The Volatility Framework
volatility.obj.CType Class Reference

A CType is an object which represents a C struct.

Inheritance diagram for volatility.obj.CType: [diagram not reproduced] CType derives from volatility.obj.BaseObject and is subclassed by the structure classes defined under volatility.plugins (addrspaces, crashinfo, dumpcerts, dumpfiles, gui, iehistory, linux, mac, malware, mbrparser, mftparser, netscan, notepad, overlays, registry).

Public Member Functions

def __init__ (self, theType, offset, vm, name=None, members=None, struct_size=0, **kwargs)
 This must be instantiated with a dict of members.
 
def size (self)
 
def __repr__ (self)
 
def d (self)
 
def v (self)
 When a struct is evaluated we just return our offset.
 
def m (self, attr)
 
def __getattr__ (self, attr)
 
def __setattr__ (self, attr, value)
 Change underlying members.
 
Public Member Functions inherited from volatility.obj.BaseObject
def __init__ (self, theType, offset, vm, native_vm=None, parent=None, name=None, **kwargs)
 
def obj_type (self)
 
def obj_vm (self)
 
def obj_offset (self)
 
def obj_parent (self)
 
def obj_name (self)
 
def obj_native_vm (self)
 
def set_native_vm (self, native_vm)
 Sets the native_vm.
 
def rebase (self, offset)
 
def proxied (self, attr)
 
def newattr (self, attr, value)
 Sets a new attribute after the object has been created.
 
def write (self, value)
 Function for writing the object back to disk.
 
def __getattr__ (self, attr)
 This is only useful for proper methods (not ones that start with __ )
 
def __setattr__ (self, attr, value)
 
def __nonzero__ (self)
 This method is called when we test the truth value of an Object.
 
def __eq__ (self, other)
 
def __ne__ (self, other)
 
def __hash__ (self)
 
def m (self, memname)
 
def is_valid (self)
 
def dereference (self)
 
def dereference_as (self, derefType, **kwargs)
 
def cast (self, castString)
 
def v (self)
 Do the actual reading and decoding of this member.
 
def __format__ (self, formatspec)
 
def __str__ (self)
 
def __repr__ (self)
 
def d (self)
 Display diagnostic information.
 
def __getstate__ (self)
 This controls how we pickle and unpickle the objects.
 
def __setstate__ (self, state)
 

Public Attributes

 members
 
 struct_size
 
Public Attributes inherited from volatility.obj.BaseObject
 obj_offset
 
 obj_vm
 

Detailed Description

A CType is an object which represents a C struct.

Constructor & Destructor Documentation

def volatility.obj.CType.__init__ (   self,
  theType,
  offset,
  vm,
  name = None,
  members = None,
  struct_size = 0,
  **kwargs 
)

This must be instantiated with a dict of members.

The keys are the offsets, the values are Curried Object classes that will be instantiated when accessed.
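
The lazy member lookup described above, as an added example: a self-contained model of the pattern, not Volatility's own code and not using its API. A struct object keeps a member table of curried classes and only builds a member, at base offset plus member offset, when the attribute is accessed, after checking that the struct fits in the memory it overlays. `BufferVM`, `UInt`, `Struct`, `RECORD`, `parse_record` and the sample bytes are assumptions made for the illustration, and this model keys the table by member name with an (offset, curried class) value.

```python
import struct
from functools import partial

class BufferVM:
    """Address space over a bytes buffer; read() returns None when out of range."""
    def __init__(self, data):
        self.data = data
    def read(self, offset, length):
        if offset < 0 or offset + length > len(self.data):
            return None
        return self.data[offset:offset + length]

class UInt:
    """Little-endian unsigned integer member, decoded only when v() is called."""
    def __init__(self, fmt, offset, vm):
        self.fmt, self.offset, self.vm = "<" + fmt, offset, vm
    def v(self):
        raw = self.vm.read(self.offset, struct.calcsize(self.fmt))
        return None if raw is None else struct.unpack(self.fmt, raw)[0]

class Struct:
    """Model of a C struct: members maps name -> (relative offset, curried class)."""
    def __init__(self, offset, vm, members, struct_size=0):
        self.offset, self.vm = offset, vm
        self.members, self.struct_size = members, struct_size
    def v(self):
        return self.offset            # evaluating a struct yields its offset
    def is_valid(self):
        return self.vm.read(self.offset, self.struct_size) is not None
    def __getattr__(self, attr):
        # Only reached for names not found normally, i.e. struct members.
        try:
            rel, curried = self.members[attr]
        except KeyError:
            raise AttributeError(attr)
        return curried(offset=self.offset + rel, vm=self.vm)

# Hypothetical 8-byte record: uint32 pid at +0, uint16 flags at +4, uint16 pad at +6.
RECORD = {"pid": (0, partial(UInt, "I")), "flags": (4, partial(UInt, "H"))}

def parse_record(data, offset):
    """Return (pid, flags), or None if the struct does not fit in the buffer."""
    rec = Struct(offset, BufferVM(data), RECORD, struct_size=8)
    if not rec.is_valid():
        return None
    return rec.pid.v(), rec.flags.v()

# Constructed sample: 4 bytes of padding, then one record (pid=1234, flags=0x11).
SAMPLE = b"\x00" * 4 + struct.pack("<IHH", 1234, 0x11, 0)
```
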

