List desktop and thread window message hooks. More...

Inheritance diagram for volatility.plugins.gui.messagehooks.MessageHooks:

Public Member Functions
def	calculate (self)

def	translate_atom (self, winsta, atom_tables, atom_id)
	Translate an atom into an atom name. More...

def	translate_hmod (self, winsta, atom_tables, index)
	Translate an ihmod (index into a handle table) into an atom. More...

def	render_text (self, outfd, data)
	Render output in table form.

def	render_block (self, outfd, data)
	Render output as a block.

Public Member Functions inherited from volatility.plugins.gui.atoms.Atoms
def	calculate (self)

def	unified_output (self, data)

def	generator (self, data)

def	render_text (self, outfd, data)

Public Member Functions inherited from volatility.commands.Command
def	__init__ (self, config, _args, _kwargs)
	Constructor uses args as an initializer. More...

def	help (cls)
	This function returns a string that will be displayed when a user lists available plugins.

def	calculate (self)
	This function is responsible for performing all calculations. More...

def	execute (self)
	Executes the plugin command. More...

def	format_value (self, value, fmt)
	Formats an individual field using the table formatting codes.

def	table_header
	Table header renders the title row of a table. More...

def	table_row (self, outfd, args)
	Outputs a single row of a table.

def	text_cell_renderers (self, columns)
	Returns default renderers for the columns listed.

def	unified_output (self, data)

def	render_text (self, outfd, data)

def	render_greptext (self, outfd, data)

def	render_json (self, outfd, data)

def	render_sqlite (self, outfd, data)

def	render_dot (self, outfd, data)

def	render_html (self, outfd, data)

def	render_xlsx (self, outfd, data)

Public Member Functions inherited from volatility.plugins.gui.sessions.SessionsMixin
def	session_spaces (self, kernel_space)
	Generators unique _MM_SESSION_SPACE objects referenced by active processes. More...

def	find_session_space (self, kernel_space, session_id)
	Get a session address space by its ID. More...

Additional Inherited Members
Static Public Member Functions inherited from volatility.plugins.common.AbstractWindowsCommand
def	is_valid_profile (profile)

Static Public Member Functions inherited from volatility.commands.Command
def	register_options (config)
	Registers options into a config object provided.

def	is_valid_profile (profile)

Static Public Attributes inherited from volatility.plugins.gui.atoms.Atoms
string	text_sort_column = "Atom"

Static Public Attributes inherited from volatility.commands.Command
string	op = ""

string	opts = ""

string	args = ""

string	cmdname = ""

dictionary	meta_info = {}

	elide_data = True

string	tablesep = " "

	text_sort_column = None

dictionary	text_stock_renderers

Detailed Description

List desktop and thread window message hooks.

Member Function Documentation

def volatility.plugins.gui.messagehooks.MessageHooks.translate_atom	(	self,
		winsta,
		atom_tables,
		atom_id
	)

Translate an atom into an atom name.

Parameters

winsta	a tagWINDOWSTATION in the proper session space
atom_tables	a dictionary with _RTL_ATOM_TABLE instances as the keys and owning window stations as the values.
index	the index into the atom handle table.

def volatility.plugins.gui.messagehooks.MessageHooks.translate_hmod	(	self,
		winsta,
		atom_tables,
		index
	)

Translate an ihmod (index into a handle table) into an atom.

This requires locating the win32k!_aatomSysLoaded symbol. If the symbol cannot be found, we'll just report back the ihmod value.

Parameters

winsta	a tagWINDOWSTATION in the proper session space
atom_tables	a dictionary with _RTL_ATOM_TABLE instances as the keys and owning window stations as the values.
index	the index into the atom handle table.

The documentation for this class was generated from the following file:

volatility/plugins/gui/messagehooks.py

Public Member Functions

Additional Inherited Members

Detailed Description

Member Function Documentation