Repository: volatilityfoundation/volatility Branch: master Commit: 328a178edeec Files: 459 Total size: 32.7 MB Directory structure: gitextract_cqwfp5mv/ ├── .gitattributes ├── .gitignore ├── AUTHORS.txt ├── CHANGELOG.txt ├── CREDITS.txt ├── LEGAL.txt ├── LICENSE.txt ├── MANIFEST.in ├── Makefile ├── PKG-INFO ├── README.txt ├── contrib/ │ ├── __init__.py │ ├── library_example/ │ │ ├── libapi.py │ │ └── pslist_json.py │ └── plugins/ │ ├── README.md │ ├── __init__.py │ ├── aspaces/ │ │ └── README.md │ ├── disablewarnings.py │ ├── example.py │ └── malware/ │ └── README.md ├── pyinstaller/ │ ├── hook-distorm3.py │ ├── hook-openpyxl.py │ ├── hook-volatility.py │ └── hook-yara.py ├── pyinstaller.spec ├── setup.py ├── tools/ │ ├── doxygen/ │ │ ├── config │ │ └── d3/ │ │ ├── createtree.py │ │ └── tree.html │ ├── linux/ │ │ ├── Makefile │ │ ├── Makefile.enterprise │ │ ├── kcore/ │ │ │ ├── Makefile │ │ │ ├── elf.h │ │ │ ├── getkcore.c │ │ │ └── getkcore.h │ │ └── module.c │ ├── mac/ │ │ ├── convert.py │ │ ├── generate_profile_list.py │ │ ├── mac_create_all_profiles.py │ │ └── parse_pbzx2.py │ ├── vtype_diff.py │ └── windows/ │ └── parsesummary.py ├── vol.py └── volatility/ ├── __init__.py ├── addrspace.py ├── cache.py ├── commands.py ├── conf.py ├── constants.py ├── debug.py ├── dwarf.py ├── exceptions.py ├── fmtspec.py ├── obj.py ├── plugins/ │ ├── __init__.py │ ├── addrspaces/ │ │ ├── __init__.py │ │ ├── amd64.py │ │ ├── arm.py │ │ ├── crash.py │ │ ├── crashbmp.py │ │ ├── elfcoredump.py │ │ ├── hibernate.py │ │ ├── hpak.py │ │ ├── ieee1394.py │ │ ├── intel.py │ │ ├── lime.py │ │ ├── macho.py │ │ ├── osxpmemelf.py │ │ ├── paged.py │ │ ├── standard.py │ │ ├── vmem.py │ │ └── vmware.py │ ├── bigpagepools.py │ ├── bioskbd.py │ ├── cmdline.py │ ├── common.py │ ├── connections.py │ ├── connscan.py │ ├── crashinfo.py │ ├── dlldump.py │ ├── drivermodule.py │ ├── dumpcerts.py │ ├── dumpfiles.py │ ├── envars.py │ ├── evtlogs.py │ ├── fileparam.py │ ├── filescan.py │ ├── getservicesids.py │ ├── getsids.py │ ├── gui/ │ │ ├── __init__.py │ │ ├── atoms.py │ │ ├── clipboard.py │ │ ├── constants.py │ │ ├── desktops.py │ │ ├── editbox.py │ │ ├── eventhooks.py │ │ ├── gahti.py │ │ ├── gditimers.py │ │ ├── messagehooks.py │ │ ├── screenshot.py │ │ ├── sessions.py │ │ ├── userhandles.py │ │ ├── vtypes/ │ │ │ ├── __init__.py │ │ │ ├── vista.py │ │ │ ├── win10.py │ │ │ ├── win2003.py │ │ │ ├── win7.py │ │ │ ├── win7_sp0_x64_vtypes_gui.py │ │ │ ├── win7_sp0_x86_vtypes_gui.py │ │ │ ├── win7_sp1_x64_vtypes_gui.py │ │ │ ├── win7_sp1_x86_vtypes_gui.py │ │ │ ├── win8.py │ │ │ └── xp.py │ │ ├── win32k_core.py │ │ ├── windows.py │ │ └── windowstations.py │ ├── handles.py │ ├── heaps.py │ ├── hibinfo.py │ ├── hpakinfo.py │ ├── iehistory.py │ ├── imagecopy.py │ ├── imageinfo.py │ ├── joblinks.py │ ├── kdbgscan.py │ ├── kpcrscan.py │ ├── linux/ │ │ ├── __init__.py │ │ ├── apihooks.py │ │ ├── arp.py │ │ ├── aslr_shift.py │ │ ├── banner.py │ │ ├── bash.py │ │ ├── bash_hash.py │ │ ├── check_afinfo.py │ │ ├── check_creds.py │ │ ├── check_evt_arm.py │ │ ├── check_fops.py │ │ ├── check_idt.py │ │ ├── check_inline_kernel.py │ │ ├── check_modules.py │ │ ├── check_syscall.py │ │ ├── check_syscall_arm.py │ │ ├── common.py │ │ ├── cpuinfo.py │ │ ├── dentry_cache.py │ │ ├── dmesg.py │ │ ├── dump_map.py │ │ ├── elfs.py │ │ ├── enumerate_files.py │ │ ├── find_file.py │ │ ├── flags.py │ │ ├── getcwd.py │ │ ├── hidden_modules.py │ │ ├── ifconfig.py │ │ ├── info_regs.py │ │ ├── iomem.py │ │ ├── kernel_opened_files.py │ │ ├── keyboard_notifiers.py │ │ ├── ld_env.py │ │ ├── ldrmodules.py │ │ ├── libc_env.py │ │ ├── library_list.py │ │ ├── librarydump.py │ │ ├── lime.py │ │ ├── linux_strings.py │ │ ├── linux_truecrypt.py │ │ ├── linux_volshell.py │ │ ├── linux_yarascan.py │ │ ├── list_raw.py │ │ ├── lsmod.py │ │ ├── lsof.py │ │ ├── malfind.py │ │ ├── mount.py │ │ ├── mount_cache.py │ │ ├── netfilter.py │ │ ├── netscan.py │ │ ├── netstat.py │ │ ├── pidhashtable.py │ │ ├── pkt_queues.py │ │ ├── plthook.py │ │ ├── proc_maps.py │ │ ├── proc_maps_rb.py │ │ ├── procdump.py │ │ ├── process_hollow.py │ │ ├── process_info.py │ │ ├── process_stack.py │ │ ├── psaux.py │ │ ├── psenv.py │ │ ├── pslist.py │ │ ├── pslist_cache.py │ │ ├── psscan.py │ │ ├── pstree.py │ │ ├── psxview.py │ │ ├── recover_filesystem.py │ │ ├── route_cache.py │ │ ├── sk_buff_cache.py │ │ ├── slab_info.py │ │ ├── threads.py │ │ ├── tmpfs.py │ │ ├── tty_check.py │ │ └── vma_cache.py │ ├── mac/ │ │ ├── WKdm.py │ │ ├── __init__.py │ │ ├── adiummsgs.py │ │ ├── apihooks.py │ │ ├── apihooks_kernel.py │ │ ├── arp.py │ │ ├── bash.py │ │ ├── bash_env.py │ │ ├── bash_hash.py │ │ ├── calendar.py │ │ ├── check_fop.py │ │ ├── check_mig_table.py │ │ ├── check_syscall_shadow.py │ │ ├── check_syscall_table.py │ │ ├── check_sysctl.py │ │ ├── check_trap_table.py │ │ ├── classes.py │ │ ├── common.py │ │ ├── compressed_swap.py │ │ ├── contacts.py │ │ ├── dead_procs.py │ │ ├── dead_sockets.py │ │ ├── dead_vnodes.py │ │ ├── devfs.py │ │ ├── dlyd_maps.py │ │ ├── dmesg.py │ │ ├── dump_files.py │ │ ├── dump_map.py │ │ ├── find_aslr_shift.py │ │ ├── get_profile.py │ │ ├── gkextmap.py │ │ ├── ifconfig.py │ │ ├── interest_handlers.py │ │ ├── ip_filters.py │ │ ├── kevents.py │ │ ├── keychaindump.py │ │ ├── ldrmodules.py │ │ ├── librarydump.py │ │ ├── list_files.py │ │ ├── list_kauth_listeners.py │ │ ├── list_kauth_scopes.py │ │ ├── list_raw.py │ │ ├── list_zones.py │ │ ├── lsmod.py │ │ ├── lsmod_iokit.py │ │ ├── lsof.py │ │ ├── mac_strings.py │ │ ├── mac_volshell.py │ │ ├── mac_yarascan.py │ │ ├── machine_info.py │ │ ├── malfind.py │ │ ├── memdump.py │ │ ├── moddump.py │ │ ├── mount.py │ │ ├── netconns.py │ │ ├── netstat.py │ │ ├── notesapp.py │ │ ├── notifiers.py │ │ ├── orphan_threads.py │ │ ├── pgrp_hash_table.py │ │ ├── pid_hash_table.py │ │ ├── print_boot_cmdline.py │ │ ├── proc_maps.py │ │ ├── procdump.py │ │ ├── psaux.py │ │ ├── psenv.py │ │ ├── pslist.py │ │ ├── pstasks.py │ │ ├── pstree.py │ │ ├── psxview.py │ │ ├── recover_filesystem.py │ │ ├── route.py │ │ ├── session_hash_table.py │ │ ├── socket_filters.py │ │ ├── threads.py │ │ ├── threads_simple.py │ │ ├── timers.py │ │ ├── trustedbsd.py │ │ ├── version.py │ │ └── vfsevents.py │ ├── machoinfo.py │ ├── malware/ │ │ ├── __init__.py │ │ ├── apihooks.py │ │ ├── callbacks.py │ │ ├── cmdhistory.py │ │ ├── devicetree.py │ │ ├── idt.py │ │ ├── impscan.py │ │ ├── malfind.py │ │ ├── psxview.py │ │ ├── servicediff.py │ │ ├── svcscan.py │ │ ├── threads.py │ │ └── timers.py │ ├── mbrparser.py │ ├── mftparser.py │ ├── moddump.py │ ├── modscan.py │ ├── modules.py │ ├── multiscan.py │ ├── netscan.py │ ├── notepad.py │ ├── objtypescan.py │ ├── overlays/ │ │ ├── __init__.py │ │ ├── basic.py │ │ ├── linux/ │ │ │ ├── __init__.py │ │ │ ├── elf.py │ │ │ └── linux.py │ │ ├── mac/ │ │ │ ├── __init__.py │ │ │ ├── mac.py │ │ │ └── macho.py │ │ ├── native_types.py │ │ └── windows/ │ │ ├── __init__.py │ │ ├── crash_vtypes.py │ │ ├── hibernate_vtypes.py │ │ ├── kdbg_vtypes.py │ │ ├── kpcr_vtypes.py │ │ ├── pe_vtypes.py │ │ ├── ssdt_vtypes.py │ │ ├── tcpip_vtypes.py │ │ ├── vad_vtypes.py │ │ ├── vista.py │ │ ├── vista_sp0_x64_syscalls.py │ │ ├── vista_sp0_x64_vtypes.py │ │ ├── vista_sp0_x86_syscalls.py │ │ ├── vista_sp0_x86_vtypes.py │ │ ├── vista_sp12_x64_syscalls.py │ │ ├── vista_sp12_x86_syscalls.py │ │ ├── vista_sp1_x64_vtypes.py │ │ ├── vista_sp1_x86_vtypes.py │ │ ├── vista_sp2_x64_vtypes.py │ │ ├── vista_sp2_x86_vtypes.py │ │ ├── win10.py │ │ ├── win10_x64_10240_17770_vtypes.py │ │ ├── win10_x64_10586_syscalls.py │ │ ├── win10_x64_14393_syscalls.py │ │ ├── win10_x64_15063_syscalls.py │ │ ├── win10_x64_15063_vtypes.py │ │ ├── win10_x64_16299_syscalls.py │ │ ├── win10_x64_16299_vtypes.py │ │ ├── win10_x64_17134_vtypes.py │ │ ├── win10_x64_17763_vtypes.py │ │ ├── win10_x64_18362_vtypes.py │ │ ├── win10_x64_19041_vtypes.py │ │ ├── win10_x64_1AC738FB_vtypes.py │ │ ├── win10_x64_DD08DD42_vtypes.py │ │ ├── win10_x64_vtypes.py │ │ ├── win10_x86_10240_17770_vtypes.py │ │ ├── win10_x86_10586_syscalls.py │ │ ├── win10_x86_14393_syscalls.py │ │ ├── win10_x86_15063_syscalls.py │ │ ├── win10_x86_15063_vtypes.py │ │ ├── win10_x86_16299_syscalls.py │ │ ├── win10_x86_16299_vtypes.py │ │ ├── win10_x86_17134_vtypes.py │ │ ├── win10_x86_17763_vtypes.py │ │ ├── win10_x86_18362_vtypes.py │ │ ├── win10_x86_19041_vtypes.py │ │ ├── win10_x86_44B89EEA_vtypes.py │ │ ├── win10_x86_9619274A_vtypes.py │ │ ├── win10_x86_vtypes.py │ │ ├── win2003.py │ │ ├── win2003_sp0_x86_syscalls.py │ │ ├── win2003_sp0_x86_vtypes.py │ │ ├── win2003_sp12_x64_syscalls.py │ │ ├── win2003_sp12_x86_syscalls.py │ │ ├── win2003_sp1_x64_vtypes.py │ │ ├── win2003_sp1_x86_vtypes.py │ │ ├── win2003_sp2_x64_vtypes.py │ │ ├── win2003_sp2_x86_vtypes.py │ │ ├── win7.py │ │ ├── win7_sp01_x64_syscalls.py │ │ ├── win7_sp01_x86_syscalls.py │ │ ├── win7_sp0_x64_vtypes.py │ │ ├── win7_sp0_x86_vtypes.py │ │ ├── win7_sp1_x64_24000_vtypes.py │ │ ├── win7_sp1_x64_632B36E0_vtypes.py │ │ ├── win7_sp1_x64_vtypes.py │ │ ├── win7_sp1_x86_24000_vtypes.py │ │ ├── win7_sp1_x86_BBA98F40_vtypes.py │ │ ├── win7_sp1_x86_vtypes.py │ │ ├── win8.py │ │ ├── win81_u1_x64_vtypes.py │ │ ├── win81_u1_x86_vtypes.py │ │ ├── win8_kdbg.py │ │ ├── win8_sp0_x64_syscalls.py │ │ ├── win8_sp0_x64_vtypes.py │ │ ├── win8_sp0_x86_syscalls.py │ │ ├── win8_sp0_x86_vtypes.py │ │ ├── win8_sp1_x64_54B5A1C6_vtypes.py │ │ ├── win8_sp1_x64_syscalls.py │ │ ├── win8_sp1_x64_vtypes.py │ │ ├── win8_sp1_x86_syscalls.py │ │ ├── win8_sp1_x86_vtypes.py │ │ ├── windows.py │ │ ├── windows64.py │ │ ├── xp.py │ │ ├── xp_sp2_x86_syscalls.py │ │ ├── xp_sp2_x86_vtypes.py │ │ └── xp_sp3_x86_vtypes.py │ ├── patcher.py │ ├── patchguard.py │ ├── pooltracker.py │ ├── privileges.py │ ├── procdump.py │ ├── pstree.py │ ├── raw2dmp.py │ ├── registry/ │ │ ├── __init__.py │ │ ├── amcache.py │ │ ├── auditpol.py │ │ ├── dumpregistry.py │ │ ├── hivelist.py │ │ ├── hivescan.py │ │ ├── lsadump.py │ │ ├── printkey.py │ │ ├── registryapi.py │ │ ├── shellbags.py │ │ ├── shimcache.py │ │ ├── shutdown.py │ │ └── userassist.py │ ├── sockets.py │ ├── sockscan.py │ ├── ssdt.py │ ├── strings.py │ ├── taskmods.py │ ├── tcaudit.py │ ├── timeliner.py │ ├── vadinfo.py │ ├── vboxinfo.py │ ├── verinfo.py │ ├── vmwareinfo.py │ ├── volshell.py │ └── win10cookie.py ├── poolscan.py ├── protos.py ├── registry.py ├── renderers/ │ ├── __init__.py │ ├── basic.py │ ├── dot.py │ ├── html.py │ ├── sqlite.py │ ├── text.py │ └── xlsx.py ├── scan.py ├── timefmt.py ├── utils.py ├── validity.py └── win32/ ├── __init__.py ├── crashdump.py ├── domcachedump.py ├── hashdump.py ├── hive.py ├── lsasecrets.py ├── modules.py ├── network.py ├── rawreg.py ├── tasks.py └── xpress.py ================================================ FILE CONTENTS ================================================ ================================================ FILE: .gitattributes ================================================ * text=auto ================================================ FILE: .gitignore ================================================ *.py[cod] # Pycharm ide library .idea *.swp # C extensions *.so # Packages *.egg *.egg-info dist build eggs parts bin var sdist develop-eggs .installed.cfg lib lib64 # Installer logs pip-log.txt # Unit test / coverage reports .coverage .tox nosetests.xml # Translations *.mo # Mr Developer .mr.developer.cfg .project .pydevproject .svn/ .DS_Store # compressed files *.zip *.7z *.rar *.tar.gz *.gz # common memory extensions: *.vmem *.mem *.img *.dmp *.sys *.bin *.001 *.raw ================================================ FILE: AUTHORS.txt ================================================ =============================================== This file identifies core Volatility authors. All lists are alphabetical. =============================================== Volatility 2.6: ------------ Mike Auty Andrew Case Michael Hale Ligh Jamie Levy AAron Walters Nick L. Petroni, Jr. Volatility 2.4, 2.5: ------------ Mike Auty Andrew Case Michael Hale Ligh Jamie Levy AAron Walters Volatility 2.0, 2.1, 2.2, 2.3: ------------ Mike Auty Andrew Case Michael Cohen Brendan Dolan-Gavitt Michael Hale Ligh Jamie Levy AAron Walters Volatility 1.3: ------------ AAron Walters Volatile Systems LLC Brendan Dolan-Gavitt Volatools Basic authors: ------------ AAron Walters Komoku, Inc. Nick L. Petroni, Jr. Komoku, Inc. ================================================ FILE: CHANGELOG.txt ================================================ Changelog As of Volatility 2.4, all changes are now tracked on the GitHub site: https://github.com/volatilityfoundation/volatility Volatility 2.0-2.3: all changes were tracked on the Google Code site: http://code.google.com/p/volatility/source/list 04.8.2009 Volatility-1.3.1 moyix * Update: Introduce BufferAddressSpace and refactor * Files: forensics/addrspace.py forensics/object.py Description: Added a new BufferAddressSpace class that acts like a regular FileAddressSpace, but can be instantiated from a string buffer. This allows any function that expects an address space to work on a buffer instead. Also refactored the *_buf functions in object.py to use this class instead (reduces code duplication). Thanks to Michael Cohen for the idea. 04.8.2009 Volatility-1.3.1 moyix * Update: Add support for inactive hiberfiles to hibinfo * Files: forensics/win32/hiber_addrspace.py Description: Added the ability to convert hibernation files that are in the "inactive" state (their first page is zeroed) to dd format. It is still not possible to run Volatility directly on such files, but they can now be converted for analysis. Thanks to Jon Evans for the suggestion. 04.8.2009 Volatility-1.3.1 moyix * Update: Pool scanning enhancements * Files: forensics/win32/scan2.py forensics/object.py Description: Incorporated new functions written by Andreas Schuster to allow more fine-grained checks in pool scanners, and modularize some of the accessors (get_poolsize, get_poolsize, etc.). The patch also adds read_unicode_string_buf and read_string_buf, which operate on string buffers. Thanks to Andreas Schuster for the patch. 04.7.2009 Volatility-1.3 awalters * Update: Handle table parsing * Files: forensics/win32/handles.py Description: Updated handle parsing code to fix typo. It was not adding the correct offset for Level 3 tables. It was also not traversing all the entries. Thanks to Brendan Dolan-Gavitt. 04.7.2009 Volatility-1.3 awalters * Update: Network Offsets * Files: forensics/win32/network.py Description: Added new offset updates. Thanks to Jun Koi. 03.17.2009 Volatility-1.3 awalters * Update: x86.py robustness * Files: forensics/x86.py Description: Added more robustness to the x86 address space. This time it focused on PAE. Certain samples were reading outside of the physical address space. Thanks to Brendan Dolan-Gavitt for patch. 03.17.2009 Volatility-1.3.1 awalters * Bug: Hiberfil Address space w * Files: forensics\win32\hiber_addrspace.py Description: Needed to import the PAE address space. This only meant that hibinfo was having some issue. It would still process hiberfil's just fine. Thanks to Andreas Schuster for the bug report. 03.17.2009 Volatility-1.3.1 awalters * Update: New version of tcp driver needed new offsets in SP3 * Files: forensics/win32/network.py forensics/win32/scan2.py forensics/win32/scan.py Description: Added new offsets to network to handle new driver. Updated scan2 and scan as well to support new pool allocation size. Thanks to Brendan Dolan-Gavitt. 02.22.2009 Volatility-1.3.1 awalters * Update: procdump check peb * Files: vmodules.py Description: Added a check to make sure that the PEB is memory resident. 02.05.2009 Volatility-1.3.1 awalters * Update: Handle parsing * Files: forensics/win32/handles.py vmodules.py Description: Updated handle parsing code to correctly handle middle and upper layer handles in multi-level schemes. Also changed files to now use the common parsing code. 12.11.2008 Volatility-1.3.1 awalters * Update: Plugin Generators * Files: forensics/commands.py memory_plugins/example4.py vutils.py Description: Added the ability to use generators in your plugins. This is extremely powerful and allows us to support arbitrary output formats. Thanks to Michael Cohen for the patch. 12.11.2008 Volatility-1.3.1 awalters * Update: Object Inheritance * Files: forensics/object2.py forensics/registry.py memory_plugins/example3.py Description: Plugins creators are now able to express an inheritance order associated with an object. The default is the Profile objects. This fixes a problem associated with collisions. Thanks to Cameron C Caffee for the bug report and thanks to Brendan Dolan-Gavitt and Michael Cohen for insightful discussions. 12.10.2008 Volatility-1.3.1 awalters * Update: lists.py * Files: forensics/win32/lists.py Description: Added Brendan Dolan-Gavitt lists.py file for traversing kernel linked lists. Thanks Brendan. 12.06.2008 Volatility-1.3.1 awalters * Bug: Crashdump base address space * Files: forensics/win32/tasks.py Description: Changed find_csdversion so that it does not pass in the filename. Made fname an optional parameter to process_addr_space since it is no longer being used and only maintained for backward compatibility. Thanks to Richard Austin for the bug report. 11.25.2008 Volatility-1.3.1 awalters * Bug: modules_list * Files: forensics/win32/modules.py Description: Added a check to make sure both PsLoadedModuleList and this module were defined. 11.25.2008 Volatility-1.3.1 awalters * Update: Tabs and spaces * Files: Too Many Description: Spent some quality time with the tab nanny. 11.25.2008 Volatility-1.3.1 awalters * Bug: Added more checks for registry objects * Files: forensics/win32/registry.py Description: Added more checks in print_entry_keys for invalid pages. Some of the key path was crossing page boundaries so more checks needed to be added. Thanks to Christian Herndler for the bug report. 11.22.2008 Volatility-1.3.1 awalters * Update: get_obj_offset no longer modifies passed in list * Files: forensics/object.py Description: get_obj_offset previously modified the passed-in list used to represent type information. Now it works on a copy to prevent unexpected behavior. Thanks to Brendan Dolan-Gavitt for the update. 11.17.2008 Volatility-1.3.1 awalters * Bug: Checks to make sure KeyControlBlock is a valid address * Files: forensics/win32/registry.py Description: print_entry_keys has been updated to check that KeyControlBlock is a valid address. Thanks to Christian Herndler for the bug report and Brendan Dolan-Gavitt for the bug fix. 11.15.2008 Volatility-1.3.1 awalters * Update: removed sha module from crashdump * Files: forensics/win32/crashdump.py Description: Removed the attempt to import the sha module since it generates a warning with Python 2.6. Thanks to STC for reporting the issue. 11.14.2008 Volatility-1.3.1 awalters * Bug: added more checks in object parsing for invalid pages * Files: forensics/win32/handles.py forensics/win32/registry.py vmodules.py Description: Added more checks for invalid pages while processing the object directory. Thanks to Christian Herndler for the bug report. 11.03.2008 Volatility-1.3.1 awalters * Bug: Python 2.5 finally * Files: vmodules.py Description: Removed the finally clause that is only available in Python 2.5. Thanks to Cameron Caffee for the bug report and Brendan Dolan-Gavitt for the bug fix. 10.17.2008 Volatility-1.3.1 awalters * Bug: Checking for invalid pages * Files: forensics/object2.py Description: Added more checks to object2 to makes sure the addresses being accessed are valid. If not, then they now return a None. Thanks to Jesse Kornblum for submitting a patch. 9.27.2008 Volatility-1.3.1 awalters * Update: plugin directory now relative to registry * Files: forensics/registry.py Description: The plugin search is now performed relative to registry.py. Thanks to Michael Cohen for the patch. 9.4.2008 Volatility-1.3.1 awalters * Bug: length bug in hiberaddrspace * Files: forensics\win32\hiber_addrspace.py Description: We were referencing an undefined length variable. Thanks to Andreas Schuster for sending the patch. 9.4.2008 Volatility-1.3.1 awalters * Update: Find the plugin modules * Files: forensics/registry.py Description: Added the absolute path to search for dynamic plugins. This allows volatility to be called from anywhere on the system. Thanks to Andreas Schuster for sending the patch. 8.14.2008 Volatility-1.3 awalters * Update: x86.py robustness * Files: forensics/x86.py Description: Added more robustness to the x86 address space. Thanks to Brendan Dolan-Gavitt for sending in a bug report. 8.14.2008 Volatility-1.3 awalters * Update: Standardized _LDR_MODULE -> _LDR_DATA_TABLE_ENTRY * Files: forensics/win32/modules.py forensics/win32/scan.py forensics/win32/scan2.py Description: Changed the data type names to make them more standardized across operating system versions. Thanks Brendan Dolan-Gavitt for sending in update request. 6.26.2008 Volatility-1.3 awalters * Bug: regobjkey initialize list * Files: vmodules.py Description: When specifying a offset for regobjkey the list had not been initialized yet. Thanks to Brendan Dolan-Gavitt for sending in a bug report. 6.24.2008 Volatility-1.3 awalters * Update: 64-bit hosts * Files: forensics/object.py forensics/win32/crashdump.py forensics/win32/scan2.py forensics/win32/network.py forensics/win32/executable.py Description: Updated so that modules will work correctly when run from 64-bit hosts using python 2.5. Thanks to sham for sending in the bug report. 6.23.2008 Volatility-1.3 awalters * Bug: Non-resident Vad address * Files: forensics/win32/vad.py vmodules.py Description: Updated the vad modules to handle invalid addresses in low memory situations. Thanks to Bryan D. Payne for sending in a bug report. 6.23.2008 Volatility-1.3 awalters * Bug: Handle count paged * Files: forensics/win32/tasks.py Description: Received a sample where the ObjectTable was not a valid address. Added a check to make sure it is valid. Thanks to Bryan D. Payne for sending in a bug report. 6.22.2008 Volatility-1.3 awalters * Update: Ident info * Files: forensics/win32/tasks.py vutils.py Description: Updated ident command so that it correctly finds the version of XP, now that we have support for SP3. Thanks to jeremie0 for noticing and to Brendan Dolan-Gavitt for helping with the fix. 6.11.2008 Volatility-1.3 awalters * Update: Array Types * Files: forensics/object2.py Description: Changed arrays so that they now return objects in cases where they are not native types. Thanks to Brendan Dolan-Gavitt for the update! 6.8.2008 Volatility-1.3 awalters * Bug: Invalid page directories * Files: vmodules.py Description: Added code to catch the cases when we encounter invalid page directories. Thanks to both Angelo Cavallini and Brendan Dolan-Gavitt for reporting this bug. 6.8.2008 Volatility-1.3 awalters * Update: potential bad string characters (unicode escaping) * Files: forensics/win32/scan2.py forensics/object.py Description: Attempting to standardize error handling related to unicode conversions. Thus we are now passing an explicit error string argument. Thanks to Brendan Dolan-Gavitt. 6.8.2008 Volatility-1.3 awalters * Update: psscan2 check_dtb * Files: forensics/win32/scan2.py Description: Added a check from psscan to psscan2 in the check_dtb constraint to make sure the DTB had a value. Thanks Andreas Schuster! 6.7.2008 Volatility-1.3 awalters * Update: SP3 support * Files: forensics/win32/network.py Description: Made changes to support SP3. 5.21.2008 Volatility-1.3 awalters * Update: Changed create_addr_space api * Files: forensics/win32/tasks.py memory_objects/Windows/xp_sp2.py memory_plugins/example2.py memory_plugins/example3.py vmodules.py Description: Changed the create_addr_space API so that it does not require types or filname. This was an artifact of the way the function used to work. 5.17.2008 Volatility-1.3 awalters * Feature: New Object Model * Files: forensics/registry.py memory_objects/Windows/xp_sp2.py memory_plugins/example3.py forensics/object2.py forensics/win32/meta_info.py vutils.py Description: Added a new object model to make navigating the data structures more intuitive. All future modules will be transition to use this new model. Thanks to Brendan Dolan-Gavitt for all his help! 5.14.2008 Volatility-1.3 awalters * Feature: Plugin Architecture * Files: forensics/commands.py forensics/registry.py volatility memory_plugins/example1.py memory_plugins/example2.py Description: Added an entirely new plugin infrastructure. Now it is possible to load the commands dynamically just by adding them to the correct directory. This will allow people to support their own modules. This work is based on a similar registry implementation found in PyFlag. Thanks to Michael Cohen and David Collett for the great work they have done and help getting this code integrated. 5.13.2008 Volatility-1.3 awalters * Feature: Hiberfil support * Files: vmodules.py volatility forensics/win32/hiber_addrspace.py forensics/win32/xpress.py forensics/win32/scan.py forensics/win32/network.py forensics/win32/datetime.py Description: Added native hiberfil support. Also added the ability to convert from hiberfil to linear format. Now all the commands can be run against hiberfils natively. This is accomplished through the new hiberfil address space. Thanks to Matthieu Suiche and Brendan Dolan-Gavitt for all the great work they have done with hiberfil parsing and the xpress compression algorithm. 5.13.2008 Volatility-1.3 awalters * Feature: New scanning infrastructure * Files: vmodules.py volatility forensics/win32/scan2.py forensics/win32/globals.py forensics/win32/crash_addrspace.py forensics/win32/datetime.py Description: Added an entirely new OO scanning infrastructure. This allows for extremely fast scanning and easier scanning across the logical address spaces. As part of this we also ported the scanning modules over to the new infrastructure. Thanks to Michael Cohen and Andreas Schuster for the help and ideas to get this working! 5.7.2008 Volatility-1.3 awalters * Bug: get_available_addresses * Files: forensics/x86.py vmodules.py volatility Description: Fixed an off by 1 error in get_available_address for non-pae machines that seemed to have crept back in. Also changed the name of usrdmp to memdmp since it is really dumping a processes addressable memory. Thanks Eoghan Casey! 4.30.2008 Volatility-1.3 awalters * New Module: procdump * Files: forensics/win32/executable.py vtypes.py vmodules.py Description: Added a new module that will allow the analyst to extract the executable from memory for further analysis. Thanks to Brendan Dolan-Gavitt for all your hard work! 4.28.2008 Volatility-1.3 awalters * Bug: open registry keys * Files: forensics/win32/handles.py Description: During testing Brendan found a bug when processing object types. It would have been possible to enumerate KeyedEvents. Thanks Brendan Dolan-Gavitt! 4.28.2008 Volatility-1.3 awalters * New Module: regobjkey * Files: vmodules.py forensics/win32/registry.py forensics/win32/handles.py vtypes.py Description: Added a new module that will allow an analyst to dump the open registry keys found in the object table. Thanks to Brendan Dolan-Gavitt for his contributions! 4.27.2008 Volatility-1.3 awalters * Feature: psscan dot format * Files: vmodules.py forensics/win32/scan.py Description: Added the ability to print the output of psscan in dot format. Similar to that available by ptfinder by Andreas Schuster. This was requested by Eoghan Casey. 4.23.2008 Volatility-1.3 awalters * Useability: Pass pid or EPROCESS offset Files: vmodules.py forensics/win32/handles.py Description: Added the ability to dump files and dlllist by pid or EPROCESS offset. One reason this was asked for was to deal with data only attacks which may remove the process from process list. Thanks to Eoghan Casey for the feedback! 4.23.2008 Volatility-1.3 awalters * New Modules: dmp2raw, raw2dmp Files: vtypes.py vmodules.py forensics/win32/crashdump.py forensics/win32/info.py forensics/win32/tasks.py Description: Added modules to convert from raw dumps to crash dumps and vice versa. Thanks to Andreas Schuster for helping to get this started and thanks to Brendan Dolan-Gavitt for helping get it perfected! 4.23.2008 Volatility-1.3 awalters * Optimization: KUSER_SHARED_DATA Files: vmodules.py Description: Changed KUSER_SHARED_DATA in get_image_info and get_datetime to point to 0xFFDF0000 instead of 0x7ffe0000. Thanks Brendan Dolan-Gavitt! 4.1.2008 Volatility-1.2.3pre awalters * Bug: socket crash Files: forensics/win32/network.py Description: In get_open_sockets, we needed to make sure that the AddrObjAddr and AddrTableSize were not none and if they were fail gracefully. Thanks to Eoghan Casey for the bug report. 3.3.2008 Volatility-1.2.3pre awalters * Bug: get_obj_offset() non-builtin Files: forensics/object.py Description: Modified get_obj_offset to support arrays of non-builtin types. Thanks Brendan Dolan-Gavitt! 2.27.2008 Volatility-1.2.3pre awalters * Bug: Not traversing complete module list Files: forensics/win32/modules.py Description: Traversing the module list should not stop when it reaches a None but continue to the next module 2.27.2008 Volatility-1.2.3pre awalters * Bug: is_valid_address(addr) Files: forensics/addrspace.py forensics/x86.py Description: is_valid_address was failing to check if addr was None. This was found by analyzing hiberfile images. Thanks to Brendan Dolan-Gavitt and Andreas Schuster for helping me find the problem! 2.25.2008 Volatility-1.2.3pre awalters * Bug: hidden processes Files: vmodules.py Description: Both usrdmp and memmap were unable to handle hidden processes. They can now be passed the offset to an EPROCESS object. Thanks to Eoghan Casey for the bug report. 12.28.2007 Volatility-1.2.3pre awalters * Bug: 64 bit Files: forensics/addrspace.py forensics/object.py forensics/win32/scan.py forensics/x86.py forensics/win32/crash_addrspace.py Description: Fixed a bug that occurs when people are running Python 2.5 on a 64 bit OS. Python 2.5 changed the way that Python native types are stored and thus changed the unpack usage. Thanks to Jamie Levy and students! 