 |
The Volatility Framework
|
|
|
The Volatility Framework
|
|
Print system-wide notification routines. More...
Public Member Functions | |
| def | calculate (self) |
| def | unified_output (self, data) |
| def | generator (self, data) |
| def | render_text (self, outfd, data) |
 Public Member Functions inherited from volatility.plugins.common.AbstractScanCommand | |
| def | __init__ (self, config, args, kwargs) |
| def | calculate (self) |
| def | offset_column (self) |
| def | scan_results (self, addr_space) |
| Public Member Functions inherited from volatility.commands.Command | |
| def | __init__ (self, config, _args, _kwargs) |
| Constructor uses args as an initializer. More... | |
| def | help (cls) |
| This function returns a string that will be displayed when a user lists available plugins. | |
| def | calculate (self) |
| This function is responsible for performing all calculations. More... | |
| def | execute (self) |
| Executes the plugin command. More... | |
| def | format_value (self, value, fmt) |
| Formats an individual field using the table formatting codes. | |
| def | table_header |
| Table header renders the title row of a table. More... | |
| def | table_row (self, outfd, args) |
| Outputs a single row of a table. | |
| def | text_cell_renderers (self, columns) |
| Returns default renderers for the columns listed. | |
| def | unified_output (self, data) |
| def | render_text (self, outfd, data) |
| def | render_greptext (self, outfd, data) |
| def | render_json (self, outfd, data) |
| def | render_sqlite (self, outfd, data) |
| def | render_dot (self, outfd, data) |
| def | render_html (self, outfd, data) |
| def | render_xlsx (self, outfd, data) |
Static Public Member Functions | |
| def | get_kernel_callbacks (nt_mod) |
| Enumerate the Create Process, Create Thread, and Image Load callbacks. More... | |
| def | get_bugcheck_callbacks (addr_space) |
| Enumerate generic Bugcheck callbacks. More... | |
| def | get_registry_callbacks_legacy (nt_mod) |
| Enumerate registry change callbacks. More... | |
| def | get_bugcheck_reason_callbacks (nt_mod) |
| Enumerate Bugcheck Reason callbacks. More... | |
| Static Public Member Functions inherited from volatility.plugins.common.AbstractWindowsCommand | |
| def | is_valid_profile (profile) |
| Static Public Member Functions inherited from volatility.commands.Command | |
| def | register_options (config) |
| Registers options into a config object provided. | |
| def | is_valid_profile (profile) |
Static Public Attributes | |
| list | scanners = [PoolScanFSCallback, PoolScanShutdownCallback, PoolScanGenericCallback] |
| Static Public Attributes inherited from volatility.plugins.common.AbstractScanCommand | |
| list | scanners = [] |
| Static Public Attributes inherited from volatility.commands.Command | |
| string | op = "" |
| string | opts = "" |
| string | args = "" |
| string | cmdname = "" |
| dictionary | meta_info = {} |
| elide_data = True | |
| string | tablesep = " " |
| text_sort_column = None | |
| dictionary | text_stock_renderers |
Print system-wide notification routines.
|
static |
Enumerate generic Bugcheck callbacks.
Note: These structures don't exist in tagged pools, but you can find them via KDDEBUGGER_DATA64 on all versions of Windows.
|
static |
Enumerate Bugcheck Reason callbacks.
Note: These structures don't exist in tagged pools, so we find them by locating the list head which is a non-exported NT symbol. The method works on all x86 versions of Windows.
mov [eax+KBUGCHECK_REASON_CALLBACK_RECORD.Entry.Blink], \ offset _KeBugCheckReasonCallbackListHead
|
static |
Enumerate the Create Process, Create Thread, and Image Load callbacks.
On some systems, the byte sequences will be inaccurate or the exported function will not be found. In these cases, the PoolScanGenericCallback scanner will pick up the pool associated with the callbacks.
|
static |
Enumerate registry change callbacks.
This method of finding a global variable via disassembly of the CmRegisterCallback function is only for XP systems. If it fails on XP you can still find the callbacks using PoolScanGenericCallback.
On Vista and Windows 7, these callbacks are registered using the CmRegisterCallbackEx function.
1.8.9.1