volatility.framework.symbols.linux.bash module¶
-
class
BashIntermedSymbols
(*args, **kwargs)[source]¶ Bases:
volatility.framework.symbols.intermed.IntermediateSymbolTable
Instantiates a SymbolTable based on an IntermediateSymbolFormat JSON file. This is validated against the appropriate schema. The validation can be disabled by passing validate = False, but this should almost never be done.
- Parameters
context – The volatility context for the symbol table
config_path – The configuration path for the symbol table
name – The name for the symbol table (this is used in symbols e.g. table!symbol )
isf_url – The URL pointing to the ISF file location
native_types – The NativeSymbolTable that contains the native types for this symbol table
table_mapping – A dictionary linking names referenced in the file with symbol tables in the context
validate – Determines whether the ISF file will be validated against the appropriate schema
class_types – A dictionary of type names and classes that override StructType when they are instantiated
-
build_configuration
()¶ Constructs a HierarchicalDictionary of all the options required to build this component in the current context.
Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too
- Return type
-
property
config
¶ The Hierarchical configuration Dictionary for this Configurable object.
- Return type
-
property
context
¶ The context object that this configurable belongs to/configuration is stored in.
- Return type
-
classmethod
create
(context, config_path, sub_path, filename, native_types=None, table_mapping=None, class_types=None)¶ Takes a context and loads an intermediate symbol table based on a filename.
- Parameters
context (
ContextInterface
) – The context that the current plugin is being run withinconfig_path (
str
) – The configuration path for reading/storing configuration information this symbol table may usesub_path (
str
) – The path under a suitable symbol path (defaults to volatility/symbols and volatility/framework/symbols) to checkfilename (
str
) – Basename of the file to find under the sub_pathnative_types (
Optional
[NativeTableInterface
]) – Set of native types, defaults to native types read from the intermediate symbol format filetable_mapping (
Optional
[Dict
[str
,str
]]) – a dictionary of table names mentioned within the ISF file, and the tables within the context which they map to
- Return type
- Returns
the name of the added symbol table
-
del_type_class
(*args, **kwargs)¶
-
property
enumerations
¶
-
classmethod
file_symbol_url
(sub_path, filename=None)¶ Returns an iterator of appropriate file-scheme symbol URLs that can be opened by a ResourceAccessor class.
Filter reduces the number of results returned to only those URLs containing that string
-
get_enumeration
(*args, **kwargs)¶
-
classmethod
get_requirements
()¶ Returns a list of RequirementInterface objects required by this object.
- Return type
-
get_symbol
(*args, **kwargs)¶
-
get_symbol_type
(name)¶ Resolves a symbol name into a symbol and then resolves the symbol’s type.
-
get_symbols_by_location
(offset, size=0)¶ Returns the name of all symbols in this table that live at a particular offset.
-
get_symbols_by_type
(type_name)¶ Returns the name of all symbols in this table that have type matching type_name.
-
get_type
(*args, **kwargs)¶
-
get_type_class
(*args, **kwargs)¶
-
classmethod
make_subconfig
(context, base_config_path, **kwargs)¶ Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.
- Parameters
context (
ContextInterface
) – The context in which to store the new configurationbase_config_path (
str
) – The base configuration path on which to build the new configurationkwargs – Keyword arguments that are used to populate the new configuration path
- Returns
The newly generated full configuration path
- Return type
-
property
metadata
¶
-
property
natives
¶ Returns None or a NativeTable for handling space specific native types.
- Return type
-
set_type_class
(*args, **kwargs)¶
-
property
symbols
¶
-
property
types
¶
-
classmethod
unsatisfied
(context, config_path)¶ Returns a list of the names of all unsatisfied requirements.
Since a satisfied set of requirements will return [], it can be used in tests as follows:
unmet = configurable.unsatisfied(context, config_path) if unmet: raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
- Return type