11.28.2007 Volatility-1.2.2pre awalters * Bug: memmap Files: vmodules.py Description: mem_map fixed so that you can specifiy a particular process. 11.28.2007 Volatility-1.2.2pre awalters * Bug: dtb_aligned Files: forensics/win32/scan.py Description: On systems using PAE, EPROCESS.DirectoryTableBase actually points to the base of the page directory pointer array. Thanks Andreas Schuster. 11.27.2007 Volatility-1.2.2pre awalters * Optimization: find_dtb Files: forensics/win32/tasks.py Description: Dramatically reduced the time for find_dtb. Thanks Michael Cohen. 09.21.2007 Volatility-1.2.1pre awalters * New Module: usrdmp Files: vmodules.py Description: Dumps a processes address space. Thanks Eoghan Casey. 09.20.2007 Volatility-1.2pre awalters * New Module: modscan Files: vmodules.py forensics/win32/scan.py forensics/win32/globals.py Description: Performs a linear scan for memory resident Windows modules. Contributed by Andreas Schuster. * New Module: memmap Files: vmodules.py forensics/x86.py Description: Provides a map of the virtual to physical address translations within a particular address space. Based on similar tools by Andreas Schuster (memdump.pl) and Brendan Dolan-Gavitt (memdump.py). * New Module: dmpchk Files: vmodules.py forensics/win32/crash_addrspace.py Description: Prints auxiliary information about the crash dump file. * New Module: WindowsCrashDumpSpace32 Files: forensics/x86.py forensics/win32/crash_addrspace.py Description: Provides the ability to use crash dumps as input to Volatility. This is accomplished through the use of stackable address spaces. Contributions from Andreas Schuster. * New Feature: get_available_pages() Files: forensics/x86.py Description: This functions allows an investigator to find all available pages within a particular address space. Thanks Brendan Dolan-Gavitt. * New Feature: zread() Files: forensics/x86.py forensics/addrspace.py forensics/win32/crash_addrspace.py Description: Added the ability to continuing reading even if pages are unavailable. Invalid pages are replaced with zeros. Thanks Brendan Dolan-Gavitt. 07.31.2007 Volatility-1.1.1 awalters * Virtual Address Descriptor modules: vadinfo, vaddump, vadwalk. Based on the research of Brendan Dolan-Gavitt to be presented at DFRWS 2007 * Constraint based linear scanning framework. New modules include psscan, thrdscan, sockscan, connscan. Inspired by the work of Andreas Schuster. * Completely open source. No third-party closed source dependencies. * Auto-identification speed enhancements * Bug fixes in network and socket modules * Removed symbol dependencies * Multiprocessor support ================================================ FILE: CREDITS.txt ================================================ =============================================== We would like to acknowledge individuals that have made significant contributions, code, or ideas toward the respective volatility releases. All lists are alphabetical. These lists exclude the core Volatility authors, who are identified in AUTHORS.txt. If you believe you've been left off, it is not intentional. Please bring it to our attention! =============================================== Volatility 2.6: jie-lin for fixing a pyinstaller NameError issue gcmoreira for fixing a recursive property issue in Linux plugins Adam Bridge for updating the EditBox plugin jie-lin for preventing a backtrace in the MBR parser plugin haco20292 for fixing a bug in linux_dmesg williamshowalter for updating mac_get_profile and convert.py for El Capitan support robbyFux for fixing a bug in the svcscan plugin f-s-p for adding unified output to the threads plugin Binary_Raider for adding the powershell empire plugins ozylol for updating create_all_profiles.py for Mac 10.11 JamesHabben for adjusting sqlite inserts to allow for more columns to exist in table Volatility 2.5: Adam Bridge for adding a --count option (humanly readable byte stats) to imagecopy/raw2dmp Sebastien Bourdon-Richard for various patches and bug fixes Bruno Constanzo for various patches to enhance performance/optimization Glenn P. Edwards, Jr for adding combined user/kernel scans, --case, and ascii/unicode options to yarascan @f-s-p for converting some plugins to unfied output format Cem Gurkok for submitting the mac_threads plugin Takahiro Haruyama for noticing and fixing a bug in impscan @masdif for contributing a fix for kernel 3.7+ in linux/module.c Wyatt Roersma for converting a large number of plugins to the unified output format Karl Vogel for pointing out an issue with IPv4 addresses on big endian systems Volatility 2.4: Steven Adair for assistance identifying a large memory PAE bug Sebastien Bourdon-Richard for his work on the VMware vmem/vmss split (with meta) AS Justin Capella and Espen Olsen for their work on the Qemu ELF core dumps Cem Gurkok for help updating Mac OS X support for 10.9 Matt McCormack for supplying a patch to rebase dumped PE files Stewart McIntyre for extending apihooks for detecting JMP FAR instructions Kevin Marker for contributing over 160 standard build Linux profiles synack33 for creating various Mac OS X profiles, including initial ones for 10.10 Raphaël Vinot for his patch to fix IPython within volshell Volatility 2.3: Cem Gurkok for his work on the privileges plugin for Windows Nir Izraeli for his work on the VMware snapshot address space (see also the vmsnparser project) @osxmem of the volafox project (Mac OS X & BSD Memory Analysis Toolkit) @osxreverser of reverse.put.as for his help with OSX memory analysis Carl Pulley for numerous bug reports, example patches, and plugin testing Andreas Schuster for his work on poison ivy plugins for Windows Joe Sylve for his work on the ARM address space and significant contributions to linux and mac capabilities Philippe Teuwen for his work on the virtual box address space Santiago Vicente for his work on the citadel plugins for Windows Volatility 2.2: ------------ Joe Sylve Volatility 2.1: ------------ --- Volatility 2.0: ------------ Frank Boldewin Carl Pulley Andreas Schuster Bradley Schatz Volatility 1.3: ------------ Harlan Carvey Michael Cohen David Collett Brendan Dolan-Gavitt Andreas Schuster Matthieu Suiche We would also like to acknowledge those who have provided valuable feedback, bug reports, and testing: Jide Abu Joseph Ayo Akinyele Tommaso Assandri Richard Austin Cameron C Caffee Eoghan Casey Angelo Cavallini Andre' DiMino Jon Evans Robert Guess Christian Herndler jeremie0 Jamie Levy Eugene Libster Erik Ligda Robert Lowe Tony Martin Timothy Morgan Bryan D. Payne Golden G. Richard III Wyatt Roersma RB Sam F. Stover Marko Thure ================================================ FILE: LEGAL.txt ================================================ Volatility =============== License ------- Copyright (C) 2007-2013 Volatility Foundation Volatility is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. Volatility is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with Volatility. If not, see . ================================================ FILE: LICENSE.txt ================================================ GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS ================================================ FILE: MANIFEST.in ================================================ include *.txt include *.win include MANIFEST.in include setup.py include resources/* include pyinstaller/*.py include volatility/*.py include contrib/plugins/*.py include contrib/plugins/aspaces/*.py include tools/*.py include tools/linux/* include tools/linux/pmem/* include tools/mac/*.py include vol.py include Makefile include pyinstaller.spec ================================================ FILE: Makefile ================================================ all: build build: python setup.py build install: python setup.py install dist: python setup.py sdist clean: rm -f `find . -name "*.pyc" -o -name "*~"` rm -rf dist build ================================================ FILE: PKG-INFO ================================================ Metadata-Version: 1.0 Name: Volatility Version: GC1 Summary: Volatility -- Volatile memory framwork Home-page: http://www.volatilityfoundation.org Author: AAron Walters Author-email: awalters@4tphi.net License: GPL Description: UNKNOWN Platform: UNKNOWN ================================================ FILE: README.txt ================================================ This project is archived. See Volatility 3 for modern investigations: https://github.com/volatilityfoundation/volatility3 ============================================================================ Volatility Framework - Volatile memory extraction utility framework ============================================================================ The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research. The Volatility distribution is available from: http://www.volatilityfoundation.org/#!releases/component_71401 Volatility should run on any platform that supports Python (http://www.python.org) Volatility supports investigations of the following memory images: Windows: * 32-bit Windows XP Service Pack 2 and 3 * 32-bit Windows 2003 Server Service Pack 0, 1, 2 * 32-bit Windows Vista Service Pack 0, 1, 2 * 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0) * 32-bit Windows 7 Service Pack 0, 1 * 32-bit Windows 8, 8.1, and 8.1 Update 1 * 32-bit Windows 10 (initial support) * 64-bit Windows XP Service Pack 1 and 2 (there is no SP0) * 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0) * 64-bit Windows Vista Service Pack 0, 1, 2 * 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0) * 64-bit Windows 2008 R2 Server Service Pack 0 and 1 * 64-bit Windows 7 Service Pack 0 and 1 * 64-bit Windows 8, 8.1, and 8.1 Update 1 * 64-bit Windows Server 2012 and 2012 R2 * 64-bit Windows 10 (including at least 10.0.19041) * 64-bit Windows Server 2016 (including at least 10.0.19041) Note: Please see the guidelines at the following link for notes on compatibility with recently patched Windows 7 (or later) memory samples: https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles Linux: * 32-bit Linux kernels 2.6.11 to 5.5 * 64-bit Linux kernels 2.6.11 to 5.5 * OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc Mac OSX: * 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported) * 32-bit 10.6.x Snow Leopard * 64-bit 10.6.x Snow Leopard * 32-bit 10.7.x Lion * 64-bit 10.7.x Lion * 64-bit 10.8.x Mountain Lion (there is no 32-bit version) * 64-bit 10.9.x Mavericks (there is no 32-bit version) * 64-bit 10.10.x Yosemite (there is no 32-bit version) * 64-bit 10.11.x El Capitan (there is no 32-bit version) * 64-bit 10.12.x Sierra (there is no 32-bit version) * 64-bit 10.13.x High Sierra (there is no 32-bit version)) * 64-bit 10.14.x Mojave (there is no 32-bit version) * 64-bit 10.15.x Catalina (there is no 32-bit version) Volatility does not provide memory sample acquisition capabilities. For acquisition, there are both free and commercial solutions available. If you would like suggestions about suitable acquisition solutions, please contact us at: volatility (at) volatilityfoundation (dot) org Volatility supports a variety of sample file formats and the ability to convert between these formats: - Raw linear sample (dd) - Hibernation file (from Windows 7 and earlier) - Crash dump file - VirtualBox ELF64 core dump - VMware saved state and snapshot files - EWF format (E01) - LiME format - Mach-O file format - QEMU virtual machine dumps - Firewire - HPAK (FDPro) For a more detailed list of capabilities, see the following: https://github.com/volatilityfoundation/volatility/wiki Also see the community plugins repository: https://github.com/volatilityfoundation/community Example Data ============ If you want to give Volatility a try, you can download exemplar memory images from the following url: https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples Mailing Lists ============= Mailing lists to support the users and developers of Volatility can be found at the following address: http://lists.volatilesystems.com/mailman/listinfo Contact ======= For information or requests, contact: Volatility Foundation Web: http://www.volatilityfoundation.org http://volatility-labs.blogspot.com http://volatility.tumblr.com Email: volatility (at) volatilityfoundation (dot) org IRC: #volatility on freenode Twitter: @volatility Requirements ============ - Python 2.6 or later, but not 3.0. http://www.python.org Some plugins may have other requirements which can be found at: https://github.com/volatilityfoundation/volatility/wiki/Installation Quick Start =========== 1. Unpack the latest version of Volatility from volatilityfoundation.org 2. To see available options, run "python vol.py -h" or "python vol.py --info" Example: $ python vol.py --info Volatility Foundation Volatility Framework 2.6 Address Spaces -------------- AMD64PagedMemory - Standard AMD 64-bit address space. ArmAddressSpace - Address space for ARM processors FileAddressSpace - This is a direct file AS. HPAKAddressSpace - This AS supports the HPAK format IA32PagedMemory - Standard IA-32 paging address space. IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible LimeAddressSpace - Address space for Lime LinuxAMD64PagedMemory - Linux-specific AMD 64-bit address space. MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader OSXPmemELF - This AS supports VirtualBox ELF64 coredump format QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format Win10AMD64PagedMemory - Windows 10-specific AMD 64-bit address space. WindowsAMD64PagedMemory - Windows-specific AMD 64-bit address space. WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files. Profiles -------- VistaSP0x64 - A Profile for Windows Vista SP0 x64 VistaSP0x86 - A Profile for Windows Vista SP0 x86 VistaSP1x64 - A Profile for Windows Vista SP1 x64 VistaSP1x86 - A Profile for Windows Vista SP1 x86 VistaSP2x64 - A Profile for Windows Vista SP2 x64 VistaSP2x86 - A Profile for Windows Vista SP2 x86 Win10x64 - A Profile for Windows 10 x64 Win10x64_10586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23) Win10x64_14393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16) Win10x86 - A Profile for Windows 10 x86 Win10x86_10586 - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28) Win10x86_14393 - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16) Win2003SP0x86 - A Profile for Windows 2003 SP0 x86 Win2003SP1x64 - A Profile for Windows 2003 SP1 x64 Win2003SP1x86 - A Profile for Windows 2003 SP1 x86 Win2003SP2x64 - A Profile for Windows 2003 SP2 x64 Win2003SP2x86 - A Profile for Windows 2003 SP2 x86 Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64 Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64 Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09) Win2008SP1x64 - A Profile for Windows 2008 SP1 x64 Win2008SP1x86 - A Profile for Windows 2008 SP1 x86 Win2008SP2x64 - A Profile for Windows 2008 SP2 x64 Win2008SP2x86 - A Profile for Windows 2008 SP2 x86 Win2012R2x64 - A Profile for Windows Server 2012 R2 x64 Win2012R2x64_18340 - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13) Win2012x64 - A Profile for Windows Server 2012 x64 Win2016x64_14393 - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16) Win7SP0x64 - A Profile for Windows 7 SP0 x64 Win7SP0x86 - A Profile for Windows 7 SP0 x86 Win7SP1x64 - A Profile for Windows 7 SP1 x64 Win7SP1x64_23418 - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09) Win7SP1x86 - A Profile for Windows 7 SP1 x86 Win7SP1x86_23418 - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09) Win81U1x64 - A Profile for Windows 8.1 Update 1 x64 Win81U1x86 - A Profile for Windows 8.1 Update 1 x86 Win8SP0x64 - A Profile for Windows 8 x64 Win8SP0x86 - A Profile for Windows 8 x86 Win8SP1x64 - A Profile for Windows 8.1 x64 Win8SP1x64_18340 - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13) Win8SP1x86 - A Profile for Windows 8.1 x86 WinXPSP1x64 - A Profile for Windows XP SP1 x64 WinXPSP2x64 - A Profile for Windows XP SP2 x64 WinXPSP2x86 - A Profile for Windows XP SP2 x86 WinXPSP3x86 - A Profile for Windows XP SP3 x86 Plugins ------- amcache - Print AmCache information apihooks - Detect API hooks in process and kernel memory atoms - Print session and window station atom tables atomscan - Pool scanner for atom tables auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv bigpools - Dump the big page pools using BigPagePoolScanner bioskbd - Reads the keyboard buffer from Real Mode memory cachedump - Dumps cached domain hashes from memory callbacks - Print system-wide notification routines clipboard - Extract the contents of the windows clipboard cmdline - Display process command-line arguments cmdscan - Extract command history by scanning for _COMMAND_HISTORY connections - Print list of open connections [Windows XP and 2003 Only] connscan - Pool scanner for tcp connections consoles - Extract command history by scanning for _CONSOLE_INFORMATION crashinfo - Dump crash-dump information deskscan - Poolscaner for tagDESKTOP (desktops) devicetree - Show device tree dlldump - Dump DLLs from a process address space dlllist - Print list of loaded dlls for each process driverirp - Driver IRP hook detection drivermodule - Associate driver objects to kernel modules driverscan - Pool scanner for driver objects dumpcerts - Dump RSA private and public SSL keys dumpfiles - Extract memory mapped and cached files dumpregistry - Dumps registry files out to disk editbox - Displays information about Edit controls. (Listbox experimental.) envars - Display process environment variables eventhooks - Print details on windows event hooks evtlogs - Extract Windows Event Logs (XP/2003 only) filescan - Pool scanner for file objects gahti - Dump the USER handle type information gditimers - Print installed GDI timers and callbacks gdt - Display Global Descriptor Table getservicesids - Get the names of services in the Registry and return Calculated SID getsids - Print the SIDs owning each process handles - Print list of open handles for each process hashdump - Dumps passwords hashes (LM/NTLM) from memory hibinfo - Dump hibernation file information hivedump - Prints out a hive hivelist - Print list of registry hives. hivescan - Pool scanner for registry hives hpakextract - Extract physical memory from an HPAK file hpakinfo - Info on an HPAK file idt - Display Interrupt Descriptor Table iehistory - Reconstruct Internet Explorer cache / history imagecopy - Copies a physical address space out as a raw DD image imageinfo - Identify information for the image impscan - Scan for calls to imported functions joblinks - Print process job link information kdbgscan - Search for and dump potential KDBG values kpcrscan - Search for and dump potential KPCR values ldrmodules - Detect unlinked DLLs limeinfo - Dump Lime file format information linux_apihooks - Checks for userland apihooks linux_arp - Print the ARP table linux_aslr_shift - Automatically detect the Linux ASLR shift linux_banner - Prints the Linux banner information linux_bash - Recover bash history from bash process memory linux_bash_env - Recover a process' dynamic environment variables linux_bash_hash - Recover bash hash table from bash process memory linux_check_afinfo - Verifies the operation function pointers of network protocols linux_check_creds - Checks if any processes are sharing credential structures linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking linux_check_fop - Check file operation structures for rootkit modifications linux_check_idt - Checks if the IDT has been altered linux_check_inline_kernel - Check for inline kernel hooks linux_check_modules - Compares module list to sysfs info, if available linux_check_syscall - Checks if the system call table has been altered linux_check_syscall_arm - Checks if the system call table has been altered linux_check_tty - Checks tty devices for hooks linux_cpuinfo - Prints info about each active processor linux_dentry_cache - Gather files from the dentry cache linux_dmesg - Gather dmesg buffer linux_dump_map - Writes selected memory mappings