 |
The Volatility Framework
|
|
|
The Volatility Framework
|
|
A class for Windowstation objects. More...
Public Member Functions | |
| def | is_valid (self) |
| def | PhysicalAddress (self) |
| This is a simple wrapper to always return the object's physical offset regardless of what AS its instantiated in. | |
| def | LastRegisteredViewer (self) |
| The EPROCESS of the last registered clipboard viewer. | |
| def | AtomTable (self) |
| This atom table belonging to this window station object. | |
| def | Interactive (self) |
| Check if a window station is interactive. | |
| def | Name (self) |
| Get the window station name. More... | |
| def | traverse (self) |
| A generator that yields window station objects. | |
| def | desktops (self) |
| A generator that yields the window station's desktops. | |
 Public Member Functions inherited from volatility.obj.CType | |
| def | __init__ (self, theType, offset, vm, name=None, members=None, struct_size=0, kwargs) |
| This must be instantiated with a dict of members. More... | |
| def | size (self) |
| def | __repr__ (self) |
| def | d (self) |
| def | v (self) |
| When a struct is evaluated we just return our offset. | |
| def | m (self, attr) |
| def | __getattr__ (self, attr) |
| def | __setattr__ (self, attr, value) |
| Change underlying members. | |
| Public Member Functions inherited from volatility.obj.BaseObject | |
| def | __init__ (self, theType, offset, vm, native_vm=None, parent=None, name=None, kwargs) |
| def | obj_type (self) |
| def | obj_vm (self) |
| def | obj_offset (self) |
| def | obj_parent (self) |
| def | obj_name (self) |
| def | obj_native_vm (self) |
| def | set_native_vm (self, native_vm) |
| Sets the native_vm. | |
| def | rebase (self, offset) |
| def | proxied (self, attr) |
| def | newattr (self, attr, value) |
| Sets a new attribute after the object has been created. | |
| def | write (self, value) |
| Function for writing the object back to disk. | |
| def | __getattr__ (self, attr) |
| This is only useful for proper methods (not ones that start with __ ) | |
| def | __setattr__ (self, attr, value) |
| def | __nonzero__ (self) |
| This method is called when we test the truth value of an Object. More... | |
| def | __eq__ (self, other) |
| def | __ne__ (self, other) |
| def | __hash__ (self) |
| def | m (self, memname) |
| def | is_valid (self) |
| def | dereference (self) |
| def | dereference_as (self, derefType, kwargs) |
| def | cast (self, castString) |
| def | v (self) |
| Do the actual reading and decoding of this member. | |
| def | __format__ (self, formatspec) |
| def | __str__ (self) |
| def | __repr__ (self) |
| def | d (self) |
| Display diagnostic information. | |
| def | __getstate__ (self) |
| This controls how we pickle and unpickle the objects. | |
| def | __setstate__ (self, state) |
Additional Inherited Members | |
| Public Attributes inherited from volatility.obj.CType | |
| members | |
| struct_size | |
| Public Attributes inherited from volatility.obj.BaseObject | |
| obj_offset | |
| obj_vm | |
A class for Windowstation objects.
| def volatility.plugins.gui.win32k_core.tagWINDOWSTATION.Name | ( | self | ) |
Get the window station name.
Since window stations are securable objects, and are managed by the same object manager as processes, threads, etc, there is an object header which stores the name.
1.8.9.1