Shell in the memory image.
Public Member Functions
  def __init__(self, config, args, kwargs)
  def getpidlist(self)
  def getmodules(self)
  def context_display(self)
  def ps
  def modules
  def set_context
  def render_text(self, _outfd, _data)
      Change current shell context.

Public Member Functions inherited from volatility.commands.Command
  def __init__(self, config, _args, _kwargs)
      Constructor uses args as an initializer.
  def help(cls)
      This function returns a string that will be displayed when a user lists available plugins.
  def calculate(self)
      This function is responsible for performing all calculations.
  def execute(self)
      Executes the plugin command.
  def format_value(self, value, fmt)
      Formats an individual field using the table formatting codes.
  def table_header
      Table header renders the title row of a table.
  def table_row(self, outfd, args)
      Outputs a single row of a table.
  def text_cell_renderers(self, columns)
      Returns default renderers for the columns listed.
  def unified_output(self, data)
  def render_text(self, outfd, data)
  def render_greptext(self, outfd, data)
  def render_json(self, outfd, data)
  def render_sqlite(self, outfd, data)
  def render_dot(self, outfd, data)
  def render_html(self, outfd, data)
  def render_xlsx(self, outfd, data)

Static Public Attributes
  dictionary meta_info = {}

Static Public Attributes inherited from volatility.commands.Command
  string op = ""
  string opts = ""
  string args = ""
  string cmdname = ""
  dictionary meta_info = {}
  elide_data = True
  string tablesep = " "
  text_sort_column = None
  dictionary text_stock_renderers

Additional Inherited Members

Static Public Member Functions inherited from volatility.plugins.common.AbstractWindowsCommand
  def is_valid_profile(profile)

Static Public Member Functions inherited from volatility.commands.Command
  def register_options(config)
      Registers options into a config object provided.
  def is_valid_profile(profile)
Shell in the memory image.
def volatility.plugins.volshell.volshell.render_text(self, _outfd, _data)
Change current shell context.
This function changes the current shell context to the process specified. The process specification can be given as a virtual address (option: offset), PID (option: pid), or process name (option: name).
If multiple processes match the given PID or name, you will be shown a list of matching processes, and will have to specify by offset.
Print bytes as canonical hexdump.
This function prints bytes at the given virtual address as a canonical hexdump. The address will be translated in the current process context (see help on cc for information on how to change contexts). The length parameter (default: 0x80) specifies how many bytes to print, the width parameter (default: 16) allows you to change how many bytes per line should be displayed, and the space parameter allows you to optionally specify the address space to read the data from.
Print dwords at address.
This function prints the data at the given address, interpreted as a series of dwords (unsigned four-byte integers) in hexadecimal. The address will be translated in the current process context (see help on cc for information on how to change contexts). The optional length parameter (default: 0x80) controls how many bytes to display, and space allows you to optionally specify the address space to read the data from.
Print qwords at address.
This function prints the data at the given address, interpreted as a series of qwords (unsigned eight-byte integers) in hexadecimal. The address will be translated in the current process context (see help on cc for information on how to change contexts). The optional length parameter (default: 0x80) controls how many bytes to display, and space allows you to optionally specify the address space to read the data from.
Print active processes in a table view.
Prints a process listing with PID, PPID, image name, and offset.
Get the current kernel/virtual address space.
This returns the current address space.
Get the current process object.
This returns the current process object.
Generator of process objects (scripting).
This returns a list of active process objects.
Generator for kernel modules (scripting).
This returns a list of loaded kernel module objects.
Print loaded modules in a table view.
Prints a module listing with base, offset, name, etc.
Show the current context.
Show the current process information.
Traverse a _LIST_ENTRY.
Traverses a _LIST_ENTRY starting at virtual address head made up of objects of type objname. The value of offset should be set to the offset of the _LIST_ENTRY within the desired object.
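The head/offset arithmetic described above, as an added Python example that is not Volatility's own list_entry implementation: it builds a constructed toy 32-bit image containing a circular _LIST_ENTRY chain and walks it the same way, subtracting the entry offset to recover each object's base and stopping when a Flink points at memory the image does not back. HEAD, OBJ_ADDRS, the 16-byte object layout and the pid values are assumptions made for the toy image.

```python
import struct

# Constructed toy 32-bit image (not a real dump). List head at 0x1000; three
# 16-byte objects: +0 uint32 pid, +4 _LIST_ENTRY {Flink, Blink}, +12 unused.
# Flat offsets into the bytearray stand in for virtual addresses.
HEAD = 0x1000
OBJ_ADDRS = [0x2000, 0x2010, 0x2020]
LIST_ENTRY_OFFSET = 4
ENTRY_ADDRS = [a + LIST_ENTRY_OFFSET for a in OBJ_ADDRS]

def build_image():
    mem = bytearray(0x3000)
    struct.pack_into("<II", mem, HEAD, ENTRY_ADDRS[0], ENTRY_ADDRS[-1])  # head Flink, Blink
    for i, addr in enumerate(OBJ_ADDRS):
        nxt = ENTRY_ADDRS[i + 1] if i + 1 < len(OBJ_ADDRS) else HEAD
        prv = ENTRY_ADDRS[i - 1] if i > 0 else HEAD
        struct.pack_into("<III", mem, addr, 100 + i, nxt, prv)  # pid, Flink, Blink
    return mem

def read_u32(mem, addr):
    """Little-endian dword at addr, or None when addr is not backed by the image."""
    if addr < 0 or addr + 4 > len(mem):
        return None
    return struct.unpack_from("<I", mem, addr)[0]

def list_entry(mem, head, offset, max_entries=4096):
    """Yield the base address of each object reachable from head via Flink.
    The _LIST_ENTRY sits `offset` bytes into its object, so base = entry - offset.
    Stops when the walk returns to head, revisits an entry, hits an entry that
    is not backed by the image, or exceeds max_entries."""
    seen = set()
    entry = read_u32(mem, head)
    while entry is not None and entry != head and entry not in seen:
        nxt = read_u32(mem, entry)  # this entry's Flink; None means unreadable
        if nxt is None or len(seen) >= max_entries:
            break
        seen.add(entry)
        yield entry - offset
        entry = nxt

def blink_consistent(mem, entry):
    """Cross-check: entry.Flink.Blink should point back at entry."""
    flink = read_u32(mem, entry)
    return flink is not None and read_u32(mem, flink + 4) == entry

def walk_pids(mem):
    """pid field of every object on the list, in list order."""
    return [read_u32(mem, base) for base in list_entry(mem, HEAD, LIST_ENTRY_OFFSET)]
```

The Blink cross-check is what an analyst would add on top of a plain Flink walk: an entry whose forward neighbour does not point back at it is a sign the list has been tampered with or the image is damaged.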
Describe an object or show type info.
Show the names and values of a complex object (struct). If the name of a structure is passed, show the struct's members and their types. You can also pass a type name and an address in order to interpret a given address on the fly as an instance of a particular structure.
Examples:
  # Dump the current process object
  dt(self._proc)
  # Show the _EPROCESS structure
  dt('_EPROCESS')
  # Overlay an _EPROCESS structure at 0x81234567
  dt('_EPROCESS', 0x81234567)
Disassemble code at a given address.
Disassembles code starting at address for a number of bytes given by the length parameter (default: 128). Note: This feature requires distorm, available at http://www.ragestorm.net/distorm/
The mode is '16bit', '32bit' or '64bit'. If not supplied, the disasm mode is taken from the profile.
Find bytes in the current process's memory.
  needle - string or list/tuple of strings to find
  max - number of results to return; 0 means find all
  shift - when outputting bytes, start output this many bytes before/after hit offset
  skip - ignore this many hits
  count - if True, displays a message reporting how many hits found; only really useful for max == 0
  length - output this many bytes for each hit
Get help on a command.