The Volatility Framework
volatility.plugins.dumpfiles.DumpFiles Class Reference

Extract memory mapped and cached files. More...

Inheritance: volatility.plugins.dumpfiles.DumpFiles derives from volatility.plugins.common.AbstractWindowsCommand, which in turn derives from volatility.commands.Command.

Public Member Functions

def __init__ (self, config, args, kwargs)

def filter_tasks (self, tasks)
 Reduce the tasks based on the user selectable PIDS parameter.

def audited_read_bytes (self, vm, vaddr, length, pad)
 This function provides an audited zread capability.

def calculate (self)
 Finds all the requested FILE_OBJECTS.

def unified_output (self, data)

def generator (self, data)

def render_text (self, outfd, data)
 Renders output for the dumpfiles plugin.
 
- Public Member Functions inherited from volatility.commands.Command
def __init__ (self, config, _args, _kwargs)
 Constructor uses args as an initializer.

def help (cls)
 This function returns a string that will be displayed when a user lists available plugins.

def calculate (self)
 This function is responsible for performing all calculations.

def execute (self)
 Executes the plugin command.

def format_value (self, value, fmt)
 Formats an individual field using the table formatting codes.

def table_header
 Table header renders the title row of a table.
 
def table_row (self, outfd, args)
 Outputs a single row of a table.
 
def text_cell_renderers (self, columns)
 Returns default renderers for the columns listed.
 
def unified_output (self, data)
 
def render_text (self, outfd, data)
 
def render_greptext (self, outfd, data)
 
def render_json (self, outfd, data)
 
def render_sqlite (self, outfd, data)
 
def render_dot (self, outfd, data)
 
def render_html (self, outfd, data)
 
def render_xlsx (self, outfd, data)
 

Public Attributes

 kaddr_space
 
 filters
 

Additional Inherited Members

- Static Public Member Functions inherited from volatility.plugins.common.AbstractWindowsCommand
def is_valid_profile (profile)
 
- Static Public Member Functions inherited from volatility.commands.Command
def register_options (config)
 Registers options into a config object provided.
 
def is_valid_profile (profile)
 
- Static Public Attributes inherited from volatility.commands.Command
string op = ""
 
string opts = ""
 
string args = ""
 
string cmdname = ""
 
dictionary meta_info = {}
 
 elide_data = True
 
string tablesep = " "
 
 text_sort_column = None
 
dictionary text_stock_renderers
 

Detailed Description

Extract memory mapped and cached files.

Member Function Documentation

def volatility.plugins.dumpfiles.DumpFiles.audited_read_bytes (self, vm, vaddr, length, pad)

This function provides an audited zread capability.

It performs a similar function to zread, in that it will pad "invalid" pages. The main difference is that it allows us to collect auditing information about which pages were actually present and which ones were padded.

Args:
 vm: The address space to read the data from.
 vaddr: The virtual address to start reading the data from.
 length: How many bytes to read.
 pad: This argument controls if the unavailable bytes are padded.

Returns:
 ret: Data that was read.
 mdata: List of pages that are memory resident.
 zpad: List of pages that are not memory resident.

Raises:
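The page-by-page audited read described above, as an added example that is not Volatility's own code: the address space class, the PAGE_SIZE constant and the exact return layout ([vaddr, size] chunk lists, zero-fill when pad is true, omission when it is false) are assumptions made for this illustration.

```python
PAGE_SIZE = 0x1000


class ConstructedAddressSpace:
    """Constructed stand-in for a Volatility address space (an assumption of
    this example, not the framework's class). Only page bases listed in
    `pages` are resident; read() returns None when the range is not resident,
    mirroring the read()/zread() distinction the docstring refers to."""

    def __init__(self, pages):
        self.pages = pages  # {page_base: bytes of length PAGE_SIZE}

    def read(self, vaddr, length):
        base = vaddr & ~(PAGE_SIZE - 1)
        if base not in self.pages or vaddr + length > base + PAGE_SIZE:
            return None
        off = vaddr - base
        return self.pages[base][off:off + length]


def audited_read_bytes(vm, vaddr, length, pad):
    """Read `length` bytes at `vaddr` one page-bounded chunk at a time.

    Returns (ret, mdata, zpad): the data, the [vaddr, size] chunks that were
    memory resident, and the [vaddr, size] chunks that were not. With
    pad=True the missing chunks are zero-filled in `ret`; with pad=False
    they are omitted from `ret` but still recorded in `zpad`."""
    ret = b""
    mdata, zpad = [], []
    while length > 0:
        # Never cross a page boundary, so residency is decided per page.
        chunk_len = min(length, PAGE_SIZE - (vaddr % PAGE_SIZE))
        buf = vm.read(vaddr, chunk_len)
        if buf is None:
            zpad.append([vaddr, chunk_len])
            buf = b"\x00" * chunk_len if pad else b""
        else:
            mdata.append([vaddr, chunk_len])
        ret += buf
        vaddr += chunk_len
        length -= chunk_len
    return ret, mdata, zpad


def demo(pad=True):
    # Constructed sample: pages 0x1000 and 0x3000 resident, 0x2000 paged out.
    vm = ConstructedAddressSpace({0x1000: b"A" * PAGE_SIZE,
                                  0x3000: b"C" * PAGE_SIZE})
    # A read that starts 16 bytes before the hole and ends 16 bytes after it.
    return audited_read_bytes(vm, 0x1FF0, 0x1020, pad)
```

The zpad list is what lets the plugin report which parts of a dumped file are zero-filled rather than silently passing padded bytes off as file content.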

def volatility.plugins.dumpfiles.DumpFiles.calculate (self)

Finds all the requested FILE_OBJECTS.

Traverses the VAD and HandleTable to find all requested FILE_OBJECTS.

def volatility.plugins.dumpfiles.DumpFiles.filter_tasks (self, tasks)

Reduce the tasks based on the user selectable PIDS parameter.

Returns a reduced list or the full list if config.PIDS not specified.

def volatility.plugins.dumpfiles.DumpFiles.render_text (self, outfd, data)

Renders output for the dumpfiles plugin.

This includes extracting the file artifacts from memory to the specified dump directory.

Args:
 outfd: The file descriptor to write the text to.
 data: (summaryinfo)
