volatility  2.6.1
About: The Volatility Framework is a collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples (requires Python).
  Fossies Dox: volatility-2.6.1.tar.gz  ("inofficial" and yet experimental doxygen-generated source code documentation)  

volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY Class Reference
Inheritance diagram for volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY:
Collaboration diagram for volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY:

Public Member Functions

def load_time (self)
def LoadCount (self)
def export_dir (self)
def import_dir (self)
def debug_dir (self)
def security_dir (self)
def get_debug_directory (self)
def getprocaddress (self, func)
def imports (self)
def exports (self)
- Public Member Functions inherited from volatility.obj.CType
def __init__ (self, theType, offset, vm, name=None, members=None, struct_size=0, **kwargs)
def size (self)
def __repr__ (self)
def d (self)
def v (self)
def m (self, attr)
def __getattr__ (self, attr)
def __setattr__ (self, attr, value)
- Public Member Functions inherited from volatility.obj.BaseObject
def obj_type (self)
def obj_vm (self)
def obj_offset (self)
def obj_parent (self)
def obj_name (self)
def obj_native_vm (self)
def set_native_vm (self, native_vm)
def rebase (self, offset)
def proxied (self, attr)
def newattr (self, attr, value)
def write (self, value)
def __nonzero__ (self)
def __eq__ (self, other)
def __ne__ (self, other)
def __hash__ (self)
def is_valid (self)
def dereference (self)
def dereference_as (self, derefType, **kwargs)
def cast (self, castString)
def __format__ (self, formatspec)
def __str__ (self)
def __getstate__ (self)
def __setstate__ (self, state)

Private Member Functions

def _nt_header (self)
def _directory (self, dir_index)

Additional Inherited Members

- Public Attributes inherited from volatility.obj.CType
- Public Attributes inherited from volatility.obj.BaseObject

Detailed Description

Class for PE file / modules

If these classes are instantiated by _EPROCESS.list_*_modules() 
then its guaranteed to be in the process address space. 

FIXME: If these classes are found by modscan, ensure we can
dereference properly with obj_native_vm. 

Definition at line 434 of file pe_vtypes.py.

Member Function Documentation

◆ _directory()

◆ _nt_header()

def volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY._nt_header (   self)

◆ debug_dir()

def volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY.debug_dir (   self)

◆ export_dir()

def volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY.export_dir (   self)

◆ exports()

def volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY.exports (   self)

◆ get_debug_directory()

def volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY.get_debug_directory (   self)
Return the debug directory object for this PE

Definition at line 517 of file pe_vtypes.py.

References volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY.debug_dir(), and volatility.obj.BaseObject.obj_native_vm().

◆ getprocaddress()

def volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY.getprocaddress (   self,
Return the RVA of func

Definition at line 529 of file pe_vtypes.py.

References volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY.exports().

◆ import_dir()

def volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY.import_dir (   self)

◆ imports()

def volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY.imports (   self)
Generator for the PE's imported functions.

The _DIRECTORY_ENTRY_IMPORT.VirtualAddress points to an array 
of _IMAGE_IMPORT_DESCRIPTOR structures. The end is reached when 
the IID structure is all zeros. 

Definition at line 536 of file pe_vtypes.py.

References volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY._nt_header(), volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY.import_dir(), volatility.obj.BaseObject.obj_native_vm(), and volatility.obj.BaseObject.obj_vm.

◆ load_time()

def volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY.load_time (   self)

Definition at line 445 of file pe_vtypes.py.

◆ LoadCount()

def volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY.LoadCount (   self)

Definition at line 452 of file pe_vtypes.py.

References volatility.obj.BaseObject.m().

◆ security_dir()

def volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY.security_dir (   self)

Definition at line 513 of file pe_vtypes.py.

References volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY._directory().

The documentation for this class was generated from the following file: