEADER

get_peb()[source]

Constructs a PEB object

Return type

ObjectInterface

get_session_id()[source]
get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

get_vad_root()[source]
get_wow_64_process()[source]
has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to determine whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

init_order_modules()[source]

Generator for DLLs in the order that they were initialized

Return type

Iterable[ObjectInterface]

is_valid()[source]

Determine if the object is valid.

Return type

bool

load_order_modules()[source]

Generator for DLLs in the order that they were loaded.

Return type

Iterable[ObjectInterface]

mem_order_modules()[source]

Generator for DLLs in the order that they appear in memory

Return type

Iterable[ObjectInterface]

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class ETHREAD(context, type_name, object_info, size, members)[source]

Bases: StructType

A class for executive thread objects.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_cross_thread_flags()[source]
Return type

str

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to determine whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

owning_process()[source]

Return the EPROCESS that owns this thread.

Return type

ObjectInterface

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class EX_FAST_REF(context, type_name, object_info, size, members)[source]

Bases: StructType

This is a standard Windows structure that stores a pointer to an object but also leverages the least significant bits to encode additional details.

When dereferencing the pointer, we need to strip off the extra bits.
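The bit stripping described above, as an added example that is not Volatility's own dereference() implementation: objects referenced by an EX_FAST_REF are at least pointer-aligned, so the low bits of the address are always zero and can carry the fast reference count. The helper below separates the two for a 4- or 8-byte pointer; the raw values are constructed for illustration.

```python
import struct
from typing import Tuple


def fast_ref_mask(pointer_size: int) -> int:
    """Bits borrowed from a pointer-aligned address: 0b11 on 32-bit, 0b111 on 64-bit."""
    if pointer_size not in (4, 8):
        raise ValueError("pointer size must be 4 or 8 bytes")
    return pointer_size - 1


def split_fast_ref(value: int, pointer_size: int) -> Tuple[int, int]:
    """Return (object_address, fast_ref_count) for a raw EX_FAST_REF value."""
    mask = fast_ref_mask(pointer_size)
    return value & ~mask, value & mask


def split_fast_ref_bytes(raw: bytes, pointer_size: int) -> Tuple[int, int]:
    """Same split, starting from the little-endian bytes read out of memory."""
    fmt = "<Q" if pointer_size == 8 else "<I"
    (value,) = struct.unpack(fmt, raw[:pointer_size])
    return split_fast_ref(value, pointer_size)


if __name__ == "__main__":
    # Constructed sample value: a kernel-looking 64-bit pointer with 5 in the low bits.
    addr, count = split_fast_ref(0xFFFFA8001234567D, 8)
    print(f"object at {addr:#x}, fast ref count {count}")
```

Dereferencing the unmasked value would land up to seven bytes into the object and misread every field after it, which is why the mask has to be applied before the address is handed to any cast.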

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

dereference()[source]
Return type

ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to determine whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class FILE_OBJECT(context, type_name, object_info, size, members)[source]

Bases: StructType, ExecutiveObject

A class for Windows file objects.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

access_string()[source]
cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

file_name_with_device()[source]
Return type

Union[str, BaseAbsentValue]

get_object_header()
Return type

OBJECT_HEADER

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to determine whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

is_valid()[source]

Determine if the object is valid.

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class KMUTANT(context, type_name, object_info, size, members)[source]

Bases: StructType, ExecutiveObject

A class for Windows mutant objects.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_name()[source]

Get the object’s name from the object header.

Return type

str

get_object_header()
Return type

OBJECT_HEADER

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to determine whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

is_valid()[source]

Determine if the object is valid.

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class KSYSTEM_TIME(context, type_name, object_info, size, members)[source]

Bases: StructType

A system time structure that stores a high and low part.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

get_time()[source]
has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to determine whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class KTHREAD(context, type_name, object_info, size, members)[source]

Bases: StructType

A class for thread control block objects.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_state()[source]
Return type

str

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

get_wait_reason()[source]
Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to determine whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class LIST_ENTRY(context, type_name, object_info, size, members)[source]

Bases: StructType, Iterable

A class for doubly linked lists on Windows.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to determine whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – List of member names whose validity is tested

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

to_list(symbol_type, member, forward=True, sentinel=True, layer=None)[source]

Returns an iterator of the entries in the list.

Return type

Iterator[ObjectInterface]
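A walk over a Windows doubly linked list in the spirit of to_list() above, as an added example that is not Volatility's own implementation: it follows Flink (or Blink when forward is False), subtracts the member offset to recover each containing structure, treats the starting entry as a list head that is not itself yielded when sentinel is True, and stops with a reason instead of looping or crashing when the list is corrupt (a pointer that revisits an entry, leaves readable memory, or exceeds an entry budget). The flat memory buffer, structure layout and addresses are all constructed for illustration.

```python
import struct
from typing import List, Tuple

PTR = struct.Struct("<Q")           # 64-bit little-endian pointer
LIST_ENTRY_SIZE = 2 * PTR.size      # Flink followed by Blink


class FlatMemory:
    """Minimal stand-in for a memory layer: a flat buffer with bounds-checked pointer reads."""

    def __init__(self, size: int):
        self.buf = bytearray(size)

    def readable(self, addr: int, length: int) -> bool:
        return 0 <= addr and addr + length <= len(self.buf)

    def read_ptr(self, addr: int) -> int:
        return PTR.unpack_from(self.buf, addr)[0]

    def write_ptr(self, addr: int, value: int) -> None:
        PTR.pack_into(self.buf, addr, value)

    def write_list_entry(self, addr: int, flink: int, blink: int) -> None:
        self.write_ptr(addr, flink)
        self.write_ptr(addr + PTR.size, blink)


def walk_list(mem: FlatMemory, head: int, member_offset: int, forward: bool = True,
              sentinel: bool = True, max_entries: int = 4096) -> Tuple[List[int], str]:
    """Return (structure base addresses, termination reason).

    reason is "complete" for a clean walk back to the start, "cycle" when an
    entry is seen twice, "unreadable" when a link points outside memory, and
    "limit" when max_entries is exhausted.
    """
    link_offset = 0 if forward else PTR.size
    seen = set()
    bases: List[int] = []
    if sentinel:
        if not mem.readable(head, LIST_ENTRY_SIZE):
            return bases, "unreadable"
        entry = mem.read_ptr(head + link_offset)   # head is not a real element
    else:
        entry = head
    while True:
        if sentinel and entry == head:
            return bases, "complete"
        if entry in seen:
            return bases, "cycle"
        if not mem.readable(entry, LIST_ENTRY_SIZE):
            return bases, "unreadable"
        if len(bases) >= max_entries:
            return bases, "limit"
        seen.add(entry)
        bases.append(entry - member_offset)        # CONTAINING_RECORD
        entry = mem.read_ptr(entry + link_offset)
        if not sentinel and entry == head:
            return bases, "complete"


# Constructed layout: each 24-byte record holds an id, then its LIST_ENTRY at offset 8.
RECORD_ENTRY_OFFSET = 8
HEAD = 0x100
RECORDS = [0x200, 0x240, 0x280]


def build_sample_memory() -> FlatMemory:
    mem = FlatMemory(0x400)
    ring = [HEAD] + [r + RECORD_ENTRY_OFFSET for r in RECORDS]
    for i, addr in enumerate(ring):
        mem.write_list_entry(addr, ring[(i + 1) % len(ring)], ring[i - 1])
    for n, rec in enumerate(RECORDS, 1):
        mem.write_ptr(rec, n)                      # record id, constructed
    return mem


if __name__ == "__main__":
    mem = build_sample_memory()
    print(walk_list(mem, HEAD, RECORD_ENTRY_OFFSET))
    mem.write_ptr(RECORDS[-1] + RECORD_ENTRY_OFFSET, RECORDS[1] + RECORD_ENTRY_OFFSET)
    print(walk_list(mem, HEAD, RECORD_ENTRY_OFFSET))   # corrupted: reports a cycle
```

Reporting the termination reason alongside the entries is what makes the walk useful on a dump: a process list that ends with "cycle" or "unreadable" instead of "complete" is a signal to cross-check the same objects with a pool scan rather than trust the linked list alone.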

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class MMVAD(context, type_name, object_info, size, members)[source]

Bases: MMVAD_SHORT

A version of the process virtual memory range structure that contains additional fields necessary to map files from disk.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_commit_charge()

Get the VAD’s commit charge (number of committed pages)

get_end()

Get the VAD’s ending virtual address. This is the last accessible byte in the range.

Return type

int

get_file_name()[source]

Get the name of the file mapped into the memory range (if any)

get_left_child()

Get the left child member.

get_parent()

Get the VAD’s parent member.

get_private_memory()

Get the VAD’s private memory setting.

get_protection(protect_values, winnt_protections)

Get the VAD’s protection constants as a string.

get_right_child()

Get the right child member.

get_size()

Get the size of the VAD region. The OS ensures page granularity.

Return type

int

get_start()

Get the VAD’s starting virtual address. This is the first accessible byte in the range.

Return type

int

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

get_tag()

Get the pool tag that precedes the VAD structure (used to tell short and long node types apart).

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to decide whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – Names of the members whose validity is to be tested

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

traverse(visited=None, depth=0)

Traverse the VAD tree, determining each underlying VAD node type by looking up the pool tag for the structure and then casting into a new object.

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class MMVAD_SHORT(context, type_name, object_info, size, members)[source]

Bases: StructType

A class that represents process virtual memory ranges.

Each instance is a node in a binary tree structure and is pointed to by VadRoot.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_commit_charge()[source]

Get the VAD’s commit charge (number of committed pages)

get_end()[source]

Get the VAD’s ending virtual address. This is the last accessible byte in the range.

Return type

int

get_file_name()[source]

Only long(er) VADs (MMVAD) carry a mapped file, so a short VAD has no file name to return.

get_left_child()[source]

Get the left child member.

get_parent()[source]

Get the VAD’s parent member.

get_private_memory()[source]

Get the VAD’s private memory setting.

get_protection(protect_values, winnt_protections)[source]

Get the VAD’s protection constants as a string.

get_right_child()[source]

Get the right child member.

get_size()[source]

Get the size of the VAD region. The OS ensures page granularity.

Return type

int

get_start()[source]

Get the VAD’s starting virtual address. This is the first accessible byte in the range.

Return type

int

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

get_tag()[source]

Get the pool tag that precedes the VAD structure (used to tell short and long node types apart).

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to decide whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – Names of the members whose validity is to be tested

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

traverse(visited=None, depth=0)[source]

Traverse the VAD tree, determining each underlying VAD node type by looking up the pool tag for the structure and then casting into a new object.

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.
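
Worked example (added here; not part of volatility3 or of this page): a self-contained Python model of the VAD tree walk that MMVAD_SHORT.traverse, get_start, get_end, get_size and get_protection describe. The VadNode class, the sample tree, the pool-tag rule (VadS/VadF are short nodes, any other Vad* tag is a long node) and the protection table are constructed for the demonstration and stand in for real kernel objects; the protect_values/winnt_protections tables are replaced by a small assumed table. The walk keeps a visited set and a depth cap, then applies the usual injected-code heuristic (private, executable, not file-backed) to the nodes it collects.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set, Tuple

PAGE_SHIFT, PAGE_MASK = 12, 0xFFF

# Assumed protection table (stands in for protect_values / winnt_protections):
# low 3 bits select the access, 0x08 adds NOCACHE, 0x10 adds GUARD, 0x18 is NOACCESS.
ACCESS = {0: "PAGE_NOACCESS", 1: "PAGE_READONLY", 2: "PAGE_EXECUTE",
          3: "PAGE_EXECUTE_READ", 4: "PAGE_READWRITE", 5: "PAGE_WRITECOPY",
          6: "PAGE_EXECUTE_READWRITE", 7: "PAGE_EXECUTE_WRITECOPY"}


def protection_string(protect: int) -> str:
    """Render a 5-bit MM protection index as Win32 PAGE_* constants."""
    if protect & 0x18 == 0x18:
        return "PAGE_NOACCESS"
    parts = ["PAGE_NOCACHE"] if protect & 0x08 else []
    if protect & 0x10:
        parts.append("PAGE_GUARD")
    parts.append(ACCESS[protect & 0x7])
    return " | ".join(parts)


@dataclass
class VadNode:
    """Constructed stand-in for an _MMVAD_SHORT / _MMVAD node, not a real kernel object."""
    offset: int                      # pretend kernel address, used for cycle detection
    tag: str                         # pool tag that precedes the structure
    starting_vpn: int                # first and last page numbers of the range (inclusive)
    ending_vpn: int
    protection: int                  # 5-bit MM protection index
    private_memory: bool
    commit_charge: int
    file_name: Optional[str] = None  # only the long form (_MMVAD) maps a file
    left: Optional["VadNode"] = None
    right: Optional["VadNode"] = None

    def is_short(self) -> bool:
        # Assumed tag rule: VadS / VadF mark short nodes, any other Vad* tag a long node.
        return self.tag in ("VadS", "VadF")

    def get_start(self) -> int:
        return self.starting_vpn << PAGE_SHIFT

    def get_end(self) -> int:
        # Last accessible byte, so the end page is included in full.
        return (self.ending_vpn << PAGE_SHIFT) | PAGE_MASK

    def get_size(self) -> int:
        return self.get_end() - self.get_start() + 1

    def get_file_name(self) -> Optional[str]:
        return None if self.is_short() else self.file_name


def traverse(node: Optional[VadNode], visited: Optional[Set[int]] = None,
             depth: int = 0, max_depth: int = 100) -> Iterator[VadNode]:
    """Pre-order walk guarded by a visited set and a depth cap, so a corrupted
    or deliberately looped tree cannot spin the analyser forever."""
    if node is None:
        return
    visited = set() if visited is None else visited
    if depth > max_depth or node.offset in visited:
        return
    visited.add(node.offset)
    yield node
    yield from traverse(node.left, visited, depth + 1, max_depth)
    yield from traverse(node.right, visited, depth + 1, max_depth)


def suspicious_regions(root: VadNode) -> List[Tuple[int, int, str]]:
    """Private, executable and not file-backed: the classic injected-code heuristic."""
    hits = []
    for vad in traverse(root):
        prot = protection_string(vad.protection)
        if vad.private_memory and "EXECUTE" in prot and vad.get_file_name() is None:
            hits.append((vad.get_start(), vad.get_end(), prot))
    return hits


def build_sample_tree() -> VadNode:
    """Constructed process: an image, a heap, an RWX private blob and a mapped data file."""
    root = VadNode(0x1000, "Vad ", 0x400, 0x4FF, 7, False, 0, "\\Windows\\System32\\ntdll.dll")
    root.left = VadNode(0x2000, "VadS", 0x010, 0x01F, 4, True, 16)
    root.right = VadNode(0x3000, "VadS", 0x600, 0x60F, 6, True, 16)
    root.right.right = VadNode(0x4000, "Vad ", 0x700, 0x7FF, 4, False, 0, "\\Users\\analyst\\notes.txt")
    return root


def build_cyclic_tree() -> VadNode:
    # A node whose right child points back at itself, as a smashed tree might.
    node = VadNode(0x5000, "VadS", 0x800, 0x80F, 4, True, 16)
    node.right = node
    return node


if __name__ == "__main__":
    for start, end, prot in suspicious_regions(build_sample_tree()):
        print(f"injected code candidate: {start:#x}-{end:#x} {prot}")
```

Two details worth noticing: get_end() sets the low 12 bits, so get_size() needs the +1 to give a page-multiple size, and the visited set is keyed on the node's address rather than on the Python object, which is the check that matters when the same kernel structure is reached through two pointers.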

Bases: StructType, ExecutiveObject

A class for kernel link objects.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_create_time()[source]

Return type

str

get_object_header()

Return type

OBJECT_HEADER

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to decide whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – Names of the members whose validity is to be tested

Return type

bool

is_valid()[source]

Determine if the object is valid.

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class SHARED_CACHE_MAP(context, type_name, object_info, size, members)[source]

Bases: StructType

A class for _SHARED_CACHE_MAP structures

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

VACB_ARRAY = 128
VACB_BLOCK = 262144
VACB_LEVEL_SHIFT = 7
VACB_OFFSET_SHIFT = 18
VACB_SIZE_OF_FIRST_LEVEL = 33554432
class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_available_pages()[source]

Get the available pages that correspond to a cached file.

Each list entry is a (virtual_offset, file_offset, page_size) tuple.

Return type

List

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to decide whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – Names of the members whose validity is to be tested

Return type

bool

is_valid()[source]

Determine if the object is valid.

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

process_index_array(array_pointer, level, limit, vacb_list=None)[source]

Recursively process the sparse multilevel VACB index array.

Parameters
  • array_pointer (ObjectInterface) – The address of a possible index array

  • level (int) – The current level

  • limit (int) – The level at which recursion is abandoned. Ideally this is 7

  • vacb_list (Optional[List]) – An array of collected VACBs

Return type

List

Returns

Collected VACBs

save_vacb(vacb_obj, vacb_list)[source]

Append the (virtual_offset, file_offset, page_size) entry for vacb_obj to vacb_list.

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class TOKEN(context, type_name, object_info, size, members)[source]

Bases: StructType

A class for process token (_TOKEN) objects.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_sids()[source]

Yields each SID held by the current token object, as a string.

Return type

Iterable[str]

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to decide whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – Names of the members whose validity is to be tested

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

privileges()[source]

Return a list of privileges for the current token object.

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class UNICODE_STRING(context, type_name, object_info, size, members)[source]

Bases: StructType

A class for Windows unicode string structures.

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

property String: ObjectInterface

class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_string()[source]

Return type

ObjectInterface

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to decide whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – Names of the members whose validity is to be tested

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.

class VACB(context, type_name, object_info, size, members)[source]

Bases: StructType

A class for _VACB structures

Constructs an Object adhering to the ObjectInterface.

Parameters
  • context (ContextInterface) – The context associated with the object

  • type_name (str) – The name of the type structure for the object

  • object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

FILEOFFSET_MASK = 18446744073709486080
class VolTemplateProxy

Bases: VolTemplateProxy

classmethod child_template(template, child)

Returns the template of a child to its parent.

Return type

Template

classmethod children(template)

Method to list children of a template.

Return type

List[Template]

classmethod has_member(template, member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

classmethod relative_child_offset(template, child)

Returns the relative offset of a child to its parent.

Return type

int

classmethod replace_child(template, old_child, new_child)

Replace a child element within the arguments handed to the template.

Return type

None

classmethod size(template)

Method to return the size of this type.

Return type

int

cast(new_type_name, **additional)

Returns a new object at the offset and from the layer that the current object inhabits.

Return type

ObjectInterface

Note

If new type name does not include a symbol table, the symbol table for the current object is used

get_file_offset()[source]

Get the file offset of the view, with the low 16 bits of the stored value cleared by FILEOFFSET_MASK.

Return type

int

get_symbol_table_name()

Returns the symbol table name for this particular object.

Raises
  • ValueError – If the object’s symbol does not contain an explicit table

  • KeyError – If the table_name is not valid within the object’s context

Return type

str

has_member(member_name)

Returns whether the object would contain a member called member_name.

Return type

bool

has_valid_member(member_name)

Returns whether the dereferenced type has a valid member.

Parameters

member_name (str) – Name of the member whose accessibility is tested to decide whether it is valid

Return type

bool

has_valid_members(member_names)

Returns whether the object has all of the members listed in member_names

Parameters

member_names (List[str]) – Names of the members whose validity is to be tested

Return type

bool

member(attr='member')

Specifically named method for retrieving members.

Return type

object

property vol: ReadOnlyMapping

Returns the volatility specific object information.

write(value)

Writes the new value into the format at the offset the object currently resides at.
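
Worked example (added here; not volatility3's code): how the VACB constants on SHARED_CACHE_MAP and FILEOFFSET_MASK on VACB fit together. The Python below restates those constant values, derives the number of index levels from a file size, computes the per-level index path for a file offset, and walks a constructed sparse multilevel index array (None marks an absent entry) to collect the same (virtual_offset, file_offset, page_size) triples that get_available_pages and save_vacb produce. The Vacb class, the sample file size and base addresses, and the reading of the low 16 bits of the stored offset as a view reference count are assumptions made for the demonstration.

```python
from typing import List, Optional, Tuple, Union

# Same values the page lists on SHARED_CACHE_MAP and VACB, restated as module constants.
VACB_ARRAY = 128                      # entries per index-array node
VACB_BLOCK = 0x40000                  # 256 KiB of file data per VACB (one view)
VACB_LEVEL_SHIFT = 7                  # log2(VACB_ARRAY): offset bits consumed per level
VACB_OFFSET_SHIFT = 18                # log2(VACB_BLOCK): offset bits below the VACB number
VACB_SIZE_OF_FIRST_LEVEL = VACB_ARRAY * VACB_BLOCK   # 32 MiB: largest file a flat array covers
FILEOFFSET_MASK = 0xFFFFFFFFFFFF0000  # clears the 16 low bits of the stored file offset


def vacb_file_offset(raw: int) -> Tuple[int, int]:
    """Split a raw 64-bit FileOffset into (file_offset, active_count). Views are
    VACB_BLOCK-aligned, so the low 16 bits are free and Windows keeps the view's
    active (reference) count there; FILEOFFSET_MASK strips it. (Assumed reading.)"""
    return raw & FILEOFFSET_MASK, raw & 0xFFFF


def index_levels(file_size: int) -> int:
    """Levels the sparse index needs: one flat array up to 32 MiB, then one more
    level for every further factor of VACB_ARRAY (seven more offset bits)."""
    if file_size <= VACB_SIZE_OF_FIRST_LEVEL:
        return 1
    slots = (file_size + VACB_BLOCK - 1) >> VACB_OFFSET_SHIFT   # VACBs needed to cover the file
    levels, capacity = 1, VACB_ARRAY
    while capacity < slots:
        capacity <<= VACB_LEVEL_SHIFT
        levels += 1
    return levels


def index_path(file_offset: int, levels: int) -> List[int]:
    """Index taken at each level (top level first) to reach the VACB for file_offset."""
    vacb_number = file_offset >> VACB_OFFSET_SHIFT
    return [(vacb_number >> (VACB_LEVEL_SHIFT * (levels - 1 - i))) & (VACB_ARRAY - 1)
            for i in range(levels)]


class Vacb:
    """Constructed stand-in for a _VACB with only the fields the walk needs."""

    def __init__(self, base_address: int, raw_file_offset: int):
        self.BaseAddress = base_address        # kernel virtual address of the 256 KiB view
        self.raw_file_offset = raw_file_offset

    def get_file_offset(self) -> int:
        return self.raw_file_offset & FILEOFFSET_MASK


IndexNode = List[Optional[Union["IndexNode", Vacb]]]
Page = Tuple[int, int, int]   # (virtual_offset, file_offset, page_size)


def process_index_array(array: IndexNode, level: int, limit: int,
                        vacb_list: Optional[List[Page]] = None) -> List[Page]:
    """Depth-first walk of the sparse array: None entries are absent, nested lists are
    lower-level nodes, Vacb objects are leaves. Recursion is abandoned at `limit` levels."""
    if vacb_list is None:
        vacb_list = []
    if level >= limit:
        return vacb_list
    for entry in array:
        if isinstance(entry, Vacb):
            # Same triple save_vacb records: one whole 256 KiB view per entry.
            vacb_list.append((entry.BaseAddress, entry.get_file_offset(), VACB_BLOCK))
        elif entry is not None:
            process_index_array(entry, level + 1, limit, vacb_list)
    return vacb_list


def build_sample_index(file_size: int, views: List[Tuple[int, int, int]]) -> IndexNode:
    """Build a sparse index from views = [(file_offset, base_address, active_count), ...].
    Constructed data for the demonstration, not taken from a memory image."""
    levels = index_levels(file_size)
    root: IndexNode = [None] * VACB_ARRAY
    for file_offset, base_address, active in views:
        node, path = root, index_path(file_offset, levels)
        for idx in path[:-1]:
            if node[idx] is None:
                node[idx] = [None] * VACB_ARRAY
            node = node[idx]
        node[path[-1]] = Vacb(base_address, file_offset | active)
    return root


SAMPLE_FILE_SIZE = 40 * 1024 * 1024              # 40 MiB, so two index levels are needed
SAMPLE_VIEWS = [(0x0000000, 0xFFFFF80012340000, 1),   # file bytes 0x0-0x3FFFF, 1 active user
                (0x2480000, 0xFFFFF80012380000, 2)]   # file bytes 0x2480000-0x24BFFFF, 2 users


def available_pages(file_size: int = SAMPLE_FILE_SIZE, views=SAMPLE_VIEWS) -> List[Page]:
    """What get_available_pages would return for the constructed cache map."""
    levels = index_levels(file_size)
    return process_index_array(build_sample_index(file_size, views), 0, levels)
```

Calling available_pages() on the sample gives one triple per cached view; only two of the file's 160 possible VACB slots are populated, which is the normal state of a partially cached file and the reason a dumped file from the cache is usually sparse. Passing a limit smaller than the real depth (for example 1 for this 40 MiB file) makes the walk stop before any leaf, so it returns nothing rather than reading past the structure.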

Submodules