volatility  2.6.1
About: The Volatility Framework is a collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples (requires Python).
  Fossies Dox: volatility-2.6.1.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)

volatility.plugins.overlays.windows.pe_vtypes Namespace Reference

Classes

class  _IMAGE_DOS_HEADER
 
class  _IMAGE_EXPORT_DIRECTORY
 
class  _IMAGE_IMPORT_DESCRIPTOR
 
class  _IMAGE_NT_HEADERS
 
class  _IMAGE_NT_HEADERS64
 
class  _IMAGE_RESOURCE_DIR_STRING_U
 
class  _IMAGE_RESOURCE_DIRECTORY
 
class  _IMAGE_SECTION_HEADER
 
class  _LDR_DATA_TABLE_ENTRY
 
class  _VS_FIXEDFILEINFO
 
class  _VS_VERSION_INFO
 
class  VerStruct
 
class  WinPEObjectClasses
 
class  WinPEVTypes
 
class  WinPEx64VTypes
 

Variables

dictionary pe_vtypes
 
dictionary pe_vtypes_64
 
dictionary resource_types
 
int IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b
 
int IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b
 

Variable Documentation

◆ IMAGE_NT_OPTIONAL_HDR32_MAGIC

int volatility.plugins.overlays.windows.pe_vtypes.IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b

Definition at line 200 of file pe_vtypes.py.

◆ IMAGE_NT_OPTIONAL_HDR64_MAGIC

int volatility.plugins.overlays.windows.pe_vtypes.IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b

Definition at line 201 of file pe_vtypes.py.

◆ pe_vtypes

dictionary volatility.plugins.overlays.windows.pe_vtypes.pe_vtypes

Definition at line 27 of file pe_vtypes.py.

◆ pe_vtypes_64

dictionary volatility.plugins.overlays.windows.pe_vtypes.pe_vtypes_64
Initial value:
pe_vtypes_64 = {
    '_IMAGE_THUNK_DATA' : [ 0x8, {
        # Fake member for testing if the highest bit is set
        'OrdinalBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64)]],
        'Function' : [ 0x0, ['pointer64', ['void']]],
        'Ordinal' : [ 0x0, ['unsigned long long']],
        'AddressOfData' : [ 0x0, ['unsigned long long']],
        'ForwarderString' : [ 0x0, ['unsigned long long']],
    }],
}

Definition at line 166 of file pe_vtypes.py.

◆ resource_types

dictionary volatility.plugins.overlays.windows.pe_vtypes.resource_types
Initial value:
resource_types = {
    'RT_CURSOR' : 1,
    'RT_BITMAP' : 2,
    'RT_ICON' : 3,
    'RT_MENU' : 4,
    'RT_DIALOG' : 5,
    'RT_STRING' : 6,
    'RT_FONTDIR' : 7,
    'RT_FONT' : 8,
    'RT_ACCELERATOR' : 9,
    'RT_RCDATA' : 10,
    'RT_MESSAGETABLE' : 11,
    'RT_GROUP_CURSOR' : 12,
    'RT_GROUP_ICON' : 14,
    'RT_VERSION' : 16,
    'RT_DLGINCLUDE' : 17,
    'RT_PLUGPLAY' : 19,
    'RT_VXD' : 20,
    'RT_ANICURSOR' : 21,
    'RT_ANIICON' : 22,
    'RT_HTML' : 23,
}

Definition at line 177 of file pe_vtypes.py.