 |
The Volatility Framework
|
|
|
The Volatility Framework
|
|
A class for session spaces. More...
Public Member Functions | |
| def | processes (self) |
| Generator for processes in this session. More... | |
| def | Win32KBase (self) |
| Get the base address of the win32k.sys as mapped into this session's memory. More... | |
| def | images (self) |
| Generator for images (modules) loaded into this session's space. | |
| def | find_gahti (self) |
| Find this session's gahti. More... | |
| def | find_shared_info (self) |
| Find this session's tagSHAREDINFO structure. More... | |
 Public Member Functions inherited from volatility.obj.CType | |
| def | __init__ (self, theType, offset, vm, name=None, members=None, struct_size=0, kwargs) |
| This must be instantiated with a dict of members. More... | |
| def | size (self) |
| def | __repr__ (self) |
| def | d (self) |
| def | v (self) |
| When a struct is evaluated we just return our offset. | |
| def | m (self, attr) |
| def | __getattr__ (self, attr) |
| def | __setattr__ (self, attr, value) |
| Change underlying members. | |
| Public Member Functions inherited from volatility.obj.BaseObject | |
| def | __init__ (self, theType, offset, vm, native_vm=None, parent=None, name=None, kwargs) |
| def | obj_type (self) |
| def | obj_vm (self) |
| def | obj_offset (self) |
| def | obj_parent (self) |
| def | obj_name (self) |
| def | obj_native_vm (self) |
| def | set_native_vm (self, native_vm) |
| Sets the native_vm. | |
| def | rebase (self, offset) |
| def | proxied (self, attr) |
| def | newattr (self, attr, value) |
| Sets a new attribute after the object has been created. | |
| def | write (self, value) |
| Function for writing the object back to disk. | |
| def | __getattr__ (self, attr) |
| This is only useful for proper methods (not ones that start with __ ) | |
| def | __setattr__ (self, attr, value) |
| def | __nonzero__ (self) |
| This method is called when we test the truth value of an Object. More... | |
| def | __eq__ (self, other) |
| def | __ne__ (self, other) |
| def | __hash__ (self) |
| def | m (self, memname) |
| def | is_valid (self) |
| def | dereference (self) |
| def | dereference_as (self, derefType, kwargs) |
| def | cast (self, castString) |
| def | v (self) |
| Do the actual reading and decoding of this member. | |
| def | __format__ (self, formatspec) |
| def | __str__ (self) |
| def | __repr__ (self) |
| def | d (self) |
| Display diagnostic information. | |
| def | __getstate__ (self) |
| This controls how we pickle and unpickle the objects. | |
| def | __setstate__ (self, state) |
Additional Inherited Members | |
| Public Attributes inherited from volatility.obj.CType | |
| members | |
| struct_size | |
| Public Attributes inherited from volatility.obj.BaseObject | |
| obj_offset | |
| obj_vm | |
A class for session spaces.
| def volatility.plugins.gui.win32k_core._MM_SESSION_SPACE.find_gahti | ( | self | ) |
Find this session's gahti.
This can potentially be much faster by searching for '\0' * sizeof(tagHANDLETYPEINFO) instead of moving on a dword aligned boundary through the section.
| def volatility.plugins.gui.win32k_core._MM_SESSION_SPACE.find_shared_info | ( | self | ) |
Find this session's tagSHAREDINFO structure.
This structure is embedded in win32k's .data section, (i.e. not in dynamically allocated memory). Thus we iterate over each DWORD-aligned possibility and treat it as a tagSHAREDINFO until the sanity checks are met.
| def volatility.plugins.gui.win32k_core._MM_SESSION_SPACE.processes | ( | self | ) |
Generator for processes in this session.
A process is always associated with exactly one session.
| def volatility.plugins.gui.win32k_core._MM_SESSION_SPACE.Win32KBase | ( | self | ) |
Get the base address of the win32k.sys as mapped into this session's memory.
Since win32k.sys is always the first image to be mapped, we can just grab the first list entry.
Update: we no longer use the session image list, because it seems to have gone away in Win8/2012.
1.8.9.1