 |
The Volatility Framework
|
|
|
The Volatility Framework
|
|
Match physical offsets to virtual addresses (may take a while, VERY verbose) More...
Public Member Functions | |
| def | __init__ (self, config, args, kwargs) |
| def | get_processes (self, addr_space) |
| Enumerate processes based on user options. More... | |
| def | get_modules (cls, addr_space) |
| Enumerate the kernel modules. More... | |
| def | find_module (cls, mods, mod_addrs, addr_space, vpage) |
| Determine which module owns a virtual page. More... | |
| def | get_module_name (cls, module) |
| Get the name of a kernel module. More... | |
| def | get_task_pid (cls, task) |
| Get the PID of a process. More... | |
| def | calculate (self) |
| def | parse_line (cls, line) |
| Parses a line of strings. More... | |
| def | get_reverse_map (cls, addr_space, tasks) |
| Generates a reverse mapping of physical addresses to the kernel and/or tasks. More... | |
| def | unified_output (self, data) |
| def | generator (self, data) |
| def | render_text (self, outfd, data) |
 Public Member Functions inherited from volatility.commands.Command | |
| def | __init__ (self, config, _args, _kwargs) |
| Constructor uses args as an initializer. More... | |
| def | help (cls) |
| This function returns a string that will be displayed when a user lists available plugins. | |
| def | calculate (self) |
| This function is responsible for performing all calculations. More... | |
| def | execute (self) |
| Executes the plugin command. More... | |
| def | format_value (self, value, fmt) |
| Formats an individual field using the table formatting codes. | |
| def | table_header |
| Table header renders the title row of a table. More... | |
| def | table_row (self, outfd, args) |
| Outputs a single row of a table. | |
| def | text_cell_renderers (self, columns) |
| Returns default renderers for the columns listed. | |
| def | unified_output (self, data) |
| def | render_text (self, outfd, data) |
| def | render_greptext (self, outfd, data) |
| def | render_json (self, outfd, data) |
| def | render_sqlite (self, outfd, data) |
| def | render_dot (self, outfd, data) |
| def | render_html (self, outfd, data) |
| def | render_xlsx (self, outfd, data) |
Additional Inherited Members | |
| Static Public Member Functions inherited from volatility.plugins.common.AbstractWindowsCommand | |
| def | is_valid_profile (profile) |
| Static Public Member Functions inherited from volatility.commands.Command | |
| def | register_options (config) |
| Registers options into a config object provided. | |
| def | is_valid_profile (profile) |
| Static Public Attributes inherited from volatility.commands.Command | |
| string | op = "" |
| string | opts = "" |
| string | args = "" |
| string | cmdname = "" |
| dictionary | meta_info = {} |
| elide_data = True | |
| string | tablesep = " " |
| text_sort_column = None | |
| dictionary | text_stock_renderers |
Match physical offsets to virtual addresses (may take a while, VERY verbose)
| def volatility.plugins.strings.Strings.find_module | ( | cls, | |
| mods, | |||
| mod_addrs, | |||
| addr_space, | |||
| vpage | |||
| ) |
Determine which module owns a virtual page.
:param mods |
|
| <addrspace.AbstractVirtualAddressSpace> vpage | <int>
:returns <_LDR_DATA_TABLE_ENTRY> || None
| def volatility.plugins.strings.Strings.get_module_name | ( | cls, | |
| module | |||
| ) |
Get the name of a kernel module.
:param module | <_LDR_DATA_TABLE_ENTRY>
:returns <str>
| def volatility.plugins.strings.Strings.get_modules | ( | cls, | |
| addr_space | |||
| ) |
Enumerate the kernel modules.
:param addr_space | <addrspace.AbstractVirtualAddressSpace>
:returns <tuple>
| def volatility.plugins.strings.Strings.get_processes | ( | self, | |
| addr_space | |||
| ) |
Enumerate processes based on user options.
:param addr_space | <addrspace.AbstractVirtualAddressSpace>
:returns
| def volatility.plugins.strings.Strings.get_reverse_map | ( | cls, | |
| addr_space, | |||
| tasks | |||
| ) |
Generates a reverse mapping of physical addresses to the kernel and/or tasks.
:param addr_space | <addrspace.AbstractVirtualAddressSpace> tasks |
returns <dict>
| def volatility.plugins.strings.Strings.get_task_pid | ( | cls, | |
| task | |||
| ) |
Get the PID of a process.
:param task | <_EPROCESS>
:returns <int>
| def volatility.plugins.strings.Strings.parse_line | ( | cls, | |
| line | |||
| ) |
Parses a line of strings.
:param cls | <Strings> line | <str>
:returns <tuple>
1.8.9.1