volatility.plugins.gui.win32k_core._RTL_ATOM_TABLE Class Reference

A class for atom tables. More...

Inheritance diagram for volatility.plugins.gui.win32k_core._RTL_ATOM_TABLE:

Public Member Functions
def	__init__ (self, args, kwargs)
	Give ourselves an atom cache for quick lookups.
def	is_valid (self)
	Check for validity based on the atom table signature and the maximum allowed number of buckets.
def	NumBuckets (self)
	Dynamically retrieve the number of atoms in the hash table. More...
def	atoms (self)
	Carve all atoms out of this atom table.
def	find_atom (self, atom_to_find)
	Find an atom by its ID. More...
Public Member Functions inherited from volatility.plugins.gui.win32k_core.tagWINDOWSTATION
def	is_valid (self)
def	PhysicalAddress (self)
	This is a simple wrapper to always return the object's physical offset regardless of what AS its instantiated in.
def	LastRegisteredViewer (self)
	The EPROCESS of the last registered clipboard viewer.
def	AtomTable (self)
	This atom table belonging to this window station object.
def	Interactive (self)
	Check if a window station is interactive.
def	Name (self)
	Get the window station name. More...
def	traverse (self)
	A generator that yields window station objects.
def	desktops (self)
	A generator that yields the window station's desktops.
Public Member Functions inherited from volatility.obj.CType
def	__init__ (self, theType, offset, vm, name=None, members=None, struct_size=0, kwargs)
	This must be instantiated with a dict of members. More...
def	size (self)
def	__repr__ (self)
def	d (self)
def	v (self)
	When a struct is evaluated we just return our offset.
def	m (self, attr)
def	__getattr__ (self, attr)
def	__setattr__ (self, attr, value)
	Change underlying members.
Public Member Functions inherited from volatility.obj.BaseObject
def	__init__ (self, theType, offset, vm, native_vm=None, parent=None, name=None, kwargs)
def	obj_type (self)
def	obj_vm (self)
def	obj_offset (self)
def	obj_parent (self)
def	obj_name (self)
def	obj_native_vm (self)
def	set_native_vm (self, native_vm)
	Sets the native_vm.
def	rebase (self, offset)
def	proxied (self, attr)
def	newattr (self, attr, value)
	Sets a new attribute after the object has been created.
def	write (self, value)
	Function for writing the object back to disk.
def	__getattr__ (self, attr)
	This is only useful for proper methods (not ones that start with __ )
def	__setattr__ (self, attr, value)
def	__nonzero__ (self)
	This method is called when we test the truth value of an Object. More...
def	__eq__ (self, other)
def	__ne__ (self, other)
def	__hash__ (self)
def	m (self, memname)
def	is_valid (self)
def	dereference (self)
def	dereference_as (self, derefType, kwargs)
def	cast (self, castString)
def	v (self)
	Do the actual reading and decoding of this member.
def	__format__ (self, formatspec)
def	__str__ (self)
def	__repr__ (self)
def	d (self)
	Display diagnostic information.
def	__getstate__ (self)
	This controls how we pickle and unpickle the objects.
def	__setstate__ (self, state)

Public Attributes
	atom_cache
	Signature
Public Attributes inherited from volatility.obj.CType
	members
	struct_size
Public Attributes inherited from volatility.obj.BaseObject
	obj_offset
	obj_vm

Detailed Description

A class for atom tables.

Member Function Documentation

def volatility.plugins.gui.win32k_core._RTL_ATOM_TABLE.find_atom	(		self,
			atom_to_find
	)

Find an atom by its ID.

Parameters

atom_to_find

the atom ID (ushort) to find

Returns

an _RTL_ATOM_TALE_ENTRY object

def volatility.plugins.gui.win32k_core._RTL_ATOM_TABLE.NumBuckets

(

self

)

Dynamically retrieve the number of atoms in the hash table.

First we take into account the offset from the current profile but if it fails and the profile is Win7SP1x64 then we auto set it to the value found in the recently patched versions.

This is a temporary fix until we have support better support for parsing pdb symbols on the fly.

---

The documentation for this class was generated from the following file:

• volatility/plugins/gui/win32k_core.py