Public Member Functions
    def object_offset(self, found, address_space)
        The name of this function "object_offset" can be misleading depending on how it's used.
    def scan

Public Member Functions inherited from volatility.scan.BaseScanner
    def __init__
    def check_addr(self, found)
        This calls all our constraints on the offset found and returns the number of constraints that matched.
    def scan

Additional Inherited Members

Public Attributes inherited from volatility.scan.BaseScanner
    buffer
    window_size
    constraints
        Build our constraints from the specified ScannerCheck classes.
    error_count

Static Public Attributes inherited from volatility.scan.BaseScanner
    list checks = []
    int overlap = 20
def volatility.poolscan.SinglePoolScanner.object_offset(self, found, address_space)
The name of this function "object_offset" can be misleading depending on how it's used.
Even before removing the preambles (r1324), it did not always return the offset of an object. Here are the rules:
If you subclass PoolScanner and do not override this function, it will return the offset of _POOL_HEADER. If you do override this function, it should be used to calculate and return the offset of your desired object within the pool. Thus there are two different ways it can be done.
Example 1.
For an example of subclassing PoolScanner and not overriding this function, see filescan.PoolScanFile. In this case, the plugin (filescan.FileScan) treats the offset returned by this function as the start of _POOL_HEADER and then works out the object from the bottom up:

    import volatility.obj as obj
    from volatility.plugins.filescan import PoolScanFile

    for offset in PoolScanFile().scan(address_space):
        # offset is the start of _POOL_HEADER, not of the _FILE_OBJECT
        pool_obj = obj.Object("_POOL_HEADER", vm = address_space, offset = offset)
        ##
        ## Work out the object's base here
        ##
Example 2.
For an example of subclassing PoolScanner and overriding this function, see filescan.PoolScanProcess. In this case, the "work" described above is done here (in the subclassed object_offset). Thus the plugin (filescan.PSScan) can directly instantiate _EPROCESS from the offset we return:

    import volatility.obj as obj
    from volatility.plugins.filescan import PoolScanProcess

    for offset in PoolScanProcess().scan(address_space):
        # offset is already the _EPROCESS base; kernel_as is the kernel address space
        eprocess = obj.Object('_EPROCESS', vm = address_space, native_vm = kernel_as, offset = offset)
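The two conventions above (Example 1: scan() yields the _POOL_HEADER offset and the caller works the object out; Example 2: the subclass overrides object_offset so scan() yields the object itself), worked through against constructed sample memory. This is an added toy model, not Volatility's own code: the 8-byte pool header layout, the TOY1 tag, the ToyPoolScanner and ToyPoolScanObject classes and the read_object_id helper are all assumptions standing in for _POOL_HEADER, the real scanner classes and obj.Object.

```python
import struct

# Toy model of the object_offset contract described in the docstring above.
# Nothing here is Volatility's code; the pool layout, tag and class names are
# constructed for illustration only.

POOL_HEADER_SIZE = 8          # assumed toy header: u16 prev_size, u16 block_size, 4-byte tag
TAG_OFFSET_IN_HEADER = 4      # the tag is the last 4 bytes of the toy header
TOY_TAG = b"TOY1"             # constructed tag, not a real Windows pool tag


def make_pool_block(object_id, payload_size=16):
    """Build one fake pool allocation: toy header followed by a payload whose
    first 4 bytes hold a little-endian object id (constructed sample data)."""
    block_size = (POOL_HEADER_SIZE + payload_size) // 8
    header = struct.pack("<HH4s", 0, block_size, TOY_TAG)
    payload = struct.pack("<I", object_id).ljust(payload_size, b"\x00")
    return header + payload


# Constructed "physical memory": filler, two tagged blocks, more filler.
SAMPLE_MEMORY = (
    b"\x00" * 32
    + make_pool_block(0x1111)
    + b"\xff" * 8
    + make_pool_block(0x2222)
    + b"\x00" * 8
)


class ToyPoolScanner:
    """Analogue of a PoolScanner subclass that does NOT override object_offset
    (Example 1): scan() yields the offset of the pool header, and the caller
    must work out where the object lives."""
    tag = TOY_TAG

    def object_offset(self, found, address_space):
        # 'found' is where the tag matched; step back to the header start.
        return found - TAG_OFFSET_IN_HEADER

    def check_addr(self, found, address_space):
        # One constraint, in the spirit of BaseScanner.check_addr: the match
        # must leave room for a whole header, and block_size must be non-zero.
        header = found - TAG_OFFSET_IN_HEADER
        if header < 0:
            return False
        _, block_size = struct.unpack_from("<HH", address_space, header)
        return block_size != 0

    def scan(self, address_space):
        start = 0
        while True:
            found = address_space.find(self.tag, start)
            if found < 0:
                return
            if self.check_addr(found, address_space):
                yield self.object_offset(found, address_space)
            start = found + 1


class ToyPoolScanObject(ToyPoolScanner):
    """Analogue of a subclass that overrides object_offset (Example 2): scan()
    yields the object's own offset, so the caller can instantiate it directly."""

    def object_offset(self, found, address_space):
        header = super().object_offset(found, address_space)
        return header + POOL_HEADER_SIZE


def read_object_id(address_space, object_offset):
    """Stand-in for obj.Object(...): read the toy object's 4-byte id."""
    return struct.unpack_from("<I", address_space, object_offset)[0]


def scan_bottom_up(address_space):
    """Example 1 pattern: offsets are pool header starts; the caller adds the
    header size itself to reach the object."""
    return [read_object_id(address_space, off + POOL_HEADER_SIZE)
            for off in ToyPoolScanner().scan(address_space)]


def scan_direct(address_space):
    """Example 2 pattern: offsets already point at the object."""
    return [read_object_id(address_space, off)
            for off in ToyPoolScanObject().scan(address_space)]


if __name__ == "__main__":
    print(list(ToyPoolScanner().scan(SAMPLE_MEMORY)))     # header offsets
    print(list(ToyPoolScanObject().scan(SAMPLE_MEMORY)))  # object offsets
    print(scan_bottom_up(SAMPLE_MEMORY), scan_direct(SAMPLE_MEMORY))
```

Both callers recover the same objects; the difference is only where the header-to-object arithmetic lives, which is exactly the point of the docstring. The check_addr constraint also shows why a scanner should validate a hit before converting it: a tag match in the first few bytes of the buffer has no room for a header in front of it and is dropped rather than yielding a negative offset.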