volatility  2.6.1
About: The Volatility Framework is a collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples (requires Python).
  Fossies Dox: volatility-2.6.1.tar.gz  ("inofficial" and yet experimental doxygen-generated source code documentation)  

volatility.plugins.overlays.windows.pe_vtypes._IMAGE_EXPORT_DIRECTORY Class Reference
Inheritance diagram for volatility.plugins.overlays.windows.pe_vtypes._IMAGE_EXPORT_DIRECTORY (image not reproduced in text)
Collaboration diagram for volatility.plugins.overlays.windows.pe_vtypes._IMAGE_EXPORT_DIRECTORY (image not reproduced in text)

Public Member Functions

def valid (self, nt_header)

- Public Member Functions inherited from volatility.obj.CType
def __init__ (self, theType, offset, vm, name=None, members=None, struct_size=0, **kwargs)
def size (self)
def __repr__ (self)
def d (self)
def v (self)
def m (self, attr)
def __getattr__ (self, attr)
def __setattr__ (self, attr, value)

- Public Member Functions inherited from volatility.obj.BaseObject
def obj_type (self)
def obj_vm (self)
def obj_offset (self)
def obj_parent (self)
def obj_name (self)
def obj_native_vm (self)
def set_native_vm (self, native_vm)
def rebase (self, offset)
def proxied (self, attr)
def newattr (self, attr, value)
def write (self, value)
def __nonzero__ (self)
def __eq__ (self, other)
def __ne__ (self, other)
def __hash__ (self)
def is_valid (self)
def dereference (self)
def dereference_as (self, derefType, **kwargs)
def cast (self, castString)
def __format__ (self, formatspec)
def __str__ (self)
def __getstate__ (self)
def __setstate__ (self, state)

Private Member Functions

def _name (self, name_rva)
def _exported_functions (self)

Additional Inherited Members

- Public Attributes inherited from volatility.obj.CType
members
struct_size

- Public Attributes inherited from volatility.obj.BaseObject
obj_offset
obj_vm

Detailed Description

Class for PE export directory

Definition at line 203 of file pe_vtypes.py.

Member Function Documentation

◆ _exported_functions()

def volatility.plugins.overlays.windows.pe_vtypes._IMAGE_EXPORT_DIRECTORY._exported_functions (self)   [private]

Generator for exported functions.

@return: tuple (Ordinal, FunctionRVA, Name)

Ordinal is an integer and should never be None. If the function is forwarded, FunctionRVA is None; otherwise FunctionRVA is the RVA of the function's code, relative to the module base. Name is a String containing the exported function's name, or None if the name is paged out. If the function is forwarded, Name is the forwarded function name including the DLL, for example ntdll.EtwLogTraceEvent.

Definition at line 236 of file pe_vtypes.py.

References volatility.plugins.overlays.windows.pe_vtypes._IMAGE_EXPORT_DIRECTORY._name(), volatility.plugins.malware.idt._KGDTENTRY.Base(), volatility.obj.BaseObject.obj_native_vm(), and volatility.obj.BaseObject.obj_parent().

◆ _name()

def volatility.plugins.overlays.windows.pe_vtypes._IMAGE_EXPORT_DIRECTORY._name (self, name_rva)   [private]

Return a String object for the function name.

Names are truncated at 128 characters, although it's possible they may be longer. Thus, infrequently a function name will be missing some data. However, that is better than hard-coding a larger value, which would frequently cross page boundaries and return a NoneObject anyway.

Definition at line 222 of file pe_vtypes.py.

References volatility.obj.BaseObject.obj_native_vm(), and volatility.obj.BaseObject.obj_parent().

Referenced by volatility.plugins.overlays.windows.pe_vtypes._IMAGE_EXPORT_DIRECTORY._exported_functions(), and volatility.plugins.overlays.windows.pe_vtypes._IMAGE_IMPORT_DESCRIPTOR.dll_name().

◆ valid()

def volatility.plugins.overlays.windows.pe_vtypes._IMAGE_EXPORT_DIRECTORY.valid (self, nt_header)

Check the sanity of export table fields.

The RVAs cannot be larger than the module size. The function and name counts cannot be larger than 32K.

Definition at line 206 of file pe_vtypes.py.
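The following is an added, self-contained Python 3 example and not Volatility's own code (pe_vtypes.py targets Python 2 and reads through Volatility's address-space and object layer). It reconstructs the behaviour the valid() and _exported_functions() docstrings above describe against a hand-built module image: the RVA and count sanity checks, the (Ordinal, FunctionRVA, Name) generator with forwarder detection, the 128-byte name cap, and a name that comes back as None because the read crosses into a page that is absent from the dump. The module layout, the export names and all RVAs are constructed for the demonstration; ModuleImage, ExportDirectory and their methods are this example's own names, not Volatility APIs.

```python
import struct

PAGE_SIZE = 0x1000
MAX_NAME_LEN = 128  # the 128-byte cap described in the _name() docstring
EXPORT_DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY: 40 bytes, little-endian
EXPORT_DIR_FIELDS = ("Characteristics", "TimeDateStamp", "MajorVersion", "MinorVersion", "Name",
                     "Base", "NumberOfFunctions", "NumberOfNames", "AddressOfFunctions",
                     "AddressOfNames", "AddressOfNameOrdinals")

class ModuleImage:
    """Hypothetical helper: a module as seen in a dump, with some pages unavailable (paged out)."""
    def __init__(self, data, missing_pages=()):
        self.data = bytearray(data)
        self.size = len(self.data)
        self.missing = set(missing_pages)

    def read(self, rva, length):
        """Bytes at rva, or None if the read leaves the image or touches a missing page."""
        if rva < 0 or rva + length > self.size:
            return None
        if any(p in self.missing for p in range(rva // PAGE_SIZE, (rva + length - 1) // PAGE_SIZE + 1)):
            return None  # the whole read fails, which is what "paged" means in the docstrings
        return bytes(self.data[rva:rva + length])

    def unpack(self, rva, fmt):
        """Single little-endian scalar at rva, or None if unreadable."""
        raw = self.read(rva, struct.calcsize(fmt))
        return None if raw is None else struct.unpack(fmt, raw)[0]

class ExportDirectory:
    """IMAGE_EXPORT_DIRECTORY plus the export data directory range used to spot forwarders."""
    def __init__(self, image, dir_rva, dir_size):
        self.image, self.dir_rva, self.dir_size = image, dir_rva, dir_size
        raw = image.read(dir_rva, struct.calcsize(EXPORT_DIR_FMT))
        if raw is None:
            raise ValueError("export directory not readable")
        for field, value in zip(EXPORT_DIR_FIELDS, struct.unpack(EXPORT_DIR_FMT, raw)):
            setattr(self, field, value)

    def valid(self, size_of_image):
        """The valid() docstring's checks: table RVAs inside the module, counts at most 32K."""
        return (self.AddressOfFunctions < size_of_image
                and self.AddressOfNames < size_of_image
                and self.AddressOfNameOrdinals < size_of_image
                and self.NumberOfFunctions <= 0x8000 and self.NumberOfNames <= 0x8000)

    def _name(self, name_rva):
        """NUL-terminated name capped at 128 bytes; None when a page of the read is missing."""
        raw = self.image.read(name_rva, MAX_NAME_LEN)
        return None if raw is None else raw.split(b"\0", 1)[0].decode("ascii", "replace")

    def _entry(self, index, func_rva, name_rva=None):
        # A function RVA inside the export section is a forwarder string ("dll.Function"), not code
        if self.dir_rva <= func_rva < self.dir_rva + self.dir_size:
            return (self.Base + index, None, self._name(func_rva))
        return (self.Base + index, func_rva, None if name_rva is None else self._name(name_rva))

    def exported_functions(self):
        """Yield (Ordinal, FunctionRVA, Name) with the semantics of the docstring above."""
        named = set()
        for i in range(self.NumberOfNames):
            name_rva = self.image.unpack(self.AddressOfNames + 4 * i, "<I")
            index = self.image.unpack(self.AddressOfNameOrdinals + 2 * i, "<H")
            if name_rva is None or index is None or index >= self.NumberOfFunctions:
                continue  # unreadable or out-of-range table entry
            func_rva = self.image.unpack(self.AddressOfFunctions + 4 * index, "<I")
            if func_rva is not None:
                named.add(index)
                yield self._entry(index, func_rva, name_rva)
        for index in range(self.NumberOfFunctions):  # exported by ordinal only
            if index not in named:
                func_rva = self.image.unpack(self.AddressOfFunctions + 4 * index, "<I")
                if func_rva:  # skip unreadable and empty (zero) slots
                    yield self._entry(index, func_rva)

def build_demo_image():
    """Constructed 8 KiB module: export directory at RVA 0x100, export data directory
    0x100-0x3FF, and the second page (0x1000-0x1FFF) missing from the dump."""
    img = bytearray(0x2000)
    img[0x100:0x128] = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, 0x300, 1, 4, 3, 0x200, 0x210, 0x220)
    img[0x200:0x210] = struct.pack("<4I", 0x400, 0x340, 0x500, 0x600)  # AddressOfFunctions
    img[0x210:0x21C] = struct.pack("<3I", 0x310, 0x320, 0xFF8)  # AddressOfNames
    img[0x220:0x226] = struct.pack("<3H", 0, 1, 3)  # AddressOfNameOrdinals
    for rva, s in ((0x300, b"demo.dll"), (0x310, b"DemoFunc"), (0x320, b"ForwardedFunc"),
                   (0x340, b"ntdll.EtwLogTraceEvent"), (0xFF8, b"PagedName")):
        img[rva:rva + len(s) + 1] = s + b"\0"
    return ModuleImage(img, missing_pages={1})

def parse_demo():
    image = build_demo_image()
    export = ExportDirectory(image, dir_rva=0x100, dir_size=0x300)
    if not export.valid(size_of_image=image.size):
        raise ValueError("export directory failed sanity checks")
    return list(export.exported_functions())

def corrupted_directory_is_rejected():
    image = build_demo_image()
    image.data[0x114:0x118] = struct.pack("<I", 0xFFFFFFFF)  # NumberOfFunctions field at +20
    return ExportDirectory(image, 0x100, 0x300).valid(image.size)
```

parse_demo() returns four tuples: a normal export (1, 0x400, "DemoFunc"), a forwarder (2, None, "ntdll.EtwLogTraceEvent") whose function RVA points into the export section, a named export whose 128-byte name read straddles the missing page and therefore reports None as its name, and an ordinal-only export with no name. The count cap in valid() is what keeps a corrupted or deliberately oversized NumberOfFunctions in a dump from turning the enumeration into a walk over millions of bogus table slots.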


The documentation for this class was generated from the following file: