volatility3.plugins.windows package

All Windows OS plugins.

NOTE: This file is important for core plugins to run (which certain components such as the windows registry layers) are dependent upon, please DO NOT alter or remove this file unless you know the consequences of doing so.

The framework is configured this way to allow plugin developers/users to override any plugin functionality whether existing or new.

When overriding the plugins directory, you must include a file like this in any subdirectories that may be necessary.

Subpackages

• volatility3.plugins.windows.registry package
  • Submodules
    • volatility3.plugins.windows.registry.hivelist module
      • HiveGenerator
      • HiveList
    • volatility3.plugins.windows.registry.hivescan module
      • HiveScan
    • volatility3.plugins.windows.registry.printkey module
      • PrintKey
    • volatility3.plugins.windows.registry.userassist module
      • UserAssist

Submodules

• volatility3.plugins.windows.bigpools module
  • BigPools
    • BigPools.build_configuration()
    • BigPools.config
    • BigPools.config_path
    • BigPools.context
    • BigPools.get_requirements()
    • BigPools.list_big_pools()
    • BigPools.make_subconfig()
    • BigPools.open
    • BigPools.run()
    • BigPools.set_open_method()
    • BigPools.unsatisfied()
    • BigPools.version
• volatility3.plugins.windows.cachedump module
  • Cachedump
    • Cachedump.build_configuration()
    • Cachedump.config
    • Cachedump.config_path
    • Cachedump.context
    • Cachedump.decrypt_hash()
    • Cachedump.get_nlkm()
    • Cachedump.get_requirements()
    • Cachedump.make_subconfig()
    • Cachedump.open
    • Cachedump.parse_cache_entry()
    • Cachedump.parse_decrypted_cache()
    • Cachedump.run()
    • Cachedump.set_open_method()
    • Cachedump.unsatisfied()
    • Cachedump.version
• volatility3.plugins.windows.callbacks module
  • Callbacks
    • Callbacks.build_configuration()
    • Callbacks.config
    • Callbacks.config_path
    • Callbacks.context
    • Callbacks.create_callback_table()
    • Callbacks.get_requirements()
    • Callbacks.list_bugcheck_callbacks()
    • Callbacks.list_bugcheck_reason_callbacks()
    • Callbacks.list_notify_routines()
    • Callbacks.list_registry_callbacks()
    • Callbacks.make_subconfig()
    • Callbacks.open
    • Callbacks.run()
    • Callbacks.set_open_method()
    • Callbacks.unsatisfied()
    • Callbacks.version
• volatility3.plugins.windows.cmdline module
  • CmdLine
    • CmdLine.build_configuration()
    • CmdLine.config
    • CmdLine.config_path
    • CmdLine.context
    • CmdLine.get_cmdline()
    • CmdLine.get_requirements()
    • CmdLine.make_subconfig()
    • CmdLine.open
    • CmdLine.run()
    • CmdLine.set_open_method()
    • CmdLine.unsatisfied()
    • CmdLine.version
• volatility3.plugins.windows.crashinfo module
  • Crashinfo
    • Crashinfo.build_configuration()
    • Crashinfo.config
    • Crashinfo.config_path
    • Crashinfo.context
    • Crashinfo.get_requirements()
    • Crashinfo.make_subconfig()
    • Crashinfo.open
    • Crashinfo.run()
    • Crashinfo.set_open_method()
    • Crashinfo.unsatisfied()
    • Crashinfo.version
• volatility3.plugins.windows.devicetree module
  • DeviceTree
    • DeviceTree.build_configuration()
    • DeviceTree.config
    • DeviceTree.config_path
    • DeviceTree.context
    • DeviceTree.get_requirements()
    • DeviceTree.make_subconfig()
    • DeviceTree.open
    • DeviceTree.run()
    • DeviceTree.set_open_method()
    • DeviceTree.unsatisfied()
    • DeviceTree.version
• volatility3.plugins.windows.dlllist module
  • DllList
    • DllList.build_configuration()
    • DllList.config
    • DllList.config_path
    • DllList.context
    • DllList.dump_pe()
    • DllList.generate_timeline()
    • DllList.get_requirements()
    • DllList.make_subconfig()
    • DllList.open
    • DllList.run()
    • DllList.set_open_method()
    • DllList.unsatisfied()
    • DllList.version
• volatility3.plugins.windows.driverirp module
  • DriverIrp
    • DriverIrp.build_configuration()
    • DriverIrp.config
    • DriverIrp.config_path
    • DriverIrp.context
    • DriverIrp.get_requirements()
    • DriverIrp.make_subconfig()
    • DriverIrp.open
    • DriverIrp.run()
    • DriverIrp.set_open_method()
    • DriverIrp.unsatisfied()
    • DriverIrp.version
• volatility3.plugins.windows.drivermodule module
  • DriverModule
    • DriverModule.build_configuration()
    • DriverModule.config
    • DriverModule.config_path
    • DriverModule.context
    • DriverModule.get_requirements()
    • DriverModule.make_subconfig()
    • DriverModule.open
    • DriverModule.run()
    • DriverModule.set_open_method()
    • DriverModule.unsatisfied()
    • DriverModule.version
• volatility3.plugins.windows.driverscan module
  • DriverScan
    • DriverScan.build_configuration()
    • DriverScan.config
    • DriverScan.config_path
    • DriverScan.context
    • DriverScan.get_names_for_driver()
    • DriverScan.get_requirements()
    • DriverScan.make_subconfig()
    • DriverScan.open
    • DriverScan.run()
    • DriverScan.scan_drivers()
    • DriverScan.set_open_method()
    • DriverScan.unsatisfied()
    • DriverScan.version
• volatility3.plugins.windows.dumpfiles module
  • DumpFiles
    • DumpFiles.build_configuration()
    • DumpFiles.config
    • DumpFiles.config_path
    • DumpFiles.context
    • DumpFiles.dump_file_producer()
    • DumpFiles.get_requirements()
    • DumpFiles.make_subconfig()
    • DumpFiles.open
    • DumpFiles.process_file_object()
    • DumpFiles.run()
    • DumpFiles.set_open_method()
    • DumpFiles.unsatisfied()
    • DumpFiles.version
• volatility3.plugins.windows.envars module
  • Envars
    • Envars.build_configuration()
    • Envars.config
    • Envars.config_path
    • Envars.context
    • Envars.get_requirements()
    • Envars.make_subconfig()
    • Envars.open
    • Envars.run()
    • Envars.set_open_method()
    • Envars.unsatisfied()
    • Envars.version
• volatility3.plugins.windows.filescan module
  • FileScan
    • FileScan.build_configuration()
    • FileScan.config
    • FileScan.config_path
    • FileScan.context
    • FileScan.get_requirements()
    • FileScan.make_subconfig()
    • FileScan.open
    • FileScan.run()
    • FileScan.scan_files()
    • FileScan.set_open_method()
    • FileScan.unsatisfied()
    • FileScan.version
• volatility3.plugins.windows.getservicesids module
  • GetServiceSIDs
    • GetServiceSIDs.build_configuration()
    • GetServiceSIDs.config
    • GetServiceSIDs.config_path
    • GetServiceSIDs.context
    • GetServiceSIDs.get_requirements()
    • GetServiceSIDs.make_subconfig()
    • GetServiceSIDs.open
    • GetServiceSIDs.run()
    • GetServiceSIDs.set_open_method()
    • GetServiceSIDs.unsatisfied()
    • GetServiceSIDs.version
  • createservicesid()
• volatility3.plugins.windows.getsids module
  • GetSIDs
    • GetSIDs.build_configuration()
    • GetSIDs.config
    • GetSIDs.config_path
    • GetSIDs.context
    • GetSIDs.get_requirements()
    • GetSIDs.lookup_user_sids()
    • GetSIDs.make_subconfig()
    • GetSIDs.open
    • GetSIDs.run()
    • GetSIDs.set_open_method()
    • GetSIDs.unsatisfied()
    • GetSIDs.version
  • find_sid_re()
• volatility3.plugins.windows.handles module
  • Handles
    • Handles.build_configuration()
    • Handles.config
    • Handles.config_path
    • Handles.context
    • Handles.find_cookie()
    • Handles.find_sar_value()
    • Handles.get_requirements()
    • Handles.get_type_map()
    • Handles.handles()
    • Handles.make_subconfig()
    • Handles.open
    • Handles.run()
    • Handles.set_open_method()
    • Handles.unsatisfied()
    • Handles.version
• volatility3.plugins.windows.hashdump module
  • Hashdump
    • Hashdump.almpassword
    • Hashdump.antpassword
    • Hashdump.anum
    • Hashdump.aqwerty
    • Hashdump.bootkey_perm_table
    • Hashdump.build_configuration()
    • Hashdump.config
    • Hashdump.config_path
    • Hashdump.context
    • Hashdump.decrypt_single_hash()
    • Hashdump.decrypt_single_salted_hash()
    • Hashdump.empty_lm
    • Hashdump.empty_nt
    • Hashdump.get_bootkey()
    • Hashdump.get_hbootkey()
    • Hashdump.get_hive_key()
    • Hashdump.get_requirements()
    • Hashdump.get_user_hashes()
    • Hashdump.get_user_keys()
    • Hashdump.get_user_name()
    • Hashdump.lmkey
    • Hashdump.make_subconfig()
    • Hashdump.odd_parity
    • Hashdump.open
    • Hashdump.run()
    • Hashdump.set_open_method()
    • Hashdump.sid_to_key()
    • Hashdump.sidbytes_to_key()
    • Hashdump.unsatisfied()
    • Hashdump.version
• volatility3.plugins.windows.info module
  • Info
    • Info.build_configuration()
    • Info.config
    • Info.config_path
    • Info.context
    • Info.get_depends()
    • Info.get_kdbg_structure()
    • Info.get_kernel_module()
    • Info.get_kuser_structure()
    • Info.get_ntheader_structure()
    • Info.get_requirements()
    • Info.get_version_structure()
    • Info.make_subconfig()
    • Info.open
    • Info.run()
    • Info.set_open_method()
    • Info.unsatisfied()
    • Info.version
• volatility3.plugins.windows.joblinks module
  • JobLinks
    • JobLinks.build_configuration()
    • JobLinks.config
    • JobLinks.config_path
    • JobLinks.context
    • JobLinks.get_requirements()
    • JobLinks.make_subconfig()
    • JobLinks.open
    • JobLinks.run()
    • JobLinks.set_open_method()
    • JobLinks.unsatisfied()
    • JobLinks.version
• volatility3.plugins.windows.ldrmodules module
  • LdrModules
    • LdrModules.build_configuration()
    • LdrModules.config
    • LdrModules.config_path
    • LdrModules.context
    • LdrModules.get_requirements()
    • LdrModules.make_subconfig()
    • LdrModules.open
    • LdrModules.run()
    • LdrModules.set_open_method()
    • LdrModules.unsatisfied()
    • LdrModules.version
• volatility3.plugins.windows.lsadump module
  • Lsadump
    • Lsadump.build_configuration()
    • Lsadump.config
    • Lsadump.config_path
    • Lsadump.context
    • Lsadump.decrypt_aes()
    • Lsadump.decrypt_secret()
    • Lsadump.get_lsa_key()
    • Lsadump.get_requirements()
    • Lsadump.get_secret_by_name()
    • Lsadump.make_subconfig()
    • Lsadump.open
    • Lsadump.run()
    • Lsadump.set_open_method()
    • Lsadump.unsatisfied()
    • Lsadump.version
• volatility3.plugins.windows.malfind module
  • Malfind
    • Malfind.build_configuration()
    • Malfind.config
    • Malfind.config_path
    • Malfind.context
    • Malfind.get_requirements()
    • Malfind.is_vad_empty()
    • Malfind.list_injections()
    • Malfind.make_subconfig()
    • Malfind.open
    • Malfind.run()
    • Malfind.set_open_method()
    • Malfind.unsatisfied()
    • Malfind.version
• volatility3.plugins.windows.mbrscan module
  • MBRScan
    • MBRScan.build_configuration()
    • MBRScan.config
    • MBRScan.config_path
    • MBRScan.context
    • MBRScan.get_hash()
    • MBRScan.get_requirements()
    • MBRScan.make_subconfig()
    • MBRScan.open
    • MBRScan.run()
    • MBRScan.set_open_method()
    • MBRScan.unsatisfied()
    • MBRScan.version
• volatility3.plugins.windows.memmap module
  • Memmap
    • Memmap.build_configuration()
    • Memmap.config
    • Memmap.config_path
    • Memmap.context
    • Memmap.get_requirements()
    • Memmap.make_subconfig()
    • Memmap.open
    • Memmap.run()
    • Memmap.set_open_method()
    • Memmap.unsatisfied()
    • Memmap.version
• volatility3.plugins.windows.mftscan module
  • ADS
    • ADS.build_configuration()
    • ADS.config
    • ADS.config_path
    • ADS.context
    • ADS.get_requirements()
    • ADS.make_subconfig()
    • ADS.open
    • ADS.run()
    • ADS.set_open_method()
    • ADS.unsatisfied()
    • ADS.version
  • MFTScan
    • MFTScan.build_configuration()
    • MFTScan.config
    • MFTScan.config_path
    • MFTScan.context
    • MFTScan.generate_timeline()
    • MFTScan.get_requirements()
    • MFTScan.make_subconfig()
    • MFTScan.open
    • MFTScan.run()
    • MFTScan.set_open_method()
    • MFTScan.unsatisfied()
    • MFTScan.version
• volatility3.plugins.windows.modscan module
  • ModScan
    • ModScan.build_configuration()
    • ModScan.config
    • ModScan.config_path
    • ModScan.context
    • ModScan.find_session_layer()
    • ModScan.get_requirements()
    • ModScan.get_session_layers()
    • ModScan.make_subconfig()
    • ModScan.open
    • ModScan.run()
    • ModScan.scan_modules()
    • ModScan.set_open_method()
    • ModScan.unsatisfied()
    • ModScan.version
• volatility3.plugins.windows.modules module
  • Modules
    • Modules.build_configuration()
    • Modules.config
    • Modules.config_path
    • Modules.context
    • Modules.find_session_layer()
    • Modules.get_requirements()
    • Modules.get_session_layers()
    • Modules.list_modules()
    • Modules.make_subconfig()
    • Modules.open
    • Modules.run()
    • Modules.set_open_method()
    • Modules.unsatisfied()
    • Modules.version
• volatility3.plugins.windows.mutantscan module
  • MutantScan
    • MutantScan.build_configuration()
    • MutantScan.config
    • MutantScan.config_path
    • MutantScan.context
    • MutantScan.get_requirements()
    • MutantScan.make_subconfig()
    • MutantScan.open
    • MutantScan.run()
    • MutantScan.scan_mutants()
    • MutantScan.set_open_method()
    • MutantScan.unsatisfied()
    • MutantScan.version
• volatility3.plugins.windows.netscan module
  • NetScan
    • NetScan.build_configuration()
    • NetScan.config
    • NetScan.config_path
    • NetScan.context
    • NetScan.create_netscan_constraints()
    • NetScan.create_netscan_symbol_table()
    • NetScan.determine_tcpip_version()
    • NetScan.generate_timeline()
    • NetScan.get_requirements()
    • NetScan.make_subconfig()
    • NetScan.open
    • NetScan.run()
    • NetScan.scan()
    • NetScan.set_open_method()
    • NetScan.unsatisfied()
    • NetScan.version
• volatility3.plugins.windows.netstat module
  • NetStat
    • NetStat.build_configuration()
    • NetStat.config
    • NetStat.config_path
    • NetStat.context
    • NetStat.create_tcpip_symbol_table()
    • NetStat.enumerate_structures_by_port()
    • NetStat.find_port_pools()
    • NetStat.generate_timeline()
    • NetStat.get_requirements()
    • NetStat.get_tcpip_module()
    • NetStat.list_sockets()
    • NetStat.make_subconfig()
    • NetStat.open
    • NetStat.parse_bitmap()
    • NetStat.parse_hashtable()
    • NetStat.parse_partitions()
    • NetStat.read_pointer()
    • NetStat.run()
    • NetStat.set_open_method()
    • NetStat.unsatisfied()
    • NetStat.version
• volatility3.plugins.windows.poolscanner module
  • PoolConstraint
  • PoolHeaderScanner
    • PoolHeaderScanner.context
    • PoolHeaderScanner.layer_name
    • PoolHeaderScanner.thread_safe
    • PoolHeaderScanner.version
  • PoolScanner
    • PoolScanner.build_configuration()
    • PoolScanner.builtin_constraints()
    • PoolScanner.config
    • PoolScanner.config_path
    • PoolScanner.context
    • PoolScanner.generate_pool_scan()
    • PoolScanner.get_pool_header_table()
    • PoolScanner.get_requirements()
    • PoolScanner.make_subconfig()
    • PoolScanner.open
    • PoolScanner.pool_scan()
    • PoolScanner.run()
    • PoolScanner.set_open_method()
    • PoolScanner.unsatisfied()
    • PoolScanner.version
  • PoolType
    • PoolType.FREE
    • PoolType.NONPAGED
    • PoolType.PAGED
    • PoolType.as_integer_ratio()
    • PoolType.bit_count()
    • PoolType.bit_length()
    • PoolType.conjugate()
    • PoolType.denominator
    • PoolType.from_bytes()
    • PoolType.imag
    • PoolType.numerator
    • PoolType.real
    • PoolType.to_bytes()
• volatility3.plugins.windows.privileges module
  • Privs
    • Privs.build_configuration()
    • Privs.config
    • Privs.config_path
    • Privs.context
    • Privs.get_requirements()
    • Privs.make_subconfig()
    • Privs.open
    • Privs.run()
    • Privs.set_open_method()
    • Privs.unsatisfied()
    • Privs.version
• volatility3.plugins.windows.pslist module
  • PsList
    • PsList.PHYSICAL_DEFAULT
    • PsList.build_configuration()
    • PsList.config
    • PsList.config_path
    • PsList.context
    • PsList.create_name_filter()
    • PsList.create_pid_filter()
    • PsList.generate_timeline()
    • PsList.get_requirements()
    • PsList.list_processes()
    • PsList.make_subconfig()
    • PsList.open
    • PsList.process_dump()
    • PsList.run()
    • PsList.set_open_method()
    • PsList.unsatisfied()
    • PsList.version
• volatility3.plugins.windows.psscan module
  • PsScan
    • PsScan.build_configuration()
    • PsScan.config
    • PsScan.config_path
    • PsScan.context
    • PsScan.generate_timeline()
    • PsScan.get_osversion()
    • PsScan.get_requirements()
    • PsScan.make_subconfig()
    • PsScan.open
    • PsScan.run()
    • PsScan.scan_processes()
    • PsScan.set_open_method()
    • PsScan.unsatisfied()
    • PsScan.version
    • PsScan.virtual_process_from_physical()
• volatility3.plugins.windows.pstree module
  • PsTree
    • PsTree.build_configuration()
    • PsTree.config
    • PsTree.config_path
    • PsTree.context
    • PsTree.find_level()
    • PsTree.get_requirements()
    • PsTree.make_subconfig()
    • PsTree.open
    • PsTree.run()
    • PsTree.set_open_method()
    • PsTree.unsatisfied()
    • PsTree.version
• volatility3.plugins.windows.sessions module
  • Sessions
    • Sessions.build_configuration()
    • Sessions.config
    • Sessions.config_path
    • Sessions.context
    • Sessions.generate_timeline()
    • Sessions.get_requirements()
    • Sessions.make_subconfig()
    • Sessions.open
    • Sessions.run()
    • Sessions.set_open_method()
    • Sessions.unsatisfied()
    • Sessions.version
• volatility3.plugins.windows.skeleton_key_check module
  • Skeleton_Key_Check
    • Skeleton_Key_Check.build_configuration()
    • Skeleton_Key_Check.config
    • Skeleton_Key_Check.config_path
    • Skeleton_Key_Check.context
    • Skeleton_Key_Check.get_requirements()
    • Skeleton_Key_Check.make_subconfig()
    • Skeleton_Key_Check.open
    • Skeleton_Key_Check.run()
    • Skeleton_Key_Check.set_open_method()
    • Skeleton_Key_Check.unsatisfied()
    • Skeleton_Key_Check.version
• volatility3.plugins.windows.ssdt module
  • SSDT
    • SSDT.build_configuration()
    • SSDT.build_module_collection()
    • SSDT.config
    • SSDT.config_path
    • SSDT.context
    • SSDT.get_requirements()
    • SSDT.make_subconfig()
    • SSDT.open
    • SSDT.run()
    • SSDT.set_open_method()
    • SSDT.unsatisfied()
    • SSDT.version
• volatility3.plugins.windows.strings module
  • Strings
    • Strings.build_configuration()
    • Strings.config
    • Strings.config_path
    • Strings.context
    • Strings.generate_mapping()
    • Strings.get_requirements()
    • Strings.make_subconfig()
    • Strings.open
    • Strings.run()
    • Strings.set_open_method()
    • Strings.strings_pattern
    • Strings.unsatisfied()
    • Strings.version
• volatility3.plugins.windows.svcscan module
  • SvcScan
    • SvcScan.build_configuration()
    • SvcScan.config
    • SvcScan.config_path
    • SvcScan.context
    • SvcScan.create_service_table()
    • SvcScan.get_record_tuple()
    • SvcScan.get_requirements()
    • SvcScan.make_subconfig()
    • SvcScan.open
    • SvcScan.run()
    • SvcScan.set_open_method()
    • SvcScan.unsatisfied()
    • SvcScan.version
• volatility3.plugins.windows.symlinkscan module
  • SymlinkScan
    • SymlinkScan.build_configuration()
    • SymlinkScan.config
    • SymlinkScan.config_path
    • SymlinkScan.context
    • SymlinkScan.generate_timeline()
    • SymlinkScan.get_requirements()
    • SymlinkScan.make_subconfig()
    • SymlinkScan.open
    • SymlinkScan.run()
    • SymlinkScan.scan_symlinks()
    • SymlinkScan.set_open_method()
    • SymlinkScan.unsatisfied()
    • SymlinkScan.version
• volatility3.plugins.windows.vadinfo module
  • VadInfo
    • VadInfo.MAXSIZE_DEFAULT
    • VadInfo.build_configuration()
    • VadInfo.config
    • VadInfo.config_path
    • VadInfo.context
    • VadInfo.get_requirements()
    • VadInfo.list_vads()
    • VadInfo.make_subconfig()
    • VadInfo.open
    • VadInfo.protect_values()
    • VadInfo.run()
    • VadInfo.set_open_method()
    • VadInfo.unsatisfied()
    • VadInfo.vad_dump()
    • VadInfo.version
• volatility3.plugins.windows.vadwalk module
  • VadWalk
    • VadWalk.build_configuration()
    • VadWalk.config
    • VadWalk.config_path
    • VadWalk.context
    • VadWalk.get_requirements()
    • VadWalk.make_subconfig()
    • VadWalk.open
    • VadWalk.run()
    • VadWalk.set_open_method()
    • VadWalk.unsatisfied()
    • VadWalk.version
• volatility3.plugins.windows.vadyarascan module
  • VadYaraScan
    • VadYaraScan.build_configuration()
    • VadYaraScan.config
    • VadYaraScan.config_path
    • VadYaraScan.context
    • VadYaraScan.get_requirements()
    • VadYaraScan.get_vad_maps()
    • VadYaraScan.make_subconfig()
    • VadYaraScan.open
    • VadYaraScan.run()
    • VadYaraScan.set_open_method()
    • VadYaraScan.unsatisfied()
    • VadYaraScan.version
• volatility3.plugins.windows.verinfo module
  • VerInfo
    • VerInfo.build_configuration()
    • VerInfo.config
    • VerInfo.config_path
    • VerInfo.context
    • VerInfo.find_version_info()
    • VerInfo.get_requirements()
    • VerInfo.get_version_information()
    • VerInfo.make_subconfig()
    • VerInfo.open
    • VerInfo.run()
    • VerInfo.set_open_method()
    • VerInfo.unsatisfied()
    • VerInfo.version
• volatility3.plugins.windows.virtmap module
  • VirtMap
    • VirtMap.build_configuration()
    • VirtMap.config
    • VirtMap.config_path
    • VirtMap.context
    • VirtMap.determine_map()
    • VirtMap.get_requirements()
    • VirtMap.make_subconfig()
    • VirtMap.open
    • VirtMap.run()
    • VirtMap.scannable_sections()
    • VirtMap.set_open_method()
    • VirtMap.unsatisfied()
    • VirtMap.version