 |
The Volatility Framework
|
|
|
The Volatility Framework
|
|
Public Member Functions | |
| def | __init__ (self, theType, offset, vm, is_utc=False, kwargs) |
| def | as_dos_timestamp (self) |
| def | v (self) |
| def | __nonzero__ (self) |
| def | __str__ (self) |
| def | as_datetime (self) |
| def | __format__ (self, formatspec) |
| Formats the datetime according to the timefmt module. | |
| def | dos_to_unix_time (self, dosdate) |
| Every previous conversion algorithm takes in two unsigned shorts separately. More... | |
 Public Member Functions inherited from volatility.obj.NativeType | |
| def | __init__ (self, theType, offset, vm, format_string=None, kwargs) |
| def | write (self, data) |
| Writes the data back into the address space. | |
| def | proxied (self, attr) |
| def | size (self) |
| def | v (self) |
| def | cdecl (self) |
| def | __repr__ (self) |
| def | d (self) |
| Public Member Functions inherited from volatility.obj.BaseObject | |
| def | __init__ (self, theType, offset, vm, native_vm=None, parent=None, name=None, kwargs) |
| def | obj_type (self) |
| def | obj_vm (self) |
| def | obj_offset (self) |
| def | obj_parent (self) |
| def | obj_name (self) |
| def | obj_native_vm (self) |
| def | set_native_vm (self, native_vm) |
| Sets the native_vm. | |
| def | rebase (self, offset) |
| def | proxied (self, attr) |
| def | newattr (self, attr, value) |
| Sets a new attribute after the object has been created. | |
| def | write (self, value) |
| Function for writing the object back to disk. | |
| def | __getattr__ (self, attr) |
| This is only useful for proper methods (not ones that start with __ ) | |
| def | __setattr__ (self, attr, value) |
| def | __nonzero__ (self) |
| This method is called when we test the truth value of an Object. More... | |
| def | __eq__ (self, other) |
| def | __ne__ (self, other) |
| def | __hash__ (self) |
| def | m (self, memname) |
| def | is_valid (self) |
| def | dereference (self) |
| def | dereference_as (self, derefType, kwargs) |
| def | cast (self, castString) |
| def | v (self) |
| Do the actual reading and decoding of this member. | |
| def | __format__ (self, formatspec) |
| def | __str__ (self) |
| def | __repr__ (self) |
| def | d (self) |
| Display diagnostic information. | |
| def | __getstate__ (self) |
| This controls how we pickle and unpickle the objects. | |
| def | __setstate__ (self, state) |
Public Attributes | |
| is_utc | |
| Public Attributes inherited from volatility.obj.NativeType | |
| format_string | |
| Public Attributes inherited from volatility.obj.BaseObject | |
| obj_offset | |
| obj_vm | |
| def volatility.plugins.overlays.windows.windows.DosDate.dos_to_unix_time | ( | self, | |
| dosdate | |||
| ) |
Every previous conversion algorithm takes in two unsigned shorts separately.
We're not doing that here, but instead getting those shorts from an unsigned int (dosdate)
dosdate: 4 bytes little endian converted to: date: 2 bytes time: 2 bytes
conversion to datetime taken from: http://code.google.com/p/libforensics/ dosdate is already in UTC: http://download.polytechnic.edu.na/pub4/download.sourceforge.net/pub/sourceforge/l/project/li/liblnk/Documentation/Windows%20Shell%20Item%20format/Windows%20Shell%20Item%20format.pdf
1.8.9.1