The Volatility Framework
volatility.plugins.overlays.windows.windows._POOL_HEADER Class Reference

A class for pool headers.

Inheritance for volatility.plugins.overlays.windows.windows._POOL_HEADER:
Inherits volatility.obj.CType (which inherits volatility.obj.BaseObject); subclassed by volatility.plugins.overlays.windows.vista._POOL_HEADER.

Public Member Functions

def FreePool (self)
 
def NonPagedPool (self)
 
def PagedPool (self)
 
def get_object_bottom_up (self, struct_name, object_type, skip_type_check)
 Get the Windows object contained within this pool by using the bottom-up approach to finding the object.
 
def get_object_top_down (self, object_name, object_type, _skip_type_check)
 On Windows 8, pool allocations are done from preset sizes.
 
def get_object (self, struct_name, object_type=None, use_top_down=False, skip_type_check=False)
 Get the Windows object contained within this pool using whichever method is best for the target OS.
 
- Public Member Functions inherited from volatility.obj.CType
def __init__ (self, theType, offset, vm, name=None, members=None, struct_size=0, kwargs)
 This must be instantiated with a dict of members.
 
def size (self)
 
def __repr__ (self)
 
def d (self)
 
def v (self)
 When a struct is evaluated we just return our offset.
 
def m (self, attr)
 
def __getattr__ (self, attr)
 
def __setattr__ (self, attr, value)
 Change underlying members.
 
- Public Member Functions inherited from volatility.obj.BaseObject
def __init__ (self, theType, offset, vm, native_vm=None, parent=None, name=None, kwargs)
 
def obj_type (self)
 
def obj_vm (self)
 
def obj_offset (self)
 
def obj_parent (self)
 
def obj_name (self)
 
def obj_native_vm (self)
 
def set_native_vm (self, native_vm)
 Sets the native_vm.
 
def rebase (self, offset)
 
def proxied (self, attr)
 
def newattr (self, attr, value)
 Sets a new attribute after the object has been created.
 
def write (self, value)
 Function for writing the object back to disk.
 
def __getattr__ (self, attr)
 This is only useful for proper methods (not ones that start with __ )
 
def __setattr__ (self, attr, value)
 
def __nonzero__ (self)
 This method is called when we test the truth value of an Object.
 
def __eq__ (self, other)
 
def __ne__ (self, other)
 
def __hash__ (self)
 
def m (self, memname)
 
def is_valid (self)
 
def dereference (self)
 
def dereference_as (self, derefType, kwargs)
 
def cast (self, castString)
 
def v (self)
 Do the actual reading and decoding of this member.
 
def __format__ (self, formatspec)
 
def __str__ (self)
 
def __repr__ (self)
 
def d (self)
 Display diagnostic information.
 
def __getstate__ (self)
 This controls how we pickle and unpickle the objects.
 
def __setstate__ (self, state)
 

Static Public Attributes

int MAX_PREAMBLE = 0x60
 

Additional Inherited Members

- Public Attributes inherited from volatility.obj.CType
 members
 
 struct_size
 
- Public Attributes inherited from volatility.obj.BaseObject
 obj_offset
 
 obj_vm
 

Detailed Description

A class for pool headers.

Member Function Documentation

def volatility.plugins.overlays.windows.windows._POOL_HEADER.get_object (self, struct_name, object_type=None, use_top_down=False, skip_type_check=False)

Get the Windows object contained within this pool using whichever method is best for the target OS.

Parameters
struct_name: the name of the structure to cast, such as _EPROCESS.
object_type: the name of the executive object. If there is no executive object in the pool allocation, then this can be None.
use_top_down: specify the technique we use to find the object within the pool allocation.
skip_type_check: specify if we skip unallocated objects or return them.
def volatility.plugins.overlays.windows.windows._POOL_HEADER.get_object_top_down (self, object_name, object_type, _skip_type_check)

On Windows 8, pool allocations are done from preset sizes.

This means that the allocation is never exactly the same size as the object it holds, so we cannot use the bottom-up method like before.

We therefore have to build the headers forward by checking the preamble size and validity of each object. This is a little slower than with earlier versions of Windows.
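The difference between the two strategies on a constructed pool allocation, as an added example that is not Volatility's own code: POOL_ALIGNMENT, POOL_HEADER_SIZE, the x64 BlockSize field layout and the OBJ_MAGIC validity check are assumptions standing in for VolMagic.PoolAlignment and the object's is_valid() test; only MAX_PREAMBLE = 0x60 comes from this page.

```python
import struct

# Assumptions for this constructed example (only MAX_PREAMBLE is from the page).
POOL_ALIGNMENT = 0x10     # x64 pool granularity
POOL_HEADER_SIZE = 0x10   # sizeof(_POOL_HEADER) on x64
MAX_PREAMBLE = 0x60       # largest optional-header preamble tried (page value)
OBJ_SIZE = 0x20           # size of the constructed object
OBJ_MAGIC = b"OBJ!"       # stands in for the object's is_valid() check


def build_allocation(preamble, slack):
    """Constructed allocation: header, optional headers, object, trailing slack.
    On Windows 8 the slack appears because the block comes from a fixed-size bucket."""
    obj = OBJ_MAGIC + b"\x00" * (OBJ_SIZE - len(OBJ_MAGIC))
    body = b"\x00" * preamble + obj + b"\x00" * slack
    block_size = (POOL_HEADER_SIZE + len(body)) // POOL_ALIGNMENT
    # Assumed x64 _POOL_HEADER layout: BlockSize sits in bits 16..23 of the first dword.
    header = struct.pack("<I", (block_size & 0xFF) << 16) + b"\x00" * (POOL_HEADER_SIZE - 4)
    return header + body


def block_size(alloc):
    return (struct.unpack_from("<I", alloc, 0)[0] >> 16) & 0xFF


def looks_valid(alloc, off):
    return alloc[off:off + len(OBJ_MAGIC)] == OBJ_MAGIC


def get_object_bottom_up(alloc):
    """Pre-Windows 8: assume the object is flush with the end of the allocation."""
    off = block_size(alloc) * POOL_ALIGNMENT - OBJ_SIZE
    return off if off >= POOL_HEADER_SIZE and looks_valid(alloc, off) else None


def get_object_top_down(alloc):
    """Windows 8: walk forward from the header, trying each preamble size."""
    for preamble in range(0, MAX_PREAMBLE + 1, POOL_ALIGNMENT):
        off = POOL_HEADER_SIZE + preamble
        if off + OBJ_SIZE <= len(alloc) and looks_valid(alloc, off):
            return off
    return None


if __name__ == "__main__":
    exact = build_allocation(preamble=0x10, slack=0)      # no slack after the object
    bucket = build_allocation(preamble=0x10, slack=0x20)  # rounded up to a bucket size
    print(get_object_bottom_up(exact), get_object_top_down(exact))    # 32 32
    print(get_object_bottom_up(bucket), get_object_top_down(bucket))  # None 32
```

The bucket-sized allocation is where bottom-up lands in the slack and fails, while the forward walk still recovers the object at the same offset.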


The documentation for this class was generated from the following file: