volatility.plugins.overlays.windows.win7._OBJECT_HEADER Class Reference

A Volatility object to handle Windows 7 object headers. More...

Inheritance diagram for volatility.plugins.overlays.windows.win7._OBJECT_HEADER:

Public Member Functions
def	find_optional_headers (self)
	Find this object's optional headers. More...
def	get_object_type (self)
	Return the object's type as a string.
Public Member Functions inherited from volatility.plugins.overlays.windows.windows._OBJECT_HEADER
def	__init__ (self, args, kwargs)
def	find_optional_headers (self)
	Find this object's optional headers. More...
def	GrantedAccess (self)
def	dereference_as (self, theType)
	Instantiate an object from the _OBJECT_HEADER.Body.
def	get_object_type (self)
	Return the object's type as a string.
def	is_valid (self)
Public Member Functions inherited from volatility.obj.CType
def	__init__ (self, theType, offset, vm, name=None, members=None, struct_size=0, kwargs)
	This must be instantiated with a dict of members. More...
def	size (self)
def	__repr__ (self)
def	d (self)
def	v (self)
	When a struct is evaluated we just return our offset.
def	m (self, attr)
def	__getattr__ (self, attr)
def	__setattr__ (self, attr, value)
	Change underlying members.
Public Member Functions inherited from volatility.obj.BaseObject
def	__init__ (self, theType, offset, vm, native_vm=None, parent=None, name=None, kwargs)
def	obj_type (self)
def	obj_vm (self)
def	obj_offset (self)
def	obj_parent (self)
def	obj_name (self)
def	obj_native_vm (self)
def	set_native_vm (self, native_vm)
	Sets the native_vm.
def	rebase (self, offset)
def	proxied (self, attr)
def	newattr (self, attr, value)
	Sets a new attribute after the object has been created.
def	write (self, value)
	Function for writing the object back to disk.
def	__getattr__ (self, attr)
	This is only useful for proper methods (not ones that start with __ )
def	__setattr__ (self, attr, value)
def	__nonzero__ (self)
	This method is called when we test the truth value of an Object. More...
def	__eq__ (self, other)
def	__ne__ (self, other)
def	__hash__ (self)
def	m (self, memname)
def	is_valid (self)
def	dereference (self)
def	dereference_as (self, derefType, kwargs)
def	cast (self, castString)
def	v (self)
	Do the actual reading and decoding of this member.
def	__format__ (self, formatspec)
def	__str__ (self)
def	__repr__ (self)
def	d (self)
	Display diagnostic information.
def	__getstate__ (self)
	This controls how we pickle and unpickle the objects.
def	__setstate__ (self, state)

Static Public Attributes
dictionary	type_map
tuple	optional_header_mask
Static Public Attributes inherited from volatility.plugins.overlays.windows.windows._OBJECT_HEADER
list	optional_headers

Additional Inherited Members
Public Attributes inherited from volatility.plugins.overlays.windows.windows._OBJECT_HEADER
	HandleValue
Public Attributes inherited from volatility.obj.CType
	members
	struct_size
Public Attributes inherited from volatility.obj.BaseObject
	obj_offset
	obj_vm

Detailed Description

A Volatility object to handle Windows 7 object headers.

Windows 7 changes the way objects are handled: References: http://www.codemachine.com/article_objectheader.html

Member Function Documentation

def volatility.plugins.overlays.windows.win7._OBJECT_HEADER.find_optional_headers

(

self

)

Find this object's optional headers.

Member Data Documentation

tuple volatility.plugins.overlays.windows.win7._OBJECT_HEADER.optional_header_mask

static

Initial value:

= (('CreatorInfo', '_OBJECT_HEADER_CREATOR_INFO', 0x01),
                            ('NameInfo', '_OBJECT_HEADER_NAME_INFO', 0x02),
                            ('HandleInfo', '_OBJECT_HEADER_HANDLE_INFO', 0x04),
                            ('QuotaInfo', '_OBJECT_HEADER_QUOTA_INFO', 0x08),
                            ('ProcessInfo', '_OBJECT_HEADER_PROCESS_INFO', 0x10))

---

The documentation for this class was generated from the following file:

• volatility/plugins/overlays/windows/win7.py