volatility  2.6.1
About: The Volatility Framework is a collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples (requires Python).
  Fossies Dox: volatility-2.6.1.tar.gz  ("inofficial" and yet experimental doxygen-generated source code documentation)  

volatility.plugins.overlays.windows.pe_vtypes._IMAGE_IMPORT_DESCRIPTOR Class Reference

Public Member Functions

def valid (self, nt_header)
 
def dll_name (self)
 
def is_list_end (self)
 
- Public Member Functions inherited from volatility.obj.CType
def __init__ (self, theType, offset, vm, name=None, members=None, struct_size=0, **kwargs)
 
def size (self)
 
def __repr__ (self)
 
def d (self)
 
def v (self)
 
def m (self, attr)
 
def __getattr__ (self, attr)
 
def __setattr__ (self, attr, value)
 
- Public Member Functions inherited from volatility.obj.BaseObject
def obj_type (self)
 
def obj_vm (self)
 
def obj_offset (self)
 
def obj_parent (self)
 
def obj_name (self)
 
def obj_native_vm (self)
 
def set_native_vm (self, native_vm)
 
def rebase (self, offset)
 
def proxied (self, attr)
 
def newattr (self, attr, value)
 
def write (self, value)
 
def __nonzero__ (self)
 
def __eq__ (self, other)
 
def __ne__ (self, other)
 
def __hash__ (self)
 
def is_valid (self)
 
def dereference (self)
 
def dereference_as (self, derefType, **kwargs)
 
def cast (self, castString)
 
def __format__ (self, formatspec)
 
def __str__ (self)
 
def __getstate__ (self)
 
def __setstate__ (self, state)
 

Private Member Functions

def _name (self, name_rva)
 
def _imported_functions (self)
 

Additional Inherited Members

- Public Attributes inherited from volatility.obj.CType
 members
 
 struct_size
 
- Public Attributes inherited from volatility.obj.BaseObject
 obj_offset
 
 obj_vm
 

Detailed Description

Handles IID entries for imported functions

Definition at line 343 of file pe_vtypes.py.

Member Function Documentation

◆ _imported_functions()

def volatility.plugins.overlays.windows.pe_vtypes._IMAGE_IMPORT_DESCRIPTOR._imported_functions (   self)
private
Generator for imported functions. 

@return: tuple (Ordinal, FunctionVA, Name)

If the function is imported by ordinal, then Ordinal is the 
ordinal value and Name is None. 

If the function is imported by name, then Ordinal is the
hint and Name is the imported function name (or None if it is
paged).

FunctionVA is the virtual address of the imported function,
as applied to the IAT by the Windows loader. If the FirstThunk
is paged, then FunctionVA will be None. 

Definition at line 368 of file pe_vtypes.py.

References volatility.obj.BaseObject.obj_native_vm(), volatility.obj.BaseObject.obj_parent(), and volatility.obj.BaseObject.obj_vm.

◆ _name()

def volatility.plugins.overlays.windows.pe_vtypes._IMAGE_IMPORT_DESCRIPTOR._name (   self,
  name_rva 
)
private
Return a String object for the name at the given RVA

Definition at line 357 of file pe_vtypes.py.

References volatility.obj.BaseObject.obj_native_vm(), and volatility.obj.BaseObject.obj_parent().

Referenced by volatility.plugins.overlays.windows.pe_vtypes._IMAGE_IMPORT_DESCRIPTOR.dll_name().

◆ dll_name()

def volatility.plugins.overlays.windows.pe_vtypes._IMAGE_IMPORT_DESCRIPTOR.dll_name (   self)

◆ is_list_end()

def volatility.plugins.overlays.windows.pe_vtypes._IMAGE_IMPORT_DESCRIPTOR.is_list_end (   self)
Returns True if we've reached the list end

Definition at line 426 of file pe_vtypes.py.

References volatility.obj.BaseObject.obj_offset, and volatility.obj.BaseObject.obj_vm.

◆ valid()

def volatility.plugins.overlays.windows.pe_vtypes._IMAGE_IMPORT_DESCRIPTOR.valid (   self,
  nt_header 
)
Check the validity of some fields

Definition at line 346 of file pe_vtypes.py.

References volatility.plugins.gui.constants.FakeAtom.Name, and volatility.plugins.gui.win32k_core.tagWINDOWSTATION.Name().


The documentation for this class was generated from the following file: