volatility.framework.symbols.windows.extensions package¶

class DEVICE_OBJECT(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType, volatility.framework.symbols.windows.extensions.ExecutiveObject

A class for kernel device objects.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_device_name()[source]¶

Return type: str

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

object_header()¶

Return type: OBJECT_HEADER

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class DRIVER_OBJECT(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType, volatility.framework.symbols.windows.extensions.ExecutiveObject

A class for kernel driver objects.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_driver_name()[source]¶

Return type: str

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

is_valid()[source]¶

Determine if the object is valid.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

object_header()¶

Return type: OBJECT_HEADER

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class EPROCESS(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.symbols.generic.GenericIntelProcess, volatility.framework.symbols.windows.extensions.ExecutiveObject

A class for executive kernel processes objects.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

add_process_layer(config_prefix=None, preferred_name=None)[source]¶: Constructs a new layer based on the process’s DirectoryTableBase.

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_create_time()[source]¶

get_exit_time()[source]¶

get_handle_count()[source]¶

get_is_wow64()[source]¶

get_session_id()[source]¶

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

get_vad_root()[source]¶

get_wow_64_process()[source]¶

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

is_valid()[source]¶

Determine if the object is valid.

Return type: bool

load_order_modules()[source]¶

Generator for DLLs in the order that they were loaded.

Return type: Iterable[int]

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

object_header()¶

Return type: OBJECT_HEADER

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class ETHREAD(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType

A class for executive thread objects.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

owning_process(kernel_layer=None)[source]¶

Return the EPROCESS that owns this thread.

Return type: ObjectInterface

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class EX_FAST_REF(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType

This is a standard Windows structure that stores a pointer to an object but also leverages the least significant bits to encode additional details.

When dereferencing the pointer, we need to strip off the extra bits.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

dereference()[source]¶

Return type: ObjectInterface

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class ExecutiveObject(context, type_name, object_info, **kwargs)[source]¶

Bases: volatility.framework.interfaces.objects.ObjectInterface

This is used as a “mixin” that provides all kernel executive objects with a means of finding their own object header.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: object

A container for proxied methods that the ObjectTemplate of this object will call. This is primarily to keep methods together for easy organization/management, there is no significant need for it to be a separate class.

The methods of this class must be class methods rather than standard methods, to allow for code reuse. Each method also takes a template since the templates may contain the necessary data about the yet-to-be-constructed object. It allows objects to control how their templates respond without needing to write new templates for each and every potental object type.

abstract classmethod children(template)¶

Returns the children of the template.

Return type: List[Template]

abstract classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

abstract classmethod relative_child_offset(template, child)¶

Returns the relative offset from the head of the parent data to the child member.

Return type: int

abstract classmethod replace_child(template, old_child, new_child)¶

Substitutes the old_child for the new_child.

Return type: None

abstract classmethod size(template)¶

Returns the size of the template object.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Parameters: member_name (str) – Name to test whether a member exists within the type structure
Return type: bool

object_header()[source]¶

Return type: OBJECT_HEADER

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

abstract write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class FILE_OBJECT(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType, volatility.framework.symbols.windows.extensions.ExecutiveObject

A class for windows file objects.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

file_name_with_device()[source]¶

Return type: Union[str, BaseAbsentValue]

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

is_valid()[source]¶

Determine if the object is valid.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

object_header()¶

Return type: OBJECT_HEADER

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class KMUTANT(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType, volatility.framework.symbols.windows.extensions.ExecutiveObject

A class for windows mutant objects.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_name()[source]¶

Get the object’s name from the object header.

Return type: str

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

is_valid()[source]¶

Determine if the object is valid.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

object_header()¶

Return type: OBJECT_HEADER

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class KSYSTEM_TIME(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType

A system time structure that stores a high and low part.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

get_time()[source]¶

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class LIST_ENTRY(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType, collections.abc.Iterable

A class for double-linked lists on Windows.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

to_list(symbol_type, member, forward=True, sentinel=True, layer=None)[source]¶

Returns an iterator of the entries in the list.

Return type: Iterator[ObjectInterface]

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class MMVAD(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.symbols.windows.extensions.MMVAD_SHORT

A version of the process virtual memory range structure that contains additional fields necessary to map files from disk.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_commit_charge()¶: Get the VAD’s commit charge (number of committed pages)

get_end()¶: Get the VAD’s ending virtual address.

get_file_name()[source]¶: Get the name of the file mapped into the memory range (if any)

get_left_child()¶: Get the left child member.

get_parent()¶: Get the VAD’s parent member.

get_private_memory()¶: Get the VAD’s private memory setting.

get_protection(protect_values, winnt_protections)¶: Get the VAD’s protection constants as a string.

get_right_child()¶: Get the right child member.

get_start()¶: Get the VAD’s starting virtual address.

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

get_tag¶

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

traverse(visited=None, depth=0)¶: Traverse the VAD tree, determining each underlying VAD node type by looking up the pool tag for the structure and then casting into a new object.

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class MMVAD_SHORT(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType

A class that represents process virtual memory ranges.

Each instance is a node in a binary tree structure and is pointed to by VadRoot.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_commit_charge()[source]¶: Get the VAD’s commit charge (number of committed pages)

get_end()[source]¶: Get the VAD’s ending virtual address.

get_file_name()[source]¶: Only long(er) vads have mapped files.

get_left_child()[source]¶: Get the left child member.

get_parent()[source]¶: Get the VAD’s parent member.

get_private_memory()[source]¶: Get the VAD’s private memory setting.

get_protection(protect_values, winnt_protections)[source]¶: Get the VAD’s protection constants as a string.

get_right_child()[source]¶: Get the right child member.

get_start()[source]¶: Get the VAD’s starting virtual address.

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

get_tag[source]¶

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

traverse(visited=None, depth=0)[source]¶: Traverse the VAD tree, determining each underlying VAD node type by looking up the pool tag for the structure and then casting into a new object.

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class OBJECT_HEADER(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType

A class for the headers for executive kernel objects, which contains quota information, ownership details, naming data, and ACLs.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

property NameInfo¶

Return type: ObjectInterface

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_object_type(type_map, cookie=None)[source]¶

Across all Windows versions, the _OBJECT_HEADER embeds details on the type of object (i.e. process, file) but the way its embedded differs between versions.

This API abstracts away those details.

Return type: Optional[str]

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

is_valid()[source]¶

Determine if the object is valid.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class OBJECT_SYMBOLIC_LINK(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType, volatility.framework.symbols.windows.extensions.ExecutiveObject

A class for kernel link objects.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_create_time()[source]¶

get_link_name()[source]¶

Return type: str

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

is_valid()[source]¶

Determine if the object is valid.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

object_header()¶

Return type: OBJECT_HEADER

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class POOL_HEADER(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType

A kernel pool allocation header.

Exists at the base of the allocation and provides a tag that we can scan for.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_object(type_name, type_map, use_top_down, native_layer_name=None, object_type=None, cookie=None)[source]¶

Carve an object or data structure from a kernel pool allocation.

Parameters

type_name (str) – the data structure type name
native_layer_name (Optional[str]) – the name of the layer where the data originally lived
object_type (Optional[str]) – the object type (executive kernel objects only)

Return type

Optional[ObjectInterface]

Returns

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class UNICODE_STRING(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType

A class for Windows unicode string structures.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

property String¶

Return type: ObjectInterface

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_string()[source]¶

Return type: ObjectInterface

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

volatility.framework.symbols.windows.extensions package¶

Submodules¶