 |
The Volatility Framework
|
|
|
The Volatility Framework
|
|
An extensive _EPROCESS with bells and whistles. More...
Public Member Functions | |
| def | Peb (self) |
| Returns a _PEB object which is using the process address space. More... | |
| def | get_process_address_space (self) |
| Gets a process address space for a task given in _EPROCESS. | |
| def | get_init_modules (self) |
| def | get_mem_modules (self) |
| def | get_load_modules (self) |
| def | get_token (self) |
| Return the process's TOKEN object if its valid. | |
| def | IsWow64 (self) |
| Returns True if this is a wow64 process. | |
| def | SessionId (self) |
| Returns the Session ID of the process. | |
| def | get_vads |
| Generator for MMVADs that match specific metadata. More... | |
| def | search_process_memory |
| Search memory for a simple byte string. More... | |
| def | environment_variables (self) |
| Generator for environment variables. More... | |
| def | is_valid (self) |
 Public Member Functions inherited from volatility.obj.CType | |
| def | __init__ (self, theType, offset, vm, name=None, members=None, struct_size=0, kwargs) |
| This must be instantiated with a dict of members. More... | |
| def | size (self) |
| def | __repr__ (self) |
| def | d (self) |
| def | v (self) |
| When a struct is evaluated we just return our offset. | |
| def | m (self, attr) |
| def | __getattr__ (self, attr) |
| def | __setattr__ (self, attr, value) |
| Change underlying members. | |
| Public Member Functions inherited from volatility.obj.BaseObject | |
| def | __init__ (self, theType, offset, vm, native_vm=None, parent=None, name=None, kwargs) |
| def | obj_type (self) |
| def | obj_vm (self) |
| def | obj_offset (self) |
| def | obj_parent (self) |
| def | obj_name (self) |
| def | obj_native_vm (self) |
| def | set_native_vm (self, native_vm) |
| Sets the native_vm. | |
| def | rebase (self, offset) |
| def | proxied (self, attr) |
| def | newattr (self, attr, value) |
| Sets a new attribute after the object has been created. | |
| def | write (self, value) |
| Function for writing the object back to disk. | |
| def | __getattr__ (self, attr) |
| This is only useful for proper methods (not ones that start with __ ) | |
| def | __setattr__ (self, attr, value) |
| def | __nonzero__ (self) |
| This method is called when we test the truth value of an Object. More... | |
| def | __eq__ (self, other) |
| def | __ne__ (self, other) |
| def | __hash__ (self) |
| def | m (self, memname) |
| def | is_valid (self) |
| def | dereference (self) |
| def | dereference_as (self, derefType, kwargs) |
| def | cast (self, castString) |
| def | v (self) |
| Do the actual reading and decoding of this member. | |
| def | __format__ (self, formatspec) |
| def | __str__ (self) |
| def | __repr__ (self) |
| def | d (self) |
| Display diagnostic information. | |
| def | __getstate__ (self) |
| This controls how we pickle and unpickle the objects. | |
| def | __setstate__ (self, state) |
| Public Member Functions inherited from volatility.plugins.overlays.windows.windows.ExecutiveObjectMixin | |
| def | get_object_header (self) |
Additional Inherited Members | |
| Public Attributes inherited from volatility.obj.CType | |
| members | |
| struct_size | |
| Public Attributes inherited from volatility.obj.BaseObject | |
| obj_offset | |
| obj_vm | |
An extensive _EPROCESS with bells and whistles.
| def volatility.plugins.overlays.windows.windows._EPROCESS.environment_variables | ( | self | ) |
Generator for environment variables.
The PEB points to our env block - a series of null-terminated unicode strings. Each string cannot be more than 0x7FFF chars. End of the list is a quad-null.
| def volatility.plugins.overlays.windows.windows._EPROCESS.get_vads | ( | self, | |
vad_filter = None, |
|||
skip_max_commit = False |
|||
| ) |
Generator for MMVADs that match specific metadata.
| vad_filter | a callable that is passed the current MMVAD and applies tests to the MMVAD struct members or nested struct members. |
| skip_max_commit | boolean, if true then VADs for Wow64 processes with the MM_MAX_COMMIT flag set will not be yielded. |
a tuple (mmvad, address_space). Where mmvad is the MMVAD object in kernel AS and address_space is the process address space.
| def volatility.plugins.overlays.windows.windows._EPROCESS.Peb | ( | self | ) |
Returns a _PEB object which is using the process address space.
The PEB structure is referencing back into the process address space so we need to switch address spaces when we look at it. This method ensure this happens automatically.
| def volatility.plugins.overlays.windows.windows._EPROCESS.search_process_memory | ( | self, | |
| s, | |||
vad_filter = None |
|||
| ) |
Search memory for a simple byte string.
FIXME: as of 2.3 this parameter can also be a list to search for mutliple strings concurrently. The single string will be deprecated in 3.0.
| s | the string to search for. |
1.8.9.1