 |
The Volatility Framework
|
|
|
The Volatility Framework
|
|
A class for Desktop objects. More...
Public Member Functions | |
| def | is_valid (self) |
| def | WindowStation (self) |
| Returns this desktop's parent window station. | |
| def | DeskInfo (self) |
| Returns the desktop info object. | |
| def | threads (self) |
| Generator for _EPROCESS objects attached to this desktop. | |
| def | hook_params (self) |
| Parameters for the hooks() method. More... | |
| def | hooks (self) |
| Generator for tagHOOK info. More... | |
| def | windows |
| Traverses windows in their Z order, bottom to top. More... | |
| def | heaps (self) |
| Generator for the desktop heaps. | |
| def | traverse (self) |
| Generator for next desktops in the list. | |
 Public Member Functions inherited from volatility.plugins.gui.win32k_core.tagWINDOWSTATION | |
| def | is_valid (self) |
| def | PhysicalAddress (self) |
| This is a simple wrapper to always return the object's physical offset regardless of what AS its instantiated in. | |
| def | LastRegisteredViewer (self) |
| The EPROCESS of the last registered clipboard viewer. | |
| def | AtomTable (self) |
| This atom table belonging to this window station object. | |
| def | Interactive (self) |
| Check if a window station is interactive. | |
| def | Name (self) |
| Get the window station name. More... | |
| def | traverse (self) |
| A generator that yields window station objects. | |
| def | desktops (self) |
| A generator that yields the window station's desktops. | |
| Public Member Functions inherited from volatility.obj.CType | |
| def | __init__ (self, theType, offset, vm, name=None, members=None, struct_size=0, kwargs) |
| This must be instantiated with a dict of members. More... | |
| def | size (self) |
| def | __repr__ (self) |
| def | d (self) |
| def | v (self) |
| When a struct is evaluated we just return our offset. | |
| def | m (self, attr) |
| def | __getattr__ (self, attr) |
| def | __setattr__ (self, attr, value) |
| Change underlying members. | |
| Public Member Functions inherited from volatility.obj.BaseObject | |
| def | __init__ (self, theType, offset, vm, native_vm=None, parent=None, name=None, kwargs) |
| def | obj_type (self) |
| def | obj_vm (self) |
| def | obj_offset (self) |
| def | obj_parent (self) |
| def | obj_name (self) |
| def | obj_native_vm (self) |
| def | set_native_vm (self, native_vm) |
| Sets the native_vm. | |
| def | rebase (self, offset) |
| def | proxied (self, attr) |
| def | newattr (self, attr, value) |
| Sets a new attribute after the object has been created. | |
| def | write (self, value) |
| Function for writing the object back to disk. | |
| def | __getattr__ (self, attr) |
| This is only useful for proper methods (not ones that start with __ ) | |
| def | __setattr__ (self, attr, value) |
| def | __nonzero__ (self) |
| This method is called when we test the truth value of an Object. More... | |
| def | __eq__ (self, other) |
| def | __ne__ (self, other) |
| def | __hash__ (self) |
| def | m (self, memname) |
| def | is_valid (self) |
| def | dereference (self) |
| def | dereference_as (self, derefType, kwargs) |
| def | cast (self, castString) |
| def | v (self) |
| Do the actual reading and decoding of this member. | |
| def | __format__ (self, formatspec) |
| def | __str__ (self) |
| def | __repr__ (self) |
| def | d (self) |
| Display diagnostic information. | |
| def | __getstate__ (self) |
| This controls how we pickle and unpickle the objects. | |
| def | __setstate__ (self, state) |
Additional Inherited Members | |
| Public Attributes inherited from volatility.obj.CType | |
| members | |
| struct_size | |
| Public Attributes inherited from volatility.obj.BaseObject | |
| obj_offset | |
| obj_vm | |
A class for Desktop objects.
| def volatility.plugins.gui.win32k_core.tagDESKTOP.hook_params | ( | self | ) |
Parameters for the hooks() method.
These are split out into a function so it can be subclassed by tagTHREADINFO.
| def volatility.plugins.gui.win32k_core.tagDESKTOP.hooks | ( | self | ) |
Generator for tagHOOK info.
Hooks are carved using the same algorithm, but different starting points for desktop hooks and thread hooks. Thus the algorithm is presented in this function and the starting point is acquired by calling hook_params (which is then sub- classed by tagTHREADINFO.
| def volatility.plugins.gui.win32k_core.tagDESKTOP.windows | ( | self, | |
| win, | |||
filter = lambda x: True, |
|||
level = 0 |
|||
| ) |
Traverses windows in their Z order, bottom to top.
| win | an HWND to start. Usually this is the desktop window currently in focus. |
| filter | a callable (usually lambda) to use for filtering the results. See below for examples: |
filter = lambda x : x.lpfnWndProc == x.pcls.lpfnWndProc
filter = lambda x : str(x.head.pti.ppi.Process.ImageFileName).lower() \ == "csrss.exe" if x.head.pti.ppi else False
filter = lambda x : x.head.pti.pEThread.Cid.UniqueThread == 0x1020
filter = lambda x : 'WS_VISIBLE' not in x.get_flags()
1.8.9.1