Repository: volatilityfoundation/volatility
Branch: master
Commit: 328a178edeec
Files: 459
Total size: 32.7 MB
Directory structure:
gitextract_cqwfp5mv/
├── .gitattributes
├── .gitignore
├── AUTHORS.txt
├── CHANGELOG.txt
├── CREDITS.txt
├── LEGAL.txt
├── LICENSE.txt
├── MANIFEST.in
├── Makefile
├── PKG-INFO
├── README.txt
├── contrib/
│ ├── __init__.py
│ ├── library_example/
│ │ ├── libapi.py
│ │ └── pslist_json.py
│ └── plugins/
│ ├── README.md
│ ├── __init__.py
│ ├── aspaces/
│ │ └── README.md
│ ├── disablewarnings.py
│ ├── example.py
│ └── malware/
│ └── README.md
├── pyinstaller/
│ ├── hook-distorm3.py
│ ├── hook-openpyxl.py
│ ├── hook-volatility.py
│ └── hook-yara.py
├── pyinstaller.spec
├── setup.py
├── tools/
│ ├── doxygen/
│ │ ├── config
│ │ └── d3/
│ │ ├── createtree.py
│ │ └── tree.html
│ ├── linux/
│ │ ├── Makefile
│ │ ├── Makefile.enterprise
│ │ ├── kcore/
│ │ │ ├── Makefile
│ │ │ ├── elf.h
│ │ │ ├── getkcore.c
│ │ │ └── getkcore.h
│ │ └── module.c
│ ├── mac/
│ │ ├── convert.py
│ │ ├── generate_profile_list.py
│ │ ├── mac_create_all_profiles.py
│ │ └── parse_pbzx2.py
│ ├── vtype_diff.py
│ └── windows/
│ └── parsesummary.py
├── vol.py
└── volatility/
├── __init__.py
├── addrspace.py
├── cache.py
├── commands.py
├── conf.py
├── constants.py
├── debug.py
├── dwarf.py
├── exceptions.py
├── fmtspec.py
├── obj.py
├── plugins/
│ ├── __init__.py
│ ├── addrspaces/
│ │ ├── __init__.py
│ │ ├── amd64.py
│ │ ├── arm.py
│ │ ├── crash.py
│ │ ├── crashbmp.py
│ │ ├── elfcoredump.py
│ │ ├── hibernate.py
│ │ ├── hpak.py
│ │ ├── ieee1394.py
│ │ ├── intel.py
│ │ ├── lime.py
│ │ ├── macho.py
│ │ ├── osxpmemelf.py
│ │ ├── paged.py
│ │ ├── standard.py
│ │ ├── vmem.py
│ │ └── vmware.py
│ ├── bigpagepools.py
│ ├── bioskbd.py
│ ├── cmdline.py
│ ├── common.py
│ ├── connections.py
│ ├── connscan.py
│ ├── crashinfo.py
│ ├── dlldump.py
│ ├── drivermodule.py
│ ├── dumpcerts.py
│ ├── dumpfiles.py
│ ├── envars.py
│ ├── evtlogs.py
│ ├── fileparam.py
│ ├── filescan.py
│ ├── getservicesids.py
│ ├── getsids.py
│ ├── gui/
│ │ ├── __init__.py
│ │ ├── atoms.py
│ │ ├── clipboard.py
│ │ ├── constants.py
│ │ ├── desktops.py
│ │ ├── editbox.py
│ │ ├── eventhooks.py
│ │ ├── gahti.py
│ │ ├── gditimers.py
│ │ ├── messagehooks.py
│ │ ├── screenshot.py
│ │ ├── sessions.py
│ │ ├── userhandles.py
│ │ ├── vtypes/
│ │ │ ├── __init__.py
│ │ │ ├── vista.py
│ │ │ ├── win10.py
│ │ │ ├── win2003.py
│ │ │ ├── win7.py
│ │ │ ├── win7_sp0_x64_vtypes_gui.py
│ │ │ ├── win7_sp0_x86_vtypes_gui.py
│ │ │ ├── win7_sp1_x64_vtypes_gui.py
│ │ │ ├── win7_sp1_x86_vtypes_gui.py
│ │ │ ├── win8.py
│ │ │ └── xp.py
│ │ ├── win32k_core.py
│ │ ├── windows.py
│ │ └── windowstations.py
│ ├── handles.py
│ ├── heaps.py
│ ├── hibinfo.py
│ ├── hpakinfo.py
│ ├── iehistory.py
│ ├── imagecopy.py
│ ├── imageinfo.py
│ ├── joblinks.py
│ ├── kdbgscan.py
│ ├── kpcrscan.py
│ ├── linux/
│ │ ├── __init__.py
│ │ ├── apihooks.py
│ │ ├── arp.py
│ │ ├── aslr_shift.py
│ │ ├── banner.py
│ │ ├── bash.py
│ │ ├── bash_hash.py
│ │ ├── check_afinfo.py
│ │ ├── check_creds.py
│ │ ├── check_evt_arm.py
│ │ ├── check_fops.py
│ │ ├── check_idt.py
│ │ ├── check_inline_kernel.py
│ │ ├── check_modules.py
│ │ ├── check_syscall.py
│ │ ├── check_syscall_arm.py
│ │ ├── common.py
│ │ ├── cpuinfo.py
│ │ ├── dentry_cache.py
│ │ ├── dmesg.py
│ │ ├── dump_map.py
│ │ ├── elfs.py
│ │ ├── enumerate_files.py
│ │ ├── find_file.py
│ │ ├── flags.py
│ │ ├── getcwd.py
│ │ ├── hidden_modules.py
│ │ ├── ifconfig.py
│ │ ├── info_regs.py
│ │ ├── iomem.py
│ │ ├── kernel_opened_files.py
│ │ ├── keyboard_notifiers.py
│ │ ├── ld_env.py
│ │ ├── ldrmodules.py
│ │ ├── libc_env.py
│ │ ├── library_list.py
│ │ ├── librarydump.py
│ │ ├── lime.py
│ │ ├── linux_strings.py
│ │ ├── linux_truecrypt.py
│ │ ├── linux_volshell.py
│ │ ├── linux_yarascan.py
│ │ ├── list_raw.py
│ │ ├── lsmod.py
│ │ ├── lsof.py
│ │ ├── malfind.py
│ │ ├── mount.py
│ │ ├── mount_cache.py
│ │ ├── netfilter.py
│ │ ├── netscan.py
│ │ ├── netstat.py
│ │ ├── pidhashtable.py
│ │ ├── pkt_queues.py
│ │ ├── plthook.py
│ │ ├── proc_maps.py
│ │ ├── proc_maps_rb.py
│ │ ├── procdump.py
│ │ ├── process_hollow.py
│ │ ├── process_info.py
│ │ ├── process_stack.py
│ │ ├── psaux.py
│ │ ├── psenv.py
│ │ ├── pslist.py
│ │ ├── pslist_cache.py
│ │ ├── psscan.py
│ │ ├── pstree.py
│ │ ├── psxview.py
│ │ ├── recover_filesystem.py
│ │ ├── route_cache.py
│ │ ├── sk_buff_cache.py
│ │ ├── slab_info.py
│ │ ├── threads.py
│ │ ├── tmpfs.py
│ │ ├── tty_check.py
│ │ └── vma_cache.py
│ ├── mac/
│ │ ├── WKdm.py
│ │ ├── __init__.py
│ │ ├── adiummsgs.py
│ │ ├── apihooks.py
│ │ ├── apihooks_kernel.py
│ │ ├── arp.py
│ │ ├── bash.py
│ │ ├── bash_env.py
│ │ ├── bash_hash.py
│ │ ├── calendar.py
│ │ ├── check_fop.py
│ │ ├── check_mig_table.py
│ │ ├── check_syscall_shadow.py
│ │ ├── check_syscall_table.py
│ │ ├── check_sysctl.py
│ │ ├── check_trap_table.py
│ │ ├── classes.py
│ │ ├── common.py
│ │ ├── compressed_swap.py
│ │ ├── contacts.py
│ │ ├── dead_procs.py
│ │ ├── dead_sockets.py
│ │ ├── dead_vnodes.py
│ │ ├── devfs.py
│ │ ├── dlyd_maps.py
│ │ ├── dmesg.py
│ │ ├── dump_files.py
│ │ ├── dump_map.py
│ │ ├── find_aslr_shift.py
│ │ ├── get_profile.py
│ │ ├── gkextmap.py
│ │ ├── ifconfig.py
│ │ ├── interest_handlers.py
│ │ ├── ip_filters.py
│ │ ├── kevents.py
│ │ ├── keychaindump.py
│ │ ├── ldrmodules.py
│ │ ├── librarydump.py
│ │ ├── list_files.py
│ │ ├── list_kauth_listeners.py
│ │ ├── list_kauth_scopes.py
│ │ ├── list_raw.py
│ │ ├── list_zones.py
│ │ ├── lsmod.py
│ │ ├── lsmod_iokit.py
│ │ ├── lsof.py
│ │ ├── mac_strings.py
│ │ ├── mac_volshell.py
│ │ ├── mac_yarascan.py
│ │ ├── machine_info.py
│ │ ├── malfind.py
│ │ ├── memdump.py
│ │ ├── moddump.py
│ │ ├── mount.py
│ │ ├── netconns.py
│ │ ├── netstat.py
│ │ ├── notesapp.py
│ │ ├── notifiers.py
│ │ ├── orphan_threads.py
│ │ ├── pgrp_hash_table.py
│ │ ├── pid_hash_table.py
│ │ ├── print_boot_cmdline.py
│ │ ├── proc_maps.py
│ │ ├── procdump.py
│ │ ├── psaux.py
│ │ ├── psenv.py
│ │ ├── pslist.py
│ │ ├── pstasks.py
│ │ ├── pstree.py
│ │ ├── psxview.py
│ │ ├── recover_filesystem.py
│ │ ├── route.py
│ │ ├── session_hash_table.py
│ │ ├── socket_filters.py
│ │ ├── threads.py
│ │ ├── threads_simple.py
│ │ ├── timers.py
│ │ ├── trustedbsd.py
│ │ ├── version.py
│ │ └── vfsevents.py
│ ├── machoinfo.py
│ ├── malware/
│ │ ├── __init__.py
│ │ ├── apihooks.py
│ │ ├── callbacks.py
│ │ ├── cmdhistory.py
│ │ ├── devicetree.py
│ │ ├── idt.py
│ │ ├── impscan.py
│ │ ├── malfind.py
│ │ ├── psxview.py
│ │ ├── servicediff.py
│ │ ├── svcscan.py
│ │ ├── threads.py
│ │ └── timers.py
│ ├── mbrparser.py
│ ├── mftparser.py
│ ├── moddump.py
│ ├── modscan.py
│ ├── modules.py
│ ├── multiscan.py
│ ├── netscan.py
│ ├── notepad.py
│ ├── objtypescan.py
│ ├── overlays/
│ │ ├── __init__.py
│ │ ├── basic.py
│ │ ├── linux/
│ │ │ ├── __init__.py
│ │ │ ├── elf.py
│ │ │ └── linux.py
│ │ ├── mac/
│ │ │ ├── __init__.py
│ │ │ ├── mac.py
│ │ │ └── macho.py
│ │ ├── native_types.py
│ │ └── windows/
│ │ ├── __init__.py
│ │ ├── crash_vtypes.py
│ │ ├── hibernate_vtypes.py
│ │ ├── kdbg_vtypes.py
│ │ ├── kpcr_vtypes.py
│ │ ├── pe_vtypes.py
│ │ ├── ssdt_vtypes.py
│ │ ├── tcpip_vtypes.py
│ │ ├── vad_vtypes.py
│ │ ├── vista.py
│ │ ├── vista_sp0_x64_syscalls.py
│ │ ├── vista_sp0_x64_vtypes.py
│ │ ├── vista_sp0_x86_syscalls.py
│ │ ├── vista_sp0_x86_vtypes.py
│ │ ├── vista_sp12_x64_syscalls.py
│ │ ├── vista_sp12_x86_syscalls.py
│ │ ├── vista_sp1_x64_vtypes.py
│ │ ├── vista_sp1_x86_vtypes.py
│ │ ├── vista_sp2_x64_vtypes.py
│ │ ├── vista_sp2_x86_vtypes.py
│ │ ├── win10.py
│ │ ├── win10_x64_10240_17770_vtypes.py
│ │ ├── win10_x64_10586_syscalls.py
│ │ ├── win10_x64_14393_syscalls.py
│ │ ├── win10_x64_15063_syscalls.py
│ │ ├── win10_x64_15063_vtypes.py
│ │ ├── win10_x64_16299_syscalls.py
│ │ ├── win10_x64_16299_vtypes.py
│ │ ├── win10_x64_17134_vtypes.py
│ │ ├── win10_x64_17763_vtypes.py
│ │ ├── win10_x64_18362_vtypes.py
│ │ ├── win10_x64_19041_vtypes.py
│ │ ├── win10_x64_1AC738FB_vtypes.py
│ │ ├── win10_x64_DD08DD42_vtypes.py
│ │ ├── win10_x64_vtypes.py
│ │ ├── win10_x86_10240_17770_vtypes.py
│ │ ├── win10_x86_10586_syscalls.py
│ │ ├── win10_x86_14393_syscalls.py
│ │ ├── win10_x86_15063_syscalls.py
│ │ ├── win10_x86_15063_vtypes.py
│ │ ├── win10_x86_16299_syscalls.py
│ │ ├── win10_x86_16299_vtypes.py
│ │ ├── win10_x86_17134_vtypes.py
│ │ ├── win10_x86_17763_vtypes.py
│ │ ├── win10_x86_18362_vtypes.py
│ │ ├── win10_x86_19041_vtypes.py
│ │ ├── win10_x86_44B89EEA_vtypes.py
│ │ ├── win10_x86_9619274A_vtypes.py
│ │ ├── win10_x86_vtypes.py
│ │ ├── win2003.py
│ │ ├── win2003_sp0_x86_syscalls.py
│ │ ├── win2003_sp0_x86_vtypes.py
│ │ ├── win2003_sp12_x64_syscalls.py
│ │ ├── win2003_sp12_x86_syscalls.py
│ │ ├── win2003_sp1_x64_vtypes.py
│ │ ├── win2003_sp1_x86_vtypes.py
│ │ ├── win2003_sp2_x64_vtypes.py
│ │ ├── win2003_sp2_x86_vtypes.py
│ │ ├── win7.py
│ │ ├── win7_sp01_x64_syscalls.py
│ │ ├── win7_sp01_x86_syscalls.py
│ │ ├── win7_sp0_x64_vtypes.py
│ │ ├── win7_sp0_x86_vtypes.py
│ │ ├── win7_sp1_x64_24000_vtypes.py
│ │ ├── win7_sp1_x64_632B36E0_vtypes.py
│ │ ├── win7_sp1_x64_vtypes.py
│ │ ├── win7_sp1_x86_24000_vtypes.py
│ │ ├── win7_sp1_x86_BBA98F40_vtypes.py
│ │ ├── win7_sp1_x86_vtypes.py
│ │ ├── win8.py
│ │ ├── win81_u1_x64_vtypes.py
│ │ ├── win81_u1_x86_vtypes.py
│ │ ├── win8_kdbg.py
│ │ ├── win8_sp0_x64_syscalls.py
│ │ ├── win8_sp0_x64_vtypes.py
│ │ ├── win8_sp0_x86_syscalls.py
│ │ ├── win8_sp0_x86_vtypes.py
│ │ ├── win8_sp1_x64_54B5A1C6_vtypes.py
│ │ ├── win8_sp1_x64_syscalls.py
│ │ ├── win8_sp1_x64_vtypes.py
│ │ ├── win8_sp1_x86_syscalls.py
│ │ ├── win8_sp1_x86_vtypes.py
│ │ ├── windows.py
│ │ ├── windows64.py
│ │ ├── xp.py
│ │ ├── xp_sp2_x86_syscalls.py
│ │ ├── xp_sp2_x86_vtypes.py
│ │ └── xp_sp3_x86_vtypes.py
│ ├── patcher.py
│ ├── patchguard.py
│ ├── pooltracker.py
│ ├── privileges.py
│ ├── procdump.py
│ ├── pstree.py
│ ├── raw2dmp.py
│ ├── registry/
│ │ ├── __init__.py
│ │ ├── amcache.py
│ │ ├── auditpol.py
│ │ ├── dumpregistry.py
│ │ ├── hivelist.py
│ │ ├── hivescan.py
│ │ ├── lsadump.py
│ │ ├── printkey.py
│ │ ├── registryapi.py
│ │ ├── shellbags.py
│ │ ├── shimcache.py
│ │ ├── shutdown.py
│ │ └── userassist.py
│ ├── sockets.py
│ ├── sockscan.py
│ ├── ssdt.py
│ ├── strings.py
│ ├── taskmods.py
│ ├── tcaudit.py
│ ├── timeliner.py
│ ├── vadinfo.py
│ ├── vboxinfo.py
│ ├── verinfo.py
│ ├── vmwareinfo.py
│ ├── volshell.py
│ └── win10cookie.py
├── poolscan.py
├── protos.py
├── registry.py
├── renderers/
│ ├── __init__.py
│ ├── basic.py
│ ├── dot.py
│ ├── html.py
│ ├── sqlite.py
│ ├── text.py
│ └── xlsx.py
├── scan.py
├── timefmt.py
├── utils.py
├── validity.py
└── win32/
├── __init__.py
├── crashdump.py
├── domcachedump.py
├── hashdump.py
├── hive.py
├── lsasecrets.py
├── modules.py
├── network.py
├── rawreg.py
├── tasks.py
└── xpress.py
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitattributes
================================================
* text=auto
================================================
FILE: .gitignore
================================================
*.py[cod]
# Pycharm ide library
.idea
*.swp
# C extensions
*.so
# Packages
*.egg
*.egg-info
dist
build
eggs
parts
bin
var
sdist
develop-eggs
.installed.cfg
lib
lib64
# Installer logs
pip-log.txt
# Unit test / coverage reports
.coverage
.tox
nosetests.xml
# Translations
*.mo
# Mr Developer
.mr.developer.cfg
.project
.pydevproject
.svn/
.DS_Store
# compressed files
*.zip
*.7z
*.rar
*.tar.gz
*.gz
# common memory extensions:
*.vmem
*.mem
*.img
*.dmp
*.sys
*.bin
*.001
*.raw
================================================
FILE: AUTHORS.txt
================================================
===============================================
This file identifies core Volatility authors.
All lists are alphabetical.
===============================================
Volatility 2.6:
------------
Mike Auty
Andrew Case
Michael Hale Ligh
Jamie Levy
AAron Walters
Nick L. Petroni, Jr.
Volatility 2.4, 2.5:
------------
Mike Auty
Andrew Case
Michael Hale Ligh
Jamie Levy
AAron Walters
Volatility 2.0, 2.1, 2.2, 2.3:
------------
Mike Auty
Andrew Case
Michael Cohen
Brendan Dolan-Gavitt
Michael Hale Ligh
Jamie Levy
AAron Walters
Volatility 1.3:
------------
AAron Walters <awalters@4tphi.net>
Volatile Systems LLC
Brendan Dolan-Gavitt <bdolangavitt@wesleyan.edu>
Volatools Basic authors:
------------
AAron Walters
Komoku, Inc.
Nick L. Petroni, Jr.
Komoku, Inc.
================================================
FILE: CHANGELOG.txt
================================================
Changelog
As of Volatility 2.4, all changes are now tracked on the GitHub site:
https://github.com/volatilityfoundation/volatility
Volatility 2.0-2.3: all changes were tracked on the Google Code site:
http://code.google.com/p/volatility/source/list
04.8.2009 Volatility-1.3.1 moyix
* Update: Introduce BufferAddressSpace and refactor
* Files:
forensics/addrspace.py
forensics/object.py
Description:
Added a new BufferAddressSpace class that acts like a regular
FileAddressSpace, but can be instantiated from a string buffer.
This allows any function that expects an address space to work on
a buffer instead. Also refactored the *_buf functions in object.py
to use this class instead (reduces code duplication). Thanks to
Michael Cohen for the idea.
04.8.2009 Volatility-1.3.1 moyix
* Update: Add support for inactive hiberfiles to hibinfo
* Files:
forensics/win32/hiber_addrspace.py
Description:
Added the ability to convert hibernation files that are in the
"inactive" state (their first page is zeroed) to dd format. It is
still not possible to run Volatility directly on such files, but
they can now be converted for analysis. Thanks to Jon Evans for
the suggestion.
04.8.2009 Volatility-1.3.1 moyix
* Update: Pool scanning enhancements
* Files:
forensics/win32/scan2.py
forensics/object.py
Description:
Incorporated new functions written by Andreas Schuster to allow
more fine-grained checks in pool scanners, and modularize some of
the accessors (get_poolsize, get_poolsize, etc.). The patch also
adds read_unicode_string_buf and read_string_buf, which operate on
string buffers. Thanks to Andreas Schuster for the patch.
04.7.2009 Volatility-1.3 awalters
* Update: Handle table parsing
* Files:
forensics/win32/handles.py
Description:
Updated handle parsing code to fix typo. It was not
adding the correct offset for Level 3 tables. It was also
not traversing all the entries. Thanks to Brendan Dolan-Gavitt.
04.7.2009 Volatility-1.3 awalters
* Update: Network Offsets
* Files:
forensics/win32/network.py
Description:
Added new offset updates. Thanks to Jun Koi.
03.17.2009 Volatility-1.3 awalters
* Update: x86.py robustness
* Files:
forensics/x86.py
Description:
Added more robustness to the x86 address space. This time
it focused on PAE. Certain samples were reading outside of
the physical address space. Thanks to Brendan Dolan-Gavitt for patch.
03.17.2009 Volatility-1.3.1 awalters
* Bug: Hiberfil Address space w
* Files:
forensics\win32\hiber_addrspace.py
Description:
Needed to import the PAE address space. This only meant
that hibinfo was having some issue. It would still process
hiberfil's just fine. Thanks to Andreas Schuster for the bug report.
03.17.2009 Volatility-1.3.1 awalters
* Update: New version of tcp driver needed new offsets in SP3
* Files:
forensics/win32/network.py
forensics/win32/scan2.py
forensics/win32/scan.py
Description:
Added new offsets to network to handle new driver. Updated scan2
and scan as well to support new pool allocation size. Thanks to Brendan
Dolan-Gavitt.
02.22.2009 Volatility-1.3.1 awalters
* Update: procdump check peb
* Files:
vmodules.py
Description:
Added a check to make sure that the PEB is memory resident.
02.05.2009 Volatility-1.3.1 awalters
* Update: Handle parsing
* Files:
forensics/win32/handles.py
vmodules.py
Description:
Updated handle parsing code to correctly handle middle
and upper layer handles in multi-level schemes. Also
changed files to now use the common parsing code.
12.11.2008 Volatility-1.3.1 awalters
* Update: Plugin Generators
* Files:
forensics/commands.py
memory_plugins/example4.py
vutils.py
Description:
Added the ability to use generators in your plugins. This
is extremely powerful and allows us to support arbitrary
output formats. Thanks to Michael Cohen for the patch.
12.11.2008 Volatility-1.3.1 awalters
* Update: Object Inheritance
* Files:
forensics/object2.py
forensics/registry.py
memory_plugins/example3.py
Description:
Plugin creators are now able to express an inheritance order
associated with an object. The default is the Profile objects.
This fixes a problem associated with collisions. Thanks to
Cameron C Caffee for the bug report and thanks to Brendan
Dolan-Gavitt and Michael Cohen for insightful discussions.
12.10.2008 Volatility-1.3.1 awalters
* Update: lists.py
* Files:
forensics/win32/lists.py
Description:
Added Brendan Dolan-Gavitt lists.py file for traversing kernel
linked lists. Thanks Brendan.
12.06.2008 Volatility-1.3.1 awalters
* Bug: Crashdump base address space
* Files:
forensics/win32/tasks.py
Description:
Changed find_csdversion so that it does not pass in the filename.
Made fname an optional parameter to process_addr_space since it is
no longer being used and only maintained for backward compatibility.
Thanks to Richard Austin for the bug report.
11.25.2008 Volatility-1.3.1 awalters
* Bug: modules_list
* Files:
forensics/win32/modules.py
Description:
Added a check to make sure both PsLoadedModuleList and this
module were defined.
11.25.2008 Volatility-1.3.1 awalters
* Update: Tabs and spaces
* Files:
Too Many
Description:
Spent some quality time with the tab nanny.
11.25.2008 Volatility-1.3.1 awalters
* Bug: Added more checks for registry objects
* Files:
forensics/win32/registry.py
Description:
Added more checks in print_entry_keys for invalid pages.
Some of the key path was crossing page boundaries so more
checks needed to be added. Thanks to Christian Herndler
for the bug report.
11.22.2008 Volatility-1.3.1 awalters
* Update: get_obj_offset no longer modifies passed in list
* Files:
forensics/object.py
Description:
get_obj_offset previously modified the passed-in list used
to represent type information. Now it works on a copy to
prevent unexpected behavior. Thanks to Brendan Dolan-Gavitt
for the update.
11.17.2008 Volatility-1.3.1 awalters
* Bug: Checks to make sure KeyControlBlock is a valid address
* Files:
forensics/win32/registry.py
Description:
print_entry_keys has been updated to check that KeyControlBlock
is a valid address. Thanks to Christian Herndler for the bug
report and Brendan Dolan-Gavitt for the bug fix.
11.15.2008 Volatility-1.3.1 awalters
* Update: removed sha module from crashdump
* Files:
forensics/win32/crashdump.py
Description:
Removed the attempt to import the sha module since it generates
a warning with Python 2.6. Thanks to STC for reporting the issue.
11.14.2008 Volatility-1.3.1 awalters
* Bug: added more checks in object parsing for invalid pages
* Files:
forensics/win32/handles.py
forensics/win32/registry.py
vmodules.py
Description:
Added more checks for invalid pages while processing the
object directory. Thanks to Christian Herndler for the bug
report.
11.03.2008 Volatility-1.3.1 awalters
* Bug: Python 2.5 finally
* Files:
vmodules.py
Description:
Removed the finally clause that is only available in Python 2.5.
Thanks to Cameron Caffee for the bug report and Brendan Dolan-Gavitt
for the bug fix.
10.17.2008 Volatility-1.3.1 awalters
* Bug: Checking for invalid pages
* Files:
forensics/object2.py
Description:
Added more checks to object2 to make sure the addresses
being accessed are valid. If not, then they now return a None.
Thanks to Jesse Kornblum for submitting a patch.
9.27.2008 Volatility-1.3.1 awalters
* Update: plugin directory now relative to registry
* Files:
forensics/registry.py
Description:
The plugin search is now performed relative to registry.py. Thanks
to Michael Cohen for the patch.
9.4.2008 Volatility-1.3.1 awalters
* Bug: length bug in hiberaddrspace
* Files:
forensics\win32\hiber_addrspace.py
Description:
We were referencing an undefined length variable. Thanks
to Andreas Schuster for sending the patch.
9.4.2008 Volatility-1.3.1 awalters
* Update: Find the plugin modules
* Files:
forensics/registry.py
Description:
Added the absolute path to search for dynamic plugins. This allows
volatility to be called from anywhere on the system. Thanks
to Andreas Schuster for sending the patch.
8.14.2008 Volatility-1.3 awalters
* Update: x86.py robustness
* Files:
forensics/x86.py
Description:
Added more robustness to the x86 address space. Thanks to Brendan
Dolan-Gavitt for sending in a bug report.
8.14.2008 Volatility-1.3 awalters
* Update: Standardized _LDR_MODULE -> _LDR_DATA_TABLE_ENTRY
* Files:
forensics/win32/modules.py
forensics/win32/scan.py
forensics/win32/scan2.py
Description:
Changed the data type names to make them more standardized across
operating system versions. Thanks Brendan Dolan-Gavitt for
sending in update request.
6.26.2008 Volatility-1.3 awalters
* Bug: regobjkey initialize list
* Files:
vmodules.py
Description:
When specifying an offset for regobjkey, the list
had not been initialized yet. Thanks to Brendan Dolan-Gavitt
for sending in a bug report.
6.24.2008 Volatility-1.3 awalters
* Update: 64-bit hosts
* Files:
forensics/object.py
forensics/win32/crashdump.py
forensics/win32/scan2.py
forensics/win32/network.py
forensics/win32/executable.py
Description:
Updated so that modules will work correctly
when run from 64-bit hosts using python 2.5.
Thanks to sham for sending in the bug report.
6.23.2008 Volatility-1.3 awalters
* Bug: Non-resident Vad address
* Files:
forensics/win32/vad.py
vmodules.py
Description:
Updated the vad modules to handle
invalid addresses in low memory situations.
Thanks to Bryan D. Payne for sending in
a bug report.
6.23.2008 Volatility-1.3 awalters
* Bug: Handle count paged
* Files:
forensics/win32/tasks.py
Description:
Received a sample where the ObjectTable
was not a valid address. Added a check to make
sure it is valid. Thanks to Bryan D. Payne
for sending in a bug report.
6.22.2008 Volatility-1.3 awalters
* Update: Ident info
* Files:
forensics/win32/tasks.py
vutils.py
Description:
Updated ident command so that it correctly
finds the version of XP, now that we have
support for SP3. Thanks to jeremie0 for noticing
and to Brendan Dolan-Gavitt for helping with
the fix.
6.11.2008 Volatility-1.3 awalters
* Update: Array Types
* Files:
forensics/object2.py
Description:
Changed arrays so that they now return objects
in cases where they are not native types. Thanks
to Brendan Dolan-Gavitt for the update!
6.8.2008 Volatility-1.3 awalters
* Bug: Invalid page directories
* Files:
vmodules.py
Description:
Added code to catch the cases when we encounter
invalid page directories. Thanks to both Angelo Cavallini
and Brendan Dolan-Gavitt for reporting this bug.
6.8.2008 Volatility-1.3 awalters
* Update: potential bad string characters (unicode escaping)
* Files:
forensics/win32/scan2.py
forensics/object.py
Description:
Attempting to standardize error handling related to unicode
conversions. Thus we are now passing an explicit error
string argument. Thanks to Brendan Dolan-Gavitt.
6.8.2008 Volatility-1.3 awalters
* Update: psscan2 check_dtb
* Files:
forensics/win32/scan2.py
Description:
Added a check from psscan to psscan2 in the
check_dtb constraint to make sure the DTB
had a value. Thanks Andreas Schuster!
6.7.2008 Volatility-1.3 awalters
* Update: SP3 support
* Files:
forensics/win32/network.py
Description:
Made changes to support SP3.
5.21.2008 Volatility-1.3 awalters
* Update: Changed create_addr_space api
* Files:
forensics/win32/tasks.py
memory_objects/Windows/xp_sp2.py
memory_plugins/example2.py
memory_plugins/example3.py
vmodules.py
Description:
Changed the create_addr_space API so that it does
not require types or filename. This was an
artifact of the way the function used to work.
5.17.2008 Volatility-1.3 awalters
* Feature: New Object Model
* Files:
forensics/registry.py
memory_objects/Windows/xp_sp2.py
memory_plugins/example3.py
forensics/object2.py
forensics/win32/meta_info.py
vutils.py
Description:
Added a new object model to make navigating the data
structures more intuitive. All future modules will be
transitioned to use this new model. Thanks to Brendan
Dolan-Gavitt for all his help!
5.14.2008 Volatility-1.3 awalters
* Feature: Plugin Architecture
* Files:
forensics/commands.py
forensics/registry.py
volatility
memory_plugins/example1.py
memory_plugins/example2.py
Description:
Added an entirely new plugin infrastructure. Now it is
possible to load the commands dynamically just by adding
them to the correct directory. This will allow people
to support their own modules. This work is based on a
similar registry implementation found in PyFlag.
Thanks to Michael Cohen and David Collett for the great
work they have done and help getting this code integrated.
5.13.2008 Volatility-1.3 awalters
* Feature: Hiberfil support
* Files:
vmodules.py
volatility
forensics/win32/hiber_addrspace.py
forensics/win32/xpress.py
forensics/win32/scan.py
forensics/win32/network.py
forensics/win32/datetime.py
Description:
Added native hiberfil support. Also added the ability
to convert from hiberfil to linear format. Now all the
commands can be run against hiberfils natively. This
is accomplished through the new hiberfil address space.
Thanks to Matthieu Suiche and Brendan Dolan-Gavitt for
all the great work they have done with hiberfil parsing
and the xpress compression algorithm.
5.13.2008 Volatility-1.3 awalters
* Feature: New scanning infrastructure
* Files:
vmodules.py
volatility
forensics/win32/scan2.py
forensics/win32/globals.py
forensics/win32/crash_addrspace.py
forensics/win32/datetime.py
Description:
Added an entirely new OO scanning infrastructure. This allows
for extremely fast scanning and easier scanning across the
logical address spaces. As part of this we also ported the
scanning modules over to the new infrastructure. Thanks to
Michael Cohen and Andreas Schuster for the help and ideas
to get this working!
5.7.2008 Volatility-1.3 awalters
* Bug: get_available_addresses
* Files:
forensics/x86.py
vmodules.py
volatility
Description:
Fixed an off-by-one error in get_available_address for
non-PAE machines that seemed to have crept back in. Also
changed the name of usrdmp to memdmp since it is really
dumping a process's addressable memory. Thanks Eoghan Casey!
4.30.2008 Volatility-1.3 awalters
* New Module: procdump
* Files:
forensics/win32/executable.py
vtypes.py
vmodules.py
Description:
Added a new module that will allow the analyst to extract
the executable from memory for further analysis. Thanks to
Brendan Dolan-Gavitt for all your hard work!
4.28.2008 Volatility-1.3 awalters
* Bug: open registry keys
* Files:
forensics/win32/handles.py
Description:
During testing Brendan found a bug when processing object types.
It would have been possible to enumerate KeyedEvents. Thanks
Brendan Dolan-Gavitt!
4.28.2008 Volatility-1.3 awalters
* New Module: regobjkey
* Files:
vmodules.py
forensics/win32/registry.py
forensics/win32/handles.py
vtypes.py
Description:
Added a new module that will allow an analyst to dump the open
registry keys found in the object table. Thanks to
Brendan Dolan-Gavitt for his contributions!
4.27.2008 Volatility-1.3 awalters
* Feature: psscan dot format
* Files:
vmodules.py
forensics/win32/scan.py
Description:
Added the ability to print the output of psscan in dot format.
Similar to that available by ptfinder by Andreas Schuster. This
was requested by Eoghan Casey.
4.23.2008 Volatility-1.3 awalters
* Usability: Pass pid or EPROCESS offset
Files:
vmodules.py
forensics/win32/handles.py
Description:
Added the ability to dump files and dlllist by pid or EPROCESS
offset. One reason this was asked for was to deal with data-only
attacks, which may remove the process from the process list.
Thanks to Eoghan Casey for the feedback!
4.23.2008 Volatility-1.3 awalters
* New Modules: dmp2raw, raw2dmp
Files:
vtypes.py
vmodules.py
forensics/win32/crashdump.py
forensics/win32/info.py
forensics/win32/tasks.py
Description:
Added modules to convert from raw dumps to crash dumps and vice
versa. Thanks to Andreas Schuster for helping to get this started
and thanks to Brendan Dolan-Gavitt for helping get it perfected!
4.23.2008 Volatility-1.3 awalters
* Optimization: KUSER_SHARED_DATA
Files:
vmodules.py
Description:
Changed KUSER_SHARED_DATA in get_image_info and get_datetime to
point to 0xFFDF0000 instead of 0x7ffe0000. Thanks Brendan
Dolan-Gavitt!
4.1.2008 Volatility-1.2.3pre awalters
* Bug: socket crash
Files:
forensics/win32/network.py
Description:
In get_open_sockets, we needed to make sure that the AddrObjAddr
and AddrTableSize were not None and, if they were, fail gracefully.
Thanks to Eoghan Casey for the bug report.
3.3.2008 Volatility-1.2.3pre awalters
* Bug: get_obj_offset() non-builtin
Files:
forensics/object.py
Description:
Modified get_obj_offset to support arrays of non-builtin types.
Thanks Brendan Dolan-Gavitt!
2.27.2008 Volatility-1.2.3pre awalters
* Bug: Not traversing complete module list
Files:
forensics/win32/modules.py
Description:
Traversing the module list should not stop when it reaches a None but
continue to the next module
2.27.2008 Volatility-1.2.3pre awalters
* Bug: is_valid_address(addr)
Files:
forensics/addrspace.py
forensics/x86.py
Description:
is_valid_address was failing to check if addr was None. This was found
by analyzing hiberfile images. Thanks to Brendan Dolan-Gavitt and
Andreas Schuster for helping me find the problem!
2.25.2008 Volatility-1.2.3pre awalters
* Bug: hidden processes
Files:
vmodules.py
Description:
Both usrdmp and memmap were unable to handle hidden processes. They
can now be passed the offset to an EPROCESS object. Thanks to Eoghan
Casey for the bug report.
12.28.2007 Volatility-1.2.3pre awalters
* Bug: 64 bit
Files:
forensics/addrspace.py
forensics/object.py
forensics/win32/scan.py
forensics/x86.py
forensics/win32/crash_addrspace.py
Description:
Fixed a bug that occurs when people are running Python 2.5 on
a 64 bit OS. Python 2.5 changed the way that Python native types
are stored and thus changed the unpack usage. Thanks to Jamie Levy
and students!
11.28.2007 Volatility-1.2.2pre awalters
* Bug: memmap
Files:
vmodules.py
Description:
mem_map fixed so that you can specify a particular process.
11.28.2007 Volatility-1.2.2pre awalters
* Bug: dtb_aligned
Files:
forensics/win32/scan.py
Description:
On systems using PAE, EPROCESS.DirectoryTableBase actually
points to the base of the page directory pointer array.
Thanks Andreas Schuster.
11.27.2007 Volatility-1.2.2pre awalters
* Optimization: find_dtb
Files:
forensics/win32/tasks.py
Description:
Dramatically reduced the time for find_dtb. Thanks Michael Cohen.
09.21.2007 Volatility-1.2.1pre awalters
* New Module: usrdmp
Files:
vmodules.py
Description:
Dumps a process's address space. Thanks Eoghan Casey.
09.20.2007 Volatility-1.2pre awalters
* New Module: modscan
Files:
vmodules.py
forensics/win32/scan.py
forensics/win32/globals.py
Description:
Performs a linear scan for memory resident Windows modules. Contributed by Andreas Schuster.
* New Module: memmap
Files:
vmodules.py
forensics/x86.py
Description:
Provides a map of the virtual to physical address translations within
a particular address space. Based on similar tools by Andreas
Schuster (memdump.pl) and Brendan Dolan-Gavitt (memdump.py).
* New Module: dmpchk
Files:
vmodules.py
forensics/win32/crash_addrspace.py
Description:
Prints auxiliary information about the crash dump file.
* New Module: WindowsCrashDumpSpace32
Files:
forensics/x86.py
forensics/win32/crash_addrspace.py
Description:
Provides the ability to use crash dumps as input to Volatility. This is
accomplished through the use of stackable address spaces. Contributions
from Andreas Schuster.
* New Feature: get_available_pages()
Files:
forensics/x86.py
Description:
This function allows an investigator to find all available pages within a particular address space. Thanks Brendan Dolan-Gavitt.
* New Feature: zread()
Files:
forensics/x86.py
forensics/addrspace.py
forensics/win32/crash_addrspace.py
Description:
Added the ability to continue reading even if pages are unavailable.
Invalid pages are replaced with zeros. Thanks Brendan Dolan-Gavitt.
07.31.2007 Volatility-1.1.1 awalters
* Virtual Address Descriptor modules: vadinfo, vaddump, vadwalk. Based on the research of Brendan Dolan-Gavitt to be presented at DFRWS 2007
* Constraint based linear scanning framework. New modules include psscan, thrdscan, sockscan, connscan. Inspired by the work of Andreas Schuster.
* Completely open source. No third-party closed source dependencies.
* Auto-identification speed enhancements
* Bug fixes in network and socket modules
* Removed symbol dependencies
* Multiprocessor support
================================================
FILE: CREDITS.txt
================================================
===============================================
We would like to acknowledge individuals that
have made significant contributions, code, or
ideas toward the respective volatility releases.
All lists are alphabetical.
These lists exclude the core Volatility authors,
who are identified in AUTHORS.txt.
If you believe you've been left off, it is not
intentional. Please bring it to our attention!
===============================================
Volatility 2.6:
jie-lin for fixing a pyinstaller NameError issue
gcmoreira for fixing a recursive property issue in Linux plugins
Adam Bridge for updating the EditBox plugin
jie-lin for preventing a backtrace in the MBR parser plugin
haco20292 for fixing a bug in linux_dmesg
williamshowalter for updating mac_get_profile and convert.py for El Capitan support
robbyFux for fixing a bug in the svcscan plugin
f-s-p for adding unified output to the threads plugin
Binary_Raider for adding the powershell empire plugins
ozylol for updating create_all_profiles.py for Mac 10.11
JamesHabben for adjusting sqlite inserts to allow for more columns to exist in table
Volatility 2.5:
Adam Bridge for adding a --count option (humanly readable byte stats) to imagecopy/raw2dmp
Sebastien Bourdon-Richard for various patches and bug fixes
Bruno Constanzo for various patches to enhance performance/optimization
Glenn P. Edwards, Jr for adding combined user/kernel scans, --case, and ascii/unicode options to yarascan
@f-s-p for converting some plugins to unified output format
Cem Gurkok for submitting the mac_threads plugin
Takahiro Haruyama for noticing and fixing a bug in impscan
@masdif for contributing a fix for kernel 3.7+ in linux/module.c
Wyatt Roersma for converting a large number of plugins to the unified output format
Karl Vogel for pointing out an issue with IPv4 addresses on big endian systems
Volatility 2.4:
Steven Adair for assistance identifying a large memory PAE bug
Sebastien Bourdon-Richard for his work on the VMware vmem/vmss split (with meta) AS
Justin Capella and Espen Olsen for their work on the Qemu ELF core dumps
Cem Gurkok for help updating Mac OS X support for 10.9
Matt McCormack for supplying a patch to rebase dumped PE files
Stewart McIntyre for extending apihooks for detecting JMP FAR instructions
Kevin Marker for contributing over 160 standard build Linux profiles
synack33 for creating various Mac OS X profiles, including initial ones for 10.10
Raphaël Vinot for his patch to fix IPython within volshell
Volatility 2.3:
Cem Gurkok for his work on the privileges plugin for Windows
Nir Izraeli for his work on the VMware snapshot address space (see also the vmsnparser project)
@osxmem of the volafox project (Mac OS X & BSD Memory Analysis Toolkit)
@osxreverser of reverse.put.as for his help with OSX memory analysis
Carl Pulley for numerous bug reports, example patches, and plugin testing
Andreas Schuster for his work on poison ivy plugins for Windows
Joe Sylve for his work on the ARM address space and significant contributions to linux and mac capabilities
Philippe Teuwen for his work on the virtual box address space
Santiago Vicente for his work on the citadel plugins for Windows
Volatility 2.2:
------------
Joe Sylve
Volatility 2.1:
------------
---
Volatility 2.0:
------------
Frank Boldewin
Carl Pulley
Andreas Schuster
Bradley Schatz
Volatility 1.3:
------------
Harlan Carvey
Michael Cohen
David Collett
Brendan Dolan-Gavitt
Andreas Schuster
Matthieu Suiche
We would also like to acknowledge those who have provided valuable
feedback, bug reports, and testing:
Jide Abu
Joseph Ayo Akinyele
Tommaso Assandri
Richard Austin
Cameron C Caffee
Eoghan Casey
Angelo Cavallini
Andre' DiMino
Jon Evans
Robert Guess
Christian Herndler
jeremie0
Jamie Levy
Eugene Libster
Erik Ligda
Robert Lowe
Tony Martin
Timothy Morgan
Bryan D. Payne
Golden G. Richard III
Wyatt Roersma
RB
Sam F. Stover
Marko Thure
================================================
FILE: LEGAL.txt
================================================
Volatility
===============
License
-------
Copyright (C) 2007-2013 Volatility Foundation
Volatility is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
Volatility is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Volatility. If not, see <http://www.gnu.org/licenses/>.
================================================
FILE: LICENSE.txt
================================================
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
================================================
FILE: MANIFEST.in
================================================
# Patterns for files to add to the source distribution; the Makefile's "dist"
# target builds it with "python setup.py sdist".
# Each "include" pattern is relative to the project root.
include *.txt
include *.win
include MANIFEST.in
include setup.py
include resources/*
include pyinstaller/*.py
# NOTE(review): "*" matches within a single directory only, so this line does
# not cover subpackages such as volatility/plugins/ -- presumably those are
# picked up through the package list in setup.py; confirm.
include volatility/*.py
include contrib/plugins/*.py
include contrib/plugins/aspaces/*.py
include tools/*.py
include tools/linux/*
# NOTE(review): the repository listing shows tools/linux/kcore/ but no
# tools/linux/pmem/ -- confirm this pattern still matches anything.
include tools/linux/pmem/*
include tools/mac/*.py
include vol.py
include Makefile
include pyinstaller.spec
================================================
FILE: Makefile
================================================
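# Convenience wrapper around setup.py: build, install, package and clean.

# None of these targets produces a file named after itself. Declaring them
# phony matters because "clean" shows that build/ and dist/ exist as
# directories after a run; without .PHONY, make would consider the "build"
# and "dist" targets up to date as soon as those directories exist and would
# silently skip the setup.py step.
.PHONY: all build install dist clean

all: build

build:
	python setup.py build

install:
	python setup.py install

dist:
	python setup.py sdist

# Remove compiled bytecode and editor backup files, then the output
# directories. find runs rm itself, so paths containing whitespace or shell
# metacharacters are never re-split by the shell; the parentheses keep both
# -name tests under the -exec action.
clean:
	find . \( -name "*.pyc" -o -name "*~" \) -exec rm -f {} +
	rm -rf dist build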
================================================
FILE: PKG-INFO
================================================
Metadata-Version: 1.0
Name: Volatility
Version: GC1
Summary: Volatility -- Volatile memory framework
Home-page: http://www.volatilityfoundation.org
Author: AAron Walters
Author-email: awalters@4tphi.net
License: GPL
Description: UNKNOWN
Platform: UNKNOWN
================================================
FILE: README.txt
================================================
This project is archived. See Volatility 3 for modern investigations: https://github.com/volatilityfoundation/volatility3
============================================================================
Volatility Framework - Volatile memory extraction utility framework
============================================================================
The Volatility Framework is a completely open collection of tools,
implemented in Python under the GNU General Public License, for the
extraction of digital artifacts from volatile memory (RAM) samples.
The extraction techniques are performed completely independent of the
system being investigated but offer visibility into the runtime state
of the system. The framework is intended to introduce people to the
techniques and complexities associated with extracting digital artifacts
from volatile memory samples and provide a platform for further work into
this exciting area of research.
The Volatility distribution is available from:
http://www.volatilityfoundation.org/#!releases/component_71401
Volatility should run on any platform that supports
Python (http://www.python.org)
Volatility supports investigations of the following memory images:
Windows:
* 32-bit Windows XP Service Pack 2 and 3
* 32-bit Windows 2003 Server Service Pack 0, 1, 2
* 32-bit Windows Vista Service Pack 0, 1, 2
* 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
* 32-bit Windows 7 Service Pack 0, 1
* 32-bit Windows 8, 8.1, and 8.1 Update 1
* 32-bit Windows 10 (initial support)
* 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows Vista Service Pack 0, 1, 2
* 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2008 R2 Server Service Pack 0 and 1
* 64-bit Windows 7 Service Pack 0 and 1
* 64-bit Windows 8, 8.1, and 8.1 Update 1
* 64-bit Windows Server 2012 and 2012 R2
* 64-bit Windows 10 (including at least 10.0.19041)
* 64-bit Windows Server 2016 (including at least 10.0.19041)
Note: Please see the guidelines at the following link for notes on
compatibility with recently patched Windows 7 (or later) memory samples:
https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles
Linux:
* 32-bit Linux kernels 2.6.11 to 5.5
* 64-bit Linux kernels 2.6.11 to 5.5
* OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc
Mac OSX:
* 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
* 32-bit 10.6.x Snow Leopard
* 64-bit 10.6.x Snow Leopard
* 32-bit 10.7.x Lion
* 64-bit 10.7.x Lion
* 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
* 64-bit 10.9.x Mavericks (there is no 32-bit version)
* 64-bit 10.10.x Yosemite (there is no 32-bit version)
* 64-bit 10.11.x El Capitan (there is no 32-bit version)
* 64-bit 10.12.x Sierra (there is no 32-bit version)
* 64-bit 10.13.x High Sierra (there is no 32-bit version)
* 64-bit 10.14.x Mojave (there is no 32-bit version)
* 64-bit 10.15.x Catalina (there is no 32-bit version)
Volatility does not provide memory sample acquisition
capabilities. For acquisition, there are both free and commercial
solutions available. If you would like suggestions about suitable
acquisition solutions, please contact us at:
volatility (at) volatilityfoundation (dot) org
Volatility supports a variety of sample file formats and the
ability to convert between these formats:
- Raw linear sample (dd)
- Hibernation file (from Windows 7 and earlier)
- Crash dump file
- VirtualBox ELF64 core dump
- VMware saved state and snapshot files
- EWF format (E01)
- LiME format
- Mach-O file format
- QEMU virtual machine dumps
- Firewire
- HPAK (FDPro)
For a more detailed list of capabilities, see the following:
https://github.com/volatilityfoundation/volatility/wiki
Also see the community plugins repository:
https://github.com/volatilityfoundation/community
Example Data
============
If you want to give Volatility a try, you can download exemplar
memory images from the following url:
https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
Mailing Lists
=============
Mailing lists to support the users and developers of Volatility
can be found at the following address:
http://lists.volatilesystems.com/mailman/listinfo
Contact
=======
For information or requests, contact:
Volatility Foundation
Web: http://www.volatilityfoundation.org
http://volatility-labs.blogspot.com
http://volatility.tumblr.com
Email: volatility (at) volatilityfoundation (dot) org
IRC: #volatility on freenode
Twitter: @volatility
Requirements
============
- Python 2.6 or later, but not 3.0. http://www.python.org
Some plugins may have other requirements which can be found at:
https://github.com/volatilityfoundation/volatility/wiki/Installation
Quick Start
===========
1. Unpack the latest version of Volatility from
volatilityfoundation.org
2. To see available options, run "python vol.py -h" or "python vol.py --info"
Example:
$ python vol.py --info
Volatility Foundation Volatility Framework 2.6
Address Spaces
--------------
AMD64PagedMemory - Standard AMD 64-bit address space.
ArmAddressSpace - Address space for ARM processors
FileAddressSpace - This is a direct file AS.
HPAKAddressSpace - This AS supports the HPAK format
IA32PagedMemory - Standard IA-32 paging address space.
IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible
LimeAddressSpace - Address space for Lime
LinuxAMD64PagedMemory - Linux-specific AMD 64-bit address space.
MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
OSXPmemELF - This AS supports VirtualBox ELF64 coredump format
QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format
VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files
VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata
VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format
Win10AMD64PagedMemory - Windows 10-specific AMD 64-bit address space.
WindowsAMD64PagedMemory - Windows-specific AMD 64-bit address space.
WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format
WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.
Profiles
--------
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win10x64 - A Profile for Windows 10 x64
Win10x64_10586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x86 - A Profile for Windows 10 x86
Win10x86_10586 - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)
Win10x86_14393 - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16)
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win2012R2x64 - A Profile for Windows Server 2012 R2 x64
Win2012R2x64_18340 - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13)
Win2012x64 - A Profile for Windows Server 2012 x64
Win2016x64_14393 - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16)
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x64_23418 - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86 - A Profile for Windows 7 SP1 x86
Win7SP1x86_23418 - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win81U1x64 - A Profile for Windows 8.1 Update 1 x64
Win81U1x86 - A Profile for Windows 8.1 Update 1 x86
Win8SP0x64 - A Profile for Windows 8 x64
Win8SP0x86 - A Profile for Windows 8 x86
Win8SP1x64 - A Profile for Windows 8.1 x64
Win8SP1x64_18340 - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13)
Win8SP1x86 - A Profile for Windows 8.1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86
Plugins
-------
amcache - Print AmCache information
apihooks - Detect API hooks in process and kernel memory
atoms - Print session and window station atom tables
atomscan - Pool scanner for atom tables
auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools - Dump the big page pools using BigPagePoolScanner
bioskbd - Reads the keyboard buffer from Real Mode memory
cachedump - Dumps cached domain hashes from memory
callbacks - Print system-wide notification routines
clipboard - Extract the contents of the windows clipboard
cmdline - Display process command-line arguments
cmdscan - Extract command history by scanning for _COMMAND_HISTORY
connections - Print list of open connections [Windows XP and 2003 Only]
connscan - Pool scanner for tcp connections
consoles - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo - Dump crash-dump information
deskscan - Poolscaner for tagDESKTOP (desktops)
devicetree - Show device tree
dlldump - Dump DLLs from a process address space
dlllist - Print list of loaded dlls for each process
driverirp - Driver IRP hook detection
drivermodule - Associate driver objects to kernel modules
driverscan - Pool scanner for driver objects
dumpcerts - Dump RSA private and public SSL keys
dumpfiles - Extract memory mapped and cached files
dumpregistry - Dumps registry files out to disk
editbox - Displays information about Edit controls. (Listbox experimental.)
envars - Display process environment variables
eventhooks - Print details on windows event hooks
evtlogs - Extract Windows Event Logs (XP/2003 only)
filescan - Pool scanner for file objects
gahti - Dump the USER handle type information
gditimers - Print installed GDI timers and callbacks
gdt - Display Global Descriptor Table
getservicesids - Get the names of services in the Registry and return Calculated SID
getsids - Print the SIDs owning each process
handles - Print list of open handles for each process
hashdump - Dumps passwords hashes (LM/NTLM) from memory
hibinfo - Dump hibernation file information
hivedump - Prints out a hive
hivelist - Print list of registry hives.
hivescan - Pool scanner for registry hives
hpakextract - Extract physical memory from an HPAK file
hpakinfo - Info on an HPAK file
idt - Display Interrupt Descriptor Table
iehistory - Reconstruct Internet Explorer cache / history
imagecopy - Copies a physical address space out as a raw DD image
imageinfo - Identify information for the image
impscan - Scan for calls to imported functions
joblinks - Print process job link information
kdbgscan - Search for and dump potential KDBG values
kpcrscan - Search for and dump potential KPCR values
ldrmodules - Detect unlinked DLLs
limeinfo - Dump Lime file format information
linux_apihooks - Checks for userland apihooks
linux_arp - Print the ARP table
linux_aslr_shift - Automatically detect the Linux ASLR shift
linux_banner - Prints the Linux banner information
linux_bash - Recover bash history from bash process memory
linux_bash_env - Recover a process' dynamic environment variables
linux_bash_hash - Recover bash hash table from bash process memory
linux_check_afinfo - Verifies the operation function pointers of network protocols
linux_check_creds - Checks if any processes are sharing credential structures
linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking
linux_check_fop - Check file operation structures for rootkit modifications
linux_check_idt - Checks if the IDT has been altered
linux_check_inline_kernel - Check for inline kernel hooks
linux_check_modules - Compares module list to sysfs info, if available
linux_check_syscall - Checks if the system call table has been altered
linux_check_syscall_arm - Checks if the system call table has been altered
linux_check_tty - Checks tty devices for hooks
linux_cpuinfo - Prints info about each active processor
linux_dentry_cache - Gather files from the dentry cache
linux_dmesg - Gather dmesg buffer
linux_dump_map - Writes selected memory mappings to disk
linux_dynamic_env - Recover a process' dynamic environment variables
linux_elfs - Find ELF binaries in process mappings
linux_enumerate_files - Lists files referenced by the filesystem cache
linux_find_file - Lists and recovers files from memory
linux_getcwd - Lists current working directory of each process
linux_hidden_modules - Carves memory to find hidden kernel modules
linux_ifconfig - Gathers active interfaces
linux_info_regs - It's like 'info registers' in GDB. It prints out all the
linux_iomem - Provides output similar to /proc/iomem
linux_kernel_opened_files - Lists files that are opened from within the kernel
linux_keyboard_notifiers - Parses the keyboard notifier call chain
linux_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
linux_library_list - Lists libraries loaded into a process
linux_librarydump - Dumps shared libraries in process memory to disk
linux_list_raw - List applications with promiscuous sockets
linux_lsmod - Gather loaded kernel modules
linux_lsof - Lists file descriptors and their path
linux_malfind - Looks for suspicious process mappings
linux_memmap - Dumps the memory map for linux tasks
linux_moddump - Extract loaded kernel modules
linux_mount - Gather mounted fs/devices
linux_mount_cache - Gather mounted fs/devices from kmem_cache
linux_netfilter - Lists Netfilter hooks
linux_netscan - Carves for network connection structures
linux_netstat - Lists open sockets
linux_pidhashtable - Enumerates processes through the PID hash table
linux_pkt_queues - Writes per-process packet queues out to disk
linux_plthook - Scan ELF binaries' PLT for hooks to non-NEEDED images
linux_proc_maps - Gathers process memory maps
linux_proc_maps_rb - Gathers process maps for linux through the mappings red-black tree
linux_procdump - Dumps a process's executable image to disk
linux_process_hollow - Checks for signs of process hollowing
linux_psaux - Gathers processes along with full command line and start time
linux_psenv - Gathers processes along with their static environment variables
linux_pslist - Gather active tasks by walking the task_struct->task list
linux_pslist_cache - Gather tasks from the kmem_cache
linux_psscan - Scan physical memory for processes
linux_pstree - Shows the parent/child relationship between processes
linux_psxview - Find hidden processes with various process listings
linux_recover_filesystem - Recovers the entire cached file system from memory
linux_route_cache - Recovers the routing cache from memory
linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
linux_slabinfo - Mimics /proc/slabinfo on a running machine
linux_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
linux_threads - Prints threads of processes
linux_tmpfs - Recovers tmpfs filesystems from memory
linux_truecrypt_passphrase - Recovers cached Truecrypt passphrases
linux_vma_cache - Gather VMAs from the vm_area_struct cache
linux_volshell - Shell in the memory image
linux_yarascan - A shell in the Linux memory image
lsadump - Dump (decrypted) LSA secrets from the registry
mac_adium - Lists Adium messages
mac_apihooks - Checks for API hooks in processes
mac_apihooks_kernel - Checks to see if system call and kernel functions are hooked
mac_arp - Prints the arp table
mac_bash - Recover bash history from bash process memory
mac_bash_env - Recover bash's environment variables
mac_bash_hash - Recover bash hash table from bash process memory
mac_calendar - Gets calendar events from Calendar.app
mac_check_fop - Validate File Operation Pointers
mac_check_mig_table - Lists entires in the kernel's MIG table
mac_check_syscall_shadow - Looks for shadow system call tables
mac_check_syscalls - Checks to see if system call table entries are hooked
mac_check_sysctl - Checks for unknown sysctl handlers
mac_check_trap_table - Checks to see if mach trap table entries are hooked
mac_compressed_swap - Prints Mac OS X VM compressor stats and dumps all compressed pages
mac_contacts - Gets contact names from Contacts.app
mac_dead_procs - Prints terminated/de-allocated processes
mac_dead_sockets - Prints terminated/de-allocated network sockets
mac_dead_vnodes - Lists freed vnode structures
mac_devfs - Lists files in the file cache
mac_dmesg - Prints the kernel debug buffer
mac_dump_file - Dumps a specified file
mac_dump_maps - Dumps memory ranges of process(es), optionally including pages in compressed swap
mac_dyld_maps - Gets memory maps of processes from dyld data structures
mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
mac_get_profile - Automatically detect Mac profiles
mac_ifconfig - Lists network interface information for all devices
mac_interest_handlers - Lists IOKit Interest Handlers
mac_ip_filters - Reports any hooked IP filters
mac_kernel_classes - Lists loaded c++ classes in the kernel
mac_kevents - Show parent/child relationship of processes
mac_keychaindump - Recovers possbile keychain keys. Use chainbreaker to open related keychain files
mac_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
mac_librarydump - Dumps the executable of a process
mac_list_files - Lists files in the file cache
mac_list_kauth_listeners - Lists Kauth Scope listeners
mac_list_kauth_scopes - Lists Kauth Scopes and their status
mac_list_raw - List applications with promiscuous sockets
mac_list_sessions - Enumerates sessions
mac_list_zones - Prints active zones
mac_lsmod - Lists loaded kernel modules
mac_lsmod_iokit - Lists loaded kernel modules through IOkit
mac_lsmod_kext_map - Lists loaded kernel modules
mac_lsof - Lists per-process opened files
mac_machine_info - Prints machine information about the sample
mac_malfind - Looks for suspicious process mappings
mac_memdump - Dump addressable memory pages to a file
mac_moddump - Writes the specified kernel extension to disk
mac_mount - Prints mounted device information
mac_netstat - Lists active per-process network connections
mac_network_conns - Lists network connections from kernel network structures
mac_notesapp - Finds contents of Notes messages
mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
mac_orphan_threads - Lists threads that don't map back to known modules/processes
mac_pgrp_hash_table - Walks the process group hash table
mac_pid_hash_table - Walks the pid hash table
mac_print_boot_cmdline - Prints kernel boot arguments
mac_proc_maps - Gets memory maps of processes
mac_procdump - Dumps the executable of a process
mac_psaux - Prints processes with arguments in user land (**argv)
mac_psenv - Prints processes with environment in user land (**envp)
mac_pslist - List Running Processes
mac_pstree - Show parent/child relationship of processes
mac_psxview - Find hidden processes with various process listings
mac_recover_filesystem - Recover the cached filesystem
mac_route - Prints the routing table
mac_socket_filters - Reports socket filters
mac_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
mac_tasks - List Active Tasks
mac_threads - List Process Threads
mac_threads_simple - Lists threads along with their start time and priority
mac_timers - Reports timers set by kernel drivers
mac_trustedbsd - Lists malicious trustedbsd policies
mac_version - Prints the Mac version
mac_vfsevents - Lists processes filtering file system events
mac_volshell - Shell in the memory image
mac_yarascan - Scan memory for yara signatures
machoinfo - Dump Mach-O file format information
malfind - Find hidden and injected code
mbrparser - Scans for and parses potential Master Boot Records (MBRs)
memdump - Dump the addressable memory for a process
memmap - Print the memory map
messagehooks - List desktop and thread window message hooks
mftparser - Scans for and parses potential MFT entries
moddump - Dump a kernel driver to an executable file sample
modscan - Pool scanner for kernel modules
modules - Print list of loaded modules
multiscan - Scan for various objects at once
mutantscan - Pool scanner for mutex objects
netscan - Scan a Vista (or later) image for connections and sockets
notepad - List currently displayed notepad text
objtypescan - Scan for Windows object type objects
patcher - Patches memory based on page scans
poolpeek - Configurable pool scanner plugin
pooltracker - Show a summary of pool tag usage
printkey - Print a registry key, and its subkeys and values
privs - Display process privileges
procdump - Dump a process to an executable file sample
pslist - Print all running processes by following the EPROCESS lists
psscan - Pool scanner for process objects
pstree - Print process list as a tree
psxview - Find hidden processes with various process listings
qemuinfo - Dump Qemu information
raw2dmp - Converts a physical memory sample to a windbg crash dump
screenshot - Save a pseudo-screenshot based on GDI windows
servicediff - List Windows services (ala Plugx)
sessions - List details on _MM_SESSION_SPACE (user logon sessions)
shellbags - Prints ShellBags info
shimcache - Parses the Application Compatibility Shim Cache registry key
shutdowntime - Print ShutdownTime of machine from registry
sockets - Print list of open sockets
sockscan - Pool scanner for tcp socket objects
ssdt - Display SSDT entries
strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan - Scan for Windows services
symlinkscan - Pool scanner for symlink objects
thrdscan - Pool scanner for thread objects
threads - Investigate _ETHREAD and _KTHREADs
timeliner - Creates a timeline from various artifacts in memory
timers - Print kernel timers and associated module DPCs
truecryptmaster - Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase - TrueCrypt Cached Passphrase Finder
truecryptsummary - TrueCrypt Summary
unloadedmodules - Print list of unloaded modules
userassist - Print userassist registry keys and information
userhandles - Dump the USER handle tables
vaddump - Dumps out the vad sections to a file
vadinfo - Dump the VAD info
vadtree - Walk the VAD tree and display in tree format
vadwalk - Walk the VAD tree
vboxinfo - Dump virtualbox information
verinfo - Prints out the version information from PE images
vmwareinfo - Dump VMware VMSS/VMSN information
volshell - Shell in the memory image
win10cookie - Find the ObHeaderCookie value for Windows 10
windows - Print Desktop Windows (verbose details)
wintree - Print Z-Order Desktop Windows Tree
wndscan - Pool scanner for window stations
yarascan - Scan process or kernel memory with Yara signatures
3. To get more information on a Windows memory sample and to make sure Volatility
supports that sample type, run 'python vol.py imageinfo -f <imagename>' or 'python vol.py kdbgscan -f <imagename>'
Example:
$ python vol.py imageinfo -f WIN-II7VOJTUNGL-20120324-193051.raw
Volatility Foundation Volatility Framework 2.6
Determining profile based on KDBG search...
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw)
PAE type : PAE
DTB : 0x187000L
KDBG : 0xf800016460a0
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80001647d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2012-03-24 19:30:53 UTC+0000
Image local date and time : 2012-03-25 03:30:53 +0800
If multiple profiles are suggested by imageinfo or kdbgscan, or if you're having trouble analyzing
Windows 7 or later memory samples, please see the guidelines here:
https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles
4. Run some other plugins. -f is a required option for all plugins. Some
also require/accept other options. Run "python vol.py <plugin> -h" for
more information on a particular command. A Command Reference wiki
is also available on the GitHub site:
https://github.com/volatilityfoundation/volatility/wiki
as well as Basic Usage:
https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
Licensing and Copyright
=======================
Copyright (C) 2007-2016 Volatility Foundation
All Rights Reserved
Volatility is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
Volatility is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Volatility. If not, see <http://www.gnu.org/licenses/>.
Bugs and Support
================
There is no support provided with Volatility. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
If you think you've found a bug, please report it at:
https://github.com/volatilityfoundation/volatility/issues
In order to help us solve your issues as quickly as possible,
please include the following information when filing a bug:
* The version of volatility you're using
* The operating system used to run volatility
* The version of python used to run volatility
* The suspected operating system of the memory image
* The complete command line you used to run volatility
Depending on the operating system of the memory image, you may need to provide
additional information, such as:
For Windows:
* The suspected Service Pack of the memory image
For Linux:
* The suspected kernel version of the memory image
Other options for communication can be found at:
https://github.com/volatilityfoundation/volatility/wiki
Missing or Truncated Information
================================
Volatility Foundation makes no claims about the validity or correctness of the
output of Volatility. Many factors can make that output incorrect or
incomplete, including, but not limited to, malicious modifications to the
operating system, incomplete information due to swapping, and corruption of
information during image acquisition.
Command Reference
====================
The following url contains a reference of all commands supported by
Volatility.
https://github.com/volatilityfoundation/volatility/wiki
================================================
FILE: contrib/__init__.py
================================================
================================================
FILE: contrib/library_example/libapi.py
================================================
# Volatility
# Copyright (c) 2015 Michael Ligh (michael.ligh@mnin.org)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
import copy, StringIO, json
import volatility.conf as conf
import volatility.registry as registry
import volatility.commands as commands
import volatility.addrspace as addrspace
# Instantiated at import time purely for its side effect; the return value is
# discarded. Presumably this imports Volatility's plugin modules so that plugin
# classes are available to callers -- confirm in volatility/registry.py.
registry.PluginImporter()
def get_json(config, plugin_class):
    """Run one plugin and return its JSON rendering as Python objects.

    The plugin is built from a deep copy of `config`, so whatever the plugin
    does to its configuration does not reach the caller's object. The plugin's
    calculate() result is passed to its render_json(), the text is captured in
    an in-memory buffer and parsed with json.loads().

    The parsed values are derived from the analysed memory image; callers that
    store or display them should handle them as untrusted data.
    """
    private_config = copy.deepcopy(config)
    plugin = plugin_class(private_config)
    buf = StringIO.StringIO()
    plugin.render_json(buf, plugin.calculate())
    return json.loads(buf.getvalue())
def get_config(profile, target_path):
    """Create a configuration object pointing at one memory sample.

    Registers the global options of commands.Command and
    addrspace.BaseAddressSpace on a fresh ConfObject, parses options, then
    sets PROFILE to `profile` and LOCATION to a file:// URL built from
    `target_path`. Returns the configured object.
    """
    cfg = conf.ConfObject()
    for option_owner in (commands.Command, addrspace.BaseAddressSpace):
        registry.register_global_options(cfg, option_owner)
    # NOTE(review): parse_options() is called without arguments; presumably it
    # reads the process command line, which matters when this module is used
    # as a library inside another program -- confirm in volatility/conf.py.
    cfg.parse_options()
    cfg.PROFILE = profile
    # NOTE(review): target_path is placed in the URL without any quoting. If
    # the address space URL-decodes LOCATION, paths containing characters such
    # as '%' or '#' may resolve to a different file than intended -- verify
    # against the address space that consumes LOCATION.
    cfg.LOCATION = "file://{0}".format(target_path)
    return cfg
================================================
FILE: contrib/library_example/pslist_json.py
================================================
# Volatility
# Copyright (c) 2015 Michael Ligh (michael.ligh@mnin.org)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import volatility.plugins.taskmods as taskmods
import libapi
def main():
    """Print the name of each process reported by the PSList plugin.

    Command line:
        sys.argv[1] -- Volatility profile
        sys.argv[2] -- full path on disk to the memory sample
    """
    profile, sample_path = sys.argv[1], sys.argv[2]
    config = libapi.get_config(profile, sample_path)
    data = libapi.get_json(config, taskmods.PSList)

    ## `data` holds two keys. `columns` is the list of column headings
    ## (matching the plugin's normal output) and `rows` is a list with one
    ## list of values per object found. Either use all columns, or look up
    ## the index of the column of interest and read that position from each
    ## row, as done here for the process name.
    ## The values come from the analysed image and are printed unmodified.
    name_index = data['columns'].index('Name')
    for row in data['rows']:
        print(row[name_index])


if __name__ == "__main__":
    main()
================================================
FILE: contrib/plugins/README.md
================================================
Plugins in this directory have moved. Please see the github.com/volatilityfoundation/community repository.
================================================
FILE: contrib/plugins/__init__.py
================================================
================================================
FILE: contrib/plugins/aspaces/README.md
================================================
Plugins in this directory have moved. Please see the github.com/volatilityfoundation/community repository.
================================================
FILE: contrib/plugins/disablewarnings.py
================================================
# Volatility
#
# Authors:
# Mike Auty <mike.auty@gmail.com>
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
import volatility.conf as conf
import logging
# Configuration object on which the WARNINGS option is registered further down
# in this file.
config = conf.ConfObject()
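def disable_warnings(_option, _opt_str, _value, _parser):
    """Option callback that silences warning-level log messages.

    Raises the root logger's level to one above logging.WARNING, so the root
    logger (and every logger that inherits its level) stops emitting records
    at WARNING and below, while ERROR and CRITICAL records still get through.
    The four parameters are the callback arguments; none of them is used.

    NOTE(review): warnings may be the only indication that an image was only
    partially analysed, so output produced with warnings disabled deserves
    extra scrutiny before it is relied on.
    """
    root_logger = logging.getLogger('')
    root_logger.setLevel(logging.WARNING + 1)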
# Register the WARNINGS option: short form 'W', takes no argument (nargs = 0)
# and is wired to disable_warnings through action = "callback". Presumably the
# option parser calls the callback when the switch is present on the command
# line -- confirm against ConfObject.add_option in volatility/conf.py.
config.add_option("WARNINGS", default = False, action = "callback",
callback = disable_warnings,
short_option = 'W', nargs = 0,
help = "Disable warning messages")
================================================
FILE: contrib/plugins/example.py
================================================
# Volatility
#
# Authors:
# Mike Auty <mike.auty@gmail.com>
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
import volatility.timefmt as timefmt
import volatility.obj as obj
import volatility.utils as utils
import volatility.commands as commands
#pylint: disable-msg=C0111
class DateTime(commands.Command):
    """A simple example plugin that gets the date/time information from a Windows image"""

    def calculate(self):
        """Load the address space and return the image's date/time details.

        The lookup itself lives in get_image_time() so that other plugins can
        call it with an address space they already hold.
        """
        return self.get_image_time(utils.load_as(self._config))

    def get_image_time(self, addr_space):
        """Read the system time and time zone from _KUSER_SHARED_DATA.

        Returns a dict with two keys: 'ImageDatetime' (the structure's
        SystemTime member) and 'ImageTz' (an OffsetTzInfo built from the
        negated TimeZoneBias divided by 10000000).
        """
        # VolMagic supplies the location of KUSER_SHARED_DATA for this image
        shared_data_offset = obj.VolMagic(addr_space).KUSER_SHARED_DATA.v()
        shared_data = obj.Object("_KUSER_SHARED_DATA",
                                 offset = shared_data_offset,
                                 vm = addr_space)
        # Both members are taken from the image exactly as found there; they
        # are only as trustworthy as the memory they were read from.
        system_time = shared_data.SystemTime
        tz_info = timefmt.OffsetTzInfo(-shared_data.TimeZoneBias.as_windows_timestamp() / 10000000)
        return {'ImageDatetime': system_time, 'ImageTz': tz_info}

    def render_text(self, outfd, data):
        """Write the image time to outfd, first as stored and then in the image's own time zone"""
        image_time = data['ImageDatetime']
        # A datetime object is needed for the time-zone-aware line below
        as_datetime = image_time.as_datetime()
        outfd.write("Image date and time : {0}\n".format(image_time))
        local_text = timefmt.display_datetime(as_datetime, data['ImageTz'])
        outfd.write("Image local date and time : {0}\n".format(local_text))
================================================
FILE: contrib/plugins/malware/README.md
================================================
Plugins in this directory have moved. Please see the github.com/volatilityfoundation/community repository.
================================================
FILE: pyinstaller/hook-distorm3.py
================================================
# Distorm3 hook
#
# This currently contains the hardcoded location for the standard distorm3.dll install
# It could be improved by carrying out a search, or using sys.path
#
# This also requires the distorm3 module to be modified with the following patch:
# import sys
# if hasattr(sys, '_MEIPASS'):
# _distorm_path = sys._MEIPASS
import os
import sys
# Look under every sys.path entry for the distorm3 native library (Windows
# .dll or Linux .so) and ask PyInstaller to place each copy found at the top
# level (".") of the bundle.
# NOTE(review): every match is added, not only the first, and the entries of
# sys.path are whatever the build environment provides (this can include the
# current directory). The build host therefore decides which binary ends up
# in the bundle; building from a clean environment and comparing the bundled
# file with a known-good copy guards against picking up an unexpected one.
datas = []
for path in sys.path:
    for _libname in ("distorm3.dll", "libdistorm3.so"):
        _candidate = os.path.join(path, "distorm3", _libname)
        if os.path.exists(_candidate):
            datas.append((_candidate, "."))
================================================
FILE: pyinstaller/hook-openpyxl.py
================================================
# Openpyxl hook
#
# This currently contains the hardcoded location for the .constants.json file
# It could be improved by carrying out a search, or using sys.path
#
# This also requires the openpyxl module to be modified with the following patch:
# import sys
# if hasattr(sys, '_MEIPASS'):
# here = sys._MEIPASS
import os
import sys
# Look under every sys.path entry for openpyxl's .constants.json and ask
# PyInstaller to place each copy found at the top level (".") of the bundle.
# Every match is added, not only the first one on sys.path.
datas = []
for path in sys.path:
    _constants = os.path.join(path, "openpyxl", ".constants.json")
    if not os.path.exists(_constants):
        continue
    datas.append((_constants, "."))
================================================
FILE: pyinstaller/hook-volatility.py
================================================
import os
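# Project root: the parent of the directory that holds this hook file.
projpath = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))


def plugin_module_name(relpath):
    """Map a path below volatility/plugins to a dotted module name.

    `relpath` is a file's path relative to the plugins directory with the
    extension already removed. Returns None for entries that must not become
    hidden imports: paths with any component starting with "." and paths
    containing "__" (for example __init__). Otherwise "-" becomes "_" and
    path separators become dots.

    The hidden-file test works on path components split at os.path.sep; the
    earlier test looked for the literal "/." and so never matched on
    platforms whose separator is not "/", nor for dot-files directly inside
    the plugins directory.
    """
    if any(part.startswith(".") for part in relpath.split(os.path.sep)):
        return None
    if "__" in relpath:
        return None
    dotted = relpath.replace("-", "_").replace(os.path.sep, ".")
    return "volatility.plugins." + dotted


# Walk the plugins tree and collect one module name per file so PyInstaller
# bundles plugins that are only imported dynamically.
# NOTE(review): file extensions are not checked, so every file in the tree
# (not only .py sources) is turned into a module name.
_plugins_root = os.path.join(projpath, 'volatility', 'plugins')
modules = set(['volatility.plugins'])
for dirpath, _dirnames, filenames in os.walk(_plugins_root):
    # Reduce dirpath to the part below the plugins directory
    dirpath = dirpath[len(_plugins_root):]
    if dirpath and dirpath[0] == os.path.sep:
        dirpath = dirpath[1:]
    for filename in filenames:
        name = plugin_module_name(os.path.join(dirpath, os.path.splitext(filename)[0]))
        if name is not None:
            modules.add(name)

hiddenimports = list(modules)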
================================================
FILE: pyinstaller/hook-yara.py
================================================
import os
import sys
# Look directly under every sys.path entry for the yara extension module
# (yara.pyd or yara.so) and ask PyInstaller to place each copy found at the
# top level (".") of the bundle.
# NOTE(review): every match is added, not only the first, and the entries of
# sys.path are whatever the build environment provides (this can include the
# current directory). Building from a clean environment and comparing the
# bundled file with a known-good copy guards against picking up an
# unexpected binary.
datas = []
for path in sys.path:
    for _modname in ("yara.pyd", "yara.so"):
        _candidate = os.path.join(path, _modname)
        if os.path.exists(_candidate):
            datas.append((_candidate, "."))
================================================
FILE: pyinstaller.spec
================================================
# -*- mode: python -*-
import sys
# Directory containing this spec file. Neither SPEC nor os is defined or
# imported in this file; presumably PyInstaller provides both when it executes
# the spec -- confirm for the PyInstaller version in use.
projpath = os.path.dirname(os.path.abspath(SPEC))
def get_plugins(list):
    """Yield the entries that belong to volatility.plugins.

    An entry is kept when its first element starts with 'volatility.plugins',
    except for the package itself when its second element mentions
    '__init__.py'. The parameter name shadows the builtin `list`; it is kept
    because it is part of the signature. Nothing else in this spec file calls
    this function.
    """
    for entry in list:
        name = entry[0]
        if not name.startswith('volatility.plugins'):
            continue
        if name == 'volatility.plugins' and '__init__.py' in entry[1]:
            continue
        yield entry
# Executable suffix: ".exe" when building on Windows, nothing elsewhere.
exeext = ".exe" if sys.platform.startswith("win") else ""
# Analyse vol.py as the entry script, using the hook files in the project's
# pyinstaller directory. HOMEPATH is not defined in this file; presumably it
# is supplied by PyInstaller.
a = Analysis([os.path.join(projpath, 'vol.py')],
pathex = [HOMEPATH],
hookspath = [os.path.join(projpath, 'pyinstaller')])
pyz = PYZ(a.pure)
# Ship the whole volatility/plugins directory as a 'plugins' tree in the bundle.
plugins = Tree(os.path.join(projpath, 'volatility', 'plugins'),
os.path.join('plugins'))
# Single executable written to dist/pyinstaller/volatility[.exe].
exe = EXE(pyz,
# The extra ('u', '', 'OPTION') entry presumably passes the interpreter's
# unbuffered-output option to the bundled program -- confirm.
a.scripts + [('u', '', 'OPTION')],
a.binaries,
a.zipfiles,
a.datas,
plugins,
name = os.path.join(projpath, 'dist', 'pyinstaller', 'volatility' + exeext),
debug = False,
strip = False,
# NOTE(review): upx = True requests UPX compression of the output. Packed
# executables are harder to compare against a known-good build and are
# commonly flagged by endpoint security tooling; worth a deliberate decision
# for a tool that runs on investigation hosts.
upx = True,
icon = os.path.join(projpath, 'resources', 'volatility.ico'),
console = 1)
================================================
FILE: setup.py
================================================
#!/usr/bin/env python
# Volatility
#
# Authors:
# AAron Walters <awalters@4tphi.net>
# Mike Auty <mike.auty@gmail.com>
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
try:
from setuptools import setup
except ImportError:
from distutils.core import setup
import volatility.constants
import sys
import os
# py2exe is optional: record whether it can be imported so that the
# py2exe-only build options are added only when it is present.
try:
    import py2exe #pylint: disable-msg=W0611,F0401
except ImportError:
    py2exe_available = False
else:
    py2exe_available = True
def find_files(topdirs, py = False):
    """Build a data_files style list for every directory under *topdirs*.

    Each directory reached by os.walk() contributes one
    (directory, [file paths]) tuple, so source and destination directories
    are the same. With py set, only names ending in '.py' are listed;
    otherwise every file is listed. A directory with no matching files
    still gets an entry, with an empty list.
    """
    def wanted(filename):
        return not py or filename.endswith('.py')

    return [
        (dirpath, [os.path.join(dirpath, name) for name in filenames if wanted(name)])
        for topdir in topdirs
        for dirpath, _subdirs, filenames in os.walk(topdir)
    ]
# Keyword arguments handed to setup() further down.
opts = {
    'name': "volatility",
    'version': volatility.constants.VERSION,
    'description': "Volatility -- Volatile memory framework",
    'author': "AAron Walters",
    'author_email': "awalters@4tphi.net",
    'url': "http://www.volatilityfoundation.org",
    'license': "GPL",
    'scripts': ["vol.py"],
    # The package list is maintained by hand; a sub-package that is not named
    # here is not part of this list.
    'packages': [
        "volatility",
        "volatility.win32",
        "volatility.renderers",
        "volatility.plugins",
        "volatility.plugins.addrspaces",
        "volatility.plugins.overlays",
        "volatility.plugins.overlays.windows",
        "volatility.plugins.overlays.linux",
        "volatility.plugins.overlays.mac",
        "volatility.plugins.gui",
        "volatility.plugins.gui.vtypes",
        "volatility.plugins.linux",
        "volatility.plugins.registry",
        "volatility.plugins.malware",
        "volatility.plugins.mac",
    ],
}

# contrib/ contributes only its *.py files; tools/ contributes every file found
# under it when the build runs.
# NOTE(review): anything left in tools/ (build output, local scratch files)
# therefore ends up in the distribution -- build from a clean checkout.
opts['data_files'] = find_files(['contrib'], py = True) + find_files(['tools'])
if py2exe_available:
    py2exe_distdir = 'dist/py2exe'
    # Modules named explicitly for the frozen binary, on top of the volatility
    # packages.
    # NOTE(review): nothing here pins or verifies the third-party entries
    # (Crypto.Cipher, distorm3, yara); the binary presumably embeds whatever
    # versions are installed on the build machine, so record them per release.
    py2exe_packages = opts['packages'] + ['socket', 'ctypes', 'Crypto.Cipher', 'urllib', 'distorm3', 'yara', 'xml.etree.ElementTree']
    opts['console'] = [
        {
            'script': 'vol.py',
            'icon_resources': [(1, 'resources/volatility.ico')],
        },
    ]
    opts['options'] = {
        'py2exe': {
            # Optimize must be 1 for plugins that use their docstring as the
            # help value; otherwise the help text gets optimized out.
            'optimize': 1,
            'dist_dir': py2exe_distdir,
            'packages': py2exe_packages,
            # Together with zipfile = None below, this yields a single binary.
            'bundle_files': 1,
        },
    }
    opts['zipfile'] = None

distrib = setup(**opts) #pylint: disable-msg=W0142

if 'py2exe' in sys.argv:
    # Placeholder for py2exe-specific post-build steps; nothing is done yet.
    pass
================================================
FILE: tools/doxygen/config
================================================
# Doxyfile 1.8.7
# This file describes the settings to be used by the documentation system
# doxygen (www.doxygen.org) for a project.
#
# All text after a double hash (##) is considered a comment and is placed in
# front of the TAG it is preceding.
#
# All text after a single hash (#) is considered a comment and will be ignored.
# The format is:
# TAG = value [value, ...]
# For lists, items can also be appended using:
# TAG += value [value, ...]
# Values that contain spaces should be placed between quotes (\" \").
#---------------------------------------------------------------------------
# Project related configuration options
#---------------------------------------------------------------------------
# This tag specifies the encoding used for all characters in the config file
# that follow. The default is UTF-8 which is also the encoding used for all text
# before the first occurrence of this tag. Doxygen uses libiconv (or the iconv
# built into libc) for the transcoding. See http://www.gnu.org/software/libiconv
# for the list of possible encodings.
# The default value is: UTF-8.
DOXYFILE_ENCODING = UTF-8
# The PROJECT_NAME tag is a single word (or a sequence of words surrounded by
# double-quotes, unless you are using Doxywizard) that should identify the
# project for which the documentation is generated. This name is used in the
# title of most generated pages and in a few other places.
# The default value is: My Project.
PROJECT_NAME = "The Volatility Framework"
# The PROJECT_NUMBER tag can be used to enter a project or revision number. This
# could be handy for archiving the generated documentation or if some version
# control system is used.
PROJECT_NUMBER =
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
# quick idea about the purpose of the project. Keep the description short.
PROJECT_BRIEF =
# With the PROJECT_LOGO tag one can specify a logo or icon that is included in
# the documentation. The maximum height of the logo should not exceed 55 pixels
# and the maximum width should not exceed 200 pixels. Doxygen will copy the logo
# to the output directory.
PROJECT_LOGO = ./tools/doxygen/vol.png
# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path
# into which the generated documentation will be written. If a relative path is
# entered, it will be relative to the location where doxygen was started. If
# left blank the current directory will be used.
OUTPUT_DIRECTORY = ./tools/doxygen/output
# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 4096 sub-
# directories (in 2 levels) under the output directory of each output format and
# will distribute the generated files over these directories. Enabling this
# option can be useful when feeding doxygen a huge amount of source files, where
# putting all generated files in the same directory would otherwise cause
# performance problems for the file system.
# The default value is: NO.
CREATE_SUBDIRS = YES
# If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII
# characters to appear in the names of generated files. If set to NO, non-ASCII
# characters will be escaped, for example _xE3_x81_x84 will be used for Unicode
# U+3044.
# The default value is: NO.
ALLOW_UNICODE_NAMES = NO
# The OUTPUT_LANGUAGE tag is used to specify the language in which all
# documentation generated by doxygen is written. Doxygen will use this
# information to generate all constant output in the proper language.
# Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Catalan, Chinese,
# Chinese-Traditional, Croatian, Czech, Danish, Dutch, English (United States),
# Esperanto, Farsi (Persian), Finnish, French, German, Greek, Hungarian,
# Indonesian, Italian, Japanese, Japanese-en (Japanese with English messages),
# Korean, Korean-en (Korean with English messages), Latvian, Lithuanian,
# Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, Romanian, Russian,
# Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, Swedish, Turkish,
# Ukrainian and Vietnamese.
# The default value is: English.
OUTPUT_LANGUAGE = English
# If the BRIEF_MEMBER_DESC tag is set to YES doxygen will include brief member
# descriptions after the members that are listed in the file and class
# documentation (similar to Javadoc). Set to NO to disable this.
# The default value is: YES.
BRIEF_MEMBER_DESC = YES
# If the REPEAT_BRIEF tag is set to YES doxygen will prepend the brief
# description of a member or function before the detailed description.
#
# Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
# brief descriptions will be completely suppressed.
# The default value is: YES.
REPEAT_BRIEF = YES
# This tag implements a quasi-intelligent brief description abbreviator that is
# used to form the text in various listings. Each string in this list, if found
# as the leading text of the brief description, will be stripped from the text
# and the result, after processing the whole list, is used as the annotated
# text. Otherwise, the brief description is used as-is. If left blank, the
# following values are used ($name is automatically replaced with the name of
# the entity):The $name class, The $name widget, The $name file, is, provides,
# specifies, contains, represents, a, an and the.
ABBREVIATE_BRIEF =
# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
# doxygen will generate a detailed section even if there is only a brief
# description.
# The default value is: NO.
ALWAYS_DETAILED_SEC = NO
# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all
# inherited members of a class in the documentation of that class as if those
# members were ordinary class members. Constructors, destructors and assignment
# operators of the base classes will not be shown.
# The default value is: NO.
INLINE_INHERITED_MEMB = NO
# If the FULL_PATH_NAMES tag is set to YES doxygen will prepend the full path
# before files name in the file list and in the header files. If set to NO the
# shortest path that makes the file name unique will be used
# The default value is: YES.
FULL_PATH_NAMES = YES
# The STRIP_FROM_PATH tag can be used to strip a user-defined part of the path.
# Stripping is only done if one of the specified strings matches the left-hand
# part of the path. The tag can be used to show relative paths in the file list.
# If left blank the directory from which doxygen is run is used as the path to
# strip.
#
# Note that you can specify absolute paths here, but also relative paths, which
# will be relative from the directory where doxygen is started.
# This tag requires that the tag FULL_PATH_NAMES is set to YES.
STRIP_FROM_PATH =
# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the
# path mentioned in the documentation of a class, which tells the reader which
# header file to include in order to use a class. If left blank only the name of
# the header file containing the class definition is used. Otherwise one should
# specify the list of include paths that are normally passed to the compiler
# using the -I flag.
STRIP_FROM_INC_PATH =
# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but
# less readable) file names. This can be useful if your file system doesn't
# support long names like on DOS, Mac, or CD-ROM.
# The default value is: NO.
SHORT_NAMES = NO
# If the JAVADOC_AUTOBRIEF tag is set to YES then doxygen will interpret the
# first line (until the first dot) of a Javadoc-style comment as the brief
# description. If set to NO, the Javadoc-style will behave just like regular Qt-
# style comments (thus requiring an explicit @brief command for a brief
# description.)
# The default value is: NO.
JAVADOC_AUTOBRIEF = NO
# If the QT_AUTOBRIEF tag is set to YES then doxygen will interpret the first
# line (until the first dot) of a Qt-style comment as the brief description. If
# set to NO, the Qt-style will behave just like regular Qt-style comments (thus
# requiring an explicit \brief command for a brief description.)
# The default value is: NO.
QT_AUTOBRIEF = NO
# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make doxygen treat a
# multi-line C++ special comment block (i.e. a block of //! or /// comments) as
# a brief description. This used to be the default behavior. The new default is
# to treat a multi-line C++ comment block as a detailed description. Set this
# tag to YES if you prefer the old behavior instead.
#
# Note that setting this tag to YES also means that rational rose comments are
# not recognized any more.
# The default value is: NO.
MULTILINE_CPP_IS_BRIEF = NO
# If the INHERIT_DOCS tag is set to YES then an undocumented member inherits the
# documentation from any documented member that it re-implements.
# The default value is: YES.
INHERIT_DOCS = YES
# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce a
# new page for each member. If set to NO, the documentation of a member will be
# part of the file/class/namespace that contains it.
# The default value is: NO.
SEPARATE_MEMBER_PAGES = NO
# The TAB_SIZE tag can be used to set the number of spaces in a tab. Doxygen
# uses this value to replace tabs by spaces in code fragments.
# Minimum value: 1, maximum value: 16, default value: 4.
TAB_SIZE = 4
# This tag can be used to specify a number of aliases that act as commands in
# the documentation. An alias has the form:
# name=value
# For example adding
# "sideeffect=@par Side Effects:\n"
# will allow you to put the command \sideeffect (or @sideeffect) in the
# documentation, which will result in a user-defined paragraph with heading
# "Side Effects:". You can put \n's in the value part of an alias to insert
# newlines.
ALIASES =
# This tag can be used to specify a number of word-keyword mappings (TCL only).
# A mapping has the form "name=value". For example adding "class=itcl::class"
# will allow you to use the command class in the itcl::class meaning.
TCL_SUBST =
# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources
# only. Doxygen will then generate output that is more tailored for C. For
# instance, some of the names that are used will be different. The list of all
# members will be omitted, etc.
# The default value is: NO.
OPTIMIZE_OUTPUT_FOR_C = NO
# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java or
# Python sources only. Doxygen will then generate output that is more tailored
# for that language. For instance, namespaces will be presented as packages,
# qualified scopes will look different, etc.
# The default value is: NO.
OPTIMIZE_OUTPUT_JAVA = NO
# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran
# sources. Doxygen will then generate output that is tailored for Fortran.
# The default value is: NO.
OPTIMIZE_FOR_FORTRAN = NO
# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL
# sources. Doxygen will then generate output that is tailored for VHDL.
# The default value is: NO.
OPTIMIZE_OUTPUT_VHDL = NO
# Doxygen selects the parser to use depending on the extension of the files it
# parses. With this tag you can assign which parser to use for a given
# extension. Doxygen has a built-in mapping, but you can override or extend it
# using this tag. The format is ext=language, where ext is a file extension, and
# language is one of the parsers supported by doxygen: IDL, Java, Javascript,
# C#, C, C++, D, PHP, Objective-C, Python, Fortran (fixed format Fortran:
# FortranFixed, free formatted Fortran: FortranFree, unknown formatted Fortran:
# Fortran. In the latter case the parser tries to guess whether the code is fixed
# or free formatted code, this is the default for Fortran type files), VHDL. For
# instance to make doxygen treat .inc files as Fortran files (default is PHP),
# and .f files as C (default is Fortran), use: inc=Fortran f=C.
#
# Note: For files without extension you can use no_extension as a placeholder.
#
# Note that for custom extensions you also need to set FILE_PATTERNS otherwise
# the files are not read by doxygen.
EXTENSION_MAPPING =
# If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments
# according to the Markdown format, which allows for more readable
# documentation. See http://daringfireball.net/projects/markdown/ for details.
# The output of markdown processing is further processed by doxygen, so you can
# mix doxygen, HTML, and XML commands with Markdown formatting. Disable only in
# case of backward compatibilities issues.
# The default value is: YES.
MARKDOWN_SUPPORT = YES
# When enabled doxygen tries to link words that correspond to documented
# classes, or namespaces to their corresponding documentation. Such a link can
# be prevented in individual cases by putting a % sign in front of the word
# or globally by setting AUTOLINK_SUPPORT to NO.
# The default value is: YES.
AUTOLINK_SUPPORT = YES
# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want
# to include (a tag file for) the STL sources as input, then you should set this
# tag to YES in order to let doxygen match functions declarations and
# definitions whose arguments contain STL classes (e.g. func(std::string);
# versus func(std::string) {}). This also makes the inheritance and collaboration
# diagrams that involve STL classes more complete and accurate.
# The default value is: NO.
BUILTIN_STL_SUPPORT = NO
# If you use Microsoft's C++/CLI language, you should set this option to YES to
# enable parsing support.
# The default value is: NO.
CPP_CLI_SUPPORT = NO
# Set the SIP_SUPPORT tag to YES if your project consists of sip (see:
# http://www.riverbankcomputing.co.uk/software/sip/intro) sources only. Doxygen
# will parse them like normal C++ but will assume all classes use public instead
# of private inheritance when no explicit protection keyword is present.
# The default value is: NO.
SIP_SUPPORT = NO
# For Microsoft's IDL there are propget and propput attributes to indicate
# getter and setter methods for a property. Setting this option to YES will make
# doxygen replace the get and set methods by a property in the documentation.
# This will only work if the methods are indeed getting or setting a simple
# type. If this is not the case, or you want to show the methods anyway, you
# should set this option to NO.
# The default value is: YES.
IDL_PROPERTY_SUPPORT = YES
# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
# tag is set to YES, then doxygen will reuse the documentation of the first
# member in the group (if any) for the other members of the group. By default
# all members of a group must be documented explicitly.
# The default value is: NO.
DISTRIBUTE_GROUP_DOC = NO
# Set the SUBGROUPING tag to YES to allow class member groups of the same type
# (for instance a group of public functions) to be put as a subgroup of that
# type (e.g. under the Public Functions section). Set it to NO to prevent
# subgrouping. Alternatively, this can be done per class using the
# \nosubgrouping command.
# The default value is: YES.
SUBGROUPING = YES
# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and unions
# are shown inside the group in which they are included (e.g. using \ingroup)
# instead of on a separate page (for HTML and Man pages) or section (for LaTeX
# and RTF).
#
# Note that this feature does not work in combination with
# SEPARATE_MEMBER_PAGES.
# The default value is: NO.
INLINE_GROUPED_CLASSES = NO
# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and unions
# with only public data fields or simple typedef fields will be shown inline in
# the documentation of the scope in which they are defined (i.e. file,
# namespace, or group documentation), provided this scope is documented. If set
# to NO, structs, classes, and unions are shown on a separate page (for HTML and
# Man pages) or section (for LaTeX and RTF).
# The default value is: NO.
INLINE_SIMPLE_STRUCTS = NO
# When TYPEDEF_HIDES_STRUCT tag is enabled, a typedef of a struct, union, or
# enum is documented as struct, union, or enum with the name of the typedef. So
# typedef struct TypeS {} TypeT, will appear in the documentation as a struct
# with name TypeT. When disabled the typedef will appear as a member of a file,
# namespace, or class. And the struct will be named TypeS. This can typically be
# useful for C code in case the coding convention dictates that all compound
# types are typedef'ed and only the typedef is referenced, never the tag name.
# The default value is: NO.
TYPEDEF_HIDES_STRUCT = NO
# The size of the symbol lookup cache can be set using LOOKUP_CACHE_SIZE. This
# cache is used to resolve symbols given their name and scope. Since this can be
# an expensive process and often the same symbol appears multiple times in the
# code, doxygen keeps a cache of pre-resolved symbols. If the cache is too small
# doxygen will become slower. If the cache is too large, memory is wasted. The
# cache size is given by this formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range
# is 0..9, the default is 0, corresponding to a cache size of 2^16=65536
# symbols. At the end of a run doxygen will report the cache usage and suggest
# the optimal cache size from a speed point of view.
# Minimum value: 0, maximum value: 9, default value: 0.
LOOKUP_CACHE_SIZE = 0
#---------------------------------------------------------------------------
# Build related configuration options
#---------------------------------------------------------------------------
# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in
# documentation are documented, even if no documentation was available. Private
# class members and static file members will be hidden unless the
# EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.
# Note: This will also disable the warnings about undocumented members that are
# normally produced when WARNINGS is set to YES.
# The default value is: NO.
EXTRACT_ALL = NO
# If the EXTRACT_PRIVATE tag is set to YES all private members of a class will
# be included in the documentation.
# The default value is: NO.
EXTRACT_PRIVATE = NO
# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal
# scope will be included in the documentation.
# The default value is: NO.
EXTRACT_PACKAGE = NO
# If the EXTRACT_STATIC tag is set to YES all static members of a file will be
# included in the documentation.
# The default value is: NO.
EXTRACT_STATIC = NO
# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) defined
# locally in source files will be included in the documentation. If set to NO
# only classes defined in header files are included. Does not have any effect
# for Java sources.
# The default value is: YES.
EXTRACT_LOCAL_CLASSES = YES
# This flag is only useful for Objective-C code. When set to YES local methods,
# which are defined in the implementation section but not in the interface are
# included in the documentation. If set to NO only methods in the interface are
# included.
# The default value is: NO.
EXTRACT_LOCAL_METHODS = NO
# If this flag is set to YES, the members of anonymous namespaces will be
# extracted and appear in the documentation as a namespace called
# 'anonymous_namespace{file}', where file will be replaced with the base name of
# the file that contains the anonymous namespace. By default anonymous namespace
# are hidden.
# The default value is: NO.
EXTRACT_ANON_NSPACES = NO
# If the HIDE_UNDOC_MEMBERS tag is set to YES, doxygen will hide all
# undocumented members inside documented classes or files. If set to NO these
# members will be included in the various overviews, but no documentation
# section is generated. This option has no effect if EXTRACT_ALL is enabled.
# The default value is: NO.
HIDE_UNDOC_MEMBERS = NO
# If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all
# undocumented classes that are normally visible in the class hierarchy. If set
# to NO these classes will be included in the various overviews. This option has
# no effect if EXTRACT_ALL is enabled.
# The default value is: NO.
HIDE_UNDOC_CLASSES = NO
# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend
# (class|struct|union) declarations. If set to NO these declarations will be
# included in the documentation.
# The default value is: NO.
HIDE_FRIEND_COMPOUNDS = NO
# If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any
# documentation blocks found inside the body of a function. If set to NO these
# blocks will be appended to the function's detailed documentation block.
# The default value is: NO.
HIDE_IN_BODY_DOCS = NO
# The INTERNAL_DOCS tag determines if documentation that is typed after a
# \internal command is included. If the tag is set to NO then the documentation
# will be excluded. Set it to YES to include the internal documentation.
# The default value is: NO.
INTERNAL_DOCS = NO
# If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file
# names in lower-case letters. If set to YES upper-case letters are also
# allowed. This is useful if you have classes or files whose names only differ
# in case and if your file system supports case sensitive file names. Windows
# and Mac users are advised to set this option to NO.
# The default value is: system dependent.
CASE_SENSE_NAMES = NO
# If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with
# their full class and namespace scopes in the documentation. If set to YES the
# scope will be hidden.
# The default value is: NO.
HIDE_SCOPE_NAMES = NO
# If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of
# the files that are included by a file in the documentation of that file.
# The default value is: YES.
SHOW_INCLUDE_FILES = YES
# If the SHOW_GROUPED_MEMB_INC tag is set to YES then Doxygen will add for each
# grouped member an include statement to the documentation, telling the reader
# which file to include in order to use the member.
# The default value is: NO.
SHOW_GROUPED_MEMB_INC = NO
# If the FORCE_LOCAL_INCLUDES tag is set to YES then doxygen will list include
# files with double quotes in the documentation rather than with sharp brackets.
# The default value is: NO.
FORCE_LOCAL_INCLUDES = NO
# If the INLINE_INFO tag is set to YES then a tag [inline] is inserted in the
# documentation for inline members.
# The default value is: YES.
INLINE_INFO = YES
# If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the
# (detailed) documentation of file and class members alphabetically by member
# name. If set to NO the members will appear in declaration order.
# The default value is: YES.
SORT_MEMBER_DOCS = YES
# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief
# descriptions of file, namespace and class members alphabetically by member
# name. If set to NO the members will appear in declaration order. Note that
# this will also influence the order of the classes in the class list.
# The default value is: NO.
SORT_BRIEF_DOCS = NO
# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen will sort the
# (brief and detailed) documentation of class members so that constructors and
# destructors are listed first. If set to NO the constructors will appear in the
# respective orders defined by SORT_BRIEF_DOCS and SORT_MEMBER_DOCS.
# Note: If SORT_BRIEF_DOCS is set to NO this option is ignored for sorting brief
# member documentation.
# Note: If SORT_MEMBER_DOCS is set to NO this option is ignored for sorting
# detailed member documentation.
# The default value is: NO.
SORT_MEMBERS_CTORS_1ST = NO
# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the hierarchy
# of group names into alphabetical order. If set to NO the group names will
# appear in their defined order.
# The default value is: NO.
SORT_GROUP_NAMES = NO
# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be sorted by
# fully-qualified names, including namespaces. If set to NO, the class list will
# be sorted only by class name, not including the namespace part.
# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
# Note: This option applies only to the class list, not to the alphabetical
# list.
# The default value is: NO.
SORT_BY_SCOPE_NAME = NO
# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to do proper
# type resolution of all parameters of a function it will reject a match between
# the prototype and the implementation of a member function even if there is
# only one candidate or it is obvious which candidate to choose by doing a
# simple string match. By disabling STRICT_PROTO_MATCHING doxygen will still
# accept a match between prototype and implementation in such cases.
# The default value is: NO.
STRICT_PROTO_MATCHING = NO
# The GENERATE_TODOLIST tag can be used to enable ( YES) or disable ( NO) the
# todo list. This list is created by putting \todo commands in the
# documentation.
# The default value is: YES.
GENERATE_TODOLIST = YES
# The GENERATE_TESTLIST tag can be used to enable ( YES) or disable ( NO) the
# test list. This list is created by putting \test commands in the
# documentation.
# The default value is: YES.
GENERATE_TESTLIST = YES
# The GENERATE_BUGLIST tag can be used to enable ( YES) or disable ( NO) the bug
# list. This list is created by putting \bug commands in the documentation.
# The default value is: YES.
GENERATE_BUGLIST = YES
# The GENERATE_DEPRECATEDLIST tag can be used to enable ( YES) or disable ( NO)
# the deprecated list. This list is created by putting \deprecated commands in
# the documentation.
# The default value is: YES.
GENERATE_DEPRECATEDLIST= YES
# The ENABLED_SECTIONS tag can be used to enable conditional documentation
# sections, marked by \if <section_label> ... \endif and \cond <section_label>
# ... \endcond blocks.
ENABLED_SECTIONS =
# The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the
# initial value of a variable or macro / define can have for it to appear in the
# documentation. If the initializer consists of more lines than specified here
# it will be hidden. Use a value of 0 to hide initializers completely. The
# appearance of the value of individual variables and macros / defines can be
# controlled using \showinitializer or \hideinitializer command in the
# documentation regardless of this setting.
# Minimum value: 0, maximum value: 10000, default value: 30.
MAX_INITIALIZER_LINES = 30
# Set the SHOW_USED_FILES tag to NO to disable the list of files generated at
# the bottom of the documentation of classes and structs. If set to YES the list
# will mention the files that were used to generate the documentation.
# The default value is: YES.
SHOW_USED_FILES = YES
# Set the SHOW_FILES tag to NO to disable the generation of the Files page. This
# will remove the Files entry from the Quick Index and from the Folder Tree View
# (if specified).
# The default value is: YES.
SHOW_FILES = YES
# Set the SHOW_NAMESPACES tag to NO to disable the generation of the Namespaces
# page. This will remove the Namespaces entry from the Quick Index and from the
# Folder Tree View (if specified).
# The default value is: YES.
SHOW_NAMESPACES = YES
# The FILE_VERSION_FILTER tag can be used to specify a program or script that
# doxygen should invoke to get the current version for each file (typically from
# the version control system). Doxygen will invoke the program by executing (via
# popen()) the command command input-file, where command is the value of the
# FILE_VERSION_FILTER tag, and input-file is the name of an input file provided
# by doxygen. Whatever the program writes to standard output is used as the file
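# version. For an example see the documentation. Because the value is executed
# as a command, check it before running doxygen on a Doxyfile you did not write;
# it is left empty here, so no external program is invoked.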
FILE_VERSION_FILTER =
# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
# by doxygen. The layout file controls the global structure of the generated
# output files in an output format independent way. To create the layout file
# that represents doxygen's defaults, run doxygen with the -l option. You can
# optionally specify a file name after the option, if omitted DoxygenLayout.xml
# will be used as the name of the layout file.
#
# Note that if you run doxygen from a directory containing a file called
# DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE
# tag is left empty.
LAYOUT_FILE =
# The CITE_BIB_FILES tag can be used to specify one or more bib files containing
# the reference definitions. This must be a list of .bib files. The .bib
# extension is automatically appended if omitted. This requires the bibtex tool
# to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info.
# For LaTeX the style of the bibliography can be controlled using
# LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
# search path. Do not use file names with spaces, bibtex cannot handle them. See
# also \cite for info on how to create references.
CITE_BIB_FILES =
#---------------------------------------------------------------------------
# Configuration options related to warning and progress messages
#---------------------------------------------------------------------------
# The QUIET tag can be used to turn on/off the messages that are generated to
# standard output by doxygen. If QUIET is set to YES this implies that the
# messages are off.
# The default value is: NO.
QUIET = NO
# The WARNINGS tag can be used to turn on/off the warning messages that are
# generated to standard error ( stderr) by doxygen. If WARNINGS is set to YES
# this implies that the warnings are on.
#
# Tip: Turn warnings on while writing the documentation.
# The default value is: YES.
WARNINGS = YES
# If the WARN_IF_UNDOCUMENTED tag is set to YES, then doxygen will generate
# warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag
# will automatically be disabled.
# The default value is: YES.
WARN_IF_UNDOCUMENTED = YES
# If the WARN_IF_DOC_ERROR tag is set to YES, doxygen will generate warnings for
# potential errors in the documentation, such as not documenting some parameters
# in a documented function, or documenting parameters that don't exist or using
# markup commands wrongly.
# The default value is: YES.
WARN_IF_DOC_ERROR = YES
# This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
# are documented, but have no documentation for their parameters or return
# value. If set to NO doxygen will only warn about wrong or incomplete parameter
# documentation, but not about the absence of documentation.
# The default value is: NO.
WARN_NO_PARAMDOC = NO
# The WARN_FORMAT tag determines the format of the warning messages that doxygen
# can produce. The string should contain the $file, $line, and $text tags, which
# will be replaced by the file and line number from which the warning originated
# and the warning text. Optionally the format may contain $version, which will
# be replaced by the version of the file (if it could be obtained via
# FILE_VERSION_FILTER)
# The default value is: $file:$line: $text.
WARN_FORMAT = "$file:$line: $text"
# The WARN_LOGFILE tag can be used to specify a file to which warning and error
# messages should be written. If left blank the output is written to standard
# error (stderr).
WARN_LOGFILE =
#---------------------------------------------------------------------------
# Configuration options related to the input files
#---------------------------------------------------------------------------
# The INPUT tag is used to specify the files and/or directories that contain
# documented source files. You may enter file names like myfile.cpp or
# directories like /usr/src/myproject. Separate the files or directories with
# spaces.
# Note: If this tag is empty the current directory is searched.
INPUT = .
# This tag can be used to specify the character encoding of the source files
# that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
# libiconv (or the iconv built into libc) for the transcoding. See the libiconv
# documentation (see: http://www.gnu.org/software/libiconv) for the list of
# possible encodings.
# The default value is: UTF-8.
INPUT_ENCODING = UTF-8
# If the value of the INPUT tag contains directories, you can use the
# FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and
# *.h) to filter out the source-files in the directories. If left blank the
# following patterns are tested:*.c, *.cc, *.cxx, *.cpp, *.c++, *.java, *.ii,
# *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h, *.hh, *.hxx, *.hpp,
# *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc, *.m, *.markdown,
# *.md, *.mm, *.dox, *.py, *.f90, *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf,
# *.qsf, *.as and *.js.
FILE_PATTERNS = *.py
# The RECURSIVE tag can be used to specify whether or not subdirectories should
# be searched for input files as well.
# The default value is: NO.
RECURSIVE = YES
# The EXCLUDE tag can be used to specify files and/or directories that should be
# excluded from the INPUT source files. This way you can easily exclude a
# subdirectory from a directory tree whose root is specified with the INPUT tag.
#
# Note that relative paths are relative to the directory from which doxygen is
# run.
EXCLUDE =
# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
# directories that are symbolic links (a Unix file system feature) are excluded
# from the input.
# The default value is: NO.
EXCLUDE_SYMLINKS = NO
# If the value of the INPUT tag contains directories, you can use the
# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
# certain files from those directories.
#
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories for example use the pattern */test/*
EXCLUDE_PATTERNS =
# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
# (namespaces, classes, functions, etc.) that should be excluded from the
# output. The symbol name can be a fully qualified name, a word, or if the
# wildcard * is used, a substring. Examples: ANamespace, AClass,
# AClass::ANamespace, ANamespace::*Test
#
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories use the pattern */test/*
EXCLUDE_SYMBOLS =
# The EXAMPLE_PATH tag can be used to specify one or more files or directories
# that contain example code fragments that are included (see the \include
# command).
EXAMPLE_PATH =
# If the value of the EXAMPLE_PATH tag contains directories, you can use the
# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and
# *.h) to filter out the source-files in the directories. If left blank all
# files are included.
EXAMPLE_PATTERNS =
# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
# searched for input files to be used with the \include or \dontinclude commands
# irrespective of the value of the RECURSIVE tag.
# The default value is: NO.
EXAMPLE_RECURSIVE = NO
# The IMAGE_PATH tag can be used to specify one or more files or directories
# that contain images that are to be included in the documentation (see the
# \image command).
IMAGE_PATH =
# The INPUT_FILTER tag can be used to specify a program that doxygen should
# invoke to filter for each input file. Doxygen will invoke the filter program
# by executing (via popen()) the command:
#
# <filter> <input-file>
#
# where <filter> is the value of the INPUT_FILTER tag, and <input-file> is the
# name of an input file. Doxygen will then use the output that the filter
# program writes to standard output. If FILTER_PATTERNS is specified, this tag
# will be ignored.
#
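# Note that the filter must not add or remove lines; it is applied before the
# code is scanned, but not when the output code is generated. If lines are added
# or removed, the anchors will not be placed correctly.
#
# Note that the filter program runs once per input file with the privileges of
# the user running doxygen. The absolute path below lies outside this source
# tree, so check that it exists on the build host, is the intended doxypy
# script, and is not writable by other users before generating the docs.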
INPUT_FILTER = /usr/local/bin/doxypy.py
# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
# basis. Doxygen will compare the file name with each pattern and apply the
# filter if there is a match. The filters are a list of the form: pattern=filter
# (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how
# filters are used. If the FILTER_PATTERNS tag is empty or if none of the
# patterns match the file name, INPUT_FILTER is applied.
FILTER_PATTERNS =
# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
# INPUT_FILTER ) will also be used to filter the input files that are used for
# producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).
# The default value is: NO.
FILTER_SOURCE_FILES = YES
# The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file
# pattern. A pattern will override the setting for FILTER_PATTERNS (if any) and
# it is also possible to disable source filtering for a specific pattern using
# *.ext= (so without naming a filter).
# This tag requires that the tag FILTER_SOURCE_FILES is set to YES.
FILTER_SOURCE_PATTERNS =
# If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that
# is part of the input, its contents will be placed on the main page
# (index.html). This can be useful if you have a project on for instance GitHub
# and want to reuse the introduction page also for the doxygen output.
USE_MDFILE_AS_MAINPAGE =
#---------------------------------------------------------------------------
# Configuration options related to source browsing
#---------------------------------------------------------------------------
# If the SOURCE_BROWSER tag is set to YES then a list of source files will be
# generated. Documented entities will be cross-referenced with these sources.
#
# Note: To get rid of all source code in the generated output, make sure that
# also VERBATIM_HEADERS is set to NO.
# The default value is: NO.
SOURCE_BROWSER = NO
# Setting the INLINE_SOURCES tag to YES will include the body of functions,
# classes and enums directly into the documentation.
# The default value is: NO.
INLINE_SOURCES = NO
# Setting the STRIP_CODE_COMMENTS tag to YES will instruct doxygen to hide any
# special comment blocks from generated source code fragments. Normal C, C++ and
# Fortran comments will always remain visible.
# The default value is: YES.
STRIP_CODE_COMMENTS = YES
# If the REFERENCED_BY_RELATION tag is set to YES then for each documented
# function all documented functions referencing it will be listed.
# The default value is: NO.
REFERENCED_BY_RELATION = NO
# If the REFERENCES_RELATION tag is set to YES then for each documented function
# all documented entities called/used by that function will be listed.
# The default value is: NO.
REFERENCES_RELATION = NO
# If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set
# to YES, then the hyperlinks from functions in REFERENCES_RELATION and
# REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will
# link to the documentation.
# The default value is: YES.
REFERENCES_LINK_SOURCE = YES
# If SOURCE_TOOLTIPS is enabled (the default) then hovering a hyperlink in the
# source code will show a tooltip with additional information such as prototype,
# brief description and links to the definition and documentation. Since this
# will make the HTML file larger and loading of large files a bit slower, you
# can opt to disable this feature.
# The default value is: YES.
# This tag requires that the tag SOURCE_BROWSER is set to YES.
SOURCE_TOOLTIPS = YES
# If the USE_HTAGS tag is set to YES then the references to source code will
# point to the HTML generated by the htags(1) tool instead of doxygen built-in
# source browser. The htags tool is part of GNU's global source tagging system
# (see http://www.gnu.org/software/global/global.html). You will need version
# 4.8.6 or higher.
#
# To use it do the following:
# - Install the latest version of global
# - Enable SOURCE_BROWSER and USE_HTAGS in the config file
# - Make sure the INPUT points to the root of the source tree
# - Run doxygen as normal
#
# Doxygen will invoke htags (and that will in turn invoke gtags), so these
# tools must be available from the command line (i.e. in the search path).
#
# The result: instead of the source browser generated by doxygen, the links to
# source code will now point to the output of htags.
# The default value is: NO.
# This tag requires that the tag SOURCE_BROWSER is set to YES.
USE_HTAGS = NO
# If the VERBATIM_HEADERS tag is set to YES then doxygen will generate a
# verbatim copy of the header file for each class for which an include is
# specified. Set to NO to disable this.
# See also: Section \class.
# The default value is: YES.
VERBATIM_HEADERS = YES
#---------------------------------------------------------------------------
# Configuration options related to the alphabetical class index
#---------------------------------------------------------------------------
# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index of all
# compounds will be generated. Enable this if the project contains a lot of
# classes, structs, unions or interfaces.
# The default value is: YES.
ALPHABETICAL_INDEX = YES
# The COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns in
# which the alphabetical index list will be split.
# Minimum value: 1, maximum value: 20, default value: 5.
# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
COLS_IN_ALPHA_INDEX = 5
# In case all classes in a project start with a common prefix, all classes will
# be put under the same header in the alphabetical index. The IGNORE_PREFIX tag
# can be used to specify a prefix (or a list of prefixes) that should be ignored
# while generating the index headers.
# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
IGNORE_PREFIX =
#---------------------------------------------------------------------------
# Configuration options related to the HTML output
#---------------------------------------------------------------------------
# If the GENERATE_HTML tag is set to YES doxygen will generate HTML output
# The default value is: YES.
GENERATE_HTML = YES
# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. If a
# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
# it.
# The default directory is: html.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_OUTPUT = html
# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
# generated HTML page (for example: .htm, .php, .asp).
# The default value is: .html.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_FILE_EXTENSION = .html
# The HTML_HEADER tag can be used to specify a user-defined HTML header file for
# each generated HTML page. If the tag is left blank doxygen will generate a
# standard header.
#
# To get valid HTML the header file must include any scripts and style sheets
# that doxygen needs, which depend on the configuration options used (e.g. the
# setting GENERATE_TREEVIEW). It is highly recommended to start with a default
# header using
# doxygen -w html new_header.html new_footer.html new_stylesheet.css
# YourConfigFile
# and then modify the file new_header.html. See also section "Doxygen usage"
# for information on how to generate the default header that doxygen normally
# uses.
# Note: The header is subject to change so you typically have to regenerate the
# default header when upgrading to a newer version of doxygen. For a description
# of the possible markers and block names see the documentation.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_HEADER =
# The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each
# generated HTML page. If the tag is left blank doxygen will generate a standard
# footer. See HTML_HEADER for more information on how to generate a default
# footer and what special commands can be used inside the footer. See also
# section "Doxygen usage" for information on how to generate the default footer
# that doxygen normally uses.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_FOOTER =
# The HTML_STYLESHEET tag can be used to specify a user-defined cascading style
# sheet that is used by each HTML page. It can be used to fine-tune the look of
# the HTML output. If left blank doxygen will generate a default style sheet.
# See also section "Doxygen usage" for information on how to generate the style
# sheet that doxygen normally uses.
# Note: It is recommended to use HTML_EXTRA_STYLESHEET instead of this tag, as
# it is more robust and this tag (HTML_STYLESHEET) will in the future become
# obsolete.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_STYLESHEET =
# The HTML_EXTRA_STYLESHEET tag can be used to specify an additional user-
# defined cascading style sheet that is included after the standard style sheets
# created by doxygen. Using this option one can overrule certain style aspects.
# This is preferred over using HTML_STYLESHEET since it does not replace the
# standard style sheet and is therefore more robust against future updates.
# Doxygen will copy the style sheet file to the output directory. For an example
# see the documentation.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_EXTRA_STYLESHEET =
# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
# other source files which should be copied to the HTML output directory. Note
# that these files will be copied to the base HTML output directory. Use the
# $relpath^ marker in the HTML_HEADER and/or HTML_FOOTER files to load these
# files. In the HTML_STYLESHEET file, use the file name only. Also note that the
# files will be copied as-is; there are no commands or markers available.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_EXTRA_FILES =
# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen
# will adjust the colors in the stylesheet and background images according to
# this color. Hue is specified as an angle on a colorwheel, see
# http://en.wikipedia.org/wiki/Hue for more information. For instance the value
# 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300
# purple, and 360 is red again.
# Minimum value: 0, maximum value: 359, default value: 220.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_COLORSTYLE_HUE = 220
# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of the colors
# in the HTML output. For a value of 0 the output will use grayscales only. A
# value of 255 will produce the most vivid colors.
# Minimum value: 0, maximum value: 255, default value: 100.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_COLORSTYLE_SAT = 100
# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to the
# luminance component of the colors in the HTML output. Values below 100
# gradually make the output lighter, whereas values above 100 make the output
# darker. The value divided by 100 is the actual gamma applied, so 80 represents
# a gamma of 0.8, The value 220 represents a gamma of 2.2, and 100 does not
# change the gamma.
# Minimum value: 40, maximum value: 240, default value: 80.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_COLORSTYLE_GAMMA = 80
# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
# page will contain the date and time when the page was generated. Setting this
# to NO can help when comparing the output of multiple runs.
# The default value is: YES.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_TIMESTAMP = YES
# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
# documentation will contain sections that can be hidden and shown after the
# page has loaded.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_DYNAMIC_SECTIONS = NO
# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of entries
# shown in the various tree structured indices initially; the user can expand
# and collapse entries dynamically later on. Doxygen will expand the tree to
# such a level that at most the specified number of entries are visible (unless
# a fully collapsed tree already exceeds this amount). So setting the number of
# entries to 1 will produce a fully collapsed tree by default. 0 is a special
# value representing an infinite number of entries and will result in a fully
# expanded tree by default.
# Minimum value: 0, maximum value: 9999, default value: 100.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_INDEX_NUM_ENTRIES = 100
# If the GENERATE_DOCSET tag is set to YES, additional index files will be
# generated that can be used as input for Apple's Xcode 3 integrated development
# environment (see: http://developer.apple.com/tools/xcode/), introduced with
# OSX 10.5 (Leopard). To create a documentation set, doxygen will generate a
# Makefile in the HTML output directory. Running make will produce the docset in
# that directory and running make install will install the docset in
# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find it at
# startup. See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html
# for more information.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
GENERATE_DOCSET = NO
# This tag determines the name of the docset feed. A documentation feed provides
# an umbrella under which multiple documentation sets from a single provider
# (such as a company or product suite) can be grouped.
# The default value is: Doxygen generated docs.
# This tag requires that the tag GENERATE_DOCSET is set to YES.
DOCSET_FEEDNAME = "Doxygen generated docs"
# This tag specifies a string that should uniquely identify the documentation
# set bundle. This should be a reverse domain-name style string, e.g.
# com.mycompany.MyDocSet. Doxygen will append .docset to the name.
# The default value is: org.doxygen.Project.
# This tag requires that the tag GENERATE_DOCSET is set to YES.
DOCSET_BUNDLE_ID = org.doxygen.Project
# The DOCSET_PUBLISHER_ID tag specifies a string that should uniquely identify
# the documentation publisher. This should be a reverse domain-name style
# string, e.g. com.mycompany.MyDocSet.documentation.
# The default value is: org.doxygen.Publisher.
# This tag requires that the tag GENERATE_DOCSET is set to YES.
DOCSET_PUBLISHER_ID = org.doxygen.Publisher
# The DOCSET_PUBLISHER_NAME tag identifies the documentation publisher.
# The default value is: Publisher.
# This tag requires that the tag GENERATE_DOCSET is set to YES.
DOCSET_PUBLISHER_NAME = Publisher
# If the GENERATE_HTMLHELP tag is set to YES then doxygen generates three
# additional HTML index files: index.hhp, index.hhc, and index.hhk. The
# index.hhp is a project file that can be read by Microsoft's HTML Help Workshop
# (see: http://www.microsoft.com/en-us/download/details.aspx?id=21138) on
# Windows.
#
# The HTML Help Workshop contains a compiler that can convert all HTML output
# generated by doxygen into a single compiled HTML file (.chm). Compiled HTML
# files are now used as the Windows 98 help format, and will replace the old
# Windows help format (.hlp) on all Windows platforms in the future. Compressed
# HTML files also contain an index, a table of contents, and you can search for
# words in the documentation. The HTML workshop also contains a viewer for
# compressed HTML files.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
GENERATE_HTMLHELP = NO
# The CHM_FILE tag can be used to specify the file name of the resulting .chm
# file. You can add a path in front of the file if the result should not be
# written to the html output directory.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
CHM_FILE =
# The HHC_LOCATION tag can be used to specify the location (absolute path
# including file name) of the HTML help compiler ( hhc.exe). If non-empty
# doxygen will try to run the HTML help compiler on the generated index.hhp.
# The file has to be specified with full path.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
HHC_LOCATION =
# The GENERATE_CHI flag controls if a separate .chi index file is generated (
# YES) or that it should be included in the master .chm file ( NO).
# The default value is: NO.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
GENERATE_CHI = NO
# The CHM_INDEX_ENCODING is used to encode HtmlHelp index ( hhk), content ( hhc)
# and project file content.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
CHM_INDEX_ENCODING =
# The BINARY_TOC flag controls whether a binary table of contents is generated (
# YES) or a normal table of contents ( NO) in the .chm file. Furthermore it
# enables the Previous and Next buttons.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
BINARY_TOC = NO
# The TOC_EXPAND flag can be set to YES to add extra items for group members to
# the table of contents of the HTML help documentation and to the tree view.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
TOC_EXPAND = YES
# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and
# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated that
# can be used as input for Qt's qhelpgenerator to generate a Qt Compressed Help
# (.qch) of the generated HTML documentation.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
GENERATE_QHP = NO
# If the QHG_LOCATION tag is specified, the QCH_FILE tag can be used to specify
# the file name of the resulting .qch file. The path specified is relative to
# the HTML output folder.
# This tag requires that the tag GENERATE_QHP is set to YES.
QCH_FILE =
# The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help
# Project output. For more information please see Qt Help Project / Namespace
# (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#namespace).
# The default value is: org.doxygen.Project.
# This tag requires that the tag GENERATE_QHP is set to YES.
QHP_NAMESPACE = org.doxygen.Project
# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating Qt
# Help Project output. For more information please see Qt Help Project / Virtual
# Folders (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#virtual-
# folders).
# The default value is: doc.
# This tag requires that the tag GENERATE_QHP is set to YES.
QHP_VIRTUAL_FOLDER = doc
# If the QHP_CUST_FILTER_NAME tag is set, it specifies the name of a custom
# filter to add. For more information please see Qt Help Project / Custom
# Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom-
# filters).
# This tag requires that the tag GENERATE_QHP is set to YES.
QHP_CUST_FILTER_NAME =
# The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the
# custom filter to add. For more information please see Qt Help Project / Custom
# Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom-
# filters).
# This tag requires that the tag GENERATE_QHP is set to YES.
QHP_CUST_FILTER_ATTRS =
# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
# project's filter section matches. Qt Help Project / Filter Attributes (see:
# http://qt-project.org/doc/qt-4.8/qthelpproject.html#filter-attributes).
# This tag requires that the tag GENERATE_QHP is set to YES.
QHP_SECT_FILTER_ATTRS =
# The QHG_LOCATION tag can be used to specify the location of Qt's
# qhelpgenerator. If non-empty doxygen will try to run qhelpgenerator on the
# generated .qhp file.
# This tag requires that the tag GENERATE_QHP is set to YES.
QHG_LOCATION =
# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be
# generated, together with the HTML files, they form an Eclipse help plugin. To
# install this plugin and make it available under the help contents menu in
# Eclipse, the contents of the directory containing the HTML and XML files needs
# to be copied into the plugins directory of eclipse. The name of the directory
# within the plugins directory should be the same as the ECLIPSE_DOC_ID value.
# After copying Eclipse needs to be restarted before the help appears.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
GENERATE_ECLIPSEHELP = NO
# A unique identifier for the Eclipse help plugin. When installing the plugin
# the directory name containing the HTML and XML files should also have this
# name. Each documentation set should have its own identifier.
# The default value is: org.doxygen.Project.
# This tag requires that the tag GENERATE_ECLIPSEHELP is set to YES.
ECLIPSE_DOC_ID = org.doxygen.Project
# If you want full control over the layout of the generated HTML pages it might
# be necessary to disable the index and replace it with your own. The
# DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs) at top
# of each HTML page. A value of NO enables the index and the value YES disables
# it. Since the tabs in the index contain the same information as the navigation
# tree, you can set this option to YES if you also set GENERATE_TREEVIEW to YES.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
DISABLE_INDEX = YES
# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
# structure should be generated to display hierarchical information. If the tag
# value is set to YES, a side panel will be generated containing a tree-like
# index structure (just like the one that is generated for HTML Help). For this
# to work a browser that supports JavaScript, DHTML, CSS and frames is required
# (i.e. any modern browser). Windows users are probably better off using the
# HTML help feature. Via custom stylesheets (see HTML_EXTRA_STYLESHEET) one can
# further fine-tune the look of the index. As an example, the default style
# sheet generated by doxygen has an example that shows how to put an image at
# the root of the tree instead of the PROJECT_NAME. Since the tree basically has
# the same information as the tab index, you could consider setting
# DISABLE_INDEX to YES when enabling this option.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
GENERATE_TREEVIEW = YES
# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that
# doxygen will group on one line in the generated HTML documentation.
#
# Note that a value of 0 will completely suppress the enum values from appearing
# in the overview section.
# Minimum value: 0, maximum value: 20, default value: 4.
# This tag requires that the tag GENERATE_HTML is set to YES.
ENUM_VALUES_PER_LINE = 4
# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be used
# to set the initial width (in pixels) of the frame in which the tree is shown.
# Minimum value: 0, maximum value: 1500, default value: 250.
# This tag requires that the tag GENERATE_HTML is set to YES.
TREEVIEW_WIDTH = 250
# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open links to
# external symbols imported via tag files in a separate window.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
EXT_LINKS_IN_WINDOW = NO
# Use this tag to change the font size of LaTeX formulas included as images in
# the HTML documentation. When you change the font size after a successful
# doxygen run you need to manually remove any form_*.png images from the HTML
# output directory to force them to be regenerated.
# Minimum value: 8, maximum value: 50, default value: 10.
# This tag requires that the tag GENERATE_HTML is set to YES.
FORMULA_FONTSIZE = 10
# Use the FORMULA_TRANSPARENT tag to determine whether or not the images
# generated for formulas are transparent PNGs. Transparent PNGs are not
# supported properly for IE 6.0, but are supported on all modern browsers.
#
# Note that when changing this option you need to delete any form_*.png files in
# the HTML output directory before the changes have effect.
# The default value is: YES.
# This tag requires that the tag GENERATE_HTML is set to YES.
FORMULA_TRANSPARENT = YES
# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see
# http://www.mathjax.org) which uses client side Javascript for the rendering
# instead of using prerendered bitmaps. Use this if you do not have LaTeX
# installed or if you want formulas to look prettier in the HTML output. When
# enabled you may also need to install MathJax separately and configure the path
# to it using the MATHJAX_RELPATH option.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
USE_MATHJAX = NO
# When MathJax is enabled you can set the default output format to be used for
# the MathJax output. See the MathJax site (see:
# http://docs.mathjax.org/en/latest/output.html) for more details.
# Possible values are: HTML-CSS (which is slower, but has the best
# compatibility), NativeMML (i.e. MathML) and SVG.
# The default value is: HTML-CSS.
# This tag requires that the tag USE_MATHJAX is set to YES.
MATHJAX_FORMAT = HTML-CSS
# When MathJax is enabled you need to specify the location relative to the HTML
# output directory using the MATHJAX_RELPATH option. The destination directory
# should contain the MathJax.js script. For instance, if the mathjax directory
# is located at the same level as the HTML output directory, then
# MATHJAX_RELPATH should be ../mathjax. The default value points to the MathJax
# Content Delivery Network so you can quickly see the result without installing
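# MathJax. However, it is strongly recommended to install a local copy of
# MathJax from http://www.mathjax.org before deployment. The generated pages
# load this script in every reader's browser, so a remote location (plain http
# in the default) means trusting both that host and the network path to it.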
# The default value is: http://cdn.mathjax.org/mathjax/latest.
# This tag requires that the tag USE_MATHJAX is set to YES.
MATHJAX_RELPATH = http://cdn.mathjax.org/mathjax/latest
# The MATHJAX_EXTENSIONS tag can be used to specify one or more MathJax
# extension names that should be enabled during MathJax rendering. For example
# MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols
# This tag requires that the tag USE_MATHJAX is set to YES.
MATHJAX_EXTENSIONS =
# The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces
# of code that will be used on startup of the MathJax code. See the MathJax site
# (see: http://docs.mathjax.org/en/latest/output.html) for more details. For an
# example see the documentation.
# This tag requires that the tag USE_MATHJAX is set to YES.
MATHJAX_CODEFILE =
# When the SEARCHENGINE tag is enabled doxygen will generate a search box for
# the HTML output. The underlying search engine uses javascript and DHTML and
# should work on any modern browser. Note that when using HTML help
# (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets (GENERATE_DOCSET)
# there is already a search function so this one should typically be disabled.
# For large projects the javascript based search engine can be slow, then
# enabling SERVER_BASED_SEARCH may provide a better solution. It is possible to
# search using the keyboard; to jump to the search box use <access key> + S
# (what the <access key> is depends on the OS and browser, but it is typically
# <CTRL>, <ALT>/<option>, or both). Inside the search box use the <cursor down
# key> to jump into the search results window, the results can be navigated
# using the <cursor keys>. Press <Enter> to select an item or <escape> to cancel
# the search. The filter options can be selected when the cursor is inside the
# search box by pressing <Shift>+<cursor down>. Also here use the <cursor keys>
# to select a filter and <Enter> or <escape> to activate or cancel the filter
# option.
# The default value is: YES.
# This tag requires that the tag GENERATE_HTML is set to YES.
SEARCHENGINE = YES
# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
# implemented using a web server instead of a web client using Javascript. There
# are two flavors of web server based searching depending on the EXTERNAL_SEARCH
# setting. When disabled, doxygen will generate a PHP script for searching and
# an index file used by the script. When EXTERNAL_SEARCH is enabled the indexing
# and searching needs to be provided by external tools. See the section
# "External Indexing and Searching" for details.
# The default value is: NO.
# This tag requires that the tag SEARCHENGINE is set to YES.
SERVER_BASED_SEARCH = NO
# When EXTERNAL_SEARCH tag is enabled doxygen will no longer generate the PHP
# script for searching. Instead the search results are written to an XML file
# which needs to be processed by an external indexer. Doxygen will invoke an
# external search engine pointed to by the SEARCHENGINE_URL option to obtain the
# search results.
#
# Doxygen ships with an example indexer (doxyindexer) and search engine
# (doxysearch.cgi) which are based on the open source search engine library
# Xapian (see: http://xapian.org/).
#
# See the section "External Indexing and Searching" for details.
# The default value is: NO.
# This tag requires that the tag SEARCHENGINE is set to YES.
EXTERNAL_SEARCH = NO
# The SEARCHENGINE_URL should point to a search engine hosted by a web server
# which will return the search results when EXTERNAL_SEARCH is enabled.
#
# Doxygen ships with an example indexer (doxyindexer) and search engine
# (doxysearch.cgi) which are based on the open source search engine library
# Xapian (see: http://xapian.org/). See the section "External Indexing and
# Searching" for details.
# This tag requires that the tag SEARCHENGINE is set to YES.
SEARCHENGINE_URL =
# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the unindexed
# search data is written to a file for indexing by an external tool. With the
# SEARCHDATA_FILE tag the name of this file can be specified.
# The default file is: searchdata.xml.
# This tag requires that the tag SEARCHENGINE is set to YES.
SEARCHDATA_FILE = searchdata.xml
# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the
# EXTERNAL_SEARCH_ID tag can be used as an identifier for the project. This is
# useful in combination with EXTRA_SEARCH_MAPPINGS to search through multiple
# projects and redirect the results back to the right project.
# This tag requires that the tag SEARCHENGINE is set to YES.
EXTERNAL_SEARCH_ID =
# The EXTRA_SEARCH_MAPPINGS tag can be used to enable searching through doxygen
# projects other than the one defined by this configuration file, but that are
# all added to the same external search index. Each project needs to have a
# unique id set via EXTERNAL_SEARCH_ID. The search mapping then maps the id to
# a relative location where the documentation can be found. The format is:
# EXTRA_SEARCH_MAPPINGS = tagname1=loc1 tagname2=loc2 ...
# This tag requires that the tag SEARCHENGINE is set to YES.
EXTRA_SEARCH_MAPPINGS =
#---------------------------------------------------------------------------
# Configuration options related to the LaTeX output
#---------------------------------------------------------------------------
# If the GENERATE_LATEX tag is set to YES doxygen will generate LaTeX output.
# The default value is: YES.
GENERATE_LATEX = YES
# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. If a
# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
# it.
# The default directory is: latex.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_OUTPUT = latex
# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
# invoked.
#
# Note that when enabling USE_PDFLATEX this option is only used for generating
# bitmaps for formulas in the HTML output, but not in the Makefile that is
# written to the output directory.
# The default file is: latex.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_CMD_NAME = latex
# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to generate
# index for LaTeX.
# The default file is: makeindex.
# This tag requires that the tag GENERATE_LATEX is set to YES.
MAKEINDEX_CMD_NAME = makeindex
# If the COMPACT_LATEX tag is set to YES doxygen generates more compact LaTeX
# documents. This may be useful for small projects and may help to save some
# trees in general.
# The default value is: NO.
# This tag requires that the tag GENERATE_LATEX is set to YES.
COMPACT_LATEX = NO
# The PAPER_TYPE tag can be used to set the paper type that is used by the
# printer.
# Possible values are: a4 (210 x 297 mm), letter (8.5 x 11 inches), legal (8.5 x
# 14 inches) and executive (7.25 x 10.5 inches).
# The default value is: a4.
# This tag requires that the tag GENERATE_LATEX is set to YES.
PAPER_TYPE = a4
# The EXTRA_PACKAGES tag can be used to specify one or more LaTeX package names
# that should be included in the LaTeX output. To get the times font for
# instance you can specify
# EXTRA_PACKAGES=times
# If left blank no extra packages will be included.
# This tag requires that the tag GENERATE_LATEX is set to YES.
EXTRA_PACKAGES =
# The LATEX_HEADER tag can be used to specify a personal LaTeX header for the
# generated LaTeX document. The header should contain everything until the first
# chapter. If it is left blank doxygen will generate a standard header. See
# section "Doxygen usage" for information on how to let doxygen write the
# default header to a separate file.
#
# Note: Only use a user-defined header if you know what you are doing! The
# following commands have a special meaning inside the header: $title,
# $datetime, $date, $doxygenversion, $projectname, $projectnumber. Doxygen will
# replace them by respectively the title of the page, the current date and time,
# only the current date, the version number of doxygen, the project name (see
# PROJECT_NAME), or the project number (see PROJECT_NUMBER).
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_HEADER =
# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the
# generated LaTeX document. The footer should contain everything after the last
# chapter. If it is left blank doxygen will generate a standard footer.
#
# Note: Only use a user-defined footer if you know what you are doing!
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_FOOTER =
# The LATEX_EXTRA_FILES tag can be used to specify one or more extra images or
# other source files which should be copied to the LATEX_OUTPUT output
# directory. Note that the files will be copied as-is; there are no commands or
# markers available.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_EXTRA_FILES =
# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated is
# prepared for conversion to PDF (using ps2pdf or pdflatex). The PDF file will
# contain links (just like the HTML output) instead of page references. This
# makes the output suitable for online browsing using a PDF viewer.
# The default value is: YES.
# This tag requires that the tag GENERATE_LATEX is set to YES.
PDF_HYPERLINKS = YES
# If the USE_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
# the PDF file directly from the LaTeX files. Set this option to YES to get a
# higher quality PDF documentation.
# The default value is: YES.
# This tag requires that the tag GENERATE_LATEX is set to YES.
USE_PDFLATEX = YES
# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \batchmode
# command to the generated LaTeX files. This will instruct LaTeX to keep running
# if errors occur, instead of asking the user for help. This option is also used
# when generating formulas in HTML.
# The default value is: NO.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_BATCHMODE = NO
# If the LATEX_HIDE_INDICES tag is set to YES then doxygen will not include the
# index chapters (such as File Index, Compound Index, etc.) in the output.
# The default value is: NO.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_HIDE_INDICES = NO
# If the LATEX_SOURCE_CODE tag is set to YES then doxygen will include source
# code with syntax highlighting in the LaTeX output.
#
# Note that which sources are shown also depends on other settings such as
# SOURCE_BROWSER.
# The default value is: NO.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_SOURCE_CODE = NO
# The LATEX_BIB_STYLE tag can be used to specify the style to use for the
# bibliography, e.g. plainnat, or ieeetr. See
# http://en.wikipedia.org/wiki/BibTeX and \cite for more info.
# The default value is: plain.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_BIB_STYLE = plain
#---------------------------------------------------------------------------
# Configuration options related to the RTF output
#---------------------------------------------------------------------------
# If the GENERATE_RTF tag is set to YES doxygen will generate RTF output. The
# RTF output is optimized for Word 97 and may not look too pretty with other RTF
# readers/editors.
# The default value is: NO.
GENERATE_RTF = NO
# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. If a
# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
# it.
# The default directory is: rtf.
# This tag requires that the tag GENERATE_RTF is set to YES.
RTF_OUTPUT = rtf
# If the COMPACT_RTF tag is set to YES doxygen generates more compact RTF
# documents. This may be useful for small projects and may help to save some
# trees in general.
# The default value is: NO.
# This tag requires that the tag GENERATE_RTF is set to YES.
COMPACT_RTF = NO
# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated will
# contain hyperlink fields. The RTF file will contain links (just like the HTML
# output) instead of page references. This makes the output suitable for online
# browsing using Word or some other Word compatible readers that support those
# fields.
#
# Note: WordPad (write) and others do not support links.
# The default value is: NO.
# This tag requires that the tag GENERATE_RTF is set to YES.
RTF_HYPERLINKS = NO
# Load stylesheet definitions from file. Syntax is similar to doxygen's config
# file, i.e. a series of assignments. You only have to provide replacements,
# missing definitions are set to their default value.
#
# See also section "Doxygen usage" for information on how to generate the
# default style sheet that doxygen normally uses.
# This tag requires that the tag GENERATE_RTF is set to YES.
RTF_STYLESHEET_FILE =
# Set optional variables used in the generation of an RTF document. Syntax is
# similar to doxygen's config file. A template extensions file can be generated
# using doxygen -e rtf extensionFile.
# This tag requires that the tag GENERATE_RTF is set to YES.
RTF_EXTENSIONS_FILE =
#---------------------------------------------------------------------------
# Configuration options related to the man page output
#---------------------------------------------------------------------------
# If the GENERATE_MAN tag is set to YES doxygen will generate man pages for
# classes and files.
# The default value is: NO.
GENERATE_MAN = NO
# The MAN_OUTPUT tag is used to specify where the man pages will be put. If a
# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
# it. A directory man3 will be created inside the directory specified by
# MAN_OUTPUT.
# The default directory is: man.
# This tag requires that the tag GENERATE_MAN is set to YES.
MAN_OUTPUT = man
# The MAN_EXTENSION tag determines the extension that is added to the generated
# man pages. In case the manual section does not start with a number, the number
# 3 is prepended. The dot (.) at the beginning of the MAN_EXTENSION tag is
# optional.
# The default value is: .3.
# This tag requires that the tag GENERATE_MAN is set to YES.
MAN_EXTENSION = .3
# The MAN_SUBDIR tag determines the name of the directory created within
# MAN_OUTPUT in which the man pages are placed. It defaults to man followed by
# MAN_EXTENSION with the initial . removed.
# This tag requires that the tag GENERATE_MAN is set to YES.
MAN_SUBDIR =
# If the MAN_LINKS tag is set to YES and doxygen generates man output, then it
# will generate one additional man file for each entity documented in the real
# man page(s). These additional files only source the real man page, but without
# them the man command would be unable to find the correct page.
# The default value is: NO.
# This tag requires that the tag GENERATE_MAN is set to YES.
MAN_LINKS = NO
#---------------------------------------------------------------------------
# Configuration options related to the XML output
#---------------------------------------------------------------------------
# If the GENERATE_XML tag is set to YES doxygen will generate an XML file that
# captures the structure of the code including all documentation.
# The default value is: NO.
GENERATE_XML = NO
# The XML_OUTPUT tag is used to specify where the XML pages will be put. If a
# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
# it.
# The default directory is: xml.
# This tag requires that the tag GENERATE_XML is set to YES.
XML_OUTPUT = xml
# If the XML_PROGRAMLISTING tag is set to YES doxygen will dump the program
# listings (including syntax highlighting and cross-referencing information) to
# the XML output. Note that enabling this will significantly increase the size
# of the XML output.
# The default value is: YES.
# This tag requires that the tag GENERATE_XML is set to YES.
XML_PROGRAMLISTING = YES
#---------------------------------------------------------------------------
# Configuration options related to the DOCBOOK output
#---------------------------------------------------------------------------
# If the GENERATE_DOCBOOK tag is set to YES doxygen will generate Docbook files
# that can be used to generate PDF.
# The default value is: NO.
GENERATE_DOCBOOK = NO
# The DOCBOOK_OUTPUT tag is used to specify where the Docbook pages will be put.
# If a relative path is entered the value of OUTPUT_DIRECTORY will be put in
# front of it.
# The default directory is: docbook.
# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
DOCBOOK_OUTPUT = docbook
#---------------------------------------------------------------------------
# Configuration options for the AutoGen Definitions output
#---------------------------------------------------------------------------
# If the GENERATE_AUTOGEN_DEF tag is set to YES doxygen will generate an AutoGen
# Definitions (see http://autogen.sf.net) file that captures the structure of
# the code including all documentation. Note that this feature is still
# experimental and incomplete at the moment.
# The default value is: NO.
GENERATE_AUTOGEN_DEF = NO
#---------------------------------------------------------------------------
# Configuration options related to the Perl module output
#---------------------------------------------------------------------------
# If the GENERATE_PERLMOD tag is set to YES doxygen will generate a Perl module
# file that captures the structure of the code including all documentation.
#
# Note that this feature is still experimental and incomplete at the moment.
# The default value is: NO.
GENERATE_PERLMOD = NO
# If the PERLMOD_LATEX tag is set to YES doxygen will generate the necessary
# Makefile rules, Perl scripts and LaTeX code to be able to generate PDF and DVI
# output from the Perl module output.
# The default value is: NO.
# This tag requires that the tag GENERATE_PERLMOD is set to YES.
PERLMOD_LATEX = NO
# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be nicely
# formatted so it can be parsed by a human reader. This is useful if you want to
# understand what is going on. On the other hand, if this tag is set to NO the
# size of the Perl module output will be much smaller and Perl will parse it
# just the same.
# The default value is: YES.
# This tag requires that the tag GENERATE_PERLMOD is set to YES.
PERLMOD_PRETTY = YES
# The names of the make variables in the generated doxyrules.make file are
# prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. This is useful
# so different doxyrules.make files included by the same Makefile don't
# overwrite each other's variables.
# This tag requires that the tag GENERATE_PERLMOD is set to YES.
PERLMOD_MAKEVAR_PREFIX =
#---------------------------------------------------------------------------
# Configuration options related to the preprocessor
#---------------------------------------------------------------------------
# If the ENABLE_PREPROCESSING tag is set to YES doxygen will evaluate all
# C-preprocessor directives found in the sources and include files.
# The default value is: YES.
ENABLE_PREPROCESSING = YES
# If the MACRO_EXPANSION tag is set to YES doxygen will expand all macro names
# in the source code. If set to NO only conditional compilation will be
# performed. Macro expansion can be done in a controlled way by setting
# EXPAND_ONLY_PREDEF to YES.
# The default value is: NO.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
MACRO_EXPANSION = NO
# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES then
# the macro expansion is limited to the macros specified with the PREDEFINED and
# EXPAND_AS_DEFINED tags.
# The default value is: NO.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
EXPAND_ONLY_PREDEF = NO
# If the SEARCH_INCLUDES tag is set to YES the include files in the
# INCLUDE_PATH will be searched if a #include is found.
# The default value is: YES.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
SEARCH_INCLUDES = YES
# The INCLUDE_PATH tag can be used to specify one or more directories that
# contain include files that are not input files but should be processed by the
# preprocessor.
# This tag requires that the tag SEARCH_INCLUDES is set to YES.
INCLUDE_PATH =
# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
# patterns (like *.h and *.hpp) to filter out the header-files in the
# directories. If left blank, the patterns specified with FILE_PATTERNS will be
# used.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
INCLUDE_FILE_PATTERNS =
# The PREDEFINED tag can be used to specify one or more macro names that are
# defined before the preprocessor is started (similar to the -D option of e.g.
# gcc). The argument of the tag is a list of macros of the form: name or
# name=definition (no spaces). If the definition and the "=" are omitted, "=1"
# is assumed. To prevent a macro definition from being undefined via #undef or
# recursively expanded use the := operator instead of the = operator.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
PREDEFINED =
# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
# tag can be used to specify a list of macro names that should be expanded. The
# macro definition that is found in the sources will be used. Use the PREDEFINED
# tag if you want to use a different macro definition that overrules the
# definition found in the source code.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
EXPAND_AS_DEFINED =
# If the SKIP_FUNCTION_MACROS tag is set to YES then doxygen's preprocessor will
# remove all references to function-like macros that are alone on a line, have
# an all uppercase name, and do not end with a semicolon. Such function macros
# are typically used for boiler-plate code, and will confuse the parser if not
# removed.
# The default value is: YES.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
SKIP_FUNCTION_MACROS = YES
#---------------------------------------------------------------------------
# Configuration options related to external references
#---------------------------------------------------------------------------
# The TAGFILES tag can be used to specify one or more tag files. For each tag
# file the location of the external documentation should be added. The format of
# a tag file without this location is as follows:
# TAGFILES = file1 file2 ...
# Adding location for the tag files is done as follows:
# TAGFILES = file1=loc1 "file2 = loc2" ...
# where loc1 and loc2 can be relative or absolute paths or URLs. See the
# section "Linking to external documentation" for more information about the use
# of tag files.
# Note: Each tag file must have a unique name (where the name does NOT include
# the path). If a tag file is not located in the directory in which doxygen is
# run, you must also specify the path to the tagfile here.
TAGFILES =
# When a file name is specified after GENERATE_TAGFILE, doxygen will create a
# tag file that is based on the input files it reads. See section "Linking to
# external documentation" for more information about the usage of tag files.
GENERATE_TAGFILE =
# If the ALLEXTERNALS tag is set to YES all external classes will be listed in the
# class index. If set to NO only the inherited external classes will be listed.
# The default value is: NO.
ALLEXTERNALS = NO
# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed in
# the modules index. If set to NO, only the current project's groups will be
# listed.
# The default value is: YES.
EXTERNAL_GROUPS = YES
# If the EXTERNAL_PAGES tag is set to YES all external pages will be listed in
# the related pages index. If set to NO, only the current project's pages will
# be listed.
# The default value is: YES.
EXTERNAL_PAGES = YES
# The PERL_PATH should be the absolute path and name of the perl script
# interpreter (i.e. the result of 'which perl').
# The default file (with absolute path) is: /usr/bin/perl.
PERL_PATH = /usr/bin/perl
#---------------------------------------------------------------------------
# Configuration options related to the dot tool
#---------------------------------------------------------------------------
# If the CLASS_DIAGRAMS tag is set to YES doxygen will generate a class diagram
# (in HTML and LaTeX) for classes with base or super classes. Setting the tag to
# NO turns the diagrams off. Note that this option also works with HAVE_DOT
# disabled, but it is recommended to install and use dot, since it yields more
# powerful graphs.
# The default value is: YES.
CLASS_DIAGRAMS = YES
# You can define message sequence charts within doxygen comments using the \msc
# command. Doxygen will then run the mscgen tool (see:
# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the
# documentation. The MSCGEN_PATH tag allows you to specify the directory where
# the mscgen tool resides. If left empty the tool is assumed to be found in the
# default search path.
MSCGEN_PATH =
# You can include diagrams made with dia in doxygen documentation. Doxygen will
# then run dia to produce the diagram and insert it in the documentation. The
# DIA_PATH tag allows you to specify the directory where the dia binary resides.
# If left empty dia is assumed to be found in the default search path.
DIA_PATH =
# If set to YES, the inheritance and collaboration graphs will hide inheritance
# and usage relations if the target is undocumented or is not a class.
# The default value is: YES.
HIDE_UNDOC_RELATIONS = YES
# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is
# available from the path. This tool is part of Graphviz (see:
# http://www.graphviz.org/), a graph visualization toolkit from AT&T and Lucent
# Bell Labs. The other options in this section have no effect if this option is
# set to NO.
# The default value is: NO.
HAVE_DOT = NO
# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is allowed
# to run in parallel. When set to 0 doxygen will base this on the number of
# processors available in the system. You can set it explicitly to a value
# larger than 0 to get control over the balance between CPU load and processing
# speed.
# Minimum value: 0, maximum value: 32, default value: 0.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_NUM_THREADS = 0
# When you want a different-looking font in the dot files that doxygen
# generates you can specify the font name using DOT_FONTNAME. You need to make
# sure dot is able to find the font, which can be done by putting it in a
# standard location or by setting the DOTFONTPATH environment variable or by
# setting DOT_FONTPATH to the directory containing the font.
# The default value is: Helvetica.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_FONTNAME = Helvetica
# The DOT_FONTSIZE tag can be used to set the size (in points) of the font of
# dot graphs.
# Minimum value: 4, maximum value: 24, default value: 10.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_FONTSIZE = 10
# By default doxygen will tell dot to use the default font as specified with
# DOT_FONTNAME. If you specify a different font using DOT_FONTNAME you can set
# the path where dot can find it using this tag.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_FONTPATH =
# If the CLASS_GRAPH tag is set to YES then doxygen will generate a graph for
# each documented class showing the direct and indirect inheritance relations.
# Setting this tag to YES will force the CLASS_DIAGRAMS tag to NO.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
CLASS_GRAPH = YES
# If the COLLABORATION_GRAPH tag is set to YES then doxygen will generate a
# graph for each documented class showing the direct and indirect implementation
# dependencies (inheritance, containment, and class references variables) of the
# class with other documented classes.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
COLLABORATION_GRAPH = YES
# If the GROUP_GRAPHS tag is set to YES then doxygen will generate a graph for
# groups, showing the direct groups dependencies.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
GROUP_GRAPHS = YES
# If the UML_LOOK tag is set to YES doxygen will generate inheritance and
# collaboration diagrams in a style similar to the OMG's Unified Modeling
# Language.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
UML_LOOK = NO
# If the UML_LOOK tag is enabled, the fields and methods are shown inside the
# class node. If there are many fields or methods and many nodes the graph may
# become too big to be useful. The UML_LIMIT_NUM_FIELDS threshold limits the
# number of items for each type to make the size more manageable. Set this to 0
# for no limit. Note that the threshold may be exceeded by 50% before the limit
# is enforced. So when you set the threshold to 10, up to 15 fields may appear,
# but if the number exceeds 15, the total amount of fields shown is limited to
# 10.
# Minimum value: 0, maximum value: 100, default value: 10.
# This tag requires that the tag HAVE_DOT is set to YES.
UML_LIMIT_NUM_FIELDS = 10
# If the TEMPLATE_RELATIONS tag is set to YES then the inheritance and
# collaboration graphs will show the relations between templates and their
# instances.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
TEMPLATE_RELATIONS = NO
# If the INCLUDE_GRAPH, ENABLE_PREPROCESSING and SEARCH_INCLUDES tags are set to
# YES then doxygen will generate a graph for each documented file showing the
# direct and indirect include dependencies of the file with other documented
# files.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
INCLUDE_GRAPH = YES
# If the INCLUDED_BY_GRAPH, ENABLE_PREPROCESSING and SEARCH_INCLUDES tags are
# set to YES then doxygen will generate a graph for each documented file showing
# the direct and indirect include dependencies of the file with other documented
# files.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
INCLUDED_BY_GRAPH = YES
# If the CALL_GRAPH tag is set to YES then doxygen will generate a call
# dependency graph for every global function or class method.
#
# Note that enabling this option will significantly increase the time of a run.
# So in most cases it will be better to enable call graphs for selected
# functions only using the \callgraph command.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
CALL_GRAPH = NO
# If the CALLER_GRAPH tag is set to YES then doxygen will generate a caller
# dependency graph for every global function or class method.
#
# Note that enabling this option will significantly increase the time of a run.
# So in most cases it will be better to enable caller graphs for selected
# functions only using the \callergraph command.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
CALLER_GRAPH = NO
# If the GRAPHICAL_HIERARCHY tag is set to YES then doxygen will draw a graphical
# hierarchy of all classes instead of a textual one.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
GRAPHICAL_HIERARCHY = YES
# If the DIRECTORY_GRAPH tag is set to YES then doxygen will show the
# dependencies a directory has on other directories in a graphical way. The
# dependency relations are determined by the #include relations between the
# files in the directories.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
DIRECTORY_GRAPH = YES
# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
# generated by dot.
# Note: If you choose svg you need to set HTML_FILE_EXTENSION to xhtml in order
# to make the SVG files visible in IE 9+ (other browsers do not have this
# requirement).
# Possible values are: png, jpg, gif and svg.
# The default value is: png.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_IMAGE_FORMAT = png
# If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to
# enable generation of interactive SVG images that allow zooming and panning.
#
# Note that this requires a modern browser other than Internet Explorer. Tested
# and working are Firefox, Chrome, Safari, and Opera.
# Note: For IE 9+ you need to set HTML_FILE_EXTENSION to xhtml in order to make
# the SVG files visible. Older versions of IE do not have SVG support.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
INTERACTIVE_SVG = NO
# The DOT_PATH tag can be used to specify the path where the dot tool can be
# found. If left blank, it is assumed the dot tool can be found in the path.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_PATH =
# The DOTFILE_DIRS tag can be used to specify one or more directories that
# contain dot files that are included in the documentation (see the \dotfile
# command).
# This tag requires that the tag HAVE_DOT is set to YES.
DOTFILE_DIRS =
# The MSCFILE_DIRS tag can be used to specify one or more directories that
# contain msc files that are included in the documentation (see the \mscfile
# command).
MSCFILE_DIRS =
# The DIAFILE_DIRS tag can be used to specify one or more directories that
# contain dia files that are included in the documentation (see the \diafile
# command).
DIAFILE_DIRS =
# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of nodes
# that will be shown in the graph. If the number of nodes in a graph becomes
# larger than this value, doxygen will truncate the graph, which is visualized
# by representing a node as a red box. Note that if the number of direct
# children of the root node in a graph is already larger than
# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note that
# the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
# Minimum value: 0, maximum value: 10000, default value: 50.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_GRAPH_MAX_NODES = 50
# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the graphs
# generated by dot. A depth value of 3 means that only nodes reachable from the
# root by following a path via at most 3 edges will be shown. Nodes that lie
# further from the root node will be omitted. Note that setting this option to 1
# or 2 may greatly reduce the computation time needed for large code bases. Also
# note that the size of a graph can be further restricted by
# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
# Minimum value: 0, maximum value: 1000, default value: 0.
# This tag requires that the tag HAVE_DOT is set to YES.
MAX_DOT_GRAPH_DEPTH = 0
# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
# background. This is disabled by default, because dot on Windows does not seem
# to support this out of the box.
#
# Warning: Depending on the platform used, enabling this option may lead to
# badly anti-aliased labels on the edges of a graph (i.e. they become hard to
# read).
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_TRANSPARENT = NO
# Set the DOT_MULTI_TARGETS tag to YES to allow dot to generate multiple output
# files in one run (i.e. multiple -o and -T options on the command line). This
# makes dot run faster, but since only newer versions of dot (>1.8.10) support
# this, this feature is disabled by default.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_MULTI_TARGETS = NO
# If the GENERATE_LEGEND tag is set to YES doxygen will generate a legend page
# explaining the meaning of the various boxes and arrows in the dot generated
# graphs.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
GENERATE_LEGEND = YES
# If the DOT_CLEANUP tag is set to YES doxygen will remove the intermediate dot
# files that are used to generate the various graphs.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_CLEANUP = YES
================================================
FILE: tools/doxygen/d3/createtree.py
================================================
import os
import json
'''
Author: Gleeda <jamie@memoryanalysis.net>
modified from:
http://stackoverflow.com/questions/25226208/represent-directory-tree-as-json
Quick and Dirty. Run from the Volatility root directory and redirect:
python createtree.py > OUTPUT/d3/vol.json
'''
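# Base URL that every node's 'link' value is built from.
link = "https://github.com/volatilityfoundation/volatility/blob/master/"
# Entry names left out of the tree. The check is on the bare entry name, so it
# applies at every directory level, not only at the root.
ignore = [".git", "doxygen", ".gitignore", ".gitattributes"]


def path_to_dict(path):
    """Describe *path* and everything below it as a nested dict.

    Each node carries 'name', 'link' (the module-level ``link`` prefix plus
    the path relative to the starting directory) and 'type' ("directory" or
    "file"). Directory nodes also carry 'children', one node per entry whose
    name is not in ``ignore``, in sorted order so that repeated runs over the
    same tree give the same output.

    Symbolic links are reported as files and never descended into. This keeps
    the walk inside the directory it was started in and stops a link that
    points back at one of its own parents from recursing without end.

    The path is appended to ``link`` as-is (no URL quoting), so names with
    characters such as spaces or '#' still yield links that need escaping.
    """
    # "./a/b" -> "a/b" and "." stays "."; working from the normalised form
    # means the leading "./" is dropped without touching dot-files further
    # down (a blanket replace of "/." would also eat the dot of ".hidden").
    rel = os.path.normpath(path)
    is_root = rel == os.curdir

    d = {'name': "root" if is_root else os.path.basename(rel)}

    if is_root:
        # The starting directory links to the prefix itself, without the
        # trailing slash.
        d['link'] = link.rstrip("/")
    else:
        # URLs always use forward slashes, whatever the local separator is.
        d['link'] = link + rel.replace(os.sep, "/")

    if os.path.isdir(path) and not os.path.islink(path):
        d['type'] = "directory"
        d['children'] = [
            path_to_dict(os.path.join(path, entry))
            for entry in sorted(os.listdir(path))
            if entry not in ignore
        ]
    else:
        d['type'] = "file"
    return d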
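# Write the tree rooted at the current directory to stdout as one JSON
# document. The parenthesised call is accepted by Python 2 and Python 3 alike,
# where the bare print statement is a syntax error on Python 3.
print(json.dumps(path_to_dict('.')))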
================================================
FILE: tools/doxygen/d3/tree.html
================================================
<!DOCTYPE html>
<!-- modified from http://mbostock.github.io/d3/talk/20111018/tree.html -->
<meta charset="utf-8">
<style>
.node {
cursor: pointer;
}
.node circle {
fill: #fff;
stroke: steelblue;
stroke-width: 1.5px;
}
.node text {
font: 10px sans-serif;
}
.link {
fill: none;
stroke: #ccc;
stroke-width: 1.5px;
}
</style>
<body>
<!-- NOTE(review): d3 is fetched from a third-party host each time the page is
     viewed and the tag has no integrity attribute, so whatever that host
     serves runs in this page. Consider shipping a reviewed copy next to this
     file, or adding integrity="<SRI-HASH-PLACEHOLDER>" crossorigin="anonymous". -->
<script src="https://d3js.org/d3.v3.min.js"></script>
<script>
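// Drawing area: a 1960x1000 canvas minus the margins on each side.
var margin = {top: 20, right: 120, bottom: 20, left: 120},
    width = 1960 - margin.right - margin.left,
    height = 1000 - margin.top - margin.bottom;

// State shared with update(): i is the counter node ids are drawn from and
// root is the loaded tree. duration is presumably the transition length in
// milliseconds; its use is outside this part of the file.
var i = 0,
    duration = 750,
    root;

// The layout is sized [height, width] because the tree is drawn sideways:
// the projection below swaps x and y.
var tree = d3.layout.tree()
    .size([height, width]);

var diagonal = d3.svg.diagonal()
    .projection(function(d) { return [d.y, d.x]; });

// Full-size <svg> holding one <g> shifted by the left/top margins; all nodes
// are drawn into that group.
var svg = d3.select("body").append("svg")
    .attr("width", width + margin.right + margin.left)
    .attr("height", height + margin.top + margin.bottom)
  .append("g")
    .attr("transform", "translate(" + margin.left + "," + margin.top + ")");

// Load the tree description and draw it with every branch below the first
// level folded away.
d3.json("vol.json", function(error, vol) {
  // Without this check a failed or empty load ends in a TypeError on
  // root.x0 below, which hides the real cause.
  if (error || !vol) {
    console.error("Unable to load vol.json", error);
    return;
  }

  root = vol;
  root.x0 = height / 2;
  root.y0 = 0;

  // Fold a node: move its children to _children, recursively, so that
  // update() treats it as closed.
  function collapse(d) {
    if (d.children) {
      d._children = d.children;
      d._children.forEach(collapse);
      d.children = null;
    }
  }

  // A root without children (for example a single-file tree) has nothing
  // to fold.
  (root.children || []).forEach(collapse);
  update(root);
});

// Sets a fixed height on the frame element hosting this page, if any.
d3.select(self.frameElement).style("height", "800px");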
function update(source) {
// Compute the new tree layout.
var nodes = tree.nodes(root).reverse(),
links = tree.links(nodes);
// Normalize for fixed-depth.
nodes.forEach(function(d) { d.y = d.depth * 180; });
// Update the nodes…
var node = svg.selectAll("g.node")
.data(nodes, function(d) { return d.id || (d.id = ++i); });
// Enter any new nodes at the parent's previous position.
var nodeEnter = node.enter().append("g")
.attr("class", "node")
.attr("transform", function(d) { return "translate(" + source.y0 + "," + source.x0 + ")"; })
.on("click", click);
nodeEnter.append("a")
.attr("xlink:href", function(d) { return d.link; })
.attr("target", "_blank")
.attr("xlink:show", "new")
.append("text")
.attr("class", "clickable")
.attr("dy", ".35em")
.attr("x", function (d) { return d.children || d._children ? -10 : 10; })
.attr("text-anchor", function(d) { return d.children || d._children ? "end" : "start"; })
.text(function(d) { return d.name; })
.style("fill-opacity", 1e-6);
nodeEnter.append("circle")
.attr("r", 1e-6)
.sty
gitextract_cqwfp5mv/
├── .gitattributes
├── .gitignore
├── AUTHORS.txt
├── CHANGELOG.txt
├── CREDITS.txt
├── LEGAL.txt
├── LICENSE.txt
├── MANIFEST.in
├── Makefile
├── PKG-INFO
├── README.txt
├── contrib/
│ ├── __init__.py
│ ├── library_example/
│ │ ├── libapi.py
│ │ └── pslist_json.py
│ └── plugins/
│ ├── README.md
│ ├── __init__.py
│ ├── aspaces/
│ │ └── README.md
│ ├── disablewarnings.py
│ ├── example.py
│ └── malware/
│ └── README.md
├── pyinstaller/
│ ├── hook-distorm3.py
│ ├── hook-openpyxl.py
│ ├── hook-volatility.py
│ └── hook-yara.py
├── pyinstaller.spec
├── setup.py
├── tools/
│ ├── doxygen/
│ │ ├── config
│ │ └── d3/
│ │ ├── createtree.py
│ │ └── tree.html
│ ├── linux/
│ │ ├── Makefile
│ │ ├── Makefile.enterprise
│ │ ├── kcore/
│ │ │ ├── Makefile
│ │ │ ├── elf.h
│ │ │ ├── getkcore.c
│ │ │ └── getkcore.h
│ │ └── module.c
│ ├── mac/
│ │ ├── convert.py
│ │ ├── generate_profile_list.py
│ │ ├── mac_create_all_profiles.py
│ │ └── parse_pbzx2.py
│ ├── vtype_diff.py
│ └── windows/
│ └── parsesummary.py
├── vol.py
└── volatility/
├── __init__.py
├── addrspace.py
├── cache.py
├── commands.py
├── conf.py
├── constants.py
├── debug.py
├── dwarf.py
├── exceptions.py
├── fmtspec.py
├── obj.py
├── plugins/
│ ├── __init__.py
│ ├── addrspaces/
│ │ ├── __init__.py
│ │ ├── amd64.py
│ │ ├── arm.py
│ │ ├── crash.py
│ │ ├── crashbmp.py
│ │ ├── elfcoredump.py
│ │ ├── hibernate.py
│ │ ├── hpak.py
│ │ ├── ieee1394.py
│ │ ├── intel.py
│ │ ├── lime.py
│ │ ├── macho.py
│ │ ├── osxpmemelf.py
│ │ ├── paged.py
│ │ ├── standard.py
│ │ ├── vmem.py
│ │ └── vmware.py
│ ├── bigpagepools.py
│ ├── bioskbd.py
│ ├── cmdline.py
│ ├── common.py
│ ├── connections.py
│ ├── connscan.py
│ ├── crashinfo.py
│ ├── dlldump.py
│ ├── drivermodule.py
│ ├── dumpcerts.py
│ ├── dumpfiles.py
│ ├── envars.py
│ ├── evtlogs.py
│ ├── fileparam.py
│ ├── filescan.py
│ ├── getservicesids.py
│ ├── getsids.py
│ ├── gui/
│ │ ├── __init__.py
│ │ ├── atoms.py
│ │ ├── clipboard.py
│ │ ├── constants.py
│ │ ├── desktops.py
│ │ ├── editbox.py
│ │ ├── eventhooks.py
│ │ ├── gahti.py
│ │ ├── gditimers.py
│ │ ├── messagehooks.py
│ │ ├── screenshot.py
│ │ ├── sessions.py
│ │ ├── userhandles.py
│ │ ├── vtypes/
│ │ │ ├── __init__.py
│ │ │ ├── vista.py
│ │ │ ├── win10.py
│ │ │ ├── win2003.py
│ │ │ ├── win7.py
│ │ │ ├── win7_sp0_x64_vtypes_gui.py
│ │ │ ├── win7_sp0_x86_vtypes_gui.py
│ │ │ ├── win7_sp1_x64_vtypes_gui.py
│ │ │ ├── win7_sp1_x86_vtypes_gui.py
│ │ │ ├── win8.py
│ │ │ └── xp.py
│ │ ├── win32k_core.py
│ │ ├── windows.py
│ │ └── windowstations.py
│ ├── handles.py
│ ├── heaps.py
│ ├── hibinfo.py
│ ├── hpakinfo.py
│ ├── iehistory.py
│ ├── imagecopy.py
│ ├── imageinfo.py
│ ├── joblinks.py
│ ├── kdbgscan.py
│ ├── kpcrscan.py
│ ├── linux/
│ │ ├── __init__.py
│ │ ├── apihooks.py
│ │ ├── arp.py
│ │ ├── aslr_shift.py
│ │ ├── banner.py
│ │ ├── bash.py
│ │ ├── bash_hash.py
│ │ ├── check_afinfo.py
│ │ ├── check_creds.py
│ │ ├── check_evt_arm.py
│ │ ├── check_fops.py
│ │ ├── check_idt.py
│ │ ├── check_inline_kernel.py
│ │ ├── check_modules.py
│ │ ├── check_syscall.py
│ │ ├── check_syscall_arm.py
│ │ ├── common.py
│ │ ├── cpuinfo.py
│ │ ├── dentry_cache.py
│ │ ├── dmesg.py
│ │ ├── dump_map.py
│ │ ├── elfs.py
│ │ ├── enumerate_files.py
│ │ ├── find_file.py
│ │ ├── flags.py
│ │ ├── getcwd.py
│ │ ├── hidden_modules.py
│ │ ├── ifconfig.py
│ │ ├── info_regs.py
│ │ ├── iomem.py
│ │ ├── kernel_opened_files.py
│ │ ├── keyboard_notifiers.py
│ │ ├── ld_env.py
│ │ ├── ldrmodules.py
│ │ ├── libc_env.py
│ │ ├── library_list.py
│ │ ├── librarydump.py
│ │ ├── lime.py
│ │ ├── linux_strings.py
│ │ ├── linux_truecrypt.py
│ │ ├── linux_volshell.py
│ │ ├── linux_yarascan.py
│ │ ├── list_raw.py
│ │ ├── lsmod.py
│ │ ├── lsof.py
│ │ ├── malfind.py
│ │ ├── mount.py
│ │ ├── mount_cache.py
│ │ ├── netfilter.py
│ │ ├── netscan.py
│ │ ├── netstat.py
│ │ ├── pidhashtable.py
│ │ ├── pkt_queues.py
│ │ ├── plthook.py
│ │ ├── proc_maps.py
│ │ ├── proc_maps_rb.py
│ │ ├── procdump.py
│ │ ├── process_hollow.py
│ │ ├── process_info.py
│ │ ├── process_stack.py
│ │ ├── psaux.py
│ │ ├── psenv.py
│ │ ├── pslist.py
│ │ ├── pslist_cache.py
│ │ ├── psscan.py
│ │ ├── pstree.py
│ │ ├── psxview.py
│ │ ├── recover_filesystem.py
│ │ ├── route_cache.py
│ │ ├── sk_buff_cache.py
│ │ ├── slab_info.py
│ │ ├── threads.py
│ │ ├── tmpfs.py
│ │ ├── tty_check.py
│ │ └── vma_cache.py
│ ├── mac/
│ │ ├── WKdm.py
│ │ ├── __init__.py
│ │ ├── adiummsgs.py
│ │ ├── apihooks.py
│ │ ├── apihooks_kernel.py
│ │ ├── arp.py
│ │ ├── bash.py
│ │ ├── bash_env.py
│ │ ├── bash_hash.py
│ │ ├── calendar.py
│ │ ├── check_fop.py
│ │ ├── check_mig_table.py
│ │ ├── check_syscall_shadow.py
│ │ ├── check_syscall_table.py
│ │ ├── check_sysctl.py
│ │ ├── check_trap_table.py
│ │ ├── classes.py
│ │ ├── common.py
│ │ ├── compressed_swap.py
│ │ ├── contacts.py
│ │ ├── dead_procs.py
│ │ ├── dead_sockets.py
│ │ ├── dead_vnodes.py
│ │ ├── devfs.py
│ │ ├── dlyd_maps.py
│ │ ├── dmesg.py
│ │ ├── dump_files.py
│ │ ├── dump_map.py
│ │ ├── find_aslr_shift.py
│ │ ├── get_profile.py
│ │ ├── gkextmap.py
│ │ ├── ifconfig.py
│ │ ├── interest_handlers.py
│ │ ├── ip_filters.py
│ │ ├── kevents.py
│ │ ├── keychaindump.py
│ │ ├── ldrmodules.py
│ │ ├── librarydump.py
│ │ ├── list_files.py
│ │ ├── list_kauth_listeners.py
│ │ ├── list_kauth_scopes.py
│ │ ├── list_raw.py
│ │ ├── list_zones.py
│ │ ├── lsmod.py
│ │ ├── lsmod_iokit.py
│ │ ├── lsof.py
│ │ ├── mac_strings.py
│ │ ├── mac_volshell.py
│ │ ├── mac_yarascan.py
│ │ ├── machine_info.py
│ │ ├── malfind.py
│ │ ├── memdump.py
│ │ ├── moddump.py
│ │ ├── mount.py
│ │ ├── netconns.py
│ │ ├── netstat.py
│ │ ├── notesapp.py
│ │ ├── notifiers.py
│ │ ├── orphan_threads.py
│ │ ├── pgrp_hash_table.py
│ │ ├── pid_hash_table.py
│ │ ├── print_boot_cmdline.py
│ │ ├── proc_maps.py
│ │ ├── procdump.py
│ │ ├── psaux.py
│ │ ├── psenv.py
│ │ ├── pslist.py
│ │ ├── pstasks.py
│ │ ├── pstree.py
│ │ ├── psxview.py
│ │ ├── recover_filesystem.py
│ │ ├── route.py
│ │ ├── session_hash_table.py
│ │ ├── socket_filters.py
│ │ ├── threads.py
│ │ ├── threads_simple.py
│ │ ├── timers.py
│ │ ├── trustedbsd.py
│ │ ├── version.py
│ │ └── vfsevents.py
│ ├── machoinfo.py
│ ├── malware/
│ │ ├── __init__.py
│ │ ├── apihooks.py
│ │ ├── callbacks.py
│ │ ├── cmdhistory.py
│ │ ├── devicetree.py
│ │ ├── idt.py
│ │ ├── impscan.py
│ │ ├── malfind.py
│ │ ├── psxview.py
│ │ ├── servicediff.py
│ │ ├── svcscan.py
│ │ ├── threads.py
│ │ └── timers.py
│ ├── mbrparser.py
│ ├── mftparser.py
│ ├── moddump.py
│ ├── modscan.py
│ ├── modules.py
│ ├── multiscan.py
│ ├── netscan.py
│ ├── notepad.py
│ ├── objtypescan.py
│ ├── overlays/
│ │ ├── __init__.py
│ │ ├── basic.py
│ │ ├── linux/
│ │ │ ├── __init__.py
│ │ │ ├── elf.py
│ │ │ └── linux.py
│ │ ├── mac/
│ │ │ ├── __init__.py
│ │ │ ├── mac.py
│ │ │ └── macho.py
│ │ ├── native_types.py
│ │ └── windows/
│ │ ├── __init__.py
│ │ ├── crash_vtypes.py
│ │ ├── hibernate_vtypes.py
│ │ ├── kdbg_vtypes.py
│ │ ├── kpcr_vtypes.py
│ │ ├── pe_vtypes.py
│ │ ├── ssdt_vtypes.py
│ │ ├── tcpip_vtypes.py
│ │ ├── vad_vtypes.py
│ │ ├── vista.py
│ │ ├── vista_sp0_x64_syscalls.py
│ │ ├── vista_sp0_x64_vtypes.py
│ │ ├── vista_sp0_x86_syscalls.py
│ │ ├── vista_sp0_x86_vtypes.py
│ │ ├── vista_sp12_x64_syscalls.py
│ │ ├── vista_sp12_x86_syscalls.py
│ │ ├── vista_sp1_x64_vtypes.py
│ │ ├── vista_sp1_x86_vtypes.py
│ │ ├── vista_sp2_x64_vtypes.py
│ │ ├── vista_sp2_x86_vtypes.py
│ │ ├── win10.py
│ │ ├── win10_x64_10240_17770_vtypes.py
│ │ ├── win10_x64_10586_syscalls.py
│ │ ├── win10_x64_14393_syscalls.py
│ │ ├── win10_x64_15063_syscalls.py
│ │ ├── win10_x64_15063_vtypes.py
│ │ ├── win10_x64_16299_syscalls.py
│ │ ├── win10_x64_16299_vtypes.py
│ │ ├── win10_x64_17134_vtypes.py
│ │ ├── win10_x64_17763_vtypes.py
│ │ ├── win10_x64_18362_vtypes.py
│ │ ├── win10_x64_19041_vtypes.py
│ │ ├── win10_x64_1AC738FB_vtypes.py
│ │ ├── win10_x64_DD08DD42_vtypes.py
│ │ ├── win10_x64_vtypes.py
│ │ ├── win10_x86_10240_17770_vtypes.py
│ │ ├── win10_x86_10586_syscalls.py
│ │ ├── win10_x86_14393_syscalls.py
│ │ ├── win10_x86_15063_syscalls.py
│ │ ├── win10_x86_15063_vtypes.py
│ │ ├── win10_x86_16299_syscalls.py
│ │ ├── win10_x86_16299_vtypes.py
│ │ ├── win10_x86_17134_vtypes.py
│ │ ├── win10_x86_17763_vtypes.py
│ │ ├── win10_x86_18362_vtypes.py
│ │ ├── win10_x86_19041_vtypes.py
│ │ ├── win10_x86_44B89EEA_vtypes.py
│ │ ├── win10_x86_9619274A_vtypes.py
│ │ ├── win10_x86_vtypes.py
│ │ ├── win2003.py
│ │ ├── win2003_sp0_x86_syscalls.py
│ │ ├── win2003_sp0_x86_vtypes.py
│ │ ├── win2003_sp12_x64_syscalls.py
│ │ ├── win2003_sp12_x86_syscalls.py
│ │ ├── win2003_sp1_x64_vtypes.py
│ │ ├── win2003_sp1_x86_vtypes.py
│ │ ├── win2003_sp2_x64_vtypes.py
│ │ ├── win2003_sp2_x86_vtypes.py
│ │ ├── win7.py
│ │ ├── win7_sp01_x64_syscalls.py
│ │ ├── win7_sp01_x86_syscalls.py
│ │ ├── win7_sp0_x64_vtypes.py
│ │ ├── win7_sp0_x86_vtypes.py
│ │ ├── win7_sp1_x64_24000_vtypes.py
│ │ ├── win7_sp1_x64_632B36E0_vtypes.py
│ │ ├── win7_sp1_x64_vtypes.py
│ │ ├── win7_sp1_x86_24000_vtypes.py
│ │ ├── win7_sp1_x86_BBA98F40_vtypes.py
│ │ ├── win7_sp1_x86_vtypes.py
│ │ ├── win8.py
│ │ ├── win81_u1_x64_vtypes.py
│ │ ├── win81_u1_x86_vtypes.py
│ │ ├── win8_kdbg.py
│ │ ├── win8_sp0_x64_syscalls.py
│ │ ├── win8_sp0_x64_vtypes.py
│ │ ├── win8_sp0_x86_syscalls.py
│ │ ├── win8_sp0_x86_vtypes.py
│ │ ├── win8_sp1_x64_54B5A1C6_vtypes.py
│ │ ├── win8_sp1_x64_syscalls.py
│ │ ├── win8_sp1_x64_vtypes.py
│ │ ├── win8_sp1_x86_syscalls.py
│ │ ├── win8_sp1_x86_vtypes.py
│ │ ├── windows.py
│ │ ├── windows64.py
│ │ ├── xp.py
│ │ ├── xp_sp2_x86_syscalls.py
│ │ ├── xp_sp2_x86_vtypes.py
│ │ └── xp_sp3_x86_vtypes.py
│ ├── patcher.py
│ ├── patchguard.py
│ ├── pooltracker.py
│ ├── privileges.py
│ ├── procdump.py
│ ├── pstree.py
│ ├── raw2dmp.py
│ ├── registry/
│ │ ├── __init__.py
│ │ ├── amcache.py
│ │ ├── auditpol.py
│ │ ├── dumpregistry.py
│ │ ├── hivelist.py
│ │ ├── hivescan.py
│ │ ├── lsadump.py
│ │ ├── printkey.py
│ │ ├── registryapi.py
│ │ ├── shellbags.py
│ │ ├── shimcache.py
│ │ ├── shutdown.py
│ │ └── userassist.py
│ ├── sockets.py
│ ├── sockscan.py
│ ├── ssdt.py
│ ├── strings.py
│ ├── taskmods.py
│ ├── tcaudit.py
│ ├── timeliner.py
│ ├── vadinfo.py
│ ├── vboxinfo.py
│ ├── verinfo.py
│ ├── vmwareinfo.py
│ ├── volshell.py
│ └── win10cookie.py
├── poolscan.py
├── protos.py
├── registry.py
├── renderers/
│ ├── __init__.py
│ ├── basic.py
│ ├── dot.py
│ ├── html.py
│ ├── sqlite.py
│ ├── text.py
│ └── xlsx.py
├── scan.py
├── timefmt.py
├── utils.py
├── validity.py
└── win32/
├── __init__.py
├── crashdump.py
├── domcachedump.py
├── hashdump.py
├── hive.py
├── lsasecrets.py
├── modules.py
├── network.py
├── rawreg.py
├── tasks.py
└── xpress.py
SYMBOL INDEX (4417 symbols across 339 files)
FILE: contrib/library_example/libapi.py
function get_json (line 28) | def get_json(config, plugin_class):
function get_config (line 34) | def get_config(profile, target_path):
FILE: contrib/library_example/pslist_json.py
function main (line 24) | def main():
FILE: contrib/plugins/disablewarnings.py
function disable_warnings (line 27) | def disable_warnings(_option, _opt_str, _value, _parser):
FILE: contrib/plugins/example.py
class DateTime (line 29) | class DateTime(commands.Command):
method calculate (line 31) | def calculate(self):
method get_image_time (line 39) | def get_image_time(self, addr_space):
method render_text (line 59) | def render_text(self, outfd, data):
FILE: setup.py
function find_files (line 39) | def find_files(topdirs, py = False):
FILE: tools/doxygen/d3/createtree.py
function path_to_dict (line 19) | def path_to_dict(path):
FILE: tools/linux/kcore/elf.h
type Elf32_Half (line 33) | typedef uint16_t Elf32_Half;
type Elf64_Half (line 34) | typedef uint16_t Elf64_Half;
type Elf32_Word (line 37) | typedef uint32_t Elf32_Word;
type Elf32_Sword (line 38) | typedef int32_t Elf32_Sword;
type Elf64_Word (line 39) | typedef uint32_t Elf64_Word;
type Elf64_Sword (line 40) | typedef int32_t Elf64_Sword;
type Elf32_Xword (line 43) | typedef uint64_t Elf32_Xword;
type Elf32_Sxword (line 44) | typedef int64_t Elf32_Sxword;
type Elf64_Xword (line 45) | typedef uint64_t Elf64_Xword;
type Elf64_Sxword (line 46) | typedef int64_t Elf64_Sxword;
type Elf32_Addr (line 49) | typedef uint32_t Elf32_Addr;
type Elf64_Addr (line 50) | typedef uint64_t Elf64_Addr;
type Elf32_Off (line 53) | typedef uint32_t Elf32_Off;
type Elf64_Off (line 54) | typedef uint64_t Elf64_Off;
type Elf32_Section (line 57) | typedef uint16_t Elf32_Section;
type Elf64_Section (line 58) | typedef uint16_t Elf64_Section;
type Elf32_Half (line 61) | typedef Elf32_Half Elf32_Versym;
type Elf64_Half (line 62) | typedef Elf64_Half Elf64_Versym;
type Elf32_Ehdr (line 69) | typedef struct
type Elf64_Ehdr (line 87) | typedef struct
type Elf32_Shdr (line 270) | typedef struct
type Elf64_Shdr (line 284) | typedef struct
type Elf32_Sym (line 379) | typedef struct
type Elf64_Sym (line 389) | typedef struct
type Elf32_Syminfo (line 402) | typedef struct
type Elf64_Syminfo (line 408) | typedef struct
type Elf32_Rel (line 494) | typedef struct
type Elf64_Rel (line 505) | typedef struct
type Elf32_Rela (line 513) | typedef struct
type Elf64_Rela (line 520) | typedef struct
type Elf32_Phdr (line 539) | typedef struct
type Elf64_Phdr (line 551) | typedef struct
type Elf32_Dyn (line 633) | typedef struct
type Elf64_Dyn (line 643) | typedef struct
type Elf32_Verdef (line 800) | typedef struct
type Elf64_Verdef (line 812) | typedef struct
type Elf32_Verdaux (line 842) | typedef struct
type Elf64_Verdaux (line 849) | typedef struct
type Elf32_Verneed (line 859) | typedef struct
type Elf64_Verneed (line 870) | typedef struct
type Elf32_Vernaux (line 889) | typedef struct
type Elf64_Vernaux (line 899) | typedef struct
type Elf32_auxv_t (line 923) | typedef struct
type Elf64_auxv_t (line 935) | typedef struct
type Elf32_Nhdr (line 1007) | typedef struct
type Elf64_Nhdr (line 1014) | typedef struct
type Elf32_Move (line 1071) | typedef struct
type Elf64_Move (line 1080) | typedef struct
type Elf32_gptab (line 1464) | typedef union
type Elf32_RegInfo (line 1480) | typedef struct
type Elf_Options (line 1489) | typedef struct
type Elf_Options_Hw (line 1540) | typedef struct
type Elf32_Lib (line 1701) | typedef struct
type Elf64_Lib (line 1710) | typedef struct
type Elf32_Addr (line 1732) | typedef Elf32_Addr Elf32_Conflict;
FILE: tools/linux/kcore/getkcore.c
function _debug_msg (line 49) | void _debug_msg(const char *format,...)
function _die (line 61) | void _die(const char* format,...)
function _do_startup_checks (line 72) | void _do_startup_checks(void)
function _write_lime_header (line 81) | void _write_lime_header(int out_fd, unsigned long long phys_off, unsigne...
function _read_write_region (line 97) | void _read_write_region(int kcore_fd, int out_fd, Elf64_Phdr *p, unsigne...
function _process_header (line 139) | void _process_header(int kcore_fd, int out_fd, unsigned long long phdr_a...
function _write_region (line 156) | void _write_region(int kcore_fd, int out_fd, unsigned long long phys_sta...
function _dump_ranges (line 201) | void _dump_ranges(int kcore_fd, int out_fd, unsigned char *read_buf)
function create_memory_dump (line 258) | int create_memory_dump(char *outfile)
function main (line 285) | int main(int argc, char **argv)
FILE: tools/linux/kcore/getkcore.h
type lime_range (line 4) | typedef struct {
FILE: tools/linux/module.c
type xa_node (line 21) | struct xa_node
type lockref (line 26) | struct lockref
type pid_namespace (line 42) | struct pid_namespace
type nf_hook_ops (line 49) | struct nf_hook_ops
type nf_sockopt_ops (line 50) | struct nf_sockopt_ops
type xt_table (line 54) | struct xt_table
type atomic_notifier_head (line 68) | struct atomic_notifier_head
type tty_driver (line 72) | struct tty_driver
type tty_struct (line 75) | struct tty_struct
type udp_seq_afinfo (line 77) | struct udp_seq_afinfo
type tcp_seq_afinfo (line 78) | struct tcp_seq_afinfo
type files_struct (line 80) | struct files_struct
type uts_namespace (line 83) | struct uts_namespace
type sock (line 86) | struct sock
type inet_sock (line 87) | struct inet_sock
type vfsmount (line 88) | struct vfsmount
type in_device (line 89) | struct in_device
type fib_table (line 90) | struct fib_table
type unix_sock (line 91) | struct unix_sock
type pid (line 92) | struct pid
type radix_tree_root (line 93) | struct radix_tree_root
type Qdisc (line 98) | struct Qdisc
type inet_protosw (line 102) | struct inet_protosw
type kthread_create_info (line 109) | struct kthread_create_info
type kthread_create_info (line 123) | struct kthread_create_info
type fn_zone (line 138) | struct fn_zone {
type fn_hash (line 153) | struct fn_hash {
type fib_alias (line 158) | struct fib_alias
type fib_node (line 171) | struct fib_node
type fib_node (line 180) | struct fib_node
type fib_alias (line 181) | struct fib_alias
type rt_hash_bucket (line 183) | struct rt_hash_bucket {
type radix_tree_node (line 199) | struct radix_tree_node {
type module_sect_attr (line 217) | struct module_sect_attr
type module_sect_attrs (line 224) | struct module_sect_attrs
type module_sect_attrs (line 231) | struct module_sect_attrs
type module_sections (line 235) | struct module_sections
type module_kobject (line 239) | struct module_kobject
type latch_tree_root (line 249) | struct latch_tree_root
type kmem_cache (line 264) | struct kmem_cache {
type kmem_cache (line 340) | struct kmem_cache {
type kmem_cache (line 409) | struct kmem_cache
type kmem_list3 (line 412) | struct kmem_list3 {
type kmem_list3 (line 426) | struct kmem_list3
type slab (line 428) | struct slab {
type slab (line 437) | struct slab
type u64 (line 447) | typedef u64 cycle_t;
type timekeeper (line 449) | struct timekeeper {
type timekeeper (line 509) | struct timekeeper
type log (line 511) | struct log {
type log (line 521) | struct log
type mnt_namespace (line 527) | struct mnt_namespace {
type mnt_pcp (line 535) | struct mnt_pcp {
type mount (line 540) | struct mount {
type proc_dir_entry (line 583) | struct proc_dir_entry {
type proc_dir_entry (line 604) | struct proc_dir_entry {
type resource (line 629) | struct resource
FILE: tools/mac/convert.py
class DWARFParser (line 5) | class DWARFParser(object):
method __init__ (line 38) | def __init__(self):
method resolve (line 52) | def resolve(self, memb):
method fix_typedefs (line 72) | def fix_typedefs(self):
method resolve_refs (line 88) | def resolve_refs(self):
method deep_replace (line 96) | def deep_replace(self, t, search, repl):
method get_deepest (line 105) | def get_deepest(self, t):
method base_type_name (line 119) | def base_type_name(self, data):
method feed_line (line 130) | def feed_line(self, line):
method get_offset (line 154) | def get_offset(self, data):
method process_statement (line 167) | def process_statement(self, kind, level, data, statement_id):
method process_variable (line 376) | def process_variable(self, data):
method finalize (line 385) | def finalize(self):
method print_output (line 430) | def print_output(self):
function parse_dwarf (line 446) | def parse_dwarf():
function write_line (line 459) | def write_line(outfile, level, id, name):
function convert_file (line 463) | def convert_file(mac_file, outfile):
function main (line 603) | def main():
FILE: tools/mac/generate_profile_list.py
function parse_dsymutil (line 29) | def parse_dsymutil(data, module):
FILE: tools/mac/mac_create_all_profiles.py
function run_cmd (line 22) | def run_cmd(args, output_file = None):
function generate_profile (line 40) | def generate_profile(temp_dir, volatility_dir, profile_dir, profile):
function main (line 102) | def main():
FILE: tools/mac/parse_pbzx2.py
function seekread (line 21) | def seekread(f, offset=None, length=0, relative=True):
function parse_pbzx (line 28) | def parse_pbzx(pbzx_path):
function main (line 82) | def main():
FILE: tools/vtype_diff.py
class VtypeHolder (line 35) | class VtypeHolder(object):
method __init__ (line 39) | def __init__(self):
method _rename_types (line 47) | def _rename_types(self, vtypes, namemap):
method _deep_replace (line 64) | def _deep_replace(self, t, search, repl):
method _get_deepest (line 72) | def _get_deepest(self, t):
method _tuplify (line 84) | def _tuplify(self, types, t):
method as_string (line 94) | def as_string(self, msizes = True):
method load (line 127) | def load(self, filename):
method canonicalize (line 136) | def canonicalize(self):
method decanonicalize (line 154) | def decanonicalize(self, namemap = None):
method diff (line 172) | def diff(self, base):
FILE: tools/windows/parsesummary.py
function usage (line 18) | def usage(name):
function main (line 21) | def main():
FILE: vol.py
function list_plugins (line 64) | def list_plugins():
function command_help (line 94) | def command_help(command):
function print_info (line 109) | def print_info():
function main (line 135) | def main():
FILE: volatility/addrspace.py
class ASAssertionError (line 46) | class ASAssertionError(AssertionError):
method __init__ (line 48) | def __init__(self, *args, **kwargs):
function check_valid_profile (line 51) | def check_valid_profile(option, _opt_str, value, parser):
class BaseAddressSpace (line 64) | class BaseAddressSpace(object):
method __init__ (line 66) | def __init__(self, base, config, *_args, **_kwargs):
method register_options (line 76) | def register_options(config):
method get_config (line 85) | def get_config(self):
method _set_profile (line 89) | def _set_profile(self, profile_name):
method is_valid_profile (line 106) | def is_valid_profile(self, profile): #pylint: disable-msg=W0613
method as_assert (line 110) | def as_assert(self, assertion, error = None):
method __eq__ (line 120) | def __eq__(self, other):
method __ne__ (line 124) | def __ne__(self, other):
method read (line 127) | def read(self, addr, length):
method zread (line 130) | def zread(self, addr, length):
method get_available_addresses (line 133) | def get_available_addresses(self):
method is_valid_address (line 141) | def is_valid_address(self, _addr):
method write (line 145) | def write(self, _addr, _buf):
method __getstate__ (line 150) | def __getstate__(self):
method __setstate__ (line 156) | def __setstate__(self, state):
method address_mask (line 160) | def address_mask(cls, addr):
method address_compare (line 165) | def address_compare(cls, a, b):
method address_equality (line 170) | def address_equality(cls, a, b):
method physical_space (line 174) | def physical_space(self):
class AbstractDiscreteAllocMemory (line 189) | class AbstractDiscreteAllocMemory(BaseAddressSpace):
method __init__ (line 195) | def __init__(self, base, config, *args, **kwargs):
method translate (line 198) | def translate(self, vaddr):
method get_available_allocs (line 201) | def get_available_allocs(self):
method calculate_alloc_stats (line 205) | def calculate_alloc_stats(self):
method _read (line 223) | def _read(self, addr, length, pad = False):
method read (line 271) | def read(self, addr, length):
method zread (line 278) | def zread(self, addr, length):
class AbstractRunBasedMemory (line 285) | class AbstractRunBasedMemory(AbstractDiscreteAllocMemory):
method __init__ (line 292) | def __init__(self, base, config, *args, **kwargs):
method get_runs (line 297) | def get_runs(self):
method get_header (line 301) | def get_header(self):
method translate (line 305) | def translate(self, addr):
method get_available_allocs (line 320) | def get_available_allocs(self):
method get_available_addresses (line 325) | def get_available_addresses(self):
method is_valid_address (line 331) | def is_valid_address(self, phys_addr):
method get_address_range (line 338) | def get_address_range(self):
method write (line 346) | def write(self, phys_addr, buf):
class AbstractVirtualAddressSpace (line 361) | class AbstractVirtualAddressSpace(AbstractDiscreteAllocMemory):
method __init__ (line 363) | def __init__(self, base, config, astype = 'virtual', *args, **kwargs):
method vtop (line 367) | def vtop(self, vaddr):
method translate (line 370) | def translate(self, vaddr):
class BufferAddressSpace (line 376) | class BufferAddressSpace(BaseAddressSpace):
method __init__ (line 377) | def __init__(self, config, base_offset = 0, data = '', **kwargs):
method assign_buffer (line 383) | def assign_buffer(self, data, base_offset = 0):
method is_valid_address (line 387) | def is_valid_address(self, addr):
method read (line 392) | def read(self, addr, length):
method zread (line 396) | def zread(self, addr, length):
method write (line 399) | def write(self, addr, data):
method get_available_addresses (line 405) | def get_available_addresses(self):
FILE: volatility/cache.py
class CacheContainsGenerator (line 229) | class CacheContainsGenerator(exceptions.VolatilityException):
class InvalidCache (line 233) | class InvalidCache(Exception):
class CacheNode (line 237) | class CacheNode(object):
method __init__ (line 239) | def __init__(self, name, stem, storage = None, payload = None, invalid...
method __getitem__ (line 255) | def __getitem__(self, item = ''):
method __str__ (line 269) | def __str__(self):
method _find_generators (line 273) | def _find_generators(self, item):
method set_payload (line 298) | def set_payload(self, payload):
method dump (line 306) | def dump(self):
method get_payload (line 312) | def get_payload(self):
class BlockingNode (line 316) | class BlockingNode(CacheNode):
method __init__ (line 318) | def __init__(self, name, stem, **kwargs):
method __getitem__ (line 321) | def __getitem__(self, item = ''):
method dump (line 324) | def dump(self):
method get_payload (line 328) | def get_payload(self):
class Invalidator (line 332) | class Invalidator(object):
method __init__ (line 350) | def __init__(self):
method add_condition (line 353) | def add_condition(self, key, callback):
method __setstate__ (line 358) | def __setstate__(self, state):
method __getstate__ (line 372) | def __getstate__(self):
class CacheTree (line 387) | class CacheTree(object):
method __init__ (line 389) | def __init__(self, storage = None, cls = CacheNode, invalidator = None):
method __getitem__ (line 395) | def __getitem__(self, path):
method invalidate_on (line 399) | def invalidate_on(self, key, callback):
method check (line 402) | def check(self, path, callback = None, cls = CacheNode):
class CacheStorage (line 434) | class CacheStorage(object):
method encode (line 439) | def encode(self, string):
method filename (line 449) | def filename(self, url):
method load (line 463) | def load(self, url):
method dump (line 472) | def dump(self, url, payload):
function enable_caching (line 499) | def enable_caching(_option, _opt_str, _value, _parser):
class CacheDecorator (line 514) | class CacheDecorator(object):
method __init__ (line 516) | def __init__(self, path):
method generate (line 543) | def generate(self, path, g):
method dump (line 555) | def dump(self, path, payload):
method _cachewrapper (line 560) | def _cachewrapper(self, f, s, *args, **kwargs):
method __call__ (line 587) | def __call__(self, f):
class TestDecorator (line 596) | class TestDecorator(CacheDecorator):
method __call__ (line 599) | def __call__(self, f):
class Testable (line 604) | class Testable(object):
method calculate (line 610) | def calculate(self):
method _flatten (line 613) | def _flatten(self, item):
method test (line 632) | def test(self):
FILE: volatility/commands.py
class Command (line 38) | class Command(object):
method __init__ (line 51) | def __init__(self, config, *_args, **_kwargs):
method register_options (line 60) | def register_options(config):
method help (line 75) | def help(cls):
method is_valid_profile (line 85) | def is_valid_profile(profile):
method calculate (line 88) | def calculate(self):
method execute (line 99) | def execute(self):
method _formatlookup (line 149) | def _formatlookup(self, profile, code):
method _elide (line 174) | def _elide(self, string, length):
method format_value (line 193) | def format_value(self, value, fmt):
method table_header (line 198) | def table_header(self, outfd, title_format_list = None):
method table_row (line 230) | def table_row(self, outfd, *args):
method text_cell_renderers (line 250) | def text_cell_renderers(self, columns):
method unified_output (line 269) | def unified_output(self, data):
method _render (line 272) | def _render(self, outfd, renderer, data):
method render_text (line 280) | def render_text(self, outfd, data):
method render_greptext (line 284) | def render_greptext(self, outfd, data):
method render_json (line 292) | def render_json(self, outfd, data):
method render_sqlite (line 300) | def render_sqlite(self, outfd, data):
method render_dot (line 308) | def render_dot(self, outfd, data):
method render_html (line 316) | def render_html(self, outfd, data):
method render_xlsx (line 324) | def render_xlsx(self, outfd, data):
FILE: volatility/conf.py
class PyFlagOptionParser (line 77) | class PyFlagOptionParser(optparse.OptionParser):
method _process_args (line 81) | def _process_args(self, largs, rargs, values):
method error (line 88) | def error(self, msg):
method print_help (line 96) | def print_help(self, file = sys.stdout):
class ConfObject (line 102) | class ConfObject(object):
method __init__ (line 157) | def __init__(self):
method set_usage (line 165) | def set_usage(self, usage = None, version = None):
method add_file (line 172) | def add_file(self, filename, _type = 'init'):
method print_help (line 202) | def print_help(self):
method add_help_hook (line 205) | def add_help_hook(self, cb):
method set_help_hook (line 209) | def set_help_hook(self, cb):
method parse_options (line 212) | def parse_options(self, final = True):
method remove_option (line 272) | def remove_option(self, option):
method add_option (line 309) | def add_option(self, option, short_option = None,
method update (line 376) | def update(self, key, value):
method get_value (line 380) | def get_value(self, key):
method __getattr__ (line 383) | def __getattr__(self, attr):
class DummyConfig (line 443) | class DummyConfig(ConfObject):
FILE: volatility/debug.py
function setup (line 37) | def setup(level = 0):
function debug (line 46) | def debug(msg, level = 1):
function info (line 50) | def info(msg):
function warning (line 54) | def warning(msg):
function error (line 58) | def error(msg):
function critical (line 62) | def critical(msg):
function log (line 66) | def log(msg, level):
function _log (line 81) | def _log(msg, facility, loglevel):
function b (line 86) | def b(level = 1):
function post_mortem (line 93) | def post_mortem(level = 1):
FILE: volatility/dwarf.py
class DWARFParser (line 23) | class DWARFParser(object):
method __init__ (line 56) | def __init__(self, data = None):
method resolve (line 74) | def resolve(self, memb):
method resolve_refs (line 91) | def resolve_refs(self):
method deep_replace (line 99) | def deep_replace(self, t, search, repl):
method get_deepest (line 109) | def get_deepest(self, t):
method base_type_name (line 123) | def base_type_name(self, data):
method feed_line (line 134) | def feed_line(self, line):
method process_statement (line 165) | def process_statement(self, kind, level, data, statement_id):
method process_variable (line 324) | def process_variable(self, data):
method finalize (line 332) | def finalize(self):
method print_output (line 376) | def print_output(self):
FILE: volatility/exceptions.py
class VolatilityException (line 19) | class VolatilityException(Exception):
method __init__ (line 21) | def __init__(self, *args, **kwargs):
class AddrSpaceError (line 24) | class AddrSpaceError(VolatilityException):
method __init__ (line 26) | def __init__(self):
method append_reason (line 30) | def append_reason(self, driver, reason):
method __str__ (line 33) | def __str__(self):
class CacheRelativeURLException (line 40) | class CacheRelativeURLException(VolatilityException):
class SanityCheckException (line 43) | class SanityCheckException(VolatilityException):
FILE: volatility/fmtspec.py
class FormatSpec (line 21) | class FormatSpec(object):
method __init__ (line 22) | def __init__(self, string = '', **kwargs):
method from_specs (line 37) | def from_specs(self, fill = None, align = None, sign = None, altform =...
method from_string (line 54) | def from_string(self, formatspec):
method to_string (line 87) | def to_string(self):
method __str__ (line 104) | def __str__(self):
method __repr__ (line 107) | def __repr__(self):
FILE: volatility/obj.py
class classproperty (line 50) | class classproperty(property):
method __get__ (line 51) | def __get__(self, cls, owner):
function get_bt_string (line 55) | def get_bt_string(_e = None):
class NoneObject (line 58) | class NoneObject(object):
method __init__ (line 64) | def __init__(self, reason = '', strict = False):
method __str__ (line 72) | def __str__(self):
method write (line 82) | def write(self, data):
method __repr__ (line 86) | def __repr__(self):
method __iter__ (line 90) | def __iter__(self):
method __len__ (line 93) | def __len__(self):
method __format__ (line 96) | def __format__(self, formatspec):
method next (line 100) | def next(self):
method __getattr__ (line 103) | def __getattr__(self, attr):
method __bool__ (line 109) | def __bool__(self):
method __nonzero__ (line 112) | def __nonzero__(self):
method __eq__ (line 115) | def __eq__(self, other):
method __ne__ (line 118) | def __ne__(self, other):
method __getitem__ (line 122) | def __getitem__(self, item):
method __call__ (line 125) | def __call__(self, *arg, **kwargs):
method __int__ (line 128) | def __int__(self):
class InvalidOffsetError (line 161) | class InvalidOffsetError(exceptions.VolatilityException):
function Object (line 165) | def Object(theType, offset, vm, name = None, **kwargs):
class BaseObject (line 186) | class BaseObject(object):
method __init__ (line 191) | def __init__(self, theType, offset, vm, native_vm = None, parent = Non...
method obj_type (line 203) | def obj_type(self):
method obj_vm (line 207) | def obj_vm(self):
method obj_offset (line 211) | def obj_offset(self):
method obj_parent (line 215) | def obj_parent(self):
method obj_name (line 219) | def obj_name(self):
method obj_native_vm (line 223) | def obj_native_vm(self):
method set_native_vm (line 226) | def set_native_vm(self, native_vm):
method rebase (line 230) | def rebase(self, offset):
method proxied (line 234) | def proxied(self, attr):
method newattr (line 237) | def newattr(self, attr, value):
method write (line 241) | def write(self, value):
method __getattr__ (line 245) | def __getattr__(self, attr):
method __setattr__ (line 257) | def __setattr__(self, attr, value):
method __nonzero__ (line 263) | def __nonzero__(self):
method __eq__ (line 285) | def __eq__(self, other):
method __ne__ (line 289) | def __ne__(self, other):
method __hash__ (line 292) | def __hash__(self):
method m (line 296) | def m(self, memname):
method is_valid (line 299) | def is_valid(self):
method dereference (line 302) | def dereference(self):
method dereference_as (line 305) | def dereference_as(self, derefType, **kwargs):
method cast (line 313) | def cast(self, castString):
method v (line 316) | def v(self):
method __format__ (line 321) | def __format__(self, formatspec):
method __str__ (line 324) | def __str__(self):
method __repr__ (line 327) | def __repr__(self):
method d (line 331) | def d(self):
method __getstate__ (line 335) | def __getstate__(self):
method __setstate__ (line 361) | def __setstate__(self, state):
function CreateMixIn (line 375) | def CreateMixIn(mixin):
class NumericProxyMixIn (line 400) | class NumericProxyMixIn(object):
class NativeType (line 422) | class NativeType(BaseObject, NumericProxyMixIn):
method __init__ (line 423) | def __init__(self, theType, offset, vm, format_string = None, **kwargs):
method write (line 428) | def write(self, data):
method proxied (line 433) | def proxied(self, attr):
method size (line 436) | def size(self):
method v (line 439) | def v(self):
method cdecl (line 457) | def cdecl(self):
method __repr__ (line 460) | def __repr__(self):
method d (line 463) | def d(self):
class BitField (line 467) | class BitField(NativeType):
method __init__ (line 469) | def __init__(self, theType, offset, vm, start_bit = 0, end_bit = 32, n...
method v (line 477) | def v(self):
method write (line 481) | def write(self, data):
class Pointer (line 486) | class Pointer(NativeType):
method __init__ (line 487) | def __init__(self, theType, offset, vm, target = None, **kwargs):
method __getstate__ (line 500) | def __getstate__(self):
method is_valid (line 504) | def is_valid(self):
method dereference (line 508) | def dereference(self):
method cdecl (line 521) | def cdecl(self):
method __nonzero__ (line 524) | def __nonzero__(self):
method __repr__ (line 527) | def __repr__(self):
method d (line 531) | def d(self):
method __getattr__ (line 535) | def __getattr__(self, attr):
method m (line 543) | def m(self, memname):
class Pointer32 (line 548) | class Pointer32(Pointer):
method __init__ (line 549) | def __init__(self, theType, offset, vm, target = None, **kwargs):
class Void (line 559) | class Void(NativeType):
method __init__ (line 560) | def __init__(self, theType, offset, vm, **kwargs):
method cdecl (line 566) | def cdecl(self):
method __repr__ (line 569) | def __repr__(self):
method d (line 572) | def d(self):
method __nonzero__ (line 575) | def __nonzero__(self):
class Array (line 578) | class Array(BaseObject):
method __init__ (line 580) | def __init__(self, theType, offset, vm, parent = None,
method __getstate__ (line 603) | def __getstate__(self):
method size (line 607) | def size(self):
method __iter__ (line 610) | def __iter__(self):
method __repr__ (line 626) | def __repr__(self):
method d (line 630) | def d(self):
method __eq__ (line 634) | def __eq__(self, other):
method __getitem__ (line 648) | def __getitem__(self, pos):
method __setitem__ (line 675) | def __setitem__(self, pos, value):
class CType (line 681) | class CType(BaseObject):
method __init__ (line 683) | def __init__(self, theType, offset, vm, name = None, members = None, s...
method size (line 698) | def size(self):
method __repr__ (line 701) | def __repr__(self):
method d (line 704) | def d(self):
method v (line 711) | def v(self):
method m (line 719) | def m(self, attr):
method __getattr__ (line 750) | def __getattr__(self, attr):
method __setattr__ (line 753) | def __setattr__(self, attr, value):
class VolatilityMagic (line 769) | class VolatilityMagic(BaseObject):
method __init__ (line 775) | def __init__(self, theType, offset, vm, value = None, configname = Non...
method v (line 790) | def v(self):
method __str__ (line 799) | def __str__(self):
method get_suggestions (line 802) | def get_suggestions(self):
method generate_suggestions (line 816) | def generate_suggestions(self):
method get_best_suggestion (line 819) | def get_best_suggestion(self):
function VolMagic (line 826) | def VolMagic(vm):
class Profile (line 841) | class Profile(object):
method __init__ (line 846) | def __init__(self, strict = False):
method applied_modifications (line 865) | def applied_modifications(self):
method clear (line 868) | def clear(self):
method reset (line 883) | def reset(self):
method load_vtypes (line 894) | def load_vtypes(self):
method load_modifications (line 914) | def load_modifications(self):
method compile (line 946) | def compile(self):
method metadata (line 971) | def metadata(self):
method _get_subclasses (line 980) | def _get_subclasses(self, cls):
method _get_dummy_obj (line 987) | def _get_dummy_obj(self, name):
method has_type (line 1008) | def has_type(self, theType):
method get_obj_offset (line 1012) | def get_obj_offset(self, name, member):
method get_obj_size (line 1019) | def get_obj_size(self, name):
method obj_has_member (line 1024) | def obj_has_member(self, name, member):
method merge_overlay (line 1029) | def merge_overlay(self, overlay):
method add_types (line 1037) | def add_types(self, vtypes, overlay = None):
method apply_overlay (line 1045) | def apply_overlay(self, *args, **kwargs):
method _apply_overlay (line 1050) | def _apply_overlay(self, type_member, overlay):
method _resolve_mod_dependencies (line 1091) | def _resolve_mod_dependencies(self, mods):
method _list_to_type (line 1137) | def _list_to_type(self, name, typeList, typeDict = None):
method _convert_members (line 1208) | def _convert_members(self, cname):
class ProfileModification (line 1247) | class ProfileModification(object):
method check (line 1253) | def check(self, profile):
method dependencies (line 1260) | def dependencies(self, profile):
method modification (line 1266) | def modification(self, profile):
FILE: volatility/plugins/addrspaces/amd64.py
class AMD64PagedMemory (line 36) | class AMD64PagedMemory(paged.AbstractWritablePagedMemory):
method entry_present (line 70) | def entry_present(self, entry):
method page_size_flag (line 73) | def page_size_flag(self, entry):
method is_user_page (line 78) | def is_user_page(self, entry):
method is_supervisor_page (line 81) | def is_supervisor_page(self, entry):
method is_writeable (line 84) | def is_writeable(self, entry):
method is_dirty (line 87) | def is_dirty(self, entry):
method is_nx (line 90) | def is_nx(self, entry):
method is_accessed (line 93) | def is_accessed(self, entry):
method is_copyonwrite (line 96) | def is_copyonwrite(self, entry):
method is_prototype (line 99) | def is_prototype(self, entry):
method get_2MB_paddr (line 102) | def get_2MB_paddr(self, vaddr, pgd_entry):
method is_valid_profile (line 106) | def is_valid_profile(self, profile):
method pml4e_index (line 113) | def pml4e_index(self, vaddr):
method get_pml4e (line 121) | def get_pml4e(self, vaddr):
method get_pdpi (line 134) | def get_pdpi(self, vaddr, pml4e):
method get_1GB_paddr (line 147) | def get_1GB_paddr(self, vaddr, pdpte):
method pde_index (line 157) | def pde_index(self, vaddr):
method pdba_base (line 160) | def pdba_base(self, pdpe):
method get_pgd (line 163) | def get_pgd(self, vaddr, pdpe):
method pte_index (line 167) | def pte_index(self, vaddr):
method ptba_base (line 170) | def ptba_base(self, pde):
method get_pte (line 173) | def get_pte(self, vaddr, pgd):
method pte_pfn (line 177) | def pte_pfn(self, pte):
method get_paddr (line 180) | def get_paddr(self, vaddr, pte):
method vtop (line 183) | def vtop(self, vaddr):
method read_long_long_phys (line 213) | def read_long_long_phys(self, addr):
method get_available_pages (line 231) | def get_available_pages(self, with_pte = False):
method address_mask (line 315) | def address_mask(cls, addr):
class WindowsAMD64PagedMemory (line 318) | class WindowsAMD64PagedMemory(AMD64PagedMemory):
method is_valid_profile (line 326) | def is_valid_profile(self, profile):
method entry_present (line 335) | def entry_present(self, entry):
class SkipDuplicatesAMD64PagedMemory (line 342) | class SkipDuplicatesAMD64PagedMemory(WindowsAMD64PagedMemory):
method is_valid_profile (line 351) | def is_valid_profile(self, profile):
class LinuxAMD64PagedMemory (line 362) | class LinuxAMD64PagedMemory(AMD64PagedMemory):
method is_valid_profile (line 370) | def is_valid_profile(self, profile):
method entry_present (line 379) | def entry_present(self, entry):
FILE: volatility/plugins/addrspaces/arm.py
class ArmAddressSpace (line 28) | class ArmAddressSpace(paged.AbstractWritablePagedMemory):
method read_long_phys (line 39) | def read_long_phys(self, addr):
method page_table_present (line 53) | def page_table_present(self, entry):
method pde_index (line 59) | def pde_index(self, vaddr):
method pde_value (line 63) | def pde_value(self, vaddr):
method pde2_index (line 67) | def pde2_index(self, vaddr):
method pde2_value (line 71) | def pde2_value(self, vaddr, pde):
method pde2_index_fine (line 75) | def pde2_index_fine(self, vaddr):
method pde2_value_fine (line 79) | def pde2_value_fine(self, vaddr, pde):
method get_pte (line 83) | def get_pte(self, vaddr, pde_value):
method vtop (line 147) | def vtop(self, vaddr):
method get_available_pages (line 165) | def get_available_pages(self):
FILE: volatility/plugins/addrspaces/crash.py
class WindowsCrashDumpSpace32 (line 33) | class WindowsCrashDumpSpace32(addrspace.AbstractRunBasedMemory):
method __init__ (line 41) | def __init__(self, base, config, **kwargs):
method get_header (line 64) | def get_header(self):
method get_base (line 67) | def get_base(self):
method read_long (line 70) | def read_long(self, addr):
method get_available_addresses (line 78) | def get_available_addresses(self):
method close (line 83) | def close(self):
class WindowsCrashDumpSpace64 (line 86) | class WindowsCrashDumpSpace64(WindowsCrashDumpSpace32):
FILE: volatility/plugins/addrspaces/crashbmp.py
class BitmapDmpVTypes (line 29) | class BitmapDmpVTypes(obj.ProfileModification):
method modification (line 34) | def modification(self, profile):
class WindowsCrashDumpSpace64BitMap (line 49) | class WindowsCrashDumpSpace64BitMap(crash.WindowsCrashDumpSpace32):
method __init__ (line 57) | def __init__(self, base, config, **kwargs):
FILE: volatility/plugins/addrspaces/elfcoredump.py
class DBGFCOREDESCRIPTOR (line 42) | class DBGFCOREDESCRIPTOR(obj.CType):
method Major (line 46) | def Major(self):
method Minor (line 50) | def Minor(self):
method Build (line 54) | def Build(self):
class VirtualBoxModification (line 57) | class VirtualBoxModification(obj.ProfileModification):
method modification (line 58) | def modification(self, profile):
class VirtualBoxCoreDumpElf64 (line 70) | class VirtualBoxCoreDumpElf64(addrspace.AbstractRunBasedMemory):
method __init__ (line 75) | def __init__(self, base, config, **kwargs):
method check_note (line 120) | def check_note(self, note):
method validate (line 126) | def validate(self):
class QemuCoreDumpElf (line 132) | class QemuCoreDumpElf(VirtualBoxCoreDumpElf64):
method check_note (line 135) | def check_note(self, note):
method validate (line 143) | def validate(self):
FILE: volatility/plugins/addrspaces/hibernate.py
class Store (line 38) | class Store(object):
method __init__ (line 39) | def __init__(self, limit = 50):
method put (line 45) | def put(self, key, item):
method get (line 55) | def get(self, key):
class WindowsHiberFileSpace32 (line 58) | class WindowsHiberFileSpace32(addrspace.BaseAddressSpace):
method __init__ (line 68) | def __init__(self, base, config, **kwargs):
method _get_first_table_page (line 111) | def _get_first_table_page(self):
method build_page_cache (line 119) | def build_page_cache(self):
method next_xpress (line 183) | def next_xpress(self, XpressHeader, XpressBlockSize):
method get_xpress_block_size (line 208) | def get_xpress_block_size(self, xpress_header):
method get_header (line 221) | def get_header(self):
method get_base (line 224) | def get_base(self):
method is_paging (line 227) | def is_paging(self):
method is_pse (line 230) | def is_pse(self):
method is_pae (line 233) | def is_pae(self):
method get_addr (line 236) | def get_addr(self, addr):
method get_block_offset (line 243) | def get_block_offset(self, _xb, addr):
method is_valid_address (line 250) | def is_valid_address(self, addr):
method read_xpress (line 254) | def read_xpress(self, baddr, BlockSize):
method _partial_read (line 268) | def _partial_read(self, addr, len):
method read (line 293) | def read(self, addr, length, zread = False):
method zread (line 311) | def zread(self, addr, length):
method read_long (line 315) | def read_long(self, addr):
method get_available_pages (line 323) | def get_available_pages(self):
method get_address_range (line 330) | def get_address_range(self):
method check_address_range (line 335) | def check_address_range(self, addr):
method get_available_addresses (line 340) | def get_available_addresses(self):
method close (line 345) | def close(self):
FILE: volatility/plugins/addrspaces/hpak.py
class HPAKVTypes (line 24) | class HPAKVTypes(obj.ProfileModification):
method modification (line 25) | def modification(self, profile):
class HPAK_HEADER (line 42) | class HPAK_HEADER(obj.CType):
method Sections (line 45) | def Sections(self):
class HPAKAddressSpace (line 57) | class HPAKAddressSpace(standard.FileAddressSpace):
method __init__ (line 62) | def __init__(self, base, config, **kwargs):
method read (line 82) | def read(self, addr, length):
method zread (line 85) | def zread(self, addr, length):
method is_valid_address (line 88) | def is_valid_address(self, addr):
method get_header (line 91) | def get_header(self):
method convert_to_raw (line 94) | def convert_to_raw(self, outfd):
FILE: volatility/plugins/addrspaces/ieee1394.py
function FirewireRW (line 33) | def FirewireRW(netloc, location):
class FWRaw1394 (line 38) | class FWRaw1394(object):
method __init__ (line 39) | def __init__(self, location):
method is_valid (line 45) | def is_valid(self):
method read (line 58) | def read(self, addr, length):
method write (line 62) | def write(self, addr, buf):
class FWForensic1394 (line 66) | class FWForensic1394(object):
method __init__ (line 67) | def __init__(self, location):
method is_valid (line 76) | def is_valid(self):
method read (line 93) | def read(self, addr, length):
method write (line 97) | def write(self, addr, buf):
class FirewireAddressSpace (line 101) | class FirewireAddressSpace(addrspace.BaseAddressSpace):
method __init__ (line 106) | def __init__(self, base, config, **kargs):
method intervals (line 135) | def intervals(self, start, size):
method _intervals (line 139) | def _intervals(self, exclusions, start, end, accumulator):
method read (line 172) | def read(self, offset, length):
method zread (line 194) | def zread(self, offset, length):
method write (line 200) | def write(self, offset, data):
method get_address_range (line 215) | def get_address_range(self):
method get_available_addresses (line 219) | def get_available_addresses(self):
FILE: volatility/plugins/addrspaces/intel.py
class IA32PagedMemory (line 45) | class IA32PagedMemory(paged.AbstractWritablePagedMemory):
method __init__ (line 79) | def __init__(self, base, config, dtb = 0, skip_as_check = False, *args...
method is_valid_profile (line 85) | def is_valid_profile(self, profile):
method entry_present (line 88) | def entry_present(self, entry):
method page_size_flag (line 107) | def page_size_flag(self, entry):
method is_user_page (line 112) | def is_user_page(self, entry):
method is_supervisor_page (line 115) | def is_supervisor_page(self, entry):
method is_writeable (line 118) | def is_writeable(self, entry):
method is_dirty (line 121) | def is_dirty(self, entry):
method is_nx (line 124) | def is_nx(self, entry):
method is_accessed (line 127) | def is_accessed(self, entry):
method is_copyonwrite (line 130) | def is_copyonwrite(self, entry):
method is_prototype (line 133) | def is_prototype(self, entry):
method pgd_index (line 136) | def pgd_index(self, pgd):
method get_pgd (line 139) | def get_pgd(self, vaddr):
method pte_pfn (line 143) | def pte_pfn(self, pte):
method pte_index (line 146) | def pte_index(self, pte):
method get_pte (line 149) | def get_pte(self, vaddr, pgd):
method get_paddr (line 154) | def get_paddr(self, vaddr, pte):
method get_four_meg_paddr (line 157) | def get_four_meg_paddr(self, vaddr, pgd_entry):
method vtop (line 160) | def vtop(self, vaddr):
method read_long_phys (line 174) | def read_long_phys(self, addr):
method get_available_pages (line 184) | def get_available_pages(self, with_pte = False):
class IA32PagedMemoryPae (line 206) | class IA32PagedMemoryPae(IA32PagedMemory):
method get_pdptb (line 231) | def get_pdptb(self, pdpr):
method pdpi_index (line 234) | def pdpi_index(self, pdpi):
method get_pdpi (line 237) | def get_pdpi(self, vaddr):
method pde_index (line 241) | def pde_index(self, vaddr):
method pdba_base (line 244) | def pdba_base(self, pdpe):
method get_pgd (line 247) | def get_pgd(self, vaddr, pdpe):
method pte_pfn (line 251) | def pte_pfn(self, pte):
method pte_index (line 254) | def pte_index(self, vaddr):
method ptba_base (line 257) | def ptba_base(self, pde):
method get_pte (line 260) | def get_pte(self, vaddr, pgd):
method get_paddr (line 264) | def get_paddr(self, vaddr, pte):
method get_large_paddr (line 267) | def get_large_paddr(self, vaddr, pgd_entry):
method vtop (line 270) | def vtop(self, vaddr):
method _read_long_long_phys (line 288) | def _read_long_long_phys(self, addr):
method get_available_pages (line 301) | def get_available_pages(self, with_pte = False):
FILE: volatility/plugins/addrspaces/lime.py
class LimeTypes (line 27) | class LimeTypes(obj.ProfileModification):
method modification (line 29) | def modification(self, profile):
class LimeAddressSpace (line 41) | class LimeAddressSpace(addrspace.AbstractRunBasedMemory):
method __init__ (line 47) | def __init__(self, base, config, *args, **kwargs):
method parse_lime (line 64) | def parse_lime(self):
FILE: volatility/plugins/addrspaces/macho.py
class MachOAddressSpace (line 27) | class MachOAddressSpace(addrspace.AbstractRunBasedMemory):
method __init__ (line 38) | def __init__(self, base, config, *args, **kwargs):
method get_object_name (line 59) | def get_object_name(self, object):
method get_available_addresses (line 65) | def get_available_addresses(self):
method get_header (line 69) | def get_header(self):
method parse_macho (line 72) | def parse_macho(self):
FILE: volatility/plugins/addrspaces/osxpmemelf.py
class OSXPmemELF (line 36) | class OSXPmemELF(addrspace.AbstractRunBasedMemory):
method __init__ (line 41) | def __init__(self, base, config, **kwargs):
FILE: volatility/plugins/addrspaces/paged.py
class AbstractPagedMemory (line 24) | class AbstractPagedMemory(addrspace.AbstractVirtualAddressSpace):
method __init__ (line 31) | def __init__(self, base, config, dtb = 0, skip_as_check = False, *args...
method is_user_page (line 56) | def is_user_page(self, entry):
method is_supervisor_page (line 60) | def is_supervisor_page(self, entry):
method is_writeable (line 64) | def is_writeable(self, entry):
method is_dirty (line 68) | def is_dirty(self, entry):
method is_nx (line 72) | def is_nx(self, entry):
method is_accessed (line 76) | def is_accessed(self, entry):
method is_copyonwrite (line 80) | def is_copyonwrite(self, entry):
method is_prototype (line 84) | def is_prototype(self, entry):
method load_dtb (line 88) | def load_dtb(self):
method __getstate__ (line 107) | def __getstate__(self):
method register_options (line 114) | def register_options(config):
method vtop (line 118) | def vtop(self, addr):
method get_available_pages (line 122) | def get_available_pages(self):
method get_available_allocs (line 126) | def get_available_allocs(self):
method get_available_addresses (line 129) | def get_available_addresses(self):
method is_valid_address (line 148) | def is_valid_address(self, vaddr):
class AbstractWritablePagedMemory (line 160) | class AbstractWritablePagedMemory(AbstractPagedMemory):
method write (line 166) | def write(self, vaddr, buf):
FILE: volatility/plugins/addrspaces/standard.py
function write_callback (line 35) | def write_callback(option, _opt_str, _value, parser, *_args, **_kwargs):
class FileAddressSpace (line 57) | class FileAddressSpace(addrspace.BaseAddressSpace):
method __init__ (line 71) | def __init__(self, base, config, layered = False, **kwargs):
method register_options (line 90) | def register_options(config):
method fread (line 94) | def fread(self, length):
method read (line 98) | def read(self, addr, length):
method zread (line 109) | def zread(self, addr, length):
method read_long (line 117) | def read_long(self, addr):
method get_available_addresses (line 122) | def get_available_addresses(self):
method is_valid_address (line 127) | def is_valid_address(self, addr):
method close (line 132) | def close(self):
method write (line 135) | def write(self, addr, data):
method __eq__ (line 145) | def __eq__(self, other):
FILE: volatility/plugins/addrspaces/vmem.py
class VMWareMetaAddressSpace (line 32) | class VMWareMetaAddressSpace(addrspace.AbstractRunBasedMemory):
method __init__ (line 39) | def __init__(self, base, config, **kwargs):
FILE: volatility/plugins/addrspaces/vmware.py
class _VMWARE_HEADER (line 32) | class _VMWARE_HEADER(obj.CType):
method Version (line 36) | def Version(self):
class _VMWARE_GROUP (line 40) | class _VMWARE_GROUP(obj.CType):
method _get_header (line 43) | def _get_header(self):
method Tags (line 53) | def Tags(self):
class _VMWARE_TAG (line 66) | class _VMWARE_TAG(obj.CType):
method _size_type (line 69) | def _size_type(self):
method OriginalDataOffset (line 81) | def OriginalDataOffset(self):
method RealDataOffset (line 87) | def RealDataOffset(self):
method OriginalDataSize (line 102) | def OriginalDataSize(self):
method DataDiskSize (line 106) | def DataDiskSize(self):
method DataMemSize (line 117) | def DataMemSize(self):
method cast_as (line 128) | def cast_as(self, cast_type):
class VMwareVTypesModification (line 134) | class VMwareVTypesModification(obj.ProfileModification):
method modification (line 137) | def modification(self, profile):
class VMWareAddressSpace (line 161) | class VMWareAddressSpace(addrspace.AbstractRunBasedMemory):
method __init__ (line 167) | def __init__(self, base, config, **kwargs):
method get_tag (line 227) | def get_tag(header, grp_name, tag_name, indices = None, data_type = No...
FILE: volatility/plugins/bigpagepools.py
class PoolTrackTypeOverlay (line 30) | class PoolTrackTypeOverlay(obj.ProfileModification):
method modification (line 42) | def modification(self, profile):
class BigPageTableMagic (line 63) | class BigPageTableMagic(obj.ProfileModification):
method modification (line 68) | def modification(self, profile):
class BigPageTable (line 104) | class BigPageTable(obj.VolatilityMagic):
method __init__ (line 107) | def __init__(self, *args, **kwargs):
method generate_suggestions (line 116) | def generate_suggestions(self):
class BigPagePoolScanner (line 148) | class BigPagePoolScanner(object):
method __init__ (line 151) | def __init__(self, kernel_space):
method scan (line 154) | def scan(self, tags = []):
class BigPools (line 179) | class BigPools(common.AbstractWindowsCommand):
method __init__ (line 182) | def __init__(self, config, *args, **kwargs):
method calculate (line 186) | def calculate(self):
method unified_output (line 198) | def unified_output(self, data):
method generator (line 205) | def generator(self, data):
method render_text (line 220) | def render_text(self, outfd, data):
FILE: volatility/plugins/bioskbd.py
class BiosKbd (line 31) | class BiosKbd(common.AbstractWindowsCommand):
method unified_output (line 39) | def unified_output(self, data):
method generator (line 45) | def generator(self, data):
method render_text (line 50) | def render_text(self, outfd, data):
method format_char (line 56) | def format_char(self, c):
method calculate (line 62) | def calculate(self):
FILE: volatility/plugins/cmdline.py
class Cmdline (line 23) | class Cmdline(taskmods.DllList):
method __init__ (line 25) | def __init__(self, config, *args, **kwargs):
method unified_output (line 32) | def unified_output(self, data):
method generator (line 39) | def generator(self, data):
method render_text (line 52) | def render_text(self, outfd, data):
FILE: volatility/plugins/common.py
class AbstractWindowsCommand (line 30) | class AbstractWindowsCommand(commands.Command):
method is_valid_profile (line 32) | def is_valid_profile(profile):
class AbstractScanCommand (line 35) | class AbstractScanCommand(AbstractWindowsCommand):
method __init__ (line 43) | def __init__(self, config, *args, **kwargs):
method calculate (line 58) | def calculate(self):
method offset_column (line 64) | def offset_column(self):
method scan_results (line 67) | def scan_results(self, addr_space):
function pool_align (line 81) | def pool_align(vm, object_name, align):
FILE: volatility/plugins/connections.py
class Connections (line 32) | class Connections(common.AbstractWindowsCommand):
method __init__ (line 44) | def __init__(self, config, *args, **kwargs):
method is_valid_profile (line 51) | def is_valid_profile(profile):
method unified_output (line 55) | def unified_output(self, data):
method generator (line 63) | def generator(self, data):
method render_text (line 73) | def render_text(self, outfd, data):
method calculate (line 92) | def calculate(self):
FILE: volatility/plugins/connscan.py
class PoolScanConn (line 37) | class PoolScanConn(poolscan.PoolScanner):
method __init__ (line 40) | def __init__(self, address_space):
class ConnScan (line 51) | class ConnScan(common.AbstractScanCommand):
method is_valid_profile (line 67) | def is_valid_profile(profile):
method render_text (line 71) | def render_text(self, outfd, data):
method unified_output (line 87) | def unified_output(self, data):
method generator (line 94) | def generator(self, data):
FILE: volatility/plugins/crashinfo.py
class _DMP_HEADER (line 29) | class _DMP_HEADER(obj.CType):
method SystemUpTime (line 33) | def SystemUpTime(self):
class CrashInfoModification (line 46) | class CrashInfoModification(obj.ProfileModification):
method modification (line 53) | def modification(self, profile):
class CrashInfo (line 71) | class CrashInfo(common.AbstractWindowsCommand):
method calculate (line 77) | def calculate(self):
method unified_output (line 93) | def unified_output(self, data):
method generator (line 117) | def generator(self, data):
method render_text (line 145) | def render_text(self, outfd, data):
FILE: volatility/plugins/dlldump.py
class DLLDump (line 34) | class DLLDump(procdump.ProcDump):
method __init__ (line 37) | def __init__(self, config, *args, **kwargs):
method calculate (line 54) | def calculate(self):
method generator (line 96) | def generator(self, data):
method unified_output (line 111) | def unified_output(self, data):
method render_text (line 120) | def render_text(self, outfd, data):
FILE: volatility/plugins/drivermodule.py
class drivermodule (line 30) | class drivermodule(common.AbstractWindowsCommand):
method __init__ (line 33) | def __init__(self, config, *args, **kwargs):
method calculate (line 39) | def calculate(self):
method generator (line 83) | def generator(self, data):
method unified_output (line 88) | def unified_output(self, data):
method render_text (line 95) | def render_text(self, outfd, data):
FILE: volatility/plugins/dumpcerts.py
class _X509_PUBLIC_CERT (line 46) | class _X509_PUBLIC_CERT(obj.CType):
method Size (line 50) | def Size(self):
method object_as_string (line 57) | def object_as_string(self):
method is_valid (line 64) | def is_valid(self):
method as_openssl (line 75) | def as_openssl(self, file_name):
class _PKCS_PRIVATE_CERT (line 92) | class _PKCS_PRIVATE_CERT(_X509_PUBLIC_CERT):
method as_openssl (line 95) | def as_openssl(self, file_name):
class SSLKeyModification (line 102) | class SSLKeyModification(obj.ProfileModification):
method modification (line 107) | def modification(self, profile):
class DumpCerts (line 126) | class DumpCerts(procdump.ProcDump):
method __init__ (line 143) | def __init__(self, config, *args, **kwargs):
method calculate (line 155) | def calculate(self):
method get_parsed_fields (line 188) | def get_parsed_fields(self, openssl, fields = ["O", "OU"]):
method unified_output (line 214) | def unified_output(self, data):
method generator (line 225) | def generator(self, data):
method render_text (line 258) | def render_text(self, outfd, data):
FILE: volatility/plugins/dumpfiles.py
class _CONTROL_AREA (line 53) | class _CONTROL_AREA(obj.CType):
method extract_ca_file (line 55) | def extract_ca_file(self, unsafe = False):
class _SHARED_CACHE_MAP (line 297) | class _SHARED_CACHE_MAP(obj.CType):
method is_valid (line 299) | def is_valid(self):
method process_index_array (line 320) | def process_index_array(self, array_pointer, level, limit, vacbary = N...
method extract_vacb (line 366) | def extract_vacb(self, vacbs, size):
method extract_scm_file (line 419) | def extract_scm_file(self):
class ControlAreaModification (line 569) | class ControlAreaModification(obj.ProfileModification):
method modification (line 572) | def modification(self, profile):
class DumpFilesVTypesx86 (line 650) | class DumpFilesVTypesx86(obj.ProfileModification):
method modification (line 656) | def modification(self, profile):
class DumpFiles (line 659) | class DumpFiles(common.AbstractWindowsCommand):
method __init__ (line 662) | def __init__(self, config, *args, **kwargs):
method filter_tasks (line 701) | def filter_tasks(self, tasks):
method audited_read_bytes (line 717) | def audited_read_bytes(self, vm, vaddr, length, pad):
method calculate (line 766) | def calculate(self):
method unified_output (line 1026) | def unified_output(self, data):
method generator (line 1035) | def generator(self, data):
method render_text (line 1157) | def render_text(self, outfd, data):
FILE: volatility/plugins/envars.py
class Envars (line 26) | class Envars(taskmods.DllList):
method __init__ (line 29) | def __init__(self, config, *args, **kwargs):
method _get_silent_vars (line 36) | def _get_silent_vars(self):
method unified_output (line 87) | def unified_output(self, data):
method generator (line 95) | def generator(self, data):
method render_text (line 110) | def render_text(self, outfd, data):
FILE: volatility/plugins/evtlogs.py
class EVTObjectTypes (line 75) | class EVTObjectTypes(obj.ProfileModification):
method modification (line 80) | def modification(self, profile):
class EvtLogs (line 83) | class EvtLogs(common.AbstractWindowsCommand):
method __init__ (line 85) | def __init__(self, config, *args, **kwargs):
method is_valid_profile (line 98) | def is_valid_profile(profile):
method load_user_sids (line 103) | def load_user_sids(self):
method get_sid_string (line 114) | def get_sid_string(self, data):
method calculate (line 141) | def calculate(self):
method parse_evt_info (line 173) | def parse_evt_info(self, name, buf, rawtime = False):
method unified_output (line 248) | def unified_output(self, data):
method generator (line 258) | def generator(self, data):
method render_text (line 277) | def render_text(self, outfd, data):
FILE: volatility/plugins/fileparam.py
function set_location (line 32) | def set_location(_option, _opt_str, value, parser):
FILE: volatility/plugins/filescan.py
class PoolScanFile (line 35) | class PoolScanFile(poolscan.PoolScanner):
method __init__ (line 38) | def __init__(self, address_space):
class FileScan (line 52) | class FileScan(common.AbstractScanCommand):
method render_text (line 67) | def render_text(self, outfd, data):
method unified_output (line 84) | def unified_output(self, data):
method generator (line 92) | def generator(self, data):
class PoolScanDriver (line 102) | class PoolScanDriver(poolscan.PoolScanner):
method __init__ (line 105) | def __init__(self, address_space):
class DriverScan (line 122) | class DriverScan(common.AbstractScanCommand):
method unified_output (line 127) | def unified_output(self, data):
method generator (line 138) | def generator(self, data):
method render_text (line 150) | def render_text(self, outfd, data):
class PoolScanSymlink (line 174) | class PoolScanSymlink(poolscan.PoolScanner):
method __init__ (line 177) | def __init__(self, address_space):
class SymLinkScan (line 190) | class SymLinkScan(common.AbstractScanCommand):
method unified_output (line 195) | def unified_output(self, data):
method generator (line 204) | def generator(self, data):
method render_text (line 215) | def render_text(self, outfd, data):
class PoolScanMutant (line 235) | class PoolScanMutant(poolscan.PoolScanner):
method __init__ (line 238) | def __init__(self, address_space, **kwargs):
class MutantScan (line 252) | class MutantScan(common.AbstractScanCommand):
method __init__ (line 257) | def __init__(self, config, *args, **kwargs):
method unified_output (line 263) | def unified_output(self, data):
method generator (line 273) | def generator(self, data):
method render_text (line 293) | def render_text(self, outfd, data):
class PoolScanProcess (line 323) | class PoolScanProcess(poolscan.PoolScanner):
method __init__ (line 326) | def __init__(self, address_space, **kwargs):
class PSScan (line 342) | class PSScan(common.AbstractScanCommand):
method calculate (line 357) | def calculate(self):
method render_dot (line 370) | def render_dot(self, outfd, data):
method unified_output (line 398) | def unified_output(self, data):
method generator (line 408) | def generator(self, data):
method render_text (line 418) | def render_text(self, outfd, data):
FILE: volatility/plugins/getservicesids.py
function createservicesid (line 502) | def createservicesid(svc):
class GetServiceSids (line 513) | class GetServiceSids(common.AbstractWindowsCommand):
method calculate (line 516) | def calculate(self):
method unified_output (line 540) | def unified_output(self, data):
method generator (line 545) | def generator(self, data):
method render_text (line 551) | def render_text(self, outfd, data):
FILE: volatility/plugins/getsids.py
function find_sid_re (line 40) | def find_sid_re(sid_string, sid_re_list):
class GetSIDs (line 158) | class GetSIDs(taskmods.DllList):
method lookup_user_sids (line 172) | def lookup_user_sids(self):
method unified_output (line 192) | def unified_output(self, data):
method render_text (line 233) | def render_text(self, outfd, data):
FILE: volatility/plugins/gui/atoms.py
class PoolScanAtom (line 29) | class PoolScanAtom(poolscan.PoolScanner):
method __init__ (line 32) | def __init__(self, address_space):
class AtomScan (line 61) | class AtomScan(common.AbstractScanCommand):
method __init__ (line 66) | def __init__(self, config, *args, **kwargs):
method render_text (line 74) | def render_text(self, outfd, data):
method unified_output (line 109) | def unified_output(self, data):
method generator (line 120) | def generator(self, data):
class Atoms (line 146) | class Atoms(common.AbstractWindowsCommand):
method calculate (line 149) | def calculate(self):
method unified_output (line 175) | def unified_output(self, data):
method generator (line 188) | def generator(self, data):
method render_text (line 207) | def render_text(self, outfd, data):
FILE: volatility/plugins/gui/clipboard.py
class Clipboard (line 31) | class Clipboard(common.AbstractWindowsCommand, sessions.SessionsMixin):
method calculate (line 34) | def calculate(self):
method unified_output (line 98) | def unified_output(self, data):
method generator (line 107) | def generator(self, data):
method render_text (line 144) | def render_text(self, outfd, data):
FILE: volatility/plugins/gui/constants.py
class FakeAtom (line 30) | class FakeAtom(object):
method __init__ (line 31) | def __init__(self, name):
FILE: volatility/plugins/gui/desktops.py
class DeskScan (line 25) | class DeskScan(windowstations.WndScan):
method unified_output (line 28) | def unified_output(self, data):
method generator (line 48) | def generator(self, data):
method render_text (line 78) | def render_text(self, outfd, data):
FILE: volatility/plugins/gui/editbox.py
class COMCTL_EDIT (line 156) | class COMCTL_EDIT(obj.CType):
method __str__ (line 159) | def __str__(self):
method get_text (line 173) | def get_text(self, no_crlf=False):
method get_undo (line 191) | def get_undo(self, no_crlf=False):
method is_pwd (line 205) | def is_pwd(self):
method dump_meta (line 213) | def dump_meta(self, outfd):
method dump_data (line 227) | def dump_data(self, outfd):
method rtl_run_decode_unicode_string (line 235) | def rtl_run_decode_unicode_string(key, data):
class COMCTL_LISTBOX (line 241) | class COMCTL_LISTBOX(obj.CType):
method __str__ (line 244) | def __str__(self):
method get_text (line 255) | def get_text(self, joiner='\n'):
method dump_meta (line 267) | def dump_meta(self, outfd):
method dump_data (line 280) | def dump_data(self, outfd):
function split_null_strings (line 289) | def split_null_strings(data):
function dump_to_file (line 303) | def dump_to_file(ctrl, pid, proc_name, folder):
class Editbox (line 317) | class Editbox(common.AbstractWindowsCommand):
method __init__ (line 326) | def __init__(self, config, *args, **kwargs):
method apply_types (line 340) | def apply_types(addr_space, meta=None):
method calculate (line 372) | def calculate(self):
method render_table (line 431) | def render_table(self, outfd, data):
method unified_output (line 448) | def unified_output(self, data):
method generator (line 467) | def generator(self, data):
method render_text (line 487) | def render_text(self, outfd, data):
FILE: volatility/plugins/gui/eventhooks.py
class EventHooks (line 23) | class EventHooks(sessions.Sessions):
method render_text (line 26) | def render_text(self, outfd, data):
FILE: volatility/plugins/gui/gahti.py
class Gahti (line 29) | class Gahti(sessions.Sessions):
method unified_output (line 32) | def unified_output(self, data):
method generator (line 42) | def generator(self, data):
method render_text (line 66) | def render_text(self, outfd, data):
FILE: volatility/plugins/gui/gditimers.py
class GDITimers (line 25) | class GDITimers(common.AbstractWindowsCommand, sessions.SessionsMixin):
method is_valid_profile (line 29) | def is_valid_profile(profile):
method calculate (line 36) | def calculate(self):
method render_text (line 51) | def render_text(self, outfd, data):
FILE: volatility/plugins/gui/messagehooks.py
class MessageHooks (line 61) | class MessageHooks(atoms.Atoms, sessions.SessionsMixin):
method calculate (line 64) | def calculate(self):
method translate_atom (line 78) | def translate_atom(self, winsta, atom_tables, atom_id):
method translate_hmod (line 116) | def translate_hmod(self, winsta, atom_tables, index):
method render_text (line 193) | def render_text(self, outfd, data):
method render_block (line 239) | def render_block(self, outfd, data):
FILE: volatility/plugins/gui/screenshot.py
class Screenshot (line 32) | class Screenshot(windowstations.WndScan):
method __init__ (line 35) | def __init__(self, config, *args, **kwargs):
method draw_text (line 41) | def draw_text(self, draw, text, left, top, fill = "Black"):
method render_text (line 49) | def render_text(self, outfd, data):
FILE: volatility/plugins/gui/sessions.py
class SessionsMixin (line 27) | class SessionsMixin(object):
method session_spaces (line 31) | def session_spaces(self, kernel_space):
method find_session_space (line 49) | def find_session_space(self, kernel_space, session_id):
class Sessions (line 66) | class Sessions(common.AbstractWindowsCommand, SessionsMixin):
method calculate (line 69) | def calculate(self):
method render_text (line 76) | def render_text(self, outfd, data):
FILE: volatility/plugins/gui/userhandles.py
class UserHandles (line 24) | class UserHandles(sessions.Sessions):
method __init__ (line 27) | def __init__(self, config, *args, **kwargs):
method render_text (line 43) | def render_text(self, outfd, data):
FILE: volatility/plugins/gui/vtypes/vista.py
class Vista2008x64GuiVTypes (line 25) | class Vista2008x64GuiVTypes(obj.ProfileModification):
method modification (line 34) | def modification(self, profile):
class Vista2008x86GuiVTypes (line 76) | class Vista2008x86GuiVTypes(obj.ProfileModification):
method modification (line 85) | def modification(self, profile):
FILE: volatility/plugins/gui/vtypes/win10.py
class Win10x86_Gui (line 23) | class Win10x86_Gui(obj.ProfileModification):
method modification (line 32) | def modification(self, profile):
class Win10x64_Gui (line 58) | class Win10x64_Gui(obj.ProfileModification):
method modification (line 67) | def modification(self, profile):
FILE: volatility/plugins/gui/vtypes/win2003.py
class Win2003x86GuiVTypes (line 23) | class Win2003x86GuiVTypes(obj.ProfileModification):
method modification (line 33) | def modification(self, profile):
FILE: volatility/plugins/gui/vtypes/win7.py
class Win7SP0x64GuiVTypes (line 29) | class Win7SP0x64GuiVTypes(obj.ProfileModification):
method modification (line 38) | def modification(self, profile):
class Win7SP1x64GuiVTypes (line 41) | class Win7SP1x64GuiVTypes(obj.ProfileModification):
method modification (line 50) | def modification(self, profile):
class Win7SP0x86GuiVTypes (line 53) | class Win7SP0x86GuiVTypes(obj.ProfileModification):
method modification (line 62) | def modification(self, profile):
class Win7SP1x86GuiVTypes (line 65) | class Win7SP1x86GuiVTypes(obj.ProfileModification):
method modification (line 74) | def modification(self, profile):
class Win7GuiOverlay (line 77) | class Win7GuiOverlay(obj.ProfileModification):
method modification (line 87) | def modification(self, profile):
class Win7Vista2008x64Timers (line 102) | class Win7Vista2008x64Timers(obj.ProfileModification):
method modification (line 109) | def modification(self, profile):
class Win7Vista2008x86Timers (line 124) | class Win7Vista2008x86Timers(obj.ProfileModification):
method modification (line 131) | def modification(self, profile):
class _MM_SESSION_SPACE (line 144) | class _MM_SESSION_SPACE(win32k_core._MM_SESSION_SPACE): #pylint: disable...
method find_shared_info (line 147) | def find_shared_info(self):
class tagSHAREDINFO (line 178) | class tagSHAREDINFO(win32k_core.tagSHAREDINFO):
method is_valid (line 181) | def is_valid(self):
class Win7Win32KCoreClasses (line 195) | class Win7Win32KCoreClasses(obj.ProfileModification):
method modification (line 204) | def modification(self, profile):
FILE: volatility/plugins/gui/vtypes/win8.py
class _RTL_ATOM_TABLE_ENTRY (line 27) | class _RTL_ATOM_TABLE_ENTRY(win32k_core._RTL_ATOM_TABLE_ENTRY):
method Flags (line 31) | def Flags(self):
method ReferenceCount (line 35) | def ReferenceCount(self):
class Win8x86Gui (line 38) | class Win8x86Gui(obj.ProfileModification):
method modification (line 47) | def modification(self, profile):
class Win8x64Gui (line 133) | class Win8x64Gui(obj.ProfileModification):
method modification (line 142) | def modification(self, profile):
FILE: volatility/plugins/gui/vtypes/xp.py
class XP2003x86BaseVTypes (line 24) | class XP2003x86BaseVTypes(obj.ProfileModification):
method check (line 27) | def check(self, profile):
method modification (line 35) | def modification(self, profile):
class XP2003x64BaseVTypes (line 187) | class XP2003x64BaseVTypes(obj.ProfileModification):
method modification (line 194) | def modification(self, profile):
FILE: volatility/plugins/gui/win32k_core.py
class _MM_SESSION_SPACE (line 33) | class _MM_SESSION_SPACE(obj.CType):
method processes (line 36) | def processes(self):
method Win32KBase (line 48) | def Win32KBase(self):
method images (line 63) | def images(self):
method _section_chunks (line 76) | def _section_chunks(self, sec_name):
method find_gahti (line 131) | def find_gahti(self):
method find_shared_info (line 160) | def find_shared_info(self):
class tagSHAREDINFO (line 185) | class tagSHAREDINFO(obj.CType):
method is_valid (line 188) | def is_valid(self):
method handles (line 220) | def handles(self, filters = None):
class _HANDLEENTRY (line 255) | class _HANDLEENTRY(obj.CType):
method reference_object (line 258) | def reference_object(self):
method Free (line 282) | def Free(self):
method ThreadOwned (line 287) | def ThreadOwned(self):
method ProcessOwned (line 295) | def ProcessOwned(self):
method Thread (line 301) | def Thread(self):
method Process (line 310) | def Process(self):
class tagWINDOWSTATION (line 322) | class tagWINDOWSTATION(obj.CType, windows.ExecutiveObjectMixin):
method is_valid (line 325) | def is_valid(self):
method PhysicalAddress (line 329) | def PhysicalAddress(self):
method LastRegisteredViewer (line 338) | def LastRegisteredViewer(self):
method AtomTable (line 344) | def AtomTable(self):
method Interactive (line 350) | def Interactive(self):
method Name (line 355) | def Name(self):
method traverse (line 371) | def traverse(self):
method desktops (line 382) | def desktops(self):
class tagDESKTOP (line 389) | class tagDESKTOP(tagWINDOWSTATION):
method is_valid (line 392) | def is_valid(self):
method WindowStation (line 396) | def WindowStation(self):
method DeskInfo (line 401) | def DeskInfo(self):
method threads (line 405) | def threads(self):
method hook_params (line 411) | def hook_params(self):
method hooks (line 419) | def hooks(self):
method windows (line 441) | def windows(self, win, filter = lambda x: True, level = 0): #pylint: d...
method heaps (line 486) | def heaps(self):
method traverse (line 492) | def traverse(self):
class tagWND (line 503) | class tagWND(obj.CType):
method IsClipListener (line 507) | def IsClipListener(self):
method ClassAtom (line 512) | def ClassAtom(self):
method SuperClassAtom (line 517) | def SuperClassAtom(self):
method Process (line 522) | def Process(self):
method Thread (line 527) | def Thread(self):
method Visible (line 532) | def Visible(self):
method _get_flags (line 536) | def _get_flags(self, member, flags):
method style (line 544) | def style(self):
method ExStyle (line 549) | def ExStyle(self):
class tagRECT (line 553) | class tagRECT(obj.CType):
method get_tup (line 556) | def get_tup(self):
class tagCLIPDATA (line 560) | class tagCLIPDATA(obj.CType):
method as_string (line 563) | def as_string(self, fmt):
method as_hex (line 584) | def as_hex(self):
class tagTHREADINFO (line 590) | class tagTHREADINFO(tagDESKTOP):
method get_params (line 593) | def get_params(self):
class tagHOOK (line 597) | class tagHOOK(obj.CType):
method traverse (line 600) | def traverse(self):
class tagEVENTHOOK (line 607) | class tagEVENTHOOK(obj.CType):
method dwFlags (line 611) | def dwFlags(self):
class _RTL_ATOM_TABLE (line 621) | class _RTL_ATOM_TABLE(tagWINDOWSTATION):
method __init__ (line 624) | def __init__(self, *args, **kwargs):
method is_valid (line 629) | def is_valid(self):
method NumBuckets (line 637) | def NumBuckets(self):
method atoms (line 666) | def atoms(self):
method find_atom (line 679) | def find_atom(self, atom_to_find):
class _RTL_ATOM_TABLE_ENTRY (line 697) | class _RTL_ATOM_TABLE_ENTRY(obj.CType):
method Pinned (line 701) | def Pinned(self):
method is_string_atom (line 705) | def is_string_atom(self):
method is_valid (line 713) | def is_valid(self):
class Win32KCoreClasses (line 727) | class Win32KCoreClasses(obj.ProfileModification):
method modification (line 734) | def modification(self, profile):
class Win32KGahtiVType (line 753) | class Win32KGahtiVType(obj.ProfileModification):
method modification (line 759) | def modification(self, profile):
class AtomTablex86Overlay (line 774) | class AtomTablex86Overlay(obj.ProfileModification):
method modification (line 782) | def modification(self, profile):
class AtomTablex64Overlay (line 797) | class AtomTablex64Overlay(obj.ProfileModification):
method modification (line 803) | def modification(self, profile):
class XP2003x86TimerVType (line 818) | class XP2003x86TimerVType(obj.ProfileModification):
method modification (line 825) | def modification(self, profile):
class XP2003x64TimerVType (line 840) | class XP2003x64TimerVType(obj.ProfileModification):
method modification (line 847) | def modification(self, profile):
class Win32Kx86VTypes (line 862) | class Win32Kx86VTypes(obj.ProfileModification):
method modification (line 871) | def modification(self, profile):
class Win32Kx64VTypes (line 904) | class Win32Kx64VTypes(obj.ProfileModification):
method modification (line 913) | def modification(self, profile):
class XPx86SessionOverlay (line 947) | class XPx86SessionOverlay(obj.ProfileModification):
method modification (line 958) | def modification(self, profile):
FILE: volatility/plugins/gui/windows.py
class WinTree (line 24) | class WinTree(messagehooks.MessageHooks):
method render_text (line 27) | def render_text(self, outfd, data):
class Windows (line 44) | class Windows(messagehooks.MessageHooks):
method __init__ (line 47) | def __init__(self, config, *args, **kwargs):
method render_text (line 55) | def render_text(self, outfd, data):
FILE: volatility/plugins/gui/windowstations.py
class PoolScanWind (line 28) | class PoolScanWind(poolscan.PoolScanner):
method __init__ (line 31) | def __init__(self, address_space):
class WndScan (line 47) | class WndScan(common.AbstractScanCommand, sessions.SessionsMixin):
method calculate (line 52) | def calculate(self):
method render_text (line 80) | def render_text(self, outfd, data):
FILE: volatility/plugins/handles.py
class Handles (line 28) | class Handles(taskmods.DllList):
method __init__ (line 31) | def __init__(self, config, *args, **kwargs):
method generator (line 41) | def generator(self, data):
method unified_output (line 64) | def unified_output(self, data):
method render_text (line 76) | def render_text(self, outfd, data):
method calculate (line 106) | def calculate(self):
FILE: volatility/plugins/heaps.py
class HeapModification (line 23) | class HeapModification(obj.ProfileModification):
method modification (line 28) | def modification(self, profile):
FILE: volatility/plugins/hibinfo.py
class HibInfo (line 29) | class HibInfo(common.AbstractWindowsCommand):
method calculate (line 33) | def calculate(self):
method render_text (line 63) | def render_text(self, outfd, data):
FILE: volatility/plugins/hpakinfo.py
class HPAKInfo (line 23) | class HPAKInfo(crashinfo.CrashInfo):
method render_text (line 28) | def render_text(self, outfd, data):
class HPAKExtract (line 42) | class HPAKExtract(HPAKInfo):
method render_text (line 45) | def render_text(self, outfd, data):
FILE: volatility/plugins/iehistory.py
class _URL_RECORD (line 31) | class _URL_RECORD(obj.CType):
method is_valid (line 34) | def is_valid(self):
method Length (line 45) | def Length(self):
method has_data (line 48) | def has_data(self):
class _DEST_RECORD (line 55) | class _DEST_RECORD(obj.CType):
method is_valid (line 57) | def is_valid(self):
method url_and_title (line 67) | def url_and_title(self):
method Url (line 92) | def Url(self):
class IEHistoryVTypes (line 95) | class IEHistoryVTypes(obj.ProfileModification):
method modification (line 100) | def modification(self, profile):
class IEHistory (line 135) | class IEHistory(taskmods.DllList):
method __init__ (line 138) | def __init__(self, config, *args, **kwargs):
method is_valid_profile (line 148) | def is_valid_profile(profile):
method calculate (line 151) | def calculate(self):
method unified_output (line 184) | def unified_output(self, data):
method generator (line 201) | def generator(self, data):
method render_text (line 239) | def render_text(self, outfd, data):
method render_csv (line 269) | def render_csv(self, outfd, data):
FILE: volatility/plugins/imagecopy.py
class ImageCopy (line 27) | class ImageCopy(commands.Command):
method __init__ (line 30) | def __init__(self, *args, **kwargs):
method calculate (line 42) | def calculate(self):
method human_readable (line 56) | def human_readable(self, value):
method render_text (line 63) | def render_text(self, outfd, data):
FILE: volatility/plugins/imageinfo.py
class ImageInfo (line 33) | class ImageInfo(kdbgscan.KDBGScan):
method unified_output (line 35) | def unified_output(self, data):
method render_text (line 43) | def render_text(self, outfd, data):
method calculate (line 49) | def calculate(self):
method get_image_time (line 129) | def get_image_time(self, addr_space):
FILE: volatility/plugins/joblinks.py
class JobLinks (line 31) | class JobLinks(taskmods.DllList):
method __init__ (line 33) | def __init__(self, config, *args, **kwargs):
method unified_output (line 40) | def unified_output(self, data):
method generator (line 56) | def generator(self, data):
method render_text (line 101) | def render_text(self, outfd, data):
FILE: volatility/plugins/kdbgscan.py
class MultiStringFinderCheck (line 31) | class MultiStringFinderCheck(scan.ScannerCheck):
method __init__ (line 34) | def __init__(self, address_space, needles = None):
method check (line 45) | def check(self, offset):
method skip (line 52) | def skip(self, data, offset):
class MultiPrefixFinderCheck (line 60) | class MultiPrefixFinderCheck(MultiStringFinderCheck):
method check (line 62) | def check(self, offset):
class KDBGScanner (line 69) | class KDBGScanner(scan.BaseScanner):
method __init__ (line 72) | def __init__(self, window_size = 8, needles = None):
method scan (line 84) | def scan(self, address_space, offset = 0, maxlen = None):
class KDBGScan (line 94) | class KDBGScan(common.AbstractWindowsCommand):
method register_options (line 98) | def register_options(config):
method calculate (line 106) | def calculate(self):
method render_text (line 167) | def render_text(self, outfd, data):
FILE: volatility/plugins/kpcrscan.py
class KPCRScan (line 35) | class KPCRScan(common.AbstractWindowsCommand):
method register_options (line 49) | def register_options(config):
method calculate (line 54) | def calculate(self):
method render_text (line 63) | def render_text(self, outfd, data):
class KPCRScannerCheck (line 116) | class KPCRScannerCheck(scan.ScannerCheck):
method __init__ (line 118) | def __init__(self, address_space):
method check (line 138) | def check(self, offset):
method skip (line 156) | def skip(self, data, offset):
class KPCRScanner (line 175) | class KPCRScanner(scan.BaseScanner):
method scan (line 178) | def scan(self, address_space, offset = 0, maxlen = None):
FILE: volatility/plugins/linux/apihooks.py
class linux_apihooks (line 36) | class linux_apihooks(linux_pslist.linux_pslist):
method unified_output (line 39) | def unified_output(self, data):
method generator (line 50) | def generator(self, data):
method render_text (line 64) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/arp.py
class a_ent (line 31) | class a_ent(object):
method __init__ (line 33) | def __init__(self, ip, mac, devname):
class linux_arp (line 40) | class linux_arp(linux_common.AbstractLinuxCommand):
method calculate (line 43) | def calculate(self):
method handle_table (line 65) | def handle_table(self, ntable):
method walk_neighbor (line 101) | def walk_neighbor(self, neighbor):
method render_text (line 133) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/aslr_shift.py
class linux_aslr_shift (line 29) | class linux_aslr_shift(common.AbstractLinuxCommand):
method calculate (line 32) | def calculate(self):
method render_text (line 37) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/banner.py
class linux_banner (line 33) | class linux_banner(linux_common.AbstractLinuxCommand):
method calculate (line 36) | def calculate(self):
method render_text (line 48) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/bash.py
class _hist_entry (line 51) | class _hist_entry(obj.CType):
method is_valid (line 54) | def is_valid(self):
method time_as_integer (line 82) | def time_as_integer(self):
method time_object (line 88) | def time_object(self):
class BashTypes (line 96) | class BashTypes(obj.ProfileModification):
method modification (line 99) | def modification(self, profile):
class linux_bash (line 108) | class linux_bash(linux_pslist.linux_pslist):
method __init__ (line 111) | def __init__(self, config, *args, **kwargs):
method calculate (line 117) | def calculate(self):
method unified_output (line 157) | def unified_output(self, data):
method generator (line 164) | def generator(self, data):
method render_text (line 170) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/bash_hash.py
class _bash_hash_table (line 87) | class _bash_hash_table(obj.CType):
method is_valid (line 89) | def is_valid(self):
method __iter__ (line 98) | def __iter__(self):
class BashHashTypes (line 119) | class BashHashTypes(obj.ProfileModification):
method modification (line 122) | def modification(self, profile):
class linux_bash_hash (line 130) | class linux_bash_hash(linux_pslist.linux_pslist):
method __init__ (line 133) | def __init__(self, config, *args, **kwargs):
method calculate (line 137) | def calculate(self):
method unified_output (line 156) | def unified_output(self, data):
method generator (line 164) | def generator(self, data):
method render_text (line 171) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/check_afinfo.py
class linux_check_afinfo (line 32) | class linux_check_afinfo(linux_common.AbstractLinuxCommand):
method check_members (line 35) | def check_members(self, var_ops, members, modules):
method check_afinfo (line 39) | def check_afinfo(self, var_name, var, op_members, seq_members, modules):
method _pre_4_18 (line 51) | def _pre_4_18(self, modules, seq_members):
method _4_18_plus (line 72) | def _4_18_plus(self, modules, seq_members):
method calculate (line 86) | def calculate(self):
method render_text (line 100) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/check_creds.py
class linux_check_creds (line 33) | class linux_check_creds(linux_pslist.linux_pslist):
method calculate (line 36) | def calculate(self):
method unified_output (line 57) | def unified_output(self, data):
method generator (line 61) | def generator(self, data):
method render_text (line 73) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/check_evt_arm.py
class linux_check_evt_arm (line 30) | class linux_check_evt_arm(linux_common.AbstractLinuxARMCommand):
method calculate (line 36) | def calculate(self):
method render_text (line 78) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/check_fops.py
class linux_check_fop (line 40) | class linux_check_fop(linux_common.AbstractLinuxCommand):
method __init__ (line 43) | def __init__(self, config, *args, **kwargs):
method check_file_cache (line 49) | def check_file_cache(self, f_op_members, modules):
method check_open_files_fop (line 54) | def check_open_files_fop(self, f_op_members, modules):
method check_proc_fop (line 64) | def check_proc_fop(self, f_op_members, modules):
method _get_name (line 108) | def _get_name(self, pde, parent):
method _walk_proc_old (line 116) | def _walk_proc_old(self, cur, f_op_members, modules, parent):
method _walk_rb (line 151) | def _walk_rb(self, rb):
method _do_walk_proc_current (line 170) | def _do_walk_proc_current(self, cur, f_op_members, modules, parent):
method _walk_proc_current (line 182) | def _walk_proc_current(self, cur, f_op_members, modules, parent):
method _walk_proc_dir (line 189) | def _walk_proc_dir(self, proc_root, f_op_members, modules, parent):
method check_proc_root_fops (line 198) | def check_proc_root_fops(self, f_op_members, modules):
method check_proc_net_fops (line 210) | def check_proc_net_fops(self, f_op_members, modules):
method calculate (line 222) | def calculate(self):
method unified_output (line 248) | def unified_output(self, data):
method generator (line 254) | def generator(self, data):
method render_text (line 258) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/check_idt.py
class LinuxIDTTypes (line 44) | class LinuxIDTTypes(obj.ProfileModification):
method modification (line 47) | def modification(self, profile):
class linux_check_idt (line 52) | class linux_check_idt(linux_common.AbstractLinuxCommand):
method calculate (line 55) | def calculate(self):
method unified_output (line 121) | def unified_output(self, data):
method generator (line 127) | def generator(self, data):
method render_text (line 131) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/check_inline_kernel.py
class linux_check_inline_kernel (line 47) | class linux_check_inline_kernel(linux_common.AbstractLinuxCommand):
method __init__ (line 50) | def __init__(self, config, *args, **kwargs):
method _is_hooked (line 53) | def _is_hooked(self, sym_addr, modules):
method _is_inline_hooked (line 122) | def _is_inline_hooked(self, ops, op_members, modules):
method check_file_cache (line 133) | def check_file_cache(self, f_op_members, modules):
method check_open_files_fop (line 138) | def check_open_files_fop(self, f_op_members, modules):
method check_proc_fop (line 148) | def check_proc_fop(self, f_op_members, modules):
method walk_proc (line 170) | def walk_proc(self, cur, f_op_members, modules, parent = ""):
method check_proc_root_fops (line 201) | def check_proc_root_fops(self, f_op_members, modules):
method _check_file_op_pointers (line 215) | def _check_file_op_pointers(self, modules):
method check_afinfo (line 225) | def check_afinfo(self, var_name, var, op_members, seq_members, modules):
method _check_afinfo (line 234) | def _check_afinfo(self, modules):
method _check_inetsw (line 256) | def _check_inetsw(self, modules):
method _check_known_functions (line 280) | def _check_known_functions(self, modules):
method calculate (line 292) | def calculate(self):
method unified_output (line 306) | def unified_output(self, data):
method generator (line 313) | def generator(self, data):
method render_text (line 317) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/check_modules.py
class linux_check_modules (line 35) | class linux_check_modules(linux_common.AbstractLinuxCommand):
method get_kset_modules (line 38) | def get_kset_modules(self):
method calculate (line 58) | def calculate(self):
method unified_output (line 68) | def unified_output(self, data):
method generator (line 73) | def generator(self, data):
method render_text (line 77) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/check_syscall.py
class linux_check_syscall (line 45) | class linux_check_syscall(linux_common.AbstractLinuxCommand):
method _get_table_size (line 48) | def _get_table_size(self, table_addr, table_name):
method _get_table_size_meta (line 60) | def _get_table_size_meta(self):
method _get_table_info_other (line 68) | def _get_table_info_other(self, table_addr, table_name):
method _get_table_info_distorm (line 78) | def _get_table_info_distorm(self):
method _get_table_info (line 115) | def _get_table_info(self, table_name):
method _compute_hook_sym_name (line 129) | def _compute_hook_sym_name(self, visible_mods, hidden_mods, call_addr):
method _index_name (line 150) | def _index_name(self, table_name, index_info, i):
method _find_index (line 162) | def _find_index(self, index_names, line_index):
method get_syscalls (line 179) | def get_syscalls(self, index_info = None, get_hidden = False, compute_...
method get_unistd_paths (line 226) | def get_unistd_paths(self):
method parse_index_file (line 240) | def parse_index_file(self, index_lines):
method _find_and_parse_index_file (line 262) | def _find_and_parse_index_file(self):
method calculate (line 297) | def calculate(self):
method unified_output (line 310) | def unified_output(self, data):
method generator (line 318) | def generator(self, data):
method render_text (line 322) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/check_syscall_arm.py
class linux_check_syscall_arm (line 32) | class linux_check_syscall_arm(linux_common.AbstractLinuxARMCommand):
method _get_syscall_table_size (line 35) | def _get_syscall_table_size(self):
method _get_syscall_table_address (line 53) | def _get_syscall_table_address(self):
method calculate (line 63) | def calculate(self):
method unified_output (line 90) | def unified_output(self, data):
method generator (line 96) | def generator(self, data):
method render_text (line 106) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/common.py
class vol_timespec (line 38) | class vol_timespec:
method __init__ (line 40) | def __init__(self, secs, nsecs):
function set_plugin_members (line 44) | def set_plugin_members(obj_ref):
class AbstractLinuxCommand (line 53) | class AbstractLinuxCommand(commands.Command):
method __init__ (line 54) | def __init__(self, *args, **kwargs):
method profile (line 61) | def profile(self):
method execute (line 66) | def execute(self, *args, **kwargs):
method is_valid_profile (line 70) | def is_valid_profile(profile):
method register_options (line 74) | def register_options(config):
method is_known_address (line 78) | def is_known_address(self, addr, modules):
method address_in_module (line 86) | def address_in_module(self, addr, modules):
method verify_ops (line 94) | def verify_ops(self, ops, op_members, modules):
class AbstractLinuxIntelCommand (line 124) | class AbstractLinuxIntelCommand(AbstractLinuxCommand):
method is_valid_profile (line 126) | def is_valid_profile(profile):
class AbstractLinuxARMCommand (line 131) | class AbstractLinuxARMCommand(AbstractLinuxCommand):
method is_valid_profile (line 133) | def is_valid_profile(profile):
function walk_internal_list (line 137) | def walk_internal_list(struct_name, list_member, list_start, addr_space ...
function do_get_path (line 147) | def do_get_path(rdentry, rmnt, dentry, vfsmnt):
function _get_path_file (line 188) | def _get_path_file(task, filp):
function get_new_sock_pipe_path (line 201) | def get_new_sock_pipe_path(task, filp):
function get_path (line 230) | def get_path(task, filp):
function write_elf_file (line 240) | def write_elf_file(dump_dir, task, elf_addr):
function get_time_vars (line 253) | def get_time_vars(obj_vm):
FILE: volatility/plugins/linux/cpuinfo.py
class linux_cpuinfo (line 31) | class linux_cpuinfo(linux_common.AbstractLinuxIntelCommand):
method calculate (line 34) | def calculate(self):
method get_info_single (line 51) | def get_info_single(self):
method get_info_smp (line 57) | def get_info_smp(self):
method get_per_cpu_symbol (line 66) | def get_per_cpu_symbol(self, sym_name, module = "kernel"):
method online_cpus (line 79) | def online_cpus(self):
method walk_per_cpu_var (line 105) | def walk_per_cpu_var(self, per_var, var_type):
method unified_output (line 126) | def unified_output(self, data):
method generator (line 132) | def generator(self, data):
method render_text (line 136) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/dentry_cache.py
class linux_dentry_cache (line 30) | class linux_dentry_cache(linux_common.AbstractLinuxCommand):
method __init__ (line 33) | def __init__(self, config, *args, **kwargs):
method make_body (line 40) | def make_body(self, dentry):
method calculate (line 57) | def calculate(self):
method render_text (line 69) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/dmesg.py
class linux_dmesg (line 30) | class linux_dmesg(linux_common.AbstractLinuxCommand):
method _get_log_info (line 33) | def _get_log_info(self):
method _pre_3 (line 42) | def _pre_3(self, buf_addr, buf_len):
method _ver_3 (line 46) | def _ver_3(self, buf_addr, buf_len):
method calculate (line 85) | def calculate(self):
method render_text (line 95) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/dump_map.py
class linux_dump_map (line 32) | class linux_dump_map(linux_proc_maps.linux_proc_maps):
method __init__ (line 35) | def __init__(self, config, *args, **kwargs):
method read_addr_range (line 40) | def read_addr_range(self, task, start, end):
method render_text (line 52) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/elfs.py
class linux_elfs (line 36) | class linux_elfs(linux_pslist.linux_pslist):
method calculate (line 39) | def calculate(self):
method unified_output (line 47) | def unified_output(self, data):
method generator (line 56) | def generator(self, data):
method render_text (line 61) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/enumerate_files.py
class linux_enumerate_files (line 33) | class linux_enumerate_files(linux_common.AbstractLinuxCommand):
method calculate (line 36) | def calculate(self):
method unified_output (line 44) | def unified_output(self, data):
method generator (line 48) | def generator(self, data):
method render_text (line 52) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/find_file.py
class linux_find_file (line 36) | class linux_find_file(linux_common.AbstractLinuxCommand):
method __init__ (line 39) | def __init__(self, config, *args, **kwargs):
method _walk_sb (line 51) | def _walk_sb(self, dentry_param, parent):
method _get_sbs (line 93) | def _get_sbs(self):
method walk_sbs (line 101) | def walk_sbs(self, sbs = []):
method calculate (line 119) | def calculate(self):
method render_text (line 153) | def render_text(self, outfd, data):
method radix_tree_is_internal_node (line 166) | def radix_tree_is_internal_node(self, ptr):
method radix_tree_is_indirect_ptr (line 172) | def radix_tree_is_indirect_ptr(self, ptr):
method radix_tree_indirect_to_ptr (line 175) | def radix_tree_indirect_to_ptr(self, ptr):
method index_is_valid (line 178) | def index_is_valid(self, root, index):
method is_sibling_entry (line 190) | def is_sibling_entry(self, parent, node):
method get_slot_offset (line 197) | def get_slot_offset(self, parent, slot):
method radix_tree_descend (line 200) | def radix_tree_descend(self, parent, node, index):
method find_slot_post_4_11 (line 218) | def find_slot_post_4_11(self, root, index):
method radix_tree_lookup_slot (line 237) | def radix_tree_lookup_slot(self, root, index):
method SHMEM_I (line 306) | def SHMEM_I(self, inode):
method xa_is_internal (line 310) | def xa_is_internal(self, entry):
method xa_is_node (line 313) | def xa_is_node(self, entry):
method xa_get_offset (line 316) | def xa_get_offset(self, index, node):
method xa_get_entry_from_offset (line 319) | def xa_get_entry_from_offset(self, offset, node):
method xas_descend (line 323) | def xas_descend(self, offset, node):
method walk_xarray (line 339) | def walk_xarray(self, inode, offset):
method find_get_page (line 352) | def find_get_page(self, inode, offset):
method get_page_contents (line 362) | def get_page_contents(self, inode, idx):
method get_file_contents (line 381) | def get_file_contents(self, inode):
FILE: volatility/plugins/linux/getcwd.py
class linux_getcwd (line 31) | class linux_getcwd(linux_pslist.linux_pslist):
method render_text (line 34) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/hidden_modules.py
class linux_hidden_modules (line 36) | class linux_hidden_modules(linux_common.AbstractLinuxCommand):
method walk_modules_address_space (line 39) | def walk_modules_address_space(self, addr_space):
method calculate (line 108) | def calculate(self):
method unified_output (line 114) | def unified_output(self, data):
method generator (line 119) | def generator(self, data):
method render_text (line 123) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/ifconfig.py
class linux_ifconfig (line 32) | class linux_ifconfig(linux_common.AbstractLinuxCommand):
method _get_devs_base (line 35) | def _get_devs_base(self):
method _get_devs_namespace (line 42) | def _get_devs_namespace(self):
method _gather_net_dev_info (line 54) | def _gather_net_dev_info(self, net_dev):
method calculate (line 65) | def calculate(self):
method unified_output (line 82) | def unified_output(self, data):
method generator (line 89) | def generator(self, data):
method render_text (line 93) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/info_regs.py
class linux_info_regs (line 86) | class linux_info_regs(linux_pslist.linux_pslist):
method __init__ (line 89) | def __init__(self, config, *args, **kwargs):
method calculate (line 97) | def calculate(self):
method render_text (line 117) | def render_text(self, outfd, data):
method parse_kernel_stack (line 133) | def parse_kernel_stack(self, task):
FILE: volatility/plugins/linux/iomem.py
class linux_iomem (line 31) | class linux_iomem(linux_common.AbstractLinuxCommand):
method yield_resource (line 34) | def yield_resource(self, io_res, depth = 0):
method calculate (line 50) | def calculate(self):
method render_text (line 59) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/kernel_opened_files.py
class linux_kernel_opened_files (line 33) | class linux_kernel_opened_files(linux_common.AbstractLinuxCommand):
method _walk_node_hash (line 36) | def _walk_node_hash(self, node):
method _walk_node_node (line 50) | def _walk_node_node(self, node):
method _walk_node (line 62) | def _walk_node(self, node):
method _gather_dcache (line 73) | def _gather_dcache(self):
method _compare_filps (line 97) | def _compare_filps(self):
method calculate (line 115) | def calculate(self):
method generator (line 123) | def generator(self,data):
method unified_output (line 127) | def unified_output(self, data):
method render_text (line 132) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/keyboard_notifiers.py
class linux_keyboard_notifiers (line 31) | class linux_keyboard_notifiers(linux_common.AbstractLinuxCommand):
method calculate (line 34) | def calculate(self):
method render_text (line 64) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/ld_env.py
class linux_dynamic_env (line 30) | class linux_dynamic_env(linux_pslist.linux_pslist):
method render_text (line 33) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/ldrmodules.py
class linux_ldrmodules (line 34) | class linux_ldrmodules(linux_pslist.linux_pslist):
method unified_output (line 37) | def unified_output(self, data):
method generator (line 46) | def generator(self, data):
method render_text (line 56) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/libc_env.py
class linux_bash_env (line 36) | class linux_bash_env(linux_pslist.linux_pslist):
method render_text (line 39) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/library_list.py
class linux_library_list (line 31) | class linux_library_list(linux_pslist.linux_pslist):
method calculate (line 34) | def calculate(self):
method unified_output (line 46) | def unified_output(self, data):
method generator (line 53) | def generator(self, data):
method render_text (line 57) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/librarydump.py
class linux_librarydump (line 35) | class linux_librarydump(linux_pslist.linux_pslist):
method __init__ (line 38) | def __init__(self, config, *args, **kwargs):
method render_text (line 43) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/lime.py
class LiMEInfo (line 24) | class LiMEInfo(linux_common.AbstractLinuxCommand):
method calculate (line 29) | def calculate(self):
method render_text (line 45) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/linux_strings.py
class linux_strings (line 25) | class linux_strings(strings.Strings, linux_common.AbstractLinuxCommand):
method is_valid_profile (line 29) | def is_valid_profile(profile):
method get_processes (line 32) | def get_processes(self, addr_space):
method get_modules (line 52) | def get_modules(cls, addr_space):
method find_module (line 69) | def find_module(cls, modlist, mod_addrs, addr_space, vpage):
method get_module_name (line 93) | def get_module_name(cls, module):
method get_task_pid (line 104) | def get_task_pid(cls, task):
FILE: volatility/plugins/linux/linux_truecrypt.py
class PassphraseScanner (line 32) | class PassphraseScanner(malfind.BaseYaraScanner):
method __init__ (line 35) | def __init__(self, task = None, **kwargs):
method scan (line 46) | def scan(self, offset = 0, maxlen = None):
class LinuxTruecryptModification (line 79) | class LinuxTruecryptModification(obj.ProfileModification):
method modification (line 84) | def modification(self, profile):
class linux_truecrypt_passphrase (line 108) | class linux_truecrypt_passphrase(linux_pslist.linux_pslist):
method calculate (line 111) | def calculate(self):
method render_text (line 136) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/linux_volshell.py
class linux_volshell (line 25) | class linux_volshell(volshell.volshell):
method is_valid_profile (line 29) | def is_valid_profile(profile):
method modules (line 32) | def modules(self):
method getpidlist (line 38) | def getpidlist(self):
method ps (line 41) | def ps(self, procs = None):
method context_display (line 46) | def context_display(self):
method set_context (line 51) | def set_context(self, offset = None, pid = None, name = None, physical...
FILE: volatility/plugins/linux/linux_yarascan.py
class VmaYaraScanner (line 33) | class VmaYaraScanner(malfind.BaseYaraScanner):
method __init__ (line 36) | def __init__(self, task = None, **kwargs):
method scan (line 45) | def scan(self, offset = 0, maxlen = None):
class linux_yarascan (line 50) | class linux_yarascan(malfind.YaraScan):
method is_valid_profile (line 54) | def is_valid_profile(profile):
method filter_tasks (line 57) | def filter_tasks(self):
method calculate (line 83) | def calculate(self):
method render_text (line 116) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/list_raw.py
class linux_list_raw (line 34) | class linux_list_raw(linux_common.AbstractLinuxCommand):
method __init__ (line 37) | def __init__(self, config, *args, **kwargs):
method _SOCK_INODE (line 41) | def _SOCK_INODE(self, sk):
method _walk_net_spaces (line 47) | def _walk_net_spaces(self):
method _fill_cache (line 67) | def _fill_cache(self):
method _find_proc_for_inode (line 75) | def _find_proc_for_inode(self, inode):
method __walk_hlist_node (line 88) | def __walk_hlist_node(self, node):
method _walk_packet_sklist (line 105) | def _walk_packet_sklist(self):
method calculate (line 113) | def calculate(self):
method render_text (line 126) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/lsmod.py
class linux_lsmod (line 33) | class linux_lsmod(linux_common.AbstractLinuxCommand):
method __init__ (line 36) | def __init__(self, config, *args, **kwargs):
method _get_modules (line 46) | def _get_modules(self):
method calculate (line 59) | def calculate(self):
method render_text (line 78) | def render_text(self, outfd, data):
method get_module (line 102) | def get_module(self, name):
method get_modules (line 114) | def get_modules(self, include_list = None):
class linux_moddump (line 129) | class linux_moddump(linux_common.AbstractLinuxCommand):
method __init__ (line 132) | def __init__(self, config, *args, **kwargs):
method calculate (line 151) | def calculate(self):
method _get_header_64 (line 177) | def _get_header_64(self, load_addr, sect_hdr_offset, num_sects):
method _get_header_32 (line 202) | def _get_header_32(self, load_addr, sect_hdr_offset, num_sects):
method _build_sections_list (line 228) | def _build_sections_list(self, module):
method _parse_sections (line 251) | def _parse_sections(self, module):
method _calc_sect_name_idx (line 312) | def _calc_sect_name_idx(self, name):
method _calc_sect_type (line 317) | def _calc_sect_type(self, name):
method _calc_sect_flags (line 364) | def _calc_sect_flags(self, name):
method _calc_link (line 375) | def _calc_link(self, name, strtab_idx, symtab_idx, sect_type):
method _calc_entsize (line 388) | def _calc_entsize(self, name, sect_type, bits):
method _make_sect_header_64 (line 403) | def _make_sect_header_64(self, name, address, size, file_off, strtab_i...
method _make_sect_header_32 (line 425) | def _make_sect_header_32(self, name, address, size, file_off, strtab_i...
method _null_sect_hdr (line 447) | def _null_sect_hdr(self, sz):
method _calc_string_data (line 451) | def _calc_string_data(self, module):
method _find_sec (line 462) | def _find_sec(self, sections_info, sym_addr):
method _fix_sym_table (line 471) | def _fix_sym_table(self, module, sections_info):
method _get_module_data (line 581) | def _get_module_data(self, module):
method get_module_data (line 624) | def get_module_data(self, module):
method render_text (line 627) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/lsof.py
class linux_lsof (line 33) | class linux_lsof(linux_pslist.linux_pslist):
method unified_output (line 36) | def unified_output(self, data):
method generator (line 44) | def generator(self, data):
method render_text (line 50) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/malfind.py
class linux_malfind (line 34) | class linux_malfind(linux_pslist.linux_pslist):
method render_text (line 37) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/mount.py
class linux_mount (line 32) | class linux_mount(linux_common.AbstractLinuxCommand):
method _parse_mnt (line 35) | def _parse_mnt(self, mnt, ns, fs_types):
method calculate (line 93) | def calculate(self):
method _calc_mnt_string (line 224) | def _calc_mnt_string(self, mnt):
method _get_filesystem_types (line 233) | def _get_filesystem_types(self):
method render_text (line 248) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/mount_cache.py
class linux_mount_cache (line 32) | class linux_mount_cache(linux_mount.linux_mount):
method __init__ (line 35) | def __init__(self, config, *args, **kwargs):
method _get_filesystem_types (line 42) | def _get_filesystem_types(self):
method calculate (line 57) | def calculate(self):
FILE: volatility/plugins/linux/netfilter.py
class linux_netfilter (line 35) | class linux_netfilter(linux_common.AbstractLinuxCommand):
method calculate (line 38) | def calculate(self):
method unified_output (line 71) | def unified_output(self, data):
method generator (line 78) | def generator(self, data):
method render_text (line 82) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/netscan.py
class linux_netscan (line 40) | class linux_netscan(linux_common.AbstractLinuxCommand):
method check_socket_back_pointer (line 43) | def check_socket_back_pointer(self, i):
method check_pointers (line 49) | def check_pointers(self, i):
method check_proto (line 57) | def check_proto(self, i):
method check_family (line 60) | def check_family(self, i):
method calculate (line 63) | def calculate(self):
method render_text (line 118) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/netstat.py
class linux_netstat (line 34) | class linux_netstat(linux_pslist.linux_pslist):
method __init__ (line 37) | def __init__(self, config, *args, **kwargs):
method unified_output (line 41) | def unified_output(self,data):
method generator (line 54) | def generator(self, data):
method render_text (line 86) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/pidhashtable.py
class linux_pidhashtable (line 37) | class linux_pidhashtable(linux_pslist.linux_pslist):
method __init__ (line 40) | def __init__(self, *args, **kwargs):
method get_obj (line 44) | def get_obj(self, ptr, sname, member):
method _task_for_pid (line 49) | def _task_for_pid(self, upid, pid):
method _walk_upid (line 68) | def _walk_upid(self, upid):
method _get_pidhash_array (line 88) | def _get_pidhash_array(self):
method calculate_v3 (line 100) | def calculate_v3(self):
method profile_unsupported (line 129) | def profile_unsupported(self, func_name):
method calculate_v2 (line 132) | def calculate_v2(self):
method calculate_v1 (line 170) | def calculate_v1(self):
method refresh_pid_hash_task_table (line 173) | def refresh_pid_hash_task_table(self):
method get_both (line 176) | def get_both(self):
method radix_tree_is_internal_node (line 202) | def radix_tree_is_internal_node(self, ptr):
method radix_tree_is_indirect_ptr (line 208) | def radix_tree_is_indirect_ptr(self, ptr):
method radix_tree_indirect_to_ptr (line 211) | def radix_tree_indirect_to_ptr(self, ptr):
method _walk_idr_node (line 215) | def _walk_idr_node(self, node, height, idx):
method _walk_pid_ns_idr (line 234) | def _walk_pid_ns_idr(self):
method _task_for_radix_pid_node (line 268) | def _task_for_radix_pid_node(self, node):
method _do_walk_xarray (line 287) | def _do_walk_xarray(self, ff, node, height, index):
method _walk_xarray_pids (line 305) | def _walk_xarray_pids(self):
method pid_namespace_idr (line 341) | def pid_namespace_idr(self):
method determine_func (line 354) | def determine_func(self):
method calculate (line 377) | def calculate(self):
FILE: volatility/plugins/linux/pkt_queues.py
class linux_pkt_queues (line 31) | class linux_pkt_queues(linux_netstat.linux_netstat):
method __init__ (line 34) | def __init__(self, config, *args, **kwargs):
method process_queue (line 38) | def process_queue(self, name, pid, fd_num, queue):
method render_text (line 75) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/plthook.py
class linux_plthook (line 32) | class linux_plthook(linux_pslist.linux_pslist):
method __init__ (line 35) | def __init__(self, config, *args, **kwargs):
method render_text (line 46) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/proc_maps.py
class linux_proc_maps (line 32) | class linux_proc_maps(linux_pslist.linux_pslist):
method calculate (line 35) | def calculate(self):
method unified_output (line 44) | def unified_output(self, data):
method generator (line 58) | def generator(self, data):
method render_text (line 74) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/proc_maps_rb.py
class linux_proc_maps_rb (line 33) | class linux_proc_maps_rb(linux_proc_maps.linux_proc_maps):
method calculate (line 36) | def calculate(self):
FILE: volatility/plugins/linux/procdump.py
class linux_procdump (line 34) | class linux_procdump(linux_pslist.linux_pslist):
method __init__ (line 37) | def __init__(self, config, *args, **kwargs):
method render_text (line 41) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/process_hollow.py
class linux_process_hollow (line 34) | class linux_process_hollow(linux_pslist.linux_pslist):
method __init__ (line 37) | def __init__(self, config, *args, **kwargs):
method calculate (line 45) | def calculate(self):
method render_text (line 107) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/process_info.py
function null_list (line 57) | def null_list(pages, size):
function int_list (line 77) | def int_list(pages, size):
function _neg_fix (line 97) | def _neg_fix(addr):
function print_hex (line 103) | def print_hex(value):
function read_addr_range (line 108) | def read_addr_range(start, end, addr_space):
function read_null_list (line 125) | def read_null_list( start, end, addr_space):
function read_int_list (line 136) | def read_int_list( start, end, addr_space):
function read_registers (line 147) | def read_registers(task, addr_space):
class linux_process_info (line 164) | class linux_process_info:
method __init__ (line 167) | def __init__(self, config, *args, **kwargs):
method read_addr_range (line 176) | def read_addr_range(self, start, end, addr_space=None):
method calculate (line 188) | def calculate(self):
method read_null_list (line 198) | def read_null_list(self, start, end, addr_space=None):
method read_int_list (line 209) | def read_int_list(self, start, end, addr_space=None):
method analyze (line 220) | def analyze(self, task):
method get_map (line 261) | def get_map(self, task, address):
method render_text (line 273) | def render_text(self, outfd, data):
method render_stack_frames (line 326) | def render_stack_frames(self, stack_frames):
method render_registers (line 338) | def render_registers(self, reg):
method render_list (line 348) | def render_list(self, l):
method render_annotated_list (line 358) | def render_annotated_list(self, ann_list):
class process_info (line 369) | class process_info(object):
method __init__ (line 374) | def __init__(self, task):
method maps (line 415) | def maps(self):
method maps (line 422) | def maps(self, value):
method reg (line 437) | def reg(self):
method reg (line 444) | def reg(self, value):
method stack (line 454) | def stack(self):
method stack (line 462) | def stack(self, value):
method threads (line 474) | def threads(self):
method threads (line 482) | def threads(self, value):
method _find_thread_registers (line 492) | def _find_thread_registers(self):
method get_stack_value (line 503) | def get_stack_value(self, address):
method get_stack_index (line 511) | def get_stack_index(self, address):
method _generate_thread_stack_list (line 519) | def _generate_thread_stack_list(self):
method _calculate_stack_offset (line 539) | def _calculate_stack_offset(self):
method annotate_addr_list (line 552) | def annotate_addr_list(self, l, offset=None, skip_zero=True):
method is_stack_pointer (line 577) | def is_stack_pointer(self, addr):
method is_thread_stack_pointer (line 585) | def is_thread_stack_pointer(self, addr):
method is_heap_pointer (line 597) | def is_heap_pointer(self, addr):
method is_constant_pointer (line 605) | def is_constant_pointer(self, addr):
method is_program_code_pointer (line 613) | def is_program_code_pointer(self, addr):
method is_library_code_pointer (line 621) | def is_library_code_pointer(self, addr):
method is_code_pointer (line 629) | def is_code_pointer(self, addr):
method is_data_pointer (line 640) | def is_data_pointer(self, addr):
method is_pointer (line 648) | def is_pointer(self, addr, space=None):
method get_map_by_name (line 663) | def get_map_by_name(self, name, permissions='r-x'):
method get_unique_data_pointers (line 678) | def get_unique_data_pointers(self):
method get_unique_pointers (line 685) | def get_unique_pointers(self, pointer_iter=None):
method get_data_pointers (line 701) | def get_data_pointers(self):
method get_pointers (line 708) | def get_pointers(self, cond=None, space=None):
method get_data_pointers_from_heap (line 725) | def get_data_pointers_from_heap(self):
method get_data_pointers_from_map (line 735) | def get_data_pointers_from_map(self, m):
method get_data_pointers_from_threads (line 747) | def get_data_pointers_from_threads(self):
method get_pointers_from_stack (line 755) | def get_pointers_from_stack(self):
method get_pointer_type (line 762) | def get_pointer_type(self, addr):
method annotated_stack (line 773) | def annotated_stack(self):
FILE: volatility/plugins/linux/process_stack.py
function yield_address (line 63) | def yield_address(space, start, length = None, reverse = False):
function read_address (line 88) | def read_address(space, start, length = None):
class linux_process_stack (line 100) | class linux_process_stack(linux_process_info.linux_process_info):
method __init__ (line 105) | def __init__(self, config, *args, **kwargs):
method load_symbols (line 126) | def load_symbols(self, dir):
method calculate (line 163) | def calculate(self):
method analyze_stack (line 193) | def analyze_stack(self, process_info, task, thread_number):
method find_oldschool_frames (line 355) | def find_oldschool_frames(self, p, proc_as, registers):
method find_scanned_frames (line 399) | def find_scanned_frames(self, p, address, end):
method find_entry_point (line 419) | def find_entry_point(self, proc_as, start_code):
method validate_stack_frames (line 440) | def validate_stack_frames(self, frames):
method is_return_address (line 459) | def is_return_address(self, address, process_info):
method find_return_libc_start (line 479) | def find_return_libc_start(self, proc_as, start_stack, return_start):
method find_return_main (line 496) | def find_return_main(self, proc_as, libc_start, libc_end, start_address):
method find_locals_size (line 605) | def find_locals_size(self, proc_as, frames):
method has_frame_pointer (line 624) | def has_frame_pointer(self, function_address, proc_as):
method is_function_header (line 633) | def is_function_header(self, instructions):
method find_function_symbol (line 641) | def find_function_symbol(self, task, address):
method find_function_address (line 673) | def find_function_address(self, proc_as, ret_addr):
method calculate_annotations (line 729) | def calculate_annotations(self, frames):
method render_text (line 757) | def render_text(self, outfd, data):
method write_annotated_stack (line 768) | def write_annotated_stack(self, f, stack_ann):
class stack_frame (line 781) | class stack_frame(object):
method __init__ (line 785) | def __init__(self, address, proc_as, frame_number):
method function (line 795) | def function(self):
method function (line 799) | def function(self, value):
method ret (line 803) | def ret(self):
method ret_address (line 809) | def ret_address(self):
method ebp (line 813) | def ebp(self):
method ebp_address (line 819) | def ebp_address(self):
method arg_address (line 823) | def arg_address(self):
method locals_end (line 827) | def locals_end(self):
method get_locals (line 830) | def get_locals(self):
method __repr__ (line 835) | def __repr__(self):
FILE: volatility/plugins/linux/psaux.py
class linux_psaux (line 31) | class linux_psaux(linux_pslist.linux_pslist):
method unified_output (line 34) | def unified_output(self, data):
method generator (line 41) | def generator(self, data):
method render_text (line 45) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/psenv.py
class linux_psenv (line 31) | class linux_psenv(linux_pslist.linux_pslist):
method unified_output (line 33) | def unified_output(self, data):
method generator (line 39) | def generator(self, data):
method render_text (line 43) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/pslist.py
class linux_pslist (line 33) | class linux_pslist(linux_common.AbstractLinuxCommand):
method __init__ (line 36) | def __init__(self, config, *args, **kwargs):
method virtual_process_from_physical_offset (line 43) | def virtual_process_from_physical_offset(addr_space, offset):
method allprocs (line 54) | def allprocs(self):
method calculate (line 64) | def calculate(self):
method unified_output (line 75) | def unified_output(self, data):
method _get_task_vals (line 85) | def _get_task_vals(self, task):
method generator (line 117) | def generator(self, data):
method render_text (line 129) | def render_text(self, outfd, data):
class linux_memmap (line 150) | class linux_memmap(linux_pslist):
method unified_output (line 153) | def unified_output(self, data):
method generator (line 161) | def generator(self, data):
method render_text (line 175) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/pslist_cache.py
class linux_pslist_cache (line 30) | class linux_pslist_cache(linux_pslist.linux_pslist):
method __init__ (line 33) | def __init__(self, config, *args, **kwargs):
method calculate (line 40) | def calculate(self):
FILE: volatility/plugins/linux/psscan.py
class linux_psscan (line 39) | class linux_psscan(pslist.linux_pslist):
method __init__ (line 42) | def __init__(self, config, *args, **kwargs):
method calculate (line 46) | def calculate(self):
FILE: volatility/plugins/linux/pstree.py
class linux_pstree (line 29) | class linux_pstree(linux_pslist.linux_pslist):
method __init__ (line 32) | def __init__(self, *args, **kwargs):
method unified_output (line 36) | def unified_output(self, data):
method generator (line 47) | def generator(self, data):
method recurse_task (line 63) | def recurse_task(self,task,ppid,level,procs):
method render_text (line 80) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/psxview.py
class linux_psxview (line 42) | class linux_psxview(linux_common.AbstractLinuxCommand):
method _get_pslist (line 45) | def _get_pslist(self):
method _get_pid_hash (line 48) | def _get_pid_hash(self):
method _get_kmem_cache (line 51) | def _get_kmem_cache(self):
method _get_task_parents (line 54) | def _get_task_parents(self):
method _get_thread_leaders (line 62) | def _get_thread_leaders(self):
method _get_psscan (line 65) | def _get_psscan(self):
method calculate (line 68) | def calculate(self):
method unified_output (line 96) | def unified_output(self, data):
method generator (line 108) | def generator(self, data):
method render_text (line 120) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/recover_filesystem.py
class linux_recover_filesystem (line 35) | class linux_recover_filesystem(linux_common.AbstractLinuxCommand):
method __init__ (line 38) | def __init__(self, config, *args, **kwargs):
method _fix_metadata (line 42) | def _fix_metadata(self, file_path, file_dentry):
method _write_file (line 53) | def _write_file(self, ff, file_path, file_dentry):
method _make_path (line 71) | def _make_path(self, file_path, file_dentry):
method calculate (line 86) | def calculate(self):
method render_text (line 105) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/route_cache.py
class linux_route_cache (line 33) | class linux_route_cache(linux_common.AbstractLinuxCommand):
method __init__ (line 36) | def __init__(self, config, *args, **kwargs):
method calculate (line 41) | def calculate(self):
method render_text (line 83) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/sk_buff_cache.py
class linux_sk_buff_cache (line 32) | class linux_sk_buff_cache(linux_common.AbstractLinuxCommand):
method __init__ (line 35) | def __init__(self, config, *args, **kwargs):
method write_sk_buff (line 41) | def write_sk_buff(self, s):
method walk_cache (line 58) | def walk_cache(self, cache_name):
method calculate (line 68) | def calculate(self):
method render_text (line 82) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/slab_info.py
class kmem_cache (line 30) | class kmem_cache(obj.CType):
method get_type (line 31) | def get_type(self):
method get_name (line 34) | def get_name(self):
class kmem_cache_slab (line 37) | class kmem_cache_slab(kmem_cache):
method get_type (line 38) | def get_type(self):
method _get_nodelist (line 43) | def _get_nodelist(self):
method _get_free_list (line 56) | def _get_free_list(self):
method _get_partial_list (line 63) | def _get_partial_list(self):
method _get_full_list (line 69) | def _get_full_list(self):
method _get_object (line 75) | def _get_object(self, offset):
method __iter__ (line 81) | def __iter__(self):
class LinuxKmemCacheOverlay (line 117) | class LinuxKmemCacheOverlay(obj.ProfileModification):
method modification (line 121) | def modification(self, profile):
class linux_slabinfo (line 126) | class linux_slabinfo(linux_common.AbstractLinuxCommand):
method get_all_kmem_caches (line 129) | def get_all_kmem_caches(self):
method get_kmem_cache (line 146) | def get_kmem_cache(self, cache_name, unalloc, struct_name = ""):
method calculate (line 160) | def calculate(self):
method render_text (line 193) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/threads.py
class linux_threads (line 27) | class linux_threads(linux_pslist.linux_pslist):
method unified_output (line 30) | def unified_output(self, data):
method generator (line 44) | def generator(self, data):
method get_addr_limit (line 64) | def get_addr_limit(self,thread, addrvar_offset = 8 ):
method render_text (line 79) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/tmpfs.py
class linux_tmpfs (line 33) | class linux_tmpfs(linux_common.AbstractLinuxCommand):
method __init__ (line 36) | def __init__(self, config, *args, **kwargs):
method fix_md (line 47) | def fix_md(self, new_file, perms, atime, mtime, isdir = 0):
method process_directory (line 60) | def process_directory(self, dentry, _recursive = 0, parent = ""):
method walk_sb (line 98) | def walk_sb(self, root_dentry):
method get_tmpfs_sbs (line 108) | def get_tmpfs_sbs(self):
method calculate (line 124) | def calculate(self):
method render_text (line 154) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/tty_check.py
class linux_check_tty (line 33) | class linux_check_tty(linux_common.AbstractLinuxCommand):
method calculate (line 36) | def calculate(self):
method unified_output (line 75) | def unified_output(self, data):
method generator (line 81) | def generator(self, data):
method render_text (line 85) | def render_text(self, outfd, data):
FILE: volatility/plugins/linux/vma_cache.py
class linux_vma_cache (line 31) | class linux_vma_cache(linux_common.AbstractLinuxCommand):
method __init__ (line 34) | def __init__(self, config, *args, **kwargs):
method calculate (line 41) | def calculate(self):
method render_text (line 65) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/WKdm.py
class WKdm (line 28) | class WKdm:
method WK_pack_2bits (line 92) | def WK_pack_2bits(self,
method WK_pack_4bits (line 127) | def WK_pack_4bits(self,
method WK_pack_3_tenbits (line 155) | def WK_pack_3_tenbits(self,
method WK_unpack_2bits (line 186) | def WK_unpack_2bits(self,
method WK_unpack_4bits (line 218) | def WK_unpack_4bits(self,
method WK_unpack_3_tenbits (line 245) | def WK_unpack_3_tenbits(self,
method WKdm_compress (line 273) | def WKdm_compress(self,
method WKdm_decompress (line 424) | def WKdm_decompress (self,
function main (line 517) | def main():
FILE: volatility/plugins/mac/adiummsgs.py
class mac_adium (line 35) | class mac_adium(pstasks.mac_tasks):
method __init__ (line 38) | def __init__(self, config, *args, **kwargs):
method _make_uni (line 43) | def _make_uni(self, msg):
method calculate (line 49) | def calculate(self):
method unified_output (line 116) | def unified_output(self, data):
method generator (line 125) | def generator(self, data):
method render_text (line 142) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/apihooks.py
class mac_apihooks (line 35) | class mac_apihooks(pstasks.mac_tasks):
method __init__ (line 38) | def __init__(self, config, *args, **kwargs):
method _is_api_hooked (line 43) | def _is_api_hooked(self, sym_addr, proc_as):
method _fill_mapping_cache (line 109) | def _fill_mapping_cache(self, proc):
method _find_mapping (line 124) | def _find_mapping(self, proc, addr):
method _find_mapping_proc_maps (line 139) | def _find_mapping_proc_maps(self, proc, addr):
method calculate (line 148) | def calculate(self):
method unified_output (line 205) | def unified_output(self, data):
method generator (line 218) | def generator(self, data):
method render_text (line 248) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/apihooks_kernel.py
class mac_apihooks_kernel (line 33) | class mac_apihooks_kernel(common.AbstractMacCommand):
method __init__ (line 36) | def __init__(self, config, *args, **kwargs):
method getKextSymbols (line 45) | def getKextSymbols(self, kext_obj = None, kext_name = None, kext_addr ...
method findKextWithAddress (line 134) | def findKextWithAddress(self, addr):
method isCallReferenceModified (line 156) | def isCallReferenceModified(self, model, distorm_mode, func_addr, kern...
method isPrologInlined (line 215) | def isPrologInlined(self, model, distorm_mode, func_addr):
method outside_module (line 251) | def outside_module(self, addr, kernel_syms, kmods):
method isInlined (line 256) | def isInlined(self, model, distorm_mode, func_addr, kernel_syms, kmods):
method calculate (line 360) | def calculate(self):
method unified_output (line 493) | def unified_output(self, data):
method generator (line 504) | def generator(self, data):
method render_text (line 540) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/arp.py
class mac_arp (line 31) | class mac_arp(route.mac_route):
method calculate (line 34) | def calculate(self):
FILE: volatility/plugins/mac/bash.py
class _mac_hist_entry (line 49) | class _mac_hist_entry(obj.CType):
method is_valid (line 52) | def is_valid(self):
method line (line 84) | def line(self):
method time_as_integer (line 99) | def time_as_integer(self):
method time_object (line 111) | def time_object(self):
method line_ptr (line 119) | def line_ptr(self):
method time_ptr (line 123) | def time_ptr(self):
class bash64_hist_entry (line 127) | class bash64_hist_entry(_mac_hist_entry):
method read_ptr (line 128) | def read_ptr(self, addr):
class bash32_hist_entry (line 133) | class bash32_hist_entry(_mac_hist_entry):
method read_ptr (line 134) | def read_ptr(self, addr):
class MacBashTypes (line 139) | class MacBashTypes(obj.ProfileModification):
method modification (line 142) | def modification(self, profile):
class mac_bash (line 146) | class mac_bash(mac_tasks.mac_tasks):
method __init__ (line 149) | def __init__(self, config, *args, **kwargs):
method unified_output (line 153) | def unified_output(self, data):
method generator (line 161) | def generator(self, data):
method render_text (line 174) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/bash_env.py
class mac_bash_env (line 37) | class mac_bash_env(mac_tasks.mac_tasks):
method unified_output (line 40) | def unified_output(self, data):
method generator (line 43) | def generator(self, data):
method render_text (line 46) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/bash_hash.py
class bash_funcs (line 83) | class bash_funcs(obj.CType):
method __init__ (line 84) | def __init__(self, ptr_size, theType, offset, vm, name = None, **kwargs):
method path (line 89) | def path(self):
method next_bucket (line 104) | def next_bucket(self):
method key (line 116) | def key(self):
method data (line 134) | def data(self):
method bucket_array (line 146) | def bucket_array(self):
method read_ptr_32 (line 150) | def read_ptr_32(self, addr):
method read_ptr_64 (line 155) | def read_ptr_64(self, addr):
method read_ptr (line 160) | def read_ptr(self, addr):
class mac64_bash_hash_table (line 168) | class mac64_bash_hash_table(bash_funcs):
method __init__ (line 169) | def __init__(self, theType, offset, vm, name = None, **kwargs):
method is_valid (line 172) | def is_valid(self):
method __iter__ (line 181) | def __iter__(self):
class mac32_bash_hash_table (line 195) | class mac32_bash_hash_table(bash_funcs):
method __init__ (line 196) | def __init__(self, theType, offset, vm, name = None, **kwargs):
method is_valid (line 199) | def is_valid(self):
method __iter__ (line 208) | def __iter__(self):
class mac64_pathdata (line 221) | class mac64_pathdata(bash_funcs):
method __init__ (line 222) | def __init__(self, theType, offset, vm, name = None, **kwargs):
class mac32_pathdata (line 225) | class mac32_pathdata(bash_funcs):
method __init__ (line 226) | def __init__(self, theType, offset, vm, name = None, **kwargs):
class mac64_bucket_contents (line 229) | class mac64_bucket_contents(bash_funcs):
method __init__ (line 230) | def __init__(self, theType, offset, vm, name = None, **kwargs):
class mac32_bucket_contents (line 233) | class mac32_bucket_contents(bash_funcs):
method __init__ (line 234) | def __init__(self, theType, offset, vm, name = None, **kwargs):
class MacBashHashTypes (line 237) | class MacBashHashTypes(obj.ProfileModification):
method modification (line 240) | def modification(self, profile):
class mac_bash_hash (line 252) | class mac_bash_hash(mac_pslist.mac_pslist):
method __init__ (line 255) | def __init__(self, config, *args, **kwargs):
method unified_output (line 259) | def unified_output(self, data):
method generator (line 267) | def generator(self, data):
method render_text (line 282) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/calendar.py
class mac_calendar (line 27) | class mac_calendar(pstasks.mac_tasks):
method calculate (line 30) | def calculate(self):
method unified_output (line 102) | def unified_output(self, data):
method generator (line 110) | def generator(self, data):
method render_text (line 128) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/check_fop.py
class mac_check_fop (line 32) | class mac_check_fop(common.AbstractMacCommand):
method _walk_vfstbllist (line 35) | def _walk_vfstbllist(self, kaddr_info):
method _walk_opv_desc (line 77) | def _walk_opv_desc(self, kaddr_info):
method calculate (line 113) | def calculate(self):
method render_text (line 124) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/check_mig_table.py
class mac_check_mig_table (line 32) | class mac_check_mig_table(common.AbstractMacCommand):
method calculate (line 35) | def calculate(self):
method unified_output (line 68) | def unified_output(self, data):
method generator (line 74) | def generator(self, data):
method render_text (line 82) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/check_syscall_shadow.py
class mac_check_syscall_shadow (line 38) | class mac_check_syscall_shadow(common.AbstractMacCommand):
method shadowedSyscalls (line 42) | def shadowedSyscalls(self, model, distorm_mode, sysents_addr):
method calculate (line 90) | def calculate(self):
method unified_output (line 103) | def unified_output(self, data):
method generator (line 109) | def generator(self, data):
method render_text (line 117) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/check_syscall_table.py
class mac_check_syscalls (line 32) | class mac_check_syscalls(common.AbstractMacCommand):
method __init__ (line 35) | def __init__(self, config, *args, **kwargs):
method _parse_handler_names (line 39) | def _parse_handler_names(self):
method calculate (line 62) | def calculate(self):
method unified_output (line 95) | def unified_output(self, data):
method generator (line 103) | def generator(self, data):
method render_text (line 117) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/check_sysctl.py
class mac_check_sysctl (line 33) | class mac_check_sysctl(common.AbstractMacCommand):
method _parse_global_variable_sysctls (line 37) | def _parse_global_variable_sysctls(self, name):
method _process_sysctl_list (line 55) | def _process_sysctl_list(self, sysctl_list, r = 0):
method calculate (line 95) | def calculate(self):
method unified_output (line 117) | def unified_output(self, data):
method generator (line 128) | def generator(self, data):
method render_text (line 140) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/check_trap_table.py
class mac_check_trap_table (line 32) | class mac_check_trap_table(common.AbstractMacCommand):
method _set_vtypes (line 35) | def _set_vtypes(self):
method calculate (line 79) | def calculate(self):
method unified_output (line 106) | def unified_output(self, data):
method generator (line 113) | def generator(self, data):
method render_text (line 122) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/classes.py
class mac_kernel_classes (line 32) | class mac_kernel_classes(common.AbstractMacCommand):
method _struct_or_class (line 35) | def _struct_or_class(self, type_name):
method calculate (line 47) | def calculate(self):
method render_text (line 89) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/common.py
function set_plugin_members (line 33) | def set_plugin_members(obj_ref):
class AbstractMacCommand (line 36) | class AbstractMacCommand(commands.Command):
method __init__ (line 37) | def __init__(self, *args, **kwargs):
method profile (line 42) | def profile(self):
method execute (line 47) | def execute(self, *args, **kwargs):
method register_options (line 51) | def register_options(config):
method is_valid_profile (line 55) | def is_valid_profile(profile):
function is_in_kernel_or_module (line 58) | def is_in_kernel_or_module(handler, ktext_start, ktext_end, kmods):
function get_handler_name (line 76) | def get_handler_name(kaddr_info, handler):
function is_known_address_name (line 98) | def is_known_address_name(handler, kernel_symbol_addresses, kmods):
function is_64bit_capable (line 116) | def is_64bit_capable(addr_space):
function get_kernel_function_addrs (line 133) | def get_kernel_function_addrs(obj_ref):
function get_kernel_addrs_start_end (line 143) | def get_kernel_addrs_start_end(obj_ref):
function get_handler_name_addrs (line 164) | def get_handler_name_addrs(obj_ref):
function get_kernel_addrs (line 187) | def get_kernel_addrs(obj_ref):
function get_string (line 200) | def get_string(addr, addr_space, maxlen = 256):
function get_cpp_sym (line 213) | def get_cpp_sym(name, profile):
function write_vnode_to_file (line 220) | def write_vnode_to_file(vnode, file_path):
function write_macho_file (line 233) | def write_macho_file(out_dir, proc, exe_address):
FILE: volatility/plugins/mac/compressed_swap.py
class mac_compressed_swap (line 34) | class mac_compressed_swap(common.AbstractMacCommand):
method __init__ (line 37) | def __init__(self, config, *args, **kwargs):
method calculate (line 62) | def calculate(self):
method render_text (line 204) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/contacts.py
class mac_contacts (line 26) | class mac_contacts(pstasks.mac_tasks):
method calculate (line 29) | def calculate(self):
method unified_output (line 58) | def unified_output(self, data):
method generator (line 63) | def generator(self, data):
method render_text (line 73) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/dead_procs.py
class mac_dead_procs (line 32) | class mac_dead_procs(pslist.mac_pslist):
method calculate (line 35) | def calculate(self):
FILE: volatility/plugins/mac/dead_sockets.py
class mac_dead_sockets (line 32) | class mac_dead_sockets(netstat.mac_netstat):
method calculate (line 35) | def calculate(self):
method render_text (line 47) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/dead_vnodes.py
class mac_dead_vnodes (line 32) | class mac_dead_vnodes(pslist.mac_pslist):
method calculate (line 35) | def calculate(self):
method render_text (line 47) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/devfs.py
class mac_devfs (line 31) | class mac_devfs(common.AbstractMacCommand):
method calculate (line 34) | def calculate(self):
method render_text (line 76) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/dlyd_maps.py
class mac_dyld_maps (line 33) | class mac_dyld_maps(pstasks.mac_tasks):
method unified_output (line 36) | def unified_output(self, data):
method generator (line 45) | def generator(self, data):
method render_text (line 55) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/dmesg.py
class mac_dmesg (line 30) | class mac_dmesg(common.AbstractMacCommand):
method calculate (line 33) | def calculate(self):
method render_text (line 60) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/dump_files.py
class mac_dump_file (line 32) | class mac_dump_file(common.AbstractMacCommand):
method __init__ (line 35) | def __init__(self, config, *args, **kwargs):
method calculate (line 40) | def calculate(self):
method render_text (line 58) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/dump_map.py
class mac_dump_maps (line 34) | class mac_dump_maps(pstasks.mac_tasks):
method __init__ (line 37) | def __init__(self, config, *args, **kwargs):
method render_text (line 47) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/find_aslr_shift.py
class mac_find_aslr_shift (line 30) | class mac_find_aslr_shift(common.AbstractMacCommand):
method calculate (line 33) | def calculate(self):
method render_text (line 38) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/get_profile.py
class catfishScan (line 189) | class catfishScan(scan.BaseScanner):
method __init__ (line 193) | def __init__(self, needles = None):
method scan (line 198) | def scan(self, address_space, offset = 0, maxlen = None):
class mac_get_profile (line 203) | class mac_get_profile(common.AbstractMacCommand):
method check_address (line 207) | def check_address(profile, ver_addr, aspace):
method guess_profile (line 236) | def guess_profile(aspace):
method calculate (line 270) | def calculate(self):
method unified_output (line 280) | def unified_output(self, data):
method generator (line 285) | def generator(self, data):
method render_text (line 292) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/gkextmap.py
class mac_lsmod_kext_map (line 31) | class mac_lsmod_kext_map(lsmod.mac_lsmod):
method calculate (line 34) | def calculate(self):
FILE: volatility/plugins/mac/ifconfig.py
class mac_ifconfig (line 30) | class mac_ifconfig(common.AbstractMacCommand):
method calculate (line 33) | def calculate(self):
method render_text (line 68) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/interest_handlers.py
class mac_interest_handlers (line 34) | class mac_interest_handlers(common.AbstractMacCommand):
method _struct_or_class (line 37) | def _struct_or_class(self, type_name):
method parse_properties (line 49) | def parse_properties(self, fdict):
method walk_reg_entry (line 69) | def walk_reg_entry(self, reg_addr):
method walk_child_links (line 156) | def walk_child_links(self, addr):
method calculate (line 168) | def calculate(self):
method render_text (line 180) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/ip_filters.py
class mac_ip_filters (line 34) | class mac_ip_filters(lsmod.mac_lsmod):
method check_filter (line 37) | def check_filter(self, context, fname, ptr, kernel_symbol_addresses, k...
method calculate (line 46) | def calculate(self):
method unified_output (line 70) | def unified_output(self, data):
method generator (line 77) | def generator(self, data):
method render_text (line 89) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/kevents.py
class mac_kevents (line 30) | class mac_kevents(common.AbstractMacCommand):
method _walk_karray (line 33) | def _walk_karray(self, address, count):
method calculate (line 44) | def calculate(self):
method _get_flags (line 71) | def _get_flags(self, fflags, filters):
method render_text (line 84) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/keychaindump.py
class mac_keychaindump (line 34) | class mac_keychaindump(pstasks.mac_tasks):
method calculate (line 37) | def calculate(self):
method unified_output (line 68) | def unified_output(self, data):
method generator (line 72) | def generator(self, data):
method render_text (line 81) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/ldrmodules.py
class mac_ldrmodules (line 34) | class mac_ldrmodules(mac_pslist.mac_pslist):
method calculate (line 37) | def calculate(self):
method unified_output (line 81) | def unified_output(self, data):
method generator (line 90) | def generator(self, data):
method render_text (line 111) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/librarydump.py
class mac_librarydump (line 36) | class mac_librarydump(mac_tasks.mac_tasks):
method __init__ (line 39) | def __init__(self, config, *args, **kwargs):
method unified_output (line 44) | def unified_output(self, data):
method generator (line 54) | def generator(self, data):
method render_text (line 74) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/list_files.py
class mac_list_files (line 32) | class mac_list_files(common.AbstractMacCommand):
method __init__ (line 35) | def __init__(self, config, *args, **kwargs):
method walk_vnodelist (line 45) | def walk_vnodelist(listhead, loop_vnodes):
method list_files (line 62) | def list_files(config):
method calculate (line 213) | def calculate(self):
method render_text (line 220) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/list_kauth_listeners.py
class mac_list_kauth_listeners (line 35) | class mac_list_kauth_listeners(kauth_scopes.mac_list_kauth_scopes):
method unified_output (line 38) | def unified_output(self, data):
method generator (line 49) | def generator(self, data):
method render_text (line 68) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/list_kauth_scopes.py
class mac_list_kauth_scopes (line 33) | class mac_list_kauth_scopes(common.AbstractMacCommand):
method calculate (line 36) | def calculate(self):
method unified_output (line 47) | def unified_output(self, data):
method generator (line 59) | def generator(self, data):
method render_text (line 76) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/list_raw.py
class mac_list_raw (line 36) | class mac_list_raw(mac_common.AbstractMacCommand):
method __init__ (line 39) | def __init__(self, config, *args, **kwargs):
method _fill_cache (line 43) | def _fill_cache(self):
method calculate (line 51) | def calculate(self):
method unified_output (line 71) | def unified_output(self, data):
method generator (line 78) | def generator(self, data):
method render_text (line 87) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/list_zones.py
class mac_list_zones (line 31) | class mac_list_zones(common.AbstractMacCommand):
method calculate (line 34) | def calculate(self):
method unified_output (line 53) | def unified_output(self, data):
method generator (line 60) | def generator(self, data):
method render_text (line 76) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/lsmod.py
class mac_lsmod (line 32) | class mac_lsmod(common.AbstractMacCommand):
method __init__ (line 35) | def __init__(self, config, *args, **kwargs):
method calculate (line 40) | def calculate(self):
method unified_output (line 68) | def unified_output(self, data):
method generator (line 76) | def generator(self, data):
method render_text (line 87) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/lsmod_iokit.py
class mac_lsmod_iokit (line 33) | class mac_lsmod_iokit(common.AbstractMacCommand):
method _struct_or_class (line 36) | def _struct_or_class(self, type_name):
method calculate (line 49) | def calculate(self):
method unified_output (line 68) | def unified_output(self, data):
method generator (line 78) | def generator(self, data):
method render_text (line 95) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/lsof.py
class mac_lsof (line 32) | class mac_lsof(pstasks.mac_tasks):
method unified_output (line 35) | def unified_output(self, data):
method generator (line 41) | def generator(self, data):
method render_text (line 51) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/mac_strings.py
class mac_strings (line 25) | class mac_strings(strings.Strings, mac_common.AbstractMacCommand):
method is_valid_profile (line 29) | def is_valid_profile(profile):
method get_processes (line 32) | def get_processes(self, addr_space):
method get_modules (line 52) | def get_modules(cls, addr_space):
method find_module (line 69) | def find_module(cls, modlist, mod_addrs, addr_space, vpage):
method get_module_name (line 93) | def get_module_name(cls, module):
method get_task_pid (line 104) | def get_task_pid(cls, task):
FILE: volatility/plugins/mac/mac_volshell.py
class mac_volshell (line 25) | class mac_volshell(volshell.volshell):
method is_valid_profile (line 29) | def is_valid_profile(profile):
method modules (line 32) | def modules(self):
method getpidlist (line 38) | def getpidlist(self):
method ps (line 41) | def ps(self, procs = None):
method context_display (line 46) | def context_display(self):
method set_context (line 51) | def set_context(self, offset = None, pid = None, name = None, physical...
FILE: volatility/plugins/mac/mac_yarascan.py
class MapYaraScanner (line 34) | class MapYaraScanner(malfind.BaseYaraScanner):
method __init__ (line 37) | def __init__(self, task = None, **kwargs):
method scan (line 46) | def scan(self, offset = 0, maxlen = None, max_size = None):
class mac_yarascan (line 55) | class mac_yarascan(malfind.YaraScan):
method __init__ (line 58) | def __init__(self, config, *args, **kwargs):
method is_valid_profile (line 63) | def is_valid_profile(profile):
method filter_tasks (line 66) | def filter_tasks(self):
method calculate (line 93) | def calculate(self):
method render_text (line 134) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/machine_info.py
class mac_machine_info (line 30) | class mac_machine_info(common.AbstractMacCommand):
method calculate (line 33) | def calculate(self):
method render_text (line 40) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/malfind.py
class mac_malfind (line 34) | class mac_malfind(mac_pstasks.mac_tasks):
method render_text (line 37) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/memdump.py
class mac_memdump (line 24) | class mac_memdump(pstasks.mac_tasks):
method __init__ (line 27) | def __init__(self, config, *args, **kwargs):
method render_text (line 31) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/moddump.py
class mac_moddump (line 34) | class mac_moddump(common.AbstractMacCommand):
method __init__ (line 37) | def __init__(self, config, *args, **kwargs):
method calculate (line 44) | def calculate(self):
method unified_output (line 73) | def unified_output(self, data):
method generator (line 82) | def generator(self, data):
method render_text (line 98) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/mount.py
class mac_mount (line 31) | class mac_mount(common.AbstractMacCommand):
method calculate (line 34) | def calculate(self):
method unified_output (line 45) | def unified_output(self, data):
method generator (line 53) | def generator(self, data):
method render_text (line 61) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/netconns.py
class mac_network_conns (line 32) | class mac_network_conns(common.AbstractMacCommand):
method _walk_pcb_hash (line 36) | def _walk_pcb_hash(self, proto_pcbinfo):
method _walk_pcb_list (line 52) | def _walk_pcb_list(self, proto_pcbinfo):
method _walk_pcb_entries (line 59) | def _walk_pcb_entries(self, inpcbinfo_addr):
method calculate (line 74) | def calculate(self):
method unified_output (line 93) | def unified_output(self, data):
method generator (line 103) | def generator(self, data):
method render_text (line 115) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/netstat.py
class mac_netstat (line 31) | class mac_netstat(mac_tasks.mac_tasks):
method unified_output (line 34) | def unified_output(self, data):
method generator (line 46) | def generator(self, data):
method render_text (line 76) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/notesapp.py
class mac_notesapp (line 36) | class mac_notesapp(pstasks.mac_tasks):
method __init__ (line 39) | def __init__(self, config, *args, **kwargs):
method calculate (line 43) | def calculate(self):
method unified_output (line 83) | def unified_output(self, data):
method generator (line 96) | def generator(self, data):
method render_text (line 113) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/notifiers.py
class mac_notifiers (line 33) | class mac_notifiers(lsmod.mac_lsmod):
method _struct_or_class (line 36) | def _struct_or_class(self, type_name):
method calculate (line 48) | def calculate(self):
method get_matching (line 108) | def get_matching(self, notifier):
method unified_output (line 129) | def unified_output(self, data):
method generator (line 137) | def generator(self, data):
method render_text (line 153) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/orphan_threads.py
class mac_orphan_threads (line 33) | class mac_orphan_threads(pstasks.mac_tasks):
method unified_output (line 36) | def unified_output(self, data):
method generator (line 47) | def generator(self, data):
method render_text (line 94) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/pgrp_hash_table.py
class mac_pgrp_hash_table (line 31) | class mac_pgrp_hash_table(pslist.mac_pslist):
method calculate (line 34) | def calculate(self):
FILE: volatility/plugins/mac/pid_hash_table.py
class mac_pid_hash_table (line 31) | class mac_pid_hash_table(pslist.mac_pslist):
method calculate (line 34) | def calculate(self):
FILE: volatility/plugins/mac/print_boot_cmdline.py
class mac_print_boot_cmdline (line 32) | class mac_print_boot_cmdline(common.AbstractMacCommand):
method calculate (line 35) | def calculate(self):
method unified_output (line 44) | def unified_output(self, data):
method generator (line 48) | def generator(self, data):
method render_text (line 52) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/proc_maps.py
class mac_proc_maps (line 33) | class mac_proc_maps(pstasks.mac_tasks):
method calculate (line 36) | def calculate(self):
method unified_output (line 45) | def unified_output(self, data):
method generator (line 54) | def generator(self, data):
method render_text (line 70) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/procdump.py
class mac_procdump (line 35) | class mac_procdump(mac_tasks.mac_tasks):
method __init__ (line 38) | def __init__(self, config, *args, **kwargs):
method unified_output (line 42) | def unified_output(self, data):
method generator (line 52) | def generator(self, data):
method render_text (line 65) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/psaux.py
class mac_psaux (line 31) | class mac_psaux(pstasks.mac_tasks):
method unified_output (line 34) | def unified_output(self, data):
method generator (line 44) | def generator(self, data):
method render_text (line 56) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/psenv.py
class mac_psenv (line 30) | class mac_psenv(pstasks.mac_tasks):
method unified_output (line 33) | def unified_output(self, data):
method generator (line 40) | def generator(self, data):
method render_text (line 49) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/pslist.py
class mac_pslist (line 33) | class mac_pslist(common.AbstractMacCommand):
method __init__ (line 36) | def __init__(self, config, *args, **kwargs):
method virtual_process_from_physical_offset (line 42) | def virtual_process_from_physical_offset(addr_space, offset):
method allprocs (line 49) | def allprocs(self):
method calculate (line 68) | def calculate(self):
method unified_output (line 92) | def unified_output(self, data):
method generator (line 104) | def generator(self, data):
method render_text (line 125) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/pstasks.py
class mac_tasks (line 30) | class mac_tasks(pslist.mac_pslist):
method __init__ (line 32) | def __init__(self, config, *args, **kwargs):
method allprocs (line 35) | def allprocs(self):
FILE: volatility/plugins/mac/pstree.py
class mac_pstree (line 29) | class mac_pstree(pstasks.mac_tasks):
method render_text (line 32) | def render_text(self, outfd, data):
method _recurse_task (line 45) | def _recurse_task(self, outfd, proc, level):
FILE: volatility/plugins/mac/psxview.py
class mac_psxview (line 32) | class mac_psxview(common.AbstractMacCommand):
method _get_pslist (line 35) | def _get_pslist(self):
method _get_parent_pointers (line 38) | def _get_parent_pointers(self):
method _get_pid_hash_table (line 41) | def _get_pid_hash_table(self):
method _get_pgrp_hash_table (line 44) | def _get_pgrp_hash_table(self):
method _get_session_hash_table (line 47) | def _get_session_hash_table(self):
method _get_procs_from_tasks (line 50) | def _get_procs_from_tasks(self):
method calculate (line 53) | def calculate(self):
method unified_output (line 75) | def unified_output(self, data):
method generator (line 87) | def generator(self, data):
method render_text (line 103) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/recover_filesystem.py
class mac_recover_filesystem (line 36) | class mac_recover_filesystem(mac_common.AbstractMacCommand):
method __init__ (line 39) | def __init__(self, config, *args, **kwargs):
method _fix_metadata (line 43) | def _fix_metadata(self, vnode, path):
method _write_file (line 58) | def _write_file(self, vnode, out_path):
method _make_path (line 80) | def _make_path(self, vnode, file_path):
method calculate (line 97) | def calculate(self):
method render_text (line 115) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/route.py
class mac_route (line 31) | class mac_route(common.AbstractMacCommand):
method _get_table (line 34) | def _get_table(self, tbl):
method calculate (line 91) | def calculate(self):
method unified_output (line 107) | def unified_output(self, data):
method generator (line 118) | def generator(self, data):
method render_text (line 131) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/session_hash_table.py
class mac_list_sessions (line 32) | class mac_list_sessions(pslist.mac_pslist):
method calculate (line 35) | def calculate(self):
method unified_output (line 52) | def unified_output(self, data):
method generator (line 58) | def generator(self, data):
method render_text (line 72) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/socket_filters.py
class mac_socket_filters (line 33) | class mac_socket_filters(lsmod.mac_lsmod):
method calculate (line 36) | def calculate(self):
method unified_output (line 73) | def unified_output(self, data):
method generator (line 83) | def generator(self, data):
method render_text (line 99) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/threads.py
class queue_entry (line 85) | class queue_entry(obj.CType):
method thread_walk_list (line 87) | def thread_walk_list(self, list_head):
method walk_list (line 97) | def walk_list(self, list_head):
class MacObjectClasses2 (line 107) | class MacObjectClasses2(obj.ProfileModification):
method modification (line 112) | def modification(self, profile):
class MacObjectClasses4 (line 117) | class MacObjectClasses4(obj.ProfileModification):
method modification (line 122) | def modification(self, profile):
class mac_threads (line 191) | class mac_threads(mac_tasks.mac_tasks):
method get_active_threads (line 194) | def get_active_threads(self):
method is_thread_active (line 204) | def is_thread_active(self, thread, active_threads):
method get_stack_map (line 210) | def get_stack_map(self, proc, proc_threads, bit_string):
method get_thread_registers (line 262) | def get_thread_registers(self, thread, bit_string):
method calculate (line 300) | def calculate(self):
method unified_output (line 370) | def unified_output(self, data):
method generator (line 387) | def generator(self, data):
method render_text (line 409) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/threads_simple.py
class mac_threads_simple (line 33) | class mac_threads_simple(pstasks.mac_tasks):
method unified_output (line 36) | def unified_output(self, data):
method generator (line 47) | def generator(self, data):
method render_text (line 71) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/timers.py
class mac_timers (line 29) | class mac_timers(common.AbstractMacCommand):
method calculate (line 32) | def calculate(self):
method render_text (line 77) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/trustedbsd.py
class mac_trustedbsd (line 35) | class mac_trustedbsd(mac_lsmod):
method get_members (line 38) | def get_members(self):
method calculate (line 42) | def calculate(self):
method unified_output (line 75) | def unified_output(self, data):
method generator (line 83) | def generator(self, data):
method render_text (line 97) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/version.py
class mac_version (line 30) | class mac_version(common.AbstractMacCommand):
method calculate (line 33) | def calculate(self):
method render_text (line 37) | def render_text(self, outfd, data):
FILE: volatility/plugins/mac/vfsevents.py
class mac_vfsevents (line 30) | class mac_vfsevents(common.AbstractMacCommand):
method calculate (line 33) | def calculate(self):
method render_text (line 69) | def render_text(self, outfd, data):
FILE: volatility/plugins/machoinfo.py
class MachOInfo (line 22) | class MachOInfo(crashinfo.CrashInfo):
method render_text (line 27) | def render_text(self, outfd, data):
FILE: volatility/plugins/malware/apihooks.py
class MalwareWSPVTypes (line 107) | class MalwareWSPVTypes(obj.ProfileModification):
method modification (line 111) | def modification(self, profile):
class ModuleGroup (line 121) | class ModuleGroup(object):
method __init__ (line 124) | def __init__(self, mod_list):
method find_module (line 142) | def find_module(self, address):
class Hook (line 162) | class Hook(object):
method __init__ (line 166) | def __init__(self, hook_type, hook_mode, function_name,
method add_hop_chunk (line 204) | def add_hop_chunk(self, address, data):
method _module_name (line 208) | def _module_name(self, module):
method Type (line 223) | def Type(self):
method Mode (line 228) | def Mode(self):
method Function (line 236) | def Function(self):
method Detail (line 241) | def Detail(self):
method HookModule (line 253) | def HookModule(self):
method VictimModule (line 258) | def VictimModule(self):
class ApiHooks (line 332) | class ApiHooks(procdump.ProcDump):
method __init__ (line 335) | def __init__(self, config, *args, **kwargs):
method compile (line 379) | def compile(self):
method whitelist (line 399) | def whitelist(self, rule_key, process, src_mod, dst_mod, function):
method check_syscall (line 432) | def check_syscall(addr_space, module, module_group):
method check_ucpcall (line 528) | def check_ucpcall(self, addr_space, module, module_group):
method check_wsp (line 605) | def check_wsp(self, addr_space, module, module_group):
method check_inline (line 703) | def check_inline(va, addr_space, mem_start, mem_end, mode = distorm3.D...
method gather_stuff (line 846) | def gather_stuff(self, _addr_space, module):
method get_hooks (line 865) | def get_hooks(self, hook_mode, addr_space, module, module_group):
method calculate (line 1018) | def calculate(self):
method unified_output (line 1088) | def unified_output(self, data):
method generator (line 1103) | def generator(self, data):
method render_text (line 1137) | def render_text(self, outfd, data):
FILE: volatility/plugins/malware/callbacks.py
class _SHUTDOWN_PACKET (line 147) | class _SHUTDOWN_PACKET(obj.CType):
method is_valid (line 150) | def is_valid(self):
class CallbackMods (line 180) | class CallbackMods(obj.ProfileModification):
method modification (line 183) | def modification(self, profile):
class AbstractCallbackScanner (line 196) | class AbstractCallbackScanner(poolscan.PoolScanner):
class PoolScanFSCallback (line 199) | class PoolScanFSCallback(AbstractCallbackScanner):
method __init__ (line 202) | def __init__(self, address_space):
class PoolScanShutdownCallback (line 218) | class PoolScanShutdownCallback(AbstractCallbackScanner):
method __init__ (line 221) | def __init__(self, address_space):
class PoolScanGenericCallback (line 237) | class PoolScanGenericCallback(AbstractCallbackScanner):
method __init__ (line 240) | def __init__(self, address_space):
class PoolScanDbgPrintCallback (line 257) | class PoolScanDbgPrintCallback(AbstractCallbackScanner):
method __init__ (line 260) | def __init__(self, address_space):
class PoolScanRegistryCallback (line 271) | class PoolScanRegistryCallback(AbstractCallbackScanner):
method __init__ (line 274) | def __init__(self, address_space):
class PoolScanPnp9 (line 285) | class PoolScanPnp9(AbstractCallbackScanner):
method __init__ (line 288) | def __init__(self, address_space):
class PoolScanPnpD (line 300) | class PoolScanPnpD(AbstractCallbackScanner):
method __init__ (line 303) | def __init__(self, address_space):
class PoolScanPnpC (line 314) | class PoolScanPnpC(AbstractCallbackScanner):
method __init__ (line 317) | def __init__(self, address_space):
class Callbacks (line 332) | class Callbacks(common.AbstractScanCommand):
method get_kernel_callbacks (line 338) | def get_kernel_callbacks(nt_mod):
method get_bugcheck_callbacks (line 414) | def get_bugcheck_callbacks(addr_space):
method get_registry_callbacks_legacy (line 429) | def get_registry_callbacks_legacy(nt_mod):
method get_bugcheck_reason_callbacks (line 486) | def get_bugcheck_reason_callbacks(nt_mod):
method calculate (line 536) | def calculate(self):
method unified_output (line 607) | def unified_output(self, data):
method generator (line 614) | def generator(self, data):
method render_text (line 630) | def render_text(self, outfd, data):
FILE: volatility/plugins/malware/cmdhistory.py
class _CONSOLE_INFORMATION (line 341) | class _CONSOLE_INFORMATION(obj.CType):
method get_histories (line 344) | def get_histories(self):
method get_exe_aliases (line 348) | def get_exe_aliases(self):
method get_processes (line 362) | def get_processes(self):
method get_screens (line 376) | def get_screens(self):
class _CONSOLE_PROCESS (line 398) | class _CONSOLE_PROCESS(obj.CType):
method reference_object_by_handle (line 401) | def reference_object_by_handle(self):
class _SCREEN_INFORMATION (line 415) | class _SCREEN_INFORMATION(obj.CType):
method get_buffer (line 418) | def get_buffer(self, truncate = True):
class _EXE_ALIAS_LIST (line 459) | class _EXE_ALIAS_LIST(obj.CType):
method get_aliases (line 462) | def get_aliases(self):
class _COMMAND_HISTORY (line 468) | class _COMMAND_HISTORY(obj.CType):
method is_valid (line 471) | def is_valid(self, max_history = MAX_HISTORY_DEFAULT): #pylint: disabl...
method get_commands (line 511) | def get_commands(self):
class CmdHistoryVTypesx86 (line 527) | class CmdHistoryVTypesx86(obj.ProfileModification):
method check (line 533) | def check(self, profile):
method modification (line 539) | def modification(self, profile):
class CmdHistoryVTypesx64 (line 542) | class CmdHistoryVTypesx64(obj.ProfileModification):
method check (line 548) | def check(self, profile):
method modification (line 554) | def modification(self, profile):
class CmdHistoryVTypesWin7x86 (line 557) | class CmdHistoryVTypesWin7x86(obj.ProfileModification):
method modification (line 566) | def modification(self, profile):
class CmdHistoryVTypesWin7x64 (line 569) | class CmdHistoryVTypesWin7x64(obj.ProfileModification):
method modification (line 578) | def modification(self, profile):
class CmdHistoryObjectClasses (line 581) | class CmdHistoryObjectClasses(obj.ProfileModification):
method modification (line 588) | def modification(self, profile):
class CmdScan (line 601) | class CmdScan(common.AbstractWindowsCommand):
method __init__ (line 604) | def __init__(self, config, *args, **kwargs):
method cmdhistory_process_filter (line 611) | def cmdhistory_process_filter(self, addr_space):
method calculate (line 632) | def calculate(self):
method unified_output (line 658) | def unified_output(self, data):
method generator (line 675) | def generator(self, data):
method render_text (line 711) | def render_text(self, outfd, data):
class Consoles (line 747) | class Consoles(CmdScan):
method __init__ (line 750) | def __init__(self, config, *args, **kwargs):
method calculate (line 757) | def calculate(self):
method unified_output (line 786) | def unified_output(self, data):
method _get_values (line 819) | def _get_values(self, task, console, process=None, console_proc=None,
method generator (line 921) | def generator(self, data):
method render_text (line 963) | def render_text(self, outfd, data):
FILE: volatility/plugins/malware/devicetree.py
class _DRIVER_OBJECT (line 130) | class _DRIVER_OBJECT(obj.CType, windows.ExecutiveObjectMixin):
method devices (line 133) | def devices(self):
method is_valid (line 141) | def is_valid(self):
class _DEVICE_OBJECT (line 145) | class _DEVICE_OBJECT(obj.CType, windows.ExecutiveObjectMixin):
method attached_devices (line 148) | def attached_devices(self):
class MalwareDrivers (line 160) | class MalwareDrivers(obj.ProfileModification):
method modification (line 163) | def modification(self, profile):
class DeviceTree (line 173) | class DeviceTree(filescan.DriverScan):
method render_text (line 176) | def render_text(self, outfd, data):
class DriverIrp (line 224) | class DriverIrp(filescan.DriverScan):
method __init__ (line 227) | def __init__(self, config, *args, **kwargs):
method render_text (line 233) | def render_text(self, outfd, data):
FILE: volatility/plugins/malware/idt.py
class _KIDTENTRY (line 75) | class _KIDTENTRY(obj.CType):
method Address (line 79) | def Address(self):
class _KGDTENTRY (line 87) | class _KGDTENTRY(obj.CType):
method Type (line 91) | def Type(self):
method Base (line 103) | def Base(self):
method Limit (line 109) | def Limit(self):
method CallGate (line 120) | def CallGate(self):
method Present (line 125) | def Present(self):
method Granularity (line 130) | def Granularity(self):
method Dpl (line 136) | def Dpl(self):
class MalwareIDTGDTx86 (line 144) | class MalwareIDTGDTx86(obj.ProfileModification):
method modification (line 148) | def modification(self, profile):
class GDT (line 168) | class GDT(common.AbstractWindowsCommand):
method is_valid_profile (line 172) | def is_valid_profile(profile):
method calculate (line 176) | def calculate(self):
method unified_output (line 189) | def unified_output(self, data):
method generator (line 201) | def generator(self, data):
method render_text (line 237) | def render_text(self, outfd, data):
class IDT (line 289) | class IDT(common.AbstractWindowsCommand):
method is_valid_profile (line 293) | def is_valid_profile(profile):
method get_section_name (line 298) | def get_section_name(mod, addr):
method calculate (line 322) | def calculate(self):
method unified_output (line 351) | def unified_output(self, data):
method generator (line 361) | def generator(self, data):
method render_text (line 383) | def render_text(self, outfd, data):
FILE: volatility/plugins/malware/impscan.py
class ImpScan (line 37) | class ImpScan(common.AbstractWindowsCommand):
method __init__ (line 40) | def __init__(self, config, *args, **kwargs):
method enum_apis (line 82) | def enum_apis(all_mods):
method _call_or_unc_jmp (line 105) | def _call_or_unc_jmp(self, op):
method _vicinity_scan (line 116) | def _vicinity_scan(self, addr_space, calls_imported,
method _original_import (line 183) | def _original_import(self, mod_name, func_name):
method call_scan (line 196) | def call_scan(self, addr_space, base_address, data, is_wow64 = False):
method calculate (line 262) | def calculate(self):
method unified_output (line 382) | def unified_output(self, data):
method generator (line 389) | def generator(self, data):
method render_text (line 400) | def render_text(self, outfd, data):
method render_idc (line 420) | def render_idc(self, outfd, data):
FILE: volatility/plugins/malware/malfind.py
function Disassemble (line 53) | def Disassemble(data, start, bits = '32bit', stoponret = False):
class BaseYaraScanner (line 87) | class BaseYaraScanner(object):
method __init__ (line 91) | def __init__(self, address_space = None, rules = None):
method scan (line 95) | def scan(self, offset, maxlen):
class VadYaraScanner (line 120) | class VadYaraScanner(BaseYaraScanner):
method __init__ (line 123) | def __init__(self, task = None, **kwargs):
method scan (line 132) | def scan(self, offset = 0, maxlen = None):
class DiscontigYaraScanner (line 145) | class DiscontigYaraScanner(BaseYaraScanner):
method scan (line 148) | def scan(self, start_offset = 0, maxlen = None):
class YaraScan (line 182) | class YaraScan(taskmods.DllList):
method __init__ (line 185) | def __init__(self, config, *args, **kwargs):
method _compile_rules (line 211) | def _compile_rules(self):
method _scan_process_memory (line 243) | def _scan_process_memory(self, addr_space, rules):
method _scan_kernel_memory (line 249) | def _scan_kernel_memory(self, addr_space, rules):
method calculate (line 287) | def calculate(self):
method unified_output (line 308) | def unified_output(self, data):
method generator (line 315) | def generator(self, data):
method render_text (line 338) | def render_text(self, outfd, data):
class Malfind (line 373) | class Malfind(vadinfo.VADDump):
method __init__ (line 376) | def __init__(self, config, *args, **kwargs):
method _is_vad_empty (line 390) | def _is_vad_empty(self, vad, address_space):
method unified_output (line 415) | def unified_output(self, data):
method generator (line 425) | def generator(self, data):
method render_text (line 454) | def render_text(self, outfd, data):
class LdrModules (line 523) | class LdrModules(taskmods.DllList):
method unified_output (line 526) | def unified_output(self, data):
method generator (line 549) | def generator(self, data):
method render_text (line 605) | def render_text(self, outfd, data):
FILE: volatility/plugins/malware/psxview.py
class _PSP_CID_TABLE (line 51) | class _PSP_CID_TABLE(windows._HANDLE_TABLE): #pylint: disable-msg=W0212
method get_item (line 54) | def get_item(self, entry, handle_value = 0):
class MalwarePspCid (line 69) | class MalwarePspCid(obj.ProfileModification):
method modification (line 73) | def modification(self, profile):
class PsXview (line 87) | class PsXview(common.AbstractWindowsCommand, sessions.SessionsMixin):
method __init__ (line 90) | def __init__(self, config, *args):
method get_file_offset (line 98) | def get_file_offset(process):
method check_pslist (line 121) | def check_pslist(self, all_tasks):
method check_psscan (line 125) | def check_psscan(self):
method check_thrdproc (line 130) | def check_thrdproc(self, _addr_space):
method check_sessions (line 151) | def check_sessions(self, addr_space):
method check_desktop_thread (line 161) | def check_desktop_thread(self, addr_space):
method check_pspcid (line 175) | def check_pspcid(self, addr_space):
method check_csrss_handles (line 191) | def check_csrss_handles(self, all_tasks):
method calculate (line 205) | def calculate(self):
method render_xlsx (line 235) | def render_xlsx(self, outfd, data):
method unified_output (line 362) | def unified_output(self, data):
method generator (line 376) | def generator(self, data):
method render_text (line 426) | def render_text(self, outfd, data):
FILE: volatility/plugins/malware/servicediff.py
class ServiceDiff (line 30) | class ServiceDiff(svcscan.SvcScan):
method is_valid_profile (line 34) | def is_valid_profile(profile):
method services_from_registry (line 39) | def services_from_registry(addr_space):
method services_from_memory_list (line 73) | def services_from_memory_list(addr_space):
method compare (line 150) | def compare(reg_list, mem_list):
method calculate (line 168) | def calculate(self):
method render_text (line 181) | def render_text(self, outfd, data):
FILE: volatility/plugins/malware/svcscan.py
class _SERVICE_RECORD_LEGACY (line 113) | class _SERVICE_RECORD_LEGACY(obj.CType):
method Binary (line 117) | def Binary(self):
method Pid (line 133) | def Pid(self):
method is_valid (line 142) | def is_valid(self):
method traverse (line 151) | def traverse(self):
class _SERVICE_RECORD_RECENT (line 158) | class _SERVICE_RECORD_RECENT(_SERVICE_RECORD_LEGACY):
method traverse (line 161) | def traverse(self):
class _SERVICE_HEADER (line 175) | class _SERVICE_HEADER(obj.CType):
method is_valid (line 178) | def is_valid(self):
class ServiceBase (line 188) | class ServiceBase(obj.ProfileModification):
method modification (line 194) | def modification(self, profile):
class ServiceBasex64 (line 204) | class ServiceBasex64(obj.ProfileModification):
method modification (line 211) | def modification(self, profile):
class ServiceVista (line 214) | class ServiceVista(obj.ProfileModification):
method modification (line 221) | def modification(self, profile):
class ServiceVistax86 (line 229) | class ServiceVistax86(obj.ProfileModification):
method modification (line 238) | def modification(self, profile):
class ServiceVistax64 (line 252) | class ServiceVistax64(obj.ProfileModification):
method modification (line 261) | def modification(self, profile):
class Service8x64 (line 275) | class Service8x64(obj.ProfileModification):
method modification (line 284) | def modification(self, profile):
class Service10_15063x64 (line 304) | class Service10_15063x64(obj.ProfileModification):
method modification (line 314) | def modification(self, profile):
class Service10_16299x64 (line 329) | class Service10_16299x64(obj.ProfileModification):
method modification (line 340) | def modification(self, profile):
class Service10_18362x64 (line 347) | class Service10_18362x64(obj.ProfileModification):
method modification (line 358) | def modification(self, profile):
class Service10_19041x64 (line 373) | class Service10_19041x64(obj.ProfileModification):
method modification (line 384) | def modification(self, profile):
class Service8x86 (line 392) | class Service8x86(obj.ProfileModification):
method modification (line 401) | def modification(self, profile):
class Service10_15063x86 (line 421) | class Service10_15063x86(obj.ProfileModification):
method modification (line 431) | def modification(self, profile):
class Service10_16299x86 (line 447) | class Service10_16299x86(obj.ProfileModification):
method modification (line 458) | def modification(self, profile):
class Service10_17763x86 (line 465) | class Service10_17763x86(obj.ProfileModification):
method modification (line 476) | def modification(self, profile):
class Service10_18362x86 (line 491) | class Service10_18362x86(obj.ProfileModification):
method modification (line 502) | def modification(self, profile):
class Service10_19041x86 (line 517) | class Service10_19041x86(obj.ProfileModification):
method modification (line 528) | def modification(self, profile):
class SvcScan (line 543) | class SvcScan(common.AbstractWindowsCommand):
method calculate (line 546) | def calculate(self):
method render_dot (line 595) | def render_dot(self, outfd, data):
method get_service_info (line 642) | def get_service_info(regapi):
method unified_output (line 675) | def unified_output(self, data):
method generator (line 702) | def generator(self, data):
method render_text (line 733) | def render_text(self, outfd, data):
FILE: volatility/plugins/malware/threads.py
class MalwareKthread (line 81) | class MalwareKthread(obj.ProfileModification):
method modification (line 84) | def modification(self, profile):
class AbstractThreadCheck (line 91) | class AbstractThreadCheck(object):
method __init__ (line 94) | def __init__(self, thread, mods, mod_addrs, \
method check (line 119) | def check(self):
class OrphanThread (line 122) | class OrphanThread(AbstractThreadCheck):
method check (line 125) | def check(self):
class DkomExit (line 138) | class DkomExit(AbstractThreadCheck):
method check (line 141) | def check(self):
class HideFromDebug (line 150) | class HideFromDebug(AbstractThreadCheck):
method check (line 153) | def check(self):
class SystemThread (line 159) | class SystemThread(AbstractThreadCheck):
method check (line 162) | def check(self):
class Impersonation (line 168) | class Impersonation(AbstractThreadCheck):
method check (line 171) | def check(self):
class HwBreakpoint (line 177) | class HwBreakpoint(AbstractThreadCheck):
method check (line 180) | def check(self):
class AttachedProcess (line 204) | class AttachedProcess(AbstractThreadCheck):
method check (line 207) | def check(self):
class HookedSSDT (line 215) | class HookedSSDT(AbstractThreadCheck):
method check (line 218) | def check(self):
class ScannerOnly (line 236) | class ScannerOnly(AbstractThreadCheck):
method check (line 239) | def check(self):
class Threads (line 249) | class Threads(taskmods.DllList):
method __init__ (line 252) | def __init__(self, config, *args, **kwargs):
method get_hooked_tables (line 261) | def get_hooked_tables(self, addr_space):
method calculate (line 319) | def calculate(self):
method unified_output (line 421) | def unified_output(self, data):
method generator (line 474) | def generator(self, data):
method render_text (line 605) | def render_text(self, outfd, data):
FILE: volatility/plugins/malware/timers.py
class _KTIMER (line 46) | class _KTIMER(obj.CType):
method Dpc (line 49) | def Dpc(self):
class TimerVTypes (line 92) | class TimerVTypes(obj.ProfileModification):
method modification (line 95) | def modification(self, profile):
class Timers (line 104) | class Timers(common.AbstractWindowsCommand):
method __init__ (line 107) | def __init__(self, config, *args, **kwargs):
method find_list_head (line 114) | def find_list_head(self, nt_mod, func, sig):
method calculate (line 141) | def calculate(self):
method unified_output (line 242) | def unified_output(self, data):
method generator (line 251) | def generator(self, data):
method render_text (line 268) | def render_text(self, outfd, data):
FILE: volatility/plugins/mbrparser.py
class PARTITION_ENTRY (line 126) | class PARTITION_ENTRY(obj.CType):
method get_value (line 127) | def get_value(self, char):
method get_type (line 132) | def get_type(self):
method is_bootable (line 135) | def is_bootable(self):
method is_bootable_and_used (line 138) | def is_bootable_and_used(self):
method is_valid (line 141) | def is_valid(self):
method is_used (line 144) | def is_used(self):
method StartingSector (line 147) | def StartingSector(self):
method StartingCylinder (line 150) | def StartingCylinder(self):
method EndingSector (line 153) | def EndingSector(self):
method EndingCylinder (line 156) | def EndingCylinder(self):
method __str__ (line 159) | def __str__(self):
class MbrObjectTypes (line 174) | class MbrObjectTypes(obj.ProfileModification):
method modification (line 175) | def modification(self, profile):
class MBRScanner (line 181) | class MBRScanner(scan.BaseScanner):
method __init__ (line 184) | def __init__(self, window_size = 512, needles = None):
method scan (line 189) | def scan(self, address_space, offset = 0, maxlen = None):
class MBRParser (line 193) | class MBRParser(commands.Command):
method __init__ (line 195) | def __init__(self, config, *args, **kwargs):
method levenshtein (line 232) | def levenshtein(self, s1, s2):
method calculate (line 252) | def calculate(self):
method Hexdump (line 293) | def Hexdump(self, data, given_offset = 0, width = 16):
method _get_instructions (line 301) | def _get_instructions(self, boot_code):
method get_disasm_text (line 314) | def get_disasm_text(self, boot_code, start):
method unified_output (line 327) | def unified_output(self, data):
method generator (line 360) | def generator(self, data):
method render_text (line 431) | def render_text(self, outfd, data):
FILE: volatility/plugins/mftparser.py
class UnicodeString (line 47) | class UnicodeString(basic.String):
method __str__ (line 48) | def __str__(self):
method v (line 54) | def v(self):
class MFT_FILE_RECORD (line 138) | class MFT_FILE_RECORD(obj.CType):
method remove_unprintable (line 139) | def remove_unprintable(self, str):
method add_path (line 142) | def add_path(self, fileinfo):
method get_full_path (line 156) | def get_full_path(self, fileinfo):
method is_directory (line 179) | def is_directory(self):
method is_file (line 182) | def is_file(self):
method is_inuse (line 185) | def is_inuse(self):
method get_mft_type (line 188) | def get_mft_type(self):
method parse_attributes (line 192) | def parse_attributes(self, mft_buff, check = True, entrysize = 1024):
method advance_one (line 298) | def advance_one(self, next_off, mft_buff, end):
class RESIDENT_ATTRIBUTE (line 317) | class RESIDENT_ATTRIBUTE(obj.CType):
method process_attr_list (line 318) | def process_attr_list(self, bufferas, mft_entry, attributes = [], chec...
class STANDARD_INFORMATION (line 343) | class STANDARD_INFORMATION(obj.CType):
method is_valid (line 346) | def is_valid(self):
method get_type_short (line 366) | def get_type_short(self):
method get_type (line 381) | def get_type(self):
method get_header (line 399) | def get_header(self):
method __str__ (line 407) | def __str__(self):
method body (line 429) | def body(self, path, record_num, size, offset):
class FILE_NAME (line 471) | class FILE_NAME(STANDARD_INFORMATION):
method remove_unprintable (line 472) | def remove_unprintable(self, str):
method is_valid (line 478) | def is_valid(self):
method get_name (line 499) | def get_name(self):
method get_header (line 504) | def get_header(self):
method __str__ (line 512) | def __str__(self):
method get_full (line 535) | def get_full(self, full):
method body (line 563) | def body(self, path, record_num, size, offset):
class OBJECT_ID (line 592) | class OBJECT_ID(obj.CType):
method FmtObjectID (line 594) | def FmtObjectID(self, item):
method __str__ (line 601) | def __str__(self):
class MFTTYPES (line 782) | class MFTTYPES(obj.ProfileModification):
method modification (line 785) | def modification(self, profile):
class MFTScanner (line 797) | class MFTScanner(scan.BaseScanner):
method __init__ (line 800) | def __init__(self, needles = None):
method scan (line 805) | def scan(self, address_space, offset = 0, maxlen = None):
class MFTParser (line 810) | class MFTParser(common.AbstractWindowsCommand):
method __init__ (line 812) | def __init__(self, config, *args, **kwargs):
method calculate (line 831) | def calculate(self):
method render_body (line 876) | def render_body(self, outfd, data):
method unified_output (line 927) | def unified_output(self, data):
method generator (line 939) | def generator(self, data):
method render_text (line 1002) | def render_text(self, outfd, data):
FILE: volatility/plugins/moddump.py
class ModDump (line 35) | class ModDump(procdump.ProcDump):
method __init__ (line 38) | def __init__(self, config, *args, **kwargs):
method calculate (line 54) | def calculate(self):
method generator (line 84) | def generator(self, data):
method unified_output (line 96) | def unified_output(self, data):
method render_text (line 108) | def render_text(self, outfd, data):
FILE: volatility/plugins/modscan.py
class PoolScanModule (line 41) | class PoolScanModule(poolscan.PoolScanner):
method __init__ (line 44) | def __init__(self, address_space):
class ModScan (line 55) | class ModScan(common.AbstractScanCommand):
method unified_output (line 71) | def unified_output(self, data):
method render_text (line 89) | def render_text(self, outfd, data):
class PoolScanThread (line 105) | class PoolScanThread(poolscan.PoolScanner):
method __init__ (line 108) | def __init__(self, address_space):
class ThrdScan (line 124) | class ThrdScan(common.AbstractScanCommand):
method unified_output (line 129) | def unified_output(self, data):
method render_text (line 148) | def render_text(self, outfd, data):
FILE: volatility/plugins/modules.py
class Modules (line 30) | class Modules(common.AbstractWindowsCommand):
method __init__ (line 32) | def __init__(self, config, *args, **kwargs):
method generator (line 37) | def generator(self, data):
method unified_output (line 50) | def unified_output(self, data):
method render_text (line 61) | def render_text(self, outfd, data):
method calculate (line 85) | def calculate(self):
class UnloadedModules (line 92) | class UnloadedModules(common.AbstractWindowsCommand):
method unified_output (line 95) | def unified_output(self, data):
method render_text (line 110) | def render_text(self, outfd, data):
method calculate (line 121) | def calculate(self):
FILE: volatility/plugins/multiscan.py
class MultiScan (line 12) | class MultiScan(common.AbstractScanCommand):
method __init__ (line 15) | def __init__(self, config, *args, **kwargs):
method calculate (line 30) | def calculate(self):
method render_text (line 57) | def render_text(self, outfd, data):
FILE: volatility/plugins/netscan.py
class PoolScanUdpEndpoint (line 47) | class PoolScanUdpEndpoint(poolscan.PoolScanner):
method __init__ (line 50) | def __init__(self, address_space):
class PoolScanTcpListener (line 61) | class PoolScanTcpListener(poolscan.PoolScanner):
method __init__ (line 64) | def __init__(self, address_space):
class PoolScanTcpEndpoint (line 75) | class PoolScanTcpEndpoint(poolscan.PoolScanner):
method __init__ (line 78) | def __init__(self, address_space):
class _TCP_LISTENER (line 93) | class _TCP_LISTENER(obj.CType):
method AddressFamily (line 97) | def AddressFamily(self):
method Owner (line 101) | def Owner(self):
method dual_stack_sockets (line 104) | def dual_stack_sockets(self):
method is_valid (line 127) | def is_valid(self):
class _TCP_ENDPOINT (line 130) | class _TCP_ENDPOINT(_TCP_LISTENER):
method _ipv4_or_ipv6 (line 133) | def _ipv4_or_ipv6(self, in_addr):
method LocalAddress (line 141) | def LocalAddress(self):
method RemoteAddress (line 148) | def RemoteAddress(self):
method is_valid (line 154) | def is_valid(self):
class _UDP_ENDPOINT (line 169) | class _UDP_ENDPOINT(_TCP_LISTENER):
class _LOCAL_ADDRESS (line 172) | class _LOCAL_ADDRESS(obj.CType):
method inaddr (line 175) | def inaddr(self):
class _LOCAL_ADDRESS_WIN10_UDP (line 178) | class _LOCAL_ADDRESS_WIN10_UDP(obj.CType):
method inaddr (line 181) | def inaddr(self):
class NetscanObjectClasses (line 188) | class NetscanObjectClasses(obj.ProfileModification):
method modification (line 197) | def modification(self, profile):
class Netscan (line 210) | class Netscan(common.AbstractScanCommand):
method is_valid_profile (line 216) | def is_valid_profile(profile):
method calculate (line 220) | def calculate(self):
method unified_output (line 246) | def unified_output(self, data):
method generator (line 257) | def generator(self, data):
method render_text (line 278) | def render_text(self, outfd, data):
FILE: volatility/plugins/notepad.py
class _HEAP (line 32) | class _HEAP(obj.CType):
method is_valid (line 35) | def is_valid(self):
method segments (line 38) | def segments(self):
class _HEAP_SEGMENT (line 47) | class _HEAP_SEGMENT(obj.CType):
method is_valid (line 50) | def is_valid(self):
method heap_entries (line 53) | def heap_entries(self):
class _HEAP_ENTRY (line 75) | class _HEAP_ENTRY(obj.CType):
method get_data (line 78) | def get_data(self):
method get_extra (line 87) | def get_extra(self):
class XPHeapModification (line 99) | class XPHeapModification(obj.ProfileModification):
method modification (line 107) | def modification(self, profile):
class Notepad (line 172) | class Notepad(taskmods.DllList):
method __init__ (line 175) | def __init__(self, config, *args, **kwargs):
method is_valid_profile (line 181) | def is_valid_profile(profile):
method unified_output (line 185) | def unified_output(self, data):
method generator (line 191) | def generator(self, data):
method render_text (line 221) | def render_text(self, outfd, data):
FILE: volatility/plugins/objtypescan.py
class ObjectTypeScanner (line 26) | class ObjectTypeScanner(poolscan.PoolSca
Condensed preview — 459 files, each showing path, character count, and a content snippet. Download the .json file for the full structured content (35,014K chars).
[
{
"path": ".gitattributes",
"chars": 12,
"preview": "* text=auto\n"
},
{
"path": ".gitignore",
"chars": 485,
"preview": "*.py[cod]\n\n# Pycharm ide library\n.idea\n\n*.swp\n\n# C extensions\n*.so\n\n# Packages\n*.egg\n*.egg-info\ndist\nbuild\neggs\nparts\nbi"
},
{
"path": "AUTHORS.txt",
"chars": 778,
"preview": "===============================================\nThis file identifies core Volatility authors. \n\nAll lists are alphabetic"
},
{
"path": "CHANGELOG.txt",
"chars": 23831,
"preview": "Changelog\n\nAs of Volatility 2.4, all changes are now tracked on the GitHub site:\n\nhttps://github.com/volatilityfoundatio"
},
{
"path": "CREDITS.txt",
"chars": 3927,
"preview": "===============================================\nWe would like to acknowledge individuals that \nhave made significant con"
},
{
"path": "LEGAL.txt",
"chars": 698,
"preview": "Volatility\n===============\n\nLicense\n-------\n\nCopyright (C) 2007-2013 Volatility Foundation\n\nVolatility is free software;"
},
{
"path": "LICENSE.txt",
"chars": 15127,
"preview": "\t\t GNU GENERAL PUBLIC LICENSE\n\t\t Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc."
},
{
"path": "MANIFEST.in",
"chars": 348,
"preview": "include *.txt\ninclude *.win\ninclude MANIFEST.in\ninclude setup.py\ninclude resources/*\ninclude pyinstaller/*.py\ninclude vo"
},
{
"path": "Makefile",
"chars": 178,
"preview": "all: build\n\nbuild:\n\tpython setup.py build\n\ninstall:\n\tpython setup.py install\n\ndist:\n\tpython setup.py sdist\n\nclean:\n\trm -"
},
{
"path": "PKG-INFO",
"chars": 254,
"preview": "Metadata-Version: 1.0\nName: Volatility\nVersion: GC1\nSummary: Volatility -- Volatile memory framwork\nHome-page: http://ww"
},
{
"path": "README.txt",
"chars": 32164,
"preview": "This project is archived. See Volatility 3 for modern investigations: https://github.com/volatilityfoundation/volatility"
},
{
"path": "contrib/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "contrib/library_example/libapi.py",
"chars": 1478,
"preview": "# Volatility\n# Copyright (c) 2015 Michael Ligh (michael.ligh@mnin.org)\n#\n# This file is part of Volatility.\n#\n# Volatili"
},
{
"path": "contrib/library_example/pslist_json.py",
"chars": 1698,
"preview": "# Volatility\n# Copyright (c) 2015 Michael Ligh (michael.ligh@mnin.org)\n#\n# This file is part of Volatility.\n#\n# Volatili"
},
{
"path": "contrib/plugins/README.md",
"chars": 107,
"preview": "Plugins in this directory have moved. Please see the github.com/volatilityfoundation/community repository.\n"
},
{
"path": "contrib/plugins/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "contrib/plugins/aspaces/README.md",
"chars": 107,
"preview": "Plugins in this directory have moved. Please see the github.com/volatilityfoundation/community repository.\n"
},
{
"path": "contrib/plugins/disablewarnings.py",
"chars": 1244,
"preview": "# Volatility\n#\n# Authors:\n# Mike Auty <mike.auty@gmail.com>\n#\n# This file is part of Volatility.\n#\n# Volatility is free "
},
{
"path": "contrib/plugins/example.py",
"chars": 2769,
"preview": "# Volatility\n#\n# Authors:\n# Mike Auty <mike.auty@gmail.com>\n#\n# This file is part of Volatility.\n#\n# Volatility is free "
},
{
"path": "contrib/plugins/malware/README.md",
"chars": 107,
"preview": "Plugins in this directory have moved. Please see the github.com/volatilityfoundation/community repository.\n"
},
{
"path": "pyinstaller/hook-distorm3.py",
"chars": 692,
"preview": "# Distorm3 hook\n#\n# This currently contains the hardcoded location for the standard distorm3.dll install\n# It could be i"
},
{
"path": "pyinstaller/hook-openpyxl.py",
"chars": 528,
"preview": "# Openpyxl hook\n#\n# This currently contains the hardcoded location for the .constants.json file\n# It could be improved b"
},
{
"path": "pyinstaller/hook-volatility.py",
"chars": 729,
"preview": "\nimport os\n\nprojpath = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))\n\nmodules = set(['volatility.plugins']"
},
{
"path": "pyinstaller/hook-yara.py",
"chars": 284,
"preview": "import os\nimport sys\n\ndatas = []\n\nfor path in sys.path:\n if os.path.exists(os.path.join(path, \"yara.pyd\")):\n d"
},
{
"path": "pyinstaller.spec",
"chars": 1007,
"preview": "# -*- mode: python -*-\nimport sys\n\nprojpath = os.path.dirname(os.path.abspath(SPEC))\n\ndef get_plugins(list):\n for ite"
},
{
"path": "setup.py",
"chars": 3606,
"preview": "#!/usr/bin/env python\n\n# Volatility\n# \n# Authors:\n# AAron Walters <awalters@4tphi.net>\n# Mike Auty <mike.auty@gmail.com>"
},
{
"path": "tools/doxygen/config",
"chars": 100764,
"preview": "# Doxyfile 1.8.7\n\n# This file describes the settings to be used by the documentation system\n# doxygen (www.doxygen.org) "
},
{
"path": "tools/doxygen/d3/createtree.py",
"chars": 875,
"preview": "import os\nimport json\n\n'''\nAuthor: Gleeda <jamie@memoryanalysis.net>\n\nmodified from:\n http://stackoverflow.com/question"
},
{
"path": "tools/doxygen/d3/tree.html",
"chars": 4445,
"preview": "<!DOCTYPE html>\n<!-- modified from http://mbostock.github.io/d3/talk/20111018/tree.html -->\n<meta charset=\"utf-8\">\n<styl"
},
{
"path": "tools/linux/Makefile",
"chars": 384,
"preview": "obj-m += module.o\nKDIR ?= /\nKVER ?= $(shell uname -r)\n\n-include version.mk\n\nall: dwarf \n\ndwarf: module.c\n\t$(MAKE) -C $(K"
},
{
"path": "tools/linux/Makefile.enterprise",
"chars": 314,
"preview": "obj-m += module.o\nKDIR ?= /lib/modules/3.5.0-23-generic/build\n\n-include version.mk\n\nall: dwarf \n\ndwarf: module.c\n\t$(MAKE"
},
{
"path": "tools/linux/kcore/Makefile",
"chars": 107,
"preview": "CC=gcc\n\nall: getkcore\n\ngetkcore: getkcore.c\n\tgcc -o getkcore getkcore.c -Wall -Wextra\n\nclean:\n\trm getkcore\n"
},
{
"path": "tools/linux/kcore/elf.h",
"chars": 117593,
"preview": "/* This file defines standard ELF types, structures, and macros.\n Copyright (C) 1995-2003,2004,2005,2006,2007,2008,200"
},
{
"path": "tools/linux/kcore/getkcore.c",
"chars": 7799,
"preview": "/*\n\nAuthor: Andrew Case / andrew@dfir.org\nLicense: GPLv2\n\nTOOLS PURPOSE:\n64-bit Linux Physical Memory Acquistion from Us"
},
{
"path": "tools/linux/kcore/getkcore.h",
"chars": 238,
"preview": "#ifndef _GETKCORE_H\n#define _GETKCORE_H\n\ntypedef struct {\n\tunsigned int magic;\n\tunsigned int version;\n\tunsigned long lon"
},
{
"path": "tools/linux/module.c",
"chars": 17625,
"preview": "/*\n This module does absolutely nothings at all. We just build it with debugging\nsymbols and then read the DWARF symbol"
},
{
"path": "tools/mac/convert.py",
"chars": 20612,
"preview": "#!/usr/bin/env python\n\nimport os, sys, re\n\nclass DWARFParser(object):\n \"\"\"A parser for DWARF files.\"\"\"\n\n # Nasty, "
},
{
"path": "tools/mac/generate_profile_list.py",
"chars": 3305,
"preview": "# Volatility\n#\n# This file is part of Volatility.\n#\n# Volatility is free software; you can redistribute it and/or modify"
},
{
"path": "tools/mac/mac_create_all_profiles.py",
"chars": 5635,
"preview": "# Volatility\n#\n# This file is part of Volatility.\n#\n# Volatility is free software; you can redistribute it and/or modify"
},
{
"path": "tools/mac/parse_pbzx2.py",
"chars": 3121,
"preview": "#\n# parse_pbzx.py \n# Useful for extracting \"Payload\" files from newer Kernel Debug Kits\n# you can then decompress tha"
},
{
"path": "tools/vtype_diff.py",
"chars": 7414,
"preview": "#!/usr/bin/env python\n# -*- mode: python; -*-\n#\n# Volatility\n# Authors:\n# Brendan Dolan-Gavitt\n# Mike Auty\n#\n# This"
},
{
"path": "tools/windows/parsesummary.py",
"chars": 2256,
"preview": "import json\nimport sys\nimport os\n\n\"\"\"\nAuthor: Gleeda <jamie.levy@gmail.com>\n\nThis program is free software; you can redi"
},
{
"path": "vol.py",
"chars": 6517,
"preview": "#!/usr/bin/env python\n# -*- mode: python; -*-\n#\n# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This f"
},
{
"path": "volatility/__init__.py",
"chars": 1,
"preview": "\n"
},
{
"path": "volatility/addrspace.py",
"chars": 15615,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# Original Source:\n# Copyright (C) 2004,2005,2006 4tphi R"
},
{
"path": "volatility/cache.py",
"chars": 24520,
"preview": "# This file is part of Volatility.\n#\n# Volatility is free software; you can redistribute it and/or modify\n# it under the"
},
{
"path": "volatility/commands.py",
"chars": 13114,
"preview": "# Volatility\n# Copyright (C) 2008-2015 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/conf.py",
"chars": 15263,
"preview": "## This file was taken from PyFlag http://www.pyflag.net/\n# Michael Cohen <scudette@users.sourceforge.net>\n# David Colle"
},
{
"path": "volatility/constants.py",
"chars": 1154,
"preview": "# Volatility\n# Copyright (C) 2008-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/debug.py",
"chars": 2716,
"preview": "# Volatility\n#\n# Authors:\n# Michael Cohen <scudette@users.sourceforge.net>\n#\n# This file is part of Volatility.\n#\n# Vola"
},
{
"path": "volatility/dwarf.py",
"chars": 14474,
"preview": "# Volatility\n# Copyright (C) 2010 Brendan Dolan-Gavitt\n# Copyright (c) 2011 Michael Cohen <scudette@gmail.com>\n#\n# This "
},
{
"path": "volatility/exceptions.py",
"chars": 1764,
"preview": "# Volatility\n#\n# This file is part of Volatility.\n#\n# Volatility is free software; you can redistribute it and/or modify"
},
{
"path": "volatility/fmtspec.py",
"chars": 3516,
"preview": "# Volatility\n#\n# This file is part of Volatility.\n#\n# Volatility is free software; you can redistribute it and/or modify"
},
{
"path": "volatility/obj.py",
"chars": 47149,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# Copyright (C) 2005,2006 4tphi Research\n# Author: {npetr"
},
{
"path": "volatility/plugins/__init__.py",
"chars": 1067,
"preview": "import volatility.conf as conf\nimport volatility.constants as constants\nimport os\nimport sys\n\nconfig = conf.ConfObject()"
},
{
"path": "volatility/plugins/addrspaces/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "volatility/plugins/addrspaces/amd64.py",
"chars": 13881,
"preview": "# Volatility\n# Copyright (C) 2013 Volatility Foundation\n#\n# Authors:\n# Mike Auty\n#\n# This file is part of Volatility.\n#\n"
},
{
"path": "volatility/plugins/addrspaces/arm.py",
"chars": 6220,
"preview": "# Volatility\n#\n# Authors:\n# attc - atcuno@gmail.com\n# Joe Sylve - joe.sylve@gmail.com\n#\n# This file is part of Volatilit"
},
{
"path": "volatility/plugins/addrspaces/crash.py",
"chars": 3033,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2005,2006,2007 4tphi Research\n#\n# Authors:\n"
},
{
"path": "volatility/plugins/addrspaces/crashbmp.py",
"chars": 5375,
"preview": "# Volatility\n# Copyright (C) 2014 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free soft"
},
{
"path": "volatility/plugins/addrspaces/elfcoredump.py",
"chars": 5422,
"preview": "# Volatility\n# Copyright (C) 2007-2014 Volatility Foundation\n#\n# Authors: \n# phil@teuwen.org (Philippe Teuwen)\n# espen@m"
},
{
"path": "volatility/plugins/addrspaces/hibernate.py",
"chars": 12141,
"preview": "# Volatility\n#\n# Copyright (c) 2008-2013 Volatility Foundation\n# Copyright (c) 2008 Brendan Dolan-Gavitt <bdolangavitt@w"
},
{
"path": "volatility/plugins/addrspaces/hpak.py",
"chars": 4585,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/addrspaces/ieee1394.py",
"chars": 9319,
"preview": "# Volatility\n#\n# Authors:\n# Mike Auty <mike.auty@gmail.com>\n#\n# This file is part of Volatility.\n#\n# Volatility is free "
},
{
"path": "volatility/plugins/addrspaces/intel.py",
"chars": 12296,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2004,2005,2006 4tphi Research\n#\n# Authors:\n"
},
{
"path": "volatility/plugins/addrspaces/lime.py",
"chars": 2858,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# Authors:\n# attc - atcuno@gmail.com\n#\n# This file is par"
},
{
"path": "volatility/plugins/addrspaces/macho.py",
"chars": 3042,
"preview": "# Volatility\n#\n# Authors:\n# Mike Auty\n#\n# This file is part of Volatility.\n#\n# Volatility is free software; you can redi"
},
{
"path": "volatility/plugins/addrspaces/osxpmemelf.py",
"chars": 2601,
"preview": "# Volatility\n# Copyright (C) 2007-2014 Volatility Foundation\n#\n# Authors: \n# phil@teuwen.org (Philippe Teuwen)\n# espen@m"
},
{
"path": "volatility/plugins/addrspaces/paged.py",
"chars": 7257,
"preview": "# Volatility\n# Copyright (c) 2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free soft"
},
{
"path": "volatility/plugins/addrspaces/standard.py",
"chars": 5438,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2004,2005,2006 4tphi Research\n#\n# Authors:\n"
},
{
"path": "volatility/plugins/addrspaces/vmem.py",
"chars": 4855,
"preview": "# Volatility\n#\n# Authors:\n# Sebastien Bourdon-Richard\n#\n# This program is free software; you can redistribute it and/or "
},
{
"path": "volatility/plugins/addrspaces/vmware.py",
"chars": 10557,
"preview": "# VMware snapshot file parser\n# Copyright (C) 2012 Nir Izraeli (nirizr at gmail dot com)\n#\n# This file is part of Volati"
},
{
"path": "volatility/plugins/bigpagepools.py",
"chars": 9367,
"preview": "# Volatility\n# Copyright (C) Michael Ligh <michael.ligh@mnin.org>\n#\n# This program is free software; you can redistribut"
},
{
"path": "volatility/plugins/bioskbd.py",
"chars": 2916,
"preview": "# Volatility\n#\n# Authors:\n# Adam Boileau <metlstorm@storm.net.nz>\n# Mike Auty <mike.auty@gmail.com>\n#\n# This file is par"
},
{
"path": "volatility/plugins/cmdline.py",
"chars": 2759,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/common.py",
"chars": 3759,
"preview": "# Volatility\n#\n# Authors:\n# Michael Cohen <scudette@users.sourceforge.net>\n#\n# This file is part of Volatility.\n#\n# Vola"
},
{
"path": "volatility/plugins/connections.py",
"chars": 3953,
"preview": "# Volatility\n#\n# Authors:\n# Mike Auty <mike.auty@gmail.com>\n#\n# This file is part of Volatility.\n#\n# Volatility is free "
},
{
"path": "volatility/plugins/connscan.py",
"chars": 3640,
"preview": "# Volatility\n# Copyright (C) 2008-2013 Volatility Foundation\n# Copyright (c) 2008 Brendan Dolan-Gavitt <bdolangavitt@wes"
},
{
"path": "volatility/plugins/crashinfo.py",
"chars": 8288,
"preview": "# Volatility\n# Copyright (C) 2009-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/dlldump.py",
"chars": 6282,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (c) 2008 Brendan Dolan-Gavitt <bdolangavitt@wes"
},
{
"path": "volatility/plugins/drivermodule.py",
"chars": 4416,
"preview": "# Volatility\n# Copyright (c) 2008-2015 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/dumpcerts.py",
"chars": 10953,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# Authors:\n# Michael Hale Ligh <michael.ligh@mnin.org>\n#\n"
},
{
"path": "volatility/plugins/dumpfiles.py",
"chars": 58987,
"preview": "# Volatility\n# Copyright (C) 2012-13 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free s"
},
{
"path": "volatility/plugins/envars.py",
"chars": 5382,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (c) 2012 Michael Ligh <michael.ligh@mnin.org>\n#"
},
{
"path": "volatility/plugins/evtlogs.py",
"chars": 13656,
"preview": "# Volatility\n# Copyright (C) 2008-2013 Volatility Foundation\n# Copyright (C) 2011 Jamie Levy (Gleeda) <jamie@memoryanaly"
},
{
"path": "volatility/plugins/fileparam.py",
"chars": 1840,
"preview": "# Volatility\n#\n# Authors:\n# Mike Auty <mike.auty@gmail.com>\n#\n# This file is part of Volatility.\n#\n# Volatility is free "
},
{
"path": "volatility/plugins/filescan.py",
"chars": 17270,
"preview": "# fileobjscan.py\n# Copyright 2009 Andreas Schuster <a.schuster@yendor.net>\n# Copyright (C) 2009-2013 Volatility Foundati"
},
{
"path": "volatility/plugins/getservicesids.py",
"chars": 41003,
"preview": "# Volatility\n# Copyright (C) 2011-2013 Volatility Foundation\n# Copyright (C) 2011 Jamie Levy (Gleeda) <jamie@memoryanaly"
},
{
"path": "volatility/plugins/getsids.py",
"chars": 10343,
"preview": "# Volatility\n# Copyright (C) 2008-2013 Volatility Foundation\n#\n# Additional Authors:\n# Mike Auty <mike.auty@gmail.com>\n#"
},
{
"path": "volatility/plugins/gui/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "volatility/plugins/gui/atoms.py",
"chars": 8545,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/clipboard.py",
"chars": 7405,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/constants.py",
"chars": 8456,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/desktops.py",
"chars": 5500,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/editbox.py",
"chars": 19270,
"preview": "# Volatility EditBox plugin\n#\n# Author: Bridgey the Geek <bridgeythegeek@gmail.com>\n#\n# This plugin is free software; yo"
},
{
"path": "volatility/plugins/gui/eventhooks.py",
"chars": 2622,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/gahti.py",
"chars": 2736,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/gditimers.py",
"chars": 3051,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/messagehooks.py",
"chars": 11453,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/screenshot.py",
"chars": 3878,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/sessions.py",
"chars": 4306,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/userhandles.py",
"chars": 3646,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation \n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael."
},
{
"path": "volatility/plugins/gui/vtypes/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "volatility/plugins/gui/vtypes/vista.py",
"chars": 4880,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/vtypes/win10.py",
"chars": 4119,
"preview": "# Volatility\n# Copyright (C) 2007-2017 Volatility Foundation\n# Copyright (C) 2017 Michael Hale Ligh <michael.ligh@mnin.o"
},
{
"path": "volatility/plugins/gui/vtypes/win2003.py",
"chars": 2168,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/vtypes/win7.py",
"chars": 8200,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/vtypes/win7_sp0_x64_vtypes_gui.py",
"chars": 137579,
"preview": "win32k_types = {\n'_HANDLEENTRY': [0x18, {\n 'pOwner': [8, ['pointer64', ['void']]],\n 'phead': [0, ['pointer64', ['_"
},
{
"path": "volatility/plugins/gui/vtypes/win7_sp0_x86_vtypes_gui.py",
"chars": 121571,
"preview": "win32k_types = {\n'_HANDLEENTRY': [0xc, {\n 'pOwner': [4, ['pointer', ['void']]],\n 'phead': [0, ['pointer', ['_HEAD'"
},
{
"path": "volatility/plugins/gui/vtypes/win7_sp1_x64_vtypes_gui.py",
"chars": 137547,
"preview": "win32k_types = {\n'_HANDLEENTRY': [0x18, {\n 'pOwner': [8, ['pointer64', ['void']]],\n 'phead': [0, ['pointer64', ['_"
},
{
"path": "volatility/plugins/gui/vtypes/win7_sp1_x86_vtypes_gui.py",
"chars": 122182,
"preview": "win32k_types = {\n'_HANDLEENTRY': [0xc, {\n 'pOwner': [4, ['pointer', ['void']]],\n 'phead': [0, ['pointer', ['_HEAD'"
},
{
"path": "volatility/plugins/gui/vtypes/win8.py",
"chars": 7917,
"preview": "# Volatility\n# Copyright (C) 2007-2014 Volatility Foundation\n# Copyright (C) 2014 Michael Hale Ligh <michael.ligh@mnin.o"
},
{
"path": "volatility/plugins/gui/vtypes/xp.py",
"chars": 16283,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/win32k_core.py",
"chars": 35724,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/windows.py",
"chars": 4862,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/gui/windowstations.py",
"chars": 4640,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.l"
},
{
"path": "volatility/plugins/handles.py",
"chars": 5757,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# Additional Authors:\n# Michael Ligh <michael.ligh@mnin.o"
},
{
"path": "volatility/plugins/heaps.py",
"chars": 1322,
"preview": "# Volatility\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU Ge"
},
{
"path": "volatility/plugins/hibinfo.py",
"chars": 2990,
"preview": "# Volatility\n#\n# Authors:\n# Mike Auty <mike.auty@gmail.com>\n#\n# This file is part of Volatility.\n#\n# Volatility is free "
},
{
"path": "volatility/plugins/hpakinfo.py",
"chars": 2123,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/iehistory.py",
"chars": 11800,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (c) 2010, 2011, 2012 Michael Ligh <michael.ligh"
},
{
"path": "volatility/plugins/imagecopy.py",
"chars": 4509,
"preview": "# Volatility\n#\n# Authors:\n# Mike Auty <mike.auty@gmail.com>\n#\n# This file is part of Volatility.\n#\n# Volatility is free "
},
{
"path": "volatility/plugins/imageinfo.py",
"chars": 5461,
"preview": "# Volatility\n#\n# Authors:\n# Mike Auty <mike.auty@gmail.com>\n#\n# This file is part of Volatility.\n#\n# Volatility is free "
},
{
"path": "volatility/plugins/joblinks.py",
"chars": 6448,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/kdbgscan.py",
"chars": 11872,
"preview": "# Volatility\n#\n# Authors:\n# Mike Auty <mike.auty@gmail.com>\n#\n# This file is part of Volatility.\n#\n# Volatility is free "
},
{
"path": "volatility/plugins/kpcrscan.py",
"chars": 7363,
"preview": "# Volatility\n#\n# This file is part of Volatility.\n#\n# Volatility is free software; you can redistribute it and/or modify"
},
{
"path": "volatility/plugins/linux/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "volatility/plugins/linux/apihooks.py",
"chars": 3082,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/arp.py",
"chars": 4511,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/aslr_shift.py",
"chars": 1381,
"preview": "# Volatility\n#\n# This file is part of Volatility.\n#\n# Volatility is free software; you can redistribute it and/or modify"
},
{
"path": "volatility/plugins/linux/banner.py",
"chars": 1801,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/bash.py",
"chars": 6837,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/bash_hash.py",
"chars": 6322,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/check_afinfo.py",
"chars": 4450,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/check_creds.py",
"chars": 2845,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/check_evt_arm.py",
"chars": 3261,
"preview": "# Volatility\n#\n# This file is part of Volatility.\n#\n# Volatility is free software; you can redistribute it and/or modify"
},
{
"path": "volatility/plugins/linux/check_fops.py",
"chars": 10645,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/check_idt.py",
"chars": 4747,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/check_inline_kernel.py",
"chars": 13204,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/check_modules.py",
"chars": 3088,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/check_syscall.py",
"chars": 11455,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/check_syscall_arm.py",
"chars": 4200,
"preview": "# Volatility\n#\n# This file is part of Volatility.\n#\n# Volatility is free software; you can redistribute it and/or modify"
},
{
"path": "volatility/plugins/linux/common.py",
"chars": 9766,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/cpuinfo.py",
"chars": 4830,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/dentry_cache.py",
"chars": 2509,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/dmesg.py",
"chars": 3262,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/dump_map.py",
"chars": 3166,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/elfs.py",
"chars": 2718,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2014 CrowdStrike, Inc.\n#\n# This file is par"
},
{
"path": "volatility/plugins/linux/enumerate_files.py",
"chars": 2031,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/find_file.py",
"chars": 14240,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# \n# This file is part of Volatility.\n#\n# Volatility is fre"
},
{
"path": "volatility/plugins/linux/flags.py",
"chars": 1831,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/getcwd.py",
"chars": 1396,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/hidden_modules.py",
"chars": 4763,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/ifconfig.py",
"chars": 3845,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/info_regs.py",
"chars": 4080,
"preview": "# Volatility\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU Ge"
},
{
"path": "volatility/plugins/linux/iomem.py",
"chars": 2075,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/kernel_opened_files.py",
"chars": 4675,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/keyboard_notifiers.py",
"chars": 2364,
"preview": "# Volatility\n#\n# This file is part of Volatility.\n#\n# Volatility is free software; you can redistribute it and/or modify"
},
{
"path": "volatility/plugins/linux/ld_env.py",
"chars": 1532,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/ldrmodules.py",
"chars": 2663,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/libc_env.py",
"chars": 1734,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/library_list.py",
"chars": 2354,
"preview": "# Volatility\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU Ge"
},
{
"path": "volatility/plugins/linux/librarydump.py",
"chars": 2953,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/lime.py",
"chars": 1825,
"preview": "# Volatility\n# Copyright (C) 2009-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/linux_strings.py",
"chars": 3684,
"preview": "# Volatility\n# Copyright (C) 2007,2008 Volatile Systems\n# Copyright (C) 2009 Timothy D. Morgan (strings optimization)\n#\n"
},
{
"path": "volatility/plugins/linux/linux_truecrypt.py",
"chars": 4951,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/linux_volshell.py",
"chars": 3600,
"preview": "# Volatility\n# Copyright (C) 2008-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/linux_yarascan.py",
"chars": 5145,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/list_raw.py",
"chars": 4800,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/lsmod.py",
"chars": 24028,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/lsof.py",
"chars": 2137,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/malfind.py",
"chars": 2845,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/mount.py",
"chars": 8344,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/mount_cache.py",
"chars": 3037,
"preview": "# Volatility\n#\n# This file is part of Volatility.\n#\n# Volatility is free software; you can redistribute it and/or modify"
},
{
"path": "volatility/plugins/linux/netfilter.py",
"chars": 3329,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/netscan.py",
"chars": 4393,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/netstat.py",
"chars": 4139,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/pidhashtable.py",
"chars": 13155,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/pkt_queues.py",
"chars": 3457,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/plthook.py",
"chars": 2857,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (C) 2014 CrowdStrike, Inc.\n#\n# This file is par"
},
{
"path": "volatility/plugins/linux/proc_maps.py",
"chars": 3546,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/proc_maps_rb.py",
"chars": 1532,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/procdump.py",
"chars": 2335,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/process_hollow.py",
"chars": 4604,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/process_info.py",
"chars": 26549,
"preview": "#\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU\n# General Public License for more details. \n#\n# You"
},
{
"path": "volatility/plugins/linux/process_stack.py",
"chars": 34144,
"preview": "# Volatility\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU Ge"
},
{
"path": "volatility/plugins/linux/psaux.py",
"chars": 1817,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/psenv.py",
"chars": 1740,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/pslist.py",
"chars": 7523,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/pslist_cache.py",
"chars": 1844,
"preview": "# Volatility\n#\n# This file is part of Volatility.\n#\n# Volatility is free software; you can redistribute it and/or modify"
},
{
"path": "volatility/plugins/linux/psscan.py",
"chars": 2709,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/pstree.py",
"chars": 3458,
"preview": "# This file is part of Volatility.\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# Volatility is free software; you "
},
{
"path": "volatility/plugins/linux/psxview.py",
"chars": 5933,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n# Copyright (c) 2010, 2011, 2012 Michael Ligh <michael.ligh"
},
{
"path": "volatility/plugins/linux/recover_filesystem.py",
"chars": 3677,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/route_cache.py",
"chars": 4092,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/sk_buff_cache.py",
"chars": 2810,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/slab_info.py",
"chars": 6997,
"preview": "# Volatility\n#\n# This file is part of Volatility.\n#\n# Volatility is free software; you can redistribute it and/or modify"
},
{
"path": "volatility/plugins/linux/threads.py",
"chars": 3427,
"preview": "# Volatility\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU Ge"
},
{
"path": "volatility/plugins/linux/tmpfs.py",
"chars": 5718,
"preview": "# Volatility\n# Copyright (C) 2007-2013 Volatility Foundation\n#\n# This file is part of Volatility.\n#\n# Volatility is free"
},
{
"path": "volatility/plugins/linux/tty_check.py",
"chars": 3302,
"preview": "# Volatility\n#\n# This file is part of Volatility.\n#\n# Volatility is free software; you can redistribute it and/or modify"
}
]
// ... and 259 more files (download for full content)