volatility.framework.symbols.windows.extensions.services module¶

class SERVICE_HEADER(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType

A service header structure.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

is_valid()[source]¶

Determine if the structure is valid.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.

class SERVICE_RECORD(context, type_name, object_info, size, members)[source]¶

Bases: volatility.framework.objects.StructType

A service record structure.

Constructs an Object adhering to the ObjectInterface.

Parameters

context (ContextInterface) – The context associated with the object
type_name (str) – The name of the type structure for the object
object_info (ObjectInformation) – Basic information relevant to the object (layer, offset, member_name, parent, etc)

class VolTemplateProxy¶

Bases: volatility.framework.interfaces.objects.VolTemplateProxy

classmethod children(template)¶

Method to list children of a template.

Return type: List[Template]

classmethod has_member(template, member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

classmethod relative_child_offset(template, child)¶

Returns the relative offset of a child to its parent.

Return type: int

classmethod replace_child(template, old_child, new_child)¶

Replace a child elements within the arguments handed to the template.

Return type: None

classmethod size(template)¶

Method to return the size of this type.

Return type: int

cast(new_type_name, **additional)¶

Returns a new object at the offset and from the layer that the current object inhabits.

Note

If new type name does not include a symbol table, the symbol table for the current object is used

Return type: ObjectInterface

get_binary()[source]¶

Returns the binary associated with the service.

Return type: Union[str, BaseAbsentValue]

get_display()[source]¶

Returns the service display.

Return type: Union[str, BaseAbsentValue]

get_name()[source]¶

Returns the service name.

Return type: Union[str, BaseAbsentValue]

get_pid()[source]¶

Return the pid of the process, if any.

Return type: Union[int, BaseAbsentValue]

get_symbol_table()¶

Returns the symbol table for this particular object.

Returns none if the symbol table cannot be identified.

Return type: SymbolTableInterface

get_type()[source]¶

Returns the binary types.

Return type: str

has_member(member_name)¶

Returns whether the object would contain a member called member_name.

Return type: bool

is_valid()[source]¶

Determine if the structure is valid.

Return type: bool

member(attr='member')¶

Specifically named method for retrieving members.

Return type: object

traverse()[source]¶: Generator that enumerates other services.

property vol¶

Returns the volatility specific object information.

Return type: ReadOnlyMapping

write(value)¶: Writes the new value into the format at the offset the object currently resides at.