A class for 64-bit Windows 8 / 2012 handle tables.
Public Member Functions
def decode_pointer (self, value)
Decode a pointer like SAR.
def get_item
Returns the OBJECT_HEADER of the associated handle.
Public Member Functions inherited from volatility.plugins.overlays.windows.win8._HANDLE_TABLE32
def HandleCount (self)
The Windows 8 / 2012 handle table does not have a HandleCount member, so we fake it.
def get_item
Returns the OBJECT_HEADER of the associated handle.
Public Member Functions inherited from volatility.plugins.overlays.windows.windows._HANDLE_TABLE
def get_item
Returns the OBJECT_HEADER of the associated handle.
def handles (self)
A generator which yields this process's handles.
Public Member Functions inherited from volatility.obj.CType
def __init__ (self, theType, offset, vm, name=None, members=None, struct_size=0, kwargs)
This must be instantiated with a dict of members.
def size (self)
def __repr__ (self)
def d (self)
def v (self)
When a struct is evaluated we just return our offset.
def m (self, attr)
def __getattr__ (self, attr)
def __setattr__ (self, attr, value)
Change underlying members.
Public Member Functions inherited from volatility.obj.BaseObject
def __init__ (self, theType, offset, vm, native_vm=None, parent=None, name=None, kwargs)
def obj_type (self)
def obj_vm (self)
def obj_offset (self)
def obj_parent (self)
def obj_name (self)
def obj_native_vm (self)
def set_native_vm (self, native_vm)
Sets the native_vm.
def rebase (self, offset)
def proxied (self, attr)
def newattr (self, attr, value)
Sets a new attribute after the object has been created.
def write (self, value)
Function for writing the object back to disk.
def __getattr__ (self, attr)
This is only useful for proper methods (not ones that start with __ )
def __setattr__ (self, attr, value)
def __nonzero__ (self)
This method is called when we test the truth value of an Object.
def __eq__ (self, other)
def __ne__ (self, other)
def __hash__ (self)
def m (self, memname)
def is_valid (self)
def dereference (self)
def dereference_as (self, derefType, kwargs)
def cast (self, castString)
def v (self)
Do the actual reading and decoding of this member.
def __format__ (self, formatspec)
def __str__ (self)
def __repr__ (self)
def d (self)
Display diagnostic information.
def __getstate__ (self)
This controls how we pickle and unpickle the objects.
def __setstate__ (self, state)
Static Public Attributes
int DECODE_MAGIC = 0x13
Additional Inherited Members
Public Attributes inherited from volatility.obj.CType
members
struct_size
Public Attributes inherited from volatility.obj.BaseObject
obj_offset
obj_vm
def volatility.plugins.overlays.windows.win8._HANDLE_TABLE64.decode_pointer (self, value)
Decode a pointer the way the SAR (shift arithmetic right) instruction would.
Since Python does not have an operator for a fixed-width arithmetic shift, we implement one ourselves.
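An added illustration, not Volatility's own code, of the 64-bit arithmetic right shift this description refers to, applied to a value read from memory as an unsigned integer. DECODE_MAGIC = 0x13 comes from this page; the names sar64, sar64_signed and MASK64 and the sample values are constructed for the example.

```python
DECODE_MAGIC = 0x13          # shift count listed on this page
MASK64 = (1 << 64) - 1       # hypothetical helper constant: 64-bit mask


def sar64(value, count):
    """Arithmetic right shift of a 64-bit value held as an unsigned int.

    A value read from a memory image is a non-negative Python int, so a
    plain >> fills the vacated high bits with zeros. SAR instead copies
    the sign bit (bit 63) into them, which is done here by hand.
    """
    if not 0 <= count < 64:
        raise ValueError("shift count must be in 0..63")
    value &= MASK64
    shifted = value >> count
    if value & (1 << 63):
        # Sign bit set: force the top `count` bits to 1.
        shifted |= (MASK64 << (64 - count)) & MASK64
    return shifted


def sar64_signed(value, count):
    """Same result via a signed reinterpretation, used as a cross-check."""
    value &= MASK64
    signed = value - (1 << 64) if value & (1 << 63) else value
    return (signed >> count) & MASK64


if __name__ == "__main__":
    # Constructed sample values, not taken from a real handle table.
    for sample in (0x8000000000000000, 0x0000100000000000, MASK64):
        print("%#018x -> %#018x" % (sample, sar64(sample, DECODE_MAGIC)))
```
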
def volatility.plugins.overlays.windows.win8._HANDLE_TABLE64.get_item (self, entry, handle_value = 0)
Returns the OBJECT_HEADER of the associated handle.
The parent is the _HANDLE_TABLE_ENTRY so that an object can be linked to its GrantedAccess.