to disk linux_dynamic_env - Recover a process' dynamic environment variables linux_elfs - Find ELF binaries in process mappings linux_enumerate_files - Lists files referenced by the filesystem cache linux_find_file - Lists and recovers files from memory linux_getcwd - Lists current working directory of each process linux_hidden_modules - Carves memory to find hidden kernel modules linux_ifconfig - Gathers active interfaces linux_info_regs - It's like 'info registers' in GDB. It prints out all the linux_iomem - Provides output similar to /proc/iomem linux_kernel_opened_files - Lists files that are opened from within the kernel linux_keyboard_notifiers - Parses the keyboard notifier call chain linux_ldrmodules - Compares the output of proc maps with the list of libraries from libdl linux_library_list - Lists libraries loaded into a process linux_librarydump - Dumps shared libraries in process memory to disk linux_list_raw - List applications with promiscuous sockets linux_lsmod - Gather loaded kernel modules linux_lsof - Lists file descriptors and their path linux_malfind - Looks for suspicious process mappings linux_memmap - Dumps the memory map for linux tasks linux_moddump - Extract loaded kernel modules linux_mount - Gather mounted fs/devices linux_mount_cache - Gather mounted fs/devices from kmem_cache linux_netfilter - Lists Netfilter hooks linux_netscan - Carves for network connection structures linux_netstat - Lists open sockets linux_pidhashtable - Enumerates processes through the PID hash table linux_pkt_queues - Writes per-process packet queues out to disk linux_plthook - Scan ELF binaries' PLT for hooks to non-NEEDED images linux_proc_maps - Gathers process memory maps linux_proc_maps_rb - Gathers process maps for linux through the mappings red-black tree linux_procdump - Dumps a process's executable image to disk linux_process_hollow - Checks for signs of process hollowing linux_psaux - Gathers processes along with full command line and start time linux_psenv - Gathers processes along with their static environment variables linux_pslist - Gather active tasks by walking the task_struct->task list linux_pslist_cache - Gather tasks from the kmem_cache linux_psscan - Scan physical memory for processes linux_pstree - Shows the parent/child relationship between processes linux_psxview - Find hidden processes with various process listings linux_recover_filesystem - Recovers the entire cached file system from memory linux_route_cache - Recovers the routing cache from memory linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache linux_slabinfo - Mimics /proc/slabinfo on a running machine linux_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose) linux_threads - Prints threads of processes linux_tmpfs - Recovers tmpfs filesystems from memory linux_truecrypt_passphrase - Recovers cached Truecrypt passphrases linux_vma_cache - Gather VMAs from the vm_area_struct cache linux_volshell - Shell in the memory image linux_yarascan - A shell in the Linux memory image lsadump - Dump (decrypted) LSA secrets from the registry mac_adium - Lists Adium messages mac_apihooks - Checks for API hooks in processes mac_apihooks_kernel - Checks to see if system call and kernel functions are hooked mac_arp - Prints the arp table mac_bash - Recover bash history from bash process memory mac_bash_env - Recover bash's environment variables mac_bash_hash - Recover bash hash table from bash process memory mac_calendar - Gets calendar events from Calendar.app mac_check_fop - Validate File Operation Pointers mac_check_mig_table - Lists entires in the kernel's MIG table mac_check_syscall_shadow - Looks for shadow system call tables mac_check_syscalls - Checks to see if system call table entries are hooked mac_check_sysctl - Checks for unknown sysctl handlers mac_check_trap_table - Checks to see if mach trap table entries are hooked mac_compressed_swap - Prints Mac OS X VM compressor stats and dumps all compressed pages mac_contacts - Gets contact names from Contacts.app mac_dead_procs - Prints terminated/de-allocated processes mac_dead_sockets - Prints terminated/de-allocated network sockets mac_dead_vnodes - Lists freed vnode structures mac_devfs - Lists files in the file cache mac_dmesg - Prints the kernel debug buffer mac_dump_file - Dumps a specified file mac_dump_maps - Dumps memory ranges of process(es), optionally including pages in compressed swap mac_dyld_maps - Gets memory maps of processes from dyld data structures mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images mac_get_profile - Automatically detect Mac profiles mac_ifconfig - Lists network interface information for all devices mac_interest_handlers - Lists IOKit Interest Handlers mac_ip_filters - Reports any hooked IP filters mac_kernel_classes - Lists loaded c++ classes in the kernel mac_kevents - Show parent/child relationship of processes mac_keychaindump - Recovers possbile keychain keys. Use chainbreaker to open related keychain files mac_ldrmodules - Compares the output of proc maps with the list of libraries from libdl mac_librarydump - Dumps the executable of a process mac_list_files - Lists files in the file cache mac_list_kauth_listeners - Lists Kauth Scope listeners mac_list_kauth_scopes - Lists Kauth Scopes and their status mac_list_raw - List applications with promiscuous sockets mac_list_sessions - Enumerates sessions mac_list_zones - Prints active zones mac_lsmod - Lists loaded kernel modules mac_lsmod_iokit - Lists loaded kernel modules through IOkit mac_lsmod_kext_map - Lists loaded kernel modules mac_lsof - Lists per-process opened files mac_machine_info - Prints machine information about the sample mac_malfind - Looks for suspicious process mappings mac_memdump - Dump addressable memory pages to a file mac_moddump - Writes the specified kernel extension to disk mac_mount - Prints mounted device information mac_netstat - Lists active per-process network connections mac_network_conns - Lists network connections from kernel network structures mac_notesapp - Finds contents of Notes messages mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext) mac_orphan_threads - Lists threads that don't map back to known modules/processes mac_pgrp_hash_table - Walks the process group hash table mac_pid_hash_table - Walks the pid hash table mac_print_boot_cmdline - Prints kernel boot arguments mac_proc_maps - Gets memory maps of processes mac_procdump - Dumps the executable of a process mac_psaux - Prints processes with arguments in user land (**argv) mac_psenv - Prints processes with environment in user land (**envp) mac_pslist - List Running Processes mac_pstree - Show parent/child relationship of processes mac_psxview - Find hidden processes with various process listings mac_recover_filesystem - Recover the cached filesystem mac_route - Prints the routing table mac_socket_filters - Reports socket filters mac_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose) mac_tasks - List Active Tasks mac_threads - List Process Threads mac_threads_simple - Lists threads along with their start time and priority mac_timers - Reports timers set by kernel drivers mac_trustedbsd - Lists malicious trustedbsd policies mac_version - Prints the Mac version mac_vfsevents - Lists processes filtering file system events mac_volshell - Shell in the memory image mac_yarascan - Scan memory for yara signatures machoinfo - Dump Mach-O file format information malfind - Find hidden and injected code mbrparser - Scans for and parses potential Master Boot Records (MBRs) memdump - Dump the addressable memory for a process memmap - Print the memory map messagehooks - List desktop and thread window message hooks mftparser - Scans for and parses potential MFT entries moddump - Dump a kernel driver to an executable file sample modscan - Pool scanner for kernel modules modules - Print list of loaded modules multiscan - Scan for various objects at once mutantscan - Pool scanner for mutex objects netscan - Scan a Vista (or later) image for connections and sockets notepad - List currently displayed notepad text objtypescan - Scan for Windows object type objects patcher - Patches memory based on page scans poolpeek - Configurable pool scanner plugin pooltracker - Show a summary of pool tag usage printkey - Print a registry key, and its subkeys and values privs - Display process privileges procdump - Dump a process to an executable file sample pslist - Print all running processes by following the EPROCESS lists psscan - Pool scanner for process objects pstree - Print process list as a tree psxview - Find hidden processes with various process listings qemuinfo - Dump Qemu information raw2dmp - Converts a physical memory sample to a windbg crash dump screenshot - Save a pseudo-screenshot based on GDI windows servicediff - List Windows services (ala Plugx) sessions - List details on _MM_SESSION_SPACE (user logon sessions) shellbags - Prints ShellBags info shimcache - Parses the Application Compatibility Shim Cache registry key shutdowntime - Print ShutdownTime of machine from registry sockets - Print list of open sockets sockscan - Pool scanner for tcp socket objects ssdt - Display SSDT entries strings - Match physical offsets to virtual addresses (may take a while, VERY verbose) svcscan - Scan for Windows services symlinkscan - Pool scanner for symlink objects thrdscan - Pool scanner for thread objects threads - Investigate _ETHREAD and _KTHREADs timeliner - Creates a timeline from various artifacts in memory timers - Print kernel timers and associated module DPCs truecryptmaster - Recover TrueCrypt 7.1a Master Keys truecryptpassphrase - TrueCrypt Cached Passphrase Finder truecryptsummary - TrueCrypt Summary unloadedmodules - Print list of unloaded modules userassist - Print userassist registry keys and information userhandles - Dump the USER handle tables vaddump - Dumps out the vad sections to a file vadinfo - Dump the VAD info vadtree - Walk the VAD tree and display in tree format vadwalk - Walk the VAD tree vboxinfo - Dump virtualbox information verinfo - Prints out the version information from PE images vmwareinfo - Dump VMware VMSS/VMSN information volshell - Shell in the memory image win10cookie - Find the ObHeaderCookie value for Windows 10 windows - Print Desktop Windows (verbose details) wintree - Print Z-Order Desktop Windows Tree wndscan - Pool scanner for window stations yarascan - Scan process or kernel memory with Yara signatures 3. To get more information on a Windows memory sample and to make sure Volatility supports that sample type, run 'python vol.py imageinfo -f ' or 'python vol.py kdbgscan -f ' Example: $ python vol.py imageinfo -f WIN-II7VOJTUNGL-20120324-193051.raw Volatility Foundation Volatility Framework 2.6 Determining profile based on KDBG search... Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64) AS Layer1 : AMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw) PAE type : PAE DTB : 0x187000L KDBG : 0xf800016460a0 Number of Processors : 1 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff80001647d00L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2012-03-24 19:30:53 UTC+0000 Image local date and time : 2012-03-25 03:30:53 +0800 If multiple profiles are suggested by imageinfo or kdbgscan, or if you're having trouble analyzing Windows 7 or later memory samples, please see the guidelines here: https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles 4. Run some other plugins. -f is a required option for all plugins. Some also require/accept other options. Run "python vol.py -h" for more information on a particular command. A Command Reference wiki is also available on the GitHub site: https://github.com/volatilityfoundation/volatility/wiki as well as Basic Usage: https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage Licensing and Copyright ======================= Copyright (C) 2007-2016 Volatility Foundation All Rights Reserved Volatility is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. Volatility is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with Volatility. If not, see . Bugs and Support ================ There is no support provided with Volatility. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. If you think you've found a bug, please report it at: https://github.com/volatilityfoundation/volatility/issues In order to help us solve your issues as quickly as possible, please include the following information when filing a bug: * The version of volatility you're using * The operating system used to run volatility * The version of python used to run volatility * The suspected operating system of the memory image * The complete command line you used to run volatility Depending on the operating system of the memory image, you may need to provide additional information, such as: For Windows: * The suspected Service Pack of the memory image For Linux: * The suspected kernel version of the memory image Other options for communication can be found at: https://github.com/volatilityfoundation/volatility/wiki Missing or Truncated Information ================================ Volatility Foundation makes no claims about the validity or correctness of the output of Volatility. Many factors may contribute to the incorrectness of output from Volatility including, but not limited to, malicious modifications to the operating system, incomplete information due to swapping, and information corruption on image acquisition. Command Reference ==================== The following url contains a reference of all commands supported by Volatility. https://github.com/volatilityfoundation/volatility/wiki ================================================ FILE: contrib/__init__.py ================================================ ================================================ FILE: contrib/library_example/libapi.py ================================================ # Volatility # Copyright (c) 2015 Michael Ligh (michael.ligh@mnin.org) # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # import copy, StringIO, json import volatility.conf as conf import volatility.registry as registry import volatility.commands as commands import volatility.addrspace as addrspace registry.PluginImporter() def get_json(config, plugin_class): strio = StringIO.StringIO() plugin = plugin_class(copy.deepcopy(config)) plugin.render_json(strio, plugin.calculate()) return json.loads(strio.getvalue()) def get_config(profile, target_path): config = conf.ConfObject() registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = profile config.LOCATION = "file://{0}".format(target_path) return config ================================================ FILE: contrib/library_example/pslist_json.py ================================================ # Volatility # Copyright (c) 2015 Michael Ligh (michael.ligh@mnin.org) # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # import sys import volatility.plugins.taskmods as taskmods import libapi def main(): ## sys.argv[1] = volatility profile ## sys.argv[2] = full path on disk to your memory sample config = libapi.get_config(sys.argv[1], sys.argv[2]) data = libapi.get_json(config, taskmods.PSList) ## `data` now contains json with two keys: `columns` and `rows`, where `columns` ## contains a list of column headings (matching the corresponding volatility ## plugin output) and `rows` contains a list of the values for each object found. ## you can either print/save all columns, or you can drill down to a particular ## column by getting the desired column's index as shown below and then accessing ## the index in each row. the following example prints each process' name. name_index = data['columns'].index('Name') for row in data['rows']: print row[name_index] if __name__ == "__main__": main() ================================================ FILE: contrib/plugins/README.md ================================================ Plugins in this directory have moved. Please see the github.com/volatilityfoundation/community repository. ================================================ FILE: contrib/plugins/__init__.py ================================================ ================================================ FILE: contrib/plugins/aspaces/README.md ================================================ Plugins in this directory have moved. Please see the github.com/volatilityfoundation/community repository. ================================================ FILE: contrib/plugins/disablewarnings.py ================================================ # Volatility # # Authors: # Mike Auty # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # import volatility.conf as conf import logging config = conf.ConfObject() def disable_warnings(_option, _opt_str, _value, _parser): """Sets the location variable in the parser to the filename in question""" rootlogger = logging.getLogger('') rootlogger.setLevel(logging.WARNING + 1) config.add_option("WARNINGS", default = False, action = "callback", callback = disable_warnings, short_option = 'W', nargs = 0, help = "Disable warning messages") ================================================ FILE: contrib/plugins/example.py ================================================ # Volatility # # Authors: # Mike Auty # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # import volatility.timefmt as timefmt import volatility.obj as obj import volatility.utils as utils import volatility.commands as commands #pylint: disable-msg=C0111 class DateTime(commands.Command): """A simple example plugin that gets the date/time information from a Windows image""" def calculate(self): """Calculate and carry out any processing that may take time upon the image""" # Load the address space addr_space = utils.load_as(self._config) # Call a subfunction so that it can be used by other plugins return self.get_image_time(addr_space) def get_image_time(self, addr_space): """Extracts the time and date from the KUSER_SHARED_DATA area""" # Get the Image Datetime result = {} # Create a VOLATILITY_MAGIC object to look up the location of certain constants # Get the KUSER_SHARED_DATA location KUSER_SHARED_DATA = obj.VolMagic(addr_space).KUSER_SHARED_DATA.v() # Create the _KUSER_SHARED_DATA object at the appropriate offset k = obj.Object("_KUSER_SHARED_DATA", offset = KUSER_SHARED_DATA, vm = addr_space) # Start reading members from it result['ImageDatetime'] = k.SystemTime result['ImageTz'] = timefmt.OffsetTzInfo(-k.TimeZoneBias.as_windows_timestamp() / 10000000) # Return any results we got return result def render_text(self, outfd, data): """Renders the calculated data as text to outfd""" # Convert the result into a datetime object for display in local and non local format dt = data['ImageDatetime'].as_datetime() # Display the datetime in UTC as taken from the image outfd.write("Image date and time : {0}\n".format(data['ImageDatetime'])) # Display the datetime taking into account the timezone of the image itself outfd.write("Image local date and time : {0}\n".format(timefmt.display_datetime(dt, data['ImageTz']))) ================================================ FILE: contrib/plugins/malware/README.md ================================================ Plugins in this directory have moved. Please see the github.com/volatilityfoundation/community repository. ================================================ FILE: pyinstaller/hook-distorm3.py ================================================ # Distorm3 hook # # This currently contains the hardcoded location for the standard distorm3.dll install # It could be improved by carrying out a search, or using sys.path # # This also requires the distorm3 module to be modified with the following patch: # import sys # if hasattr(sys, '_MEIPASS'): # _distorm_path = sys._MEIPASS import os import sys datas = [] for path in sys.path: if os.path.exists(os.path.join(path, "distorm3", "distorm3.dll")): datas.append((os.path.join(path, "distorm3", "distorm3.dll"), ".")) if os.path.exists(os.path.join(path, "distorm3", "libdistorm3.so")): datas.append((os.path.join(path, "distorm3", "libdistorm3.so"), ".")) ================================================ FILE: pyinstaller/hook-openpyxl.py ================================================ # Openpyxl hook # # This currently contains the hardcoded location for the .constants.json file # It could be improved by carrying out a search, or using sys.path # # This also requires the openpyxl module to be modified with the following patch: # import sys # if hasattr(sys, '_MEIPASS'): # here = sys._MEIPASS import os import sys datas = [] for path in sys.path: if os.path.exists(os.path.join(path, "openpyxl", ".constants.json")): datas.append((os.path.join(path, "openpyxl", ".constants.json"), ".")) ================================================ FILE: pyinstaller/hook-volatility.py ================================================ import os projpath = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) modules = set(['volatility.plugins']) for dirpath, _dirnames, filenames in os.walk(os.path.join(projpath, 'volatility', 'plugins')): dirpath = dirpath[len(os.path.join(projpath, 'volatility', 'plugins')):] if dirpath and dirpath[0] == os.path.sep: dirpath = dirpath[1:] for filename in filenames: path = os.path.join(dirpath, os.path.splitext(filename)[0]) if "/." in path: continue if "__" in path: continue path = path.replace("-", "_") path = path.replace(os.path.sep, ".") modules.add("volatility.plugins." + path) hiddenimports = list(modules) ================================================ FILE: pyinstaller/hook-yara.py ================================================ import os import sys datas = [] for path in sys.path: if os.path.exists(os.path.join(path, "yara.pyd")): datas.append((os.path.join(path, "yara.pyd"), ".")) if os.path.exists(os.path.join(path, "yara.so")): datas.append((os.path.join(path, "yara.so"), ".")) ================================================ FILE: pyinstaller.spec ================================================ # -*- mode: python -*- import sys projpath = os.path.dirname(os.path.abspath(SPEC)) def get_plugins(list): for item in list: if item[0].startswith('volatility.plugins') and not (item[0] == 'volatility.plugins' and '__init__.py' in item[1]): yield item exeext = ".exe" if sys.platform.startswith("win") else "" a = Analysis([os.path.join(projpath, 'vol.py')], pathex = [HOMEPATH], hookspath = [os.path.join(projpath, 'pyinstaller')]) pyz = PYZ(a.pure) plugins = Tree(os.path.join(projpath, 'volatility', 'plugins'), os.path.join('plugins')) exe = EXE(pyz, a.scripts + [('u', '', 'OPTION')], a.binaries, a.zipfiles, a.datas, plugins, name = os.path.join(projpath, 'dist', 'pyinstaller', 'volatility' + exeext), debug = False, strip = False, upx = True, icon = os.path.join(projpath, 'resources', 'volatility.ico'), console = 1) ================================================ FILE: setup.py ================================================ #!/usr/bin/env python # Volatility # # Authors: # AAron Walters # Mike Auty # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # try: from setuptools import setup except ImportError: from distutils.core import setup import volatility.constants import sys import os py2exe_available = True try: import py2exe #pylint: disable-msg=W0611,F0401 except ImportError: py2exe_available = False def find_files(topdirs, py = False): """Lists all python files under any topdir from the topdirs lists. Returns an appropriate list for data_files, with source and destination directories the same""" ret = [] for topdir in topdirs: for r, _ds, fs in os.walk(topdir): ret.append((r, [ os.path.join(r, f) for f in fs if (f.endswith('.py') or not py)])) return ret opts = {} opts['name'] = "volatility" opts['version'] = volatility.constants.VERSION opts['description'] = "Volatility -- Volatile memory framework" opts['author'] = "AAron Walters" opts['author_email'] = "awalters@4tphi.net" opts['url'] = "http://www.volatilityfoundation.org" opts['license'] = "GPL" opts['scripts'] = ["vol.py"] opts['packages'] = ["volatility", "volatility.win32", "volatility.renderers", "volatility.plugins", "volatility.plugins.addrspaces", "volatility.plugins.overlays", "volatility.plugins.overlays.windows", "volatility.plugins.overlays.linux", "volatility.plugins.overlays.mac", "volatility.plugins.gui", "volatility.plugins.gui.vtypes", "volatility.plugins.linux", "volatility.plugins.registry", "volatility.plugins.malware", "volatility.plugins.mac"] opts['data_files'] = find_files(['contrib'], py = True) + find_files(['tools']) if py2exe_available: py2exe_distdir = 'dist/py2exe' opts['console'] = [{ 'script': 'vol.py', 'icon_resources': [(1, 'resources/volatility.ico')] }] # Optimize must be 1 for plugins that use docstring for the help value, # otherwise the help gets optimized out opts['options'] = {'py2exe':{'optimize': 1, 'dist_dir': py2exe_distdir, 'packages': opts['packages'] + ['socket', 'ctypes', 'Crypto.Cipher', 'urllib', 'distorm3', 'yara', 'xml.etree.ElementTree'], # This, along with zipfile = None, ensures a single binary 'bundle_files': 1, } } opts['zipfile'] = None distrib = setup(**opts) #pylint: disable-msg=W0142 if 'py2exe' in sys.argv: # Any py2exe specific files or things that need doing can go in here pass ================================================ FILE: tools/doxygen/config ================================================ # Doxyfile 1.8.7 # This file describes the settings to be used by the documentation system # doxygen (www.doxygen.org) for a project. # # All text after a double hash (##) is considered a comment and is placed in # front of the TAG it is preceding. # # All text after a single hash (#) is considered a comment and will be ignored. # The format is: # TAG = value [value, ...] # For lists, items can also be appended using: # TAG += value [value, ...] # Values that contain spaces should be placed between quotes (\" \"). #--------------------------------------------------------------------------- # Project related configuration options #--------------------------------------------------------------------------- # This tag specifies the encoding used for all characters in the config file # that follow. The default is UTF-8 which is also the encoding used for all text # before the first occurrence of this tag. Doxygen uses libiconv (or the iconv # built into libc) for the transcoding. See http://www.gnu.org/software/libiconv # for the list of possible encodings. # The default value is: UTF-8. DOXYFILE_ENCODING = UTF-8 # The PROJECT_NAME tag is a single word (or a sequence of words surrounded by # double-quotes, unless you are using Doxywizard) that should identify the # project for which the documentation is generated. This name is used in the # title of most generated pages and in a few other places. # The default value is: My Project. PROJECT_NAME = "The Volatility Framework" # The PROJECT_NUMBER tag can be used to enter a project or revision number. This # could be handy for archiving the generated documentation or if some version # control system is used. PROJECT_NUMBER = # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a # quick idea about the purpose of the project. Keep the description short. PROJECT_BRIEF = # With the PROJECT_LOGO tag one can specify an logo or icon that is included in # the documentation. The maximum height of the logo should not exceed 55 pixels # and the maximum width should not exceed 200 pixels. Doxygen will copy the logo # to the output directory. PROJECT_LOGO = ./tools/doxygen/vol.png # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path # into which the generated documentation will be written. If a relative path is # entered, it will be relative to the location where doxygen was started. If # left blank the current directory will be used. OUTPUT_DIRECTORY = ./tools/doxygen/output # If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 4096 sub- # directories (in 2 levels) under the output directory of each output format and # will distribute the generated files over these directories. Enabling this # option can be useful when feeding doxygen a huge amount of source files, where # putting all generated files in the same directory would otherwise causes # performance problems for the file system. # The default value is: NO. CREATE_SUBDIRS = YES # If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII # characters to appear in the names of generated files. If set to NO, non-ASCII # characters will be escaped, for example _xE3_x81_x84 will be used for Unicode # U+3044. # The default value is: NO. ALLOW_UNICODE_NAMES = NO # The OUTPUT_LANGUAGE tag is used to specify the language in which all # documentation generated by doxygen is written. Doxygen will use this # information to generate all constant output in the proper language. # Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Catalan, Chinese, # Chinese-Traditional, Croatian, Czech, Danish, Dutch, English (United States), # Esperanto, Farsi (Persian), Finnish, French, German, Greek, Hungarian, # Indonesian, Italian, Japanese, Japanese-en (Japanese with English messages), # Korean, Korean-en (Korean with English messages), Latvian, Lithuanian, # Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, Romanian, Russian, # Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, Swedish, Turkish, # Ukrainian and Vietnamese. # The default value is: English. OUTPUT_LANGUAGE = English # If the BRIEF_MEMBER_DESC tag is set to YES doxygen will include brief member # descriptions after the members that are listed in the file and class # documentation (similar to Javadoc). Set to NO to disable this. # The default value is: YES. BRIEF_MEMBER_DESC = YES # If the REPEAT_BRIEF tag is set to YES doxygen will prepend the brief # description of a member or function before the detailed description # # Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the # brief descriptions will be completely suppressed. # The default value is: YES. REPEAT_BRIEF = YES # This tag implements a quasi-intelligent brief description abbreviator that is # used to form the text in various listings. Each string in this list, if found # as the leading text of the brief description, will be stripped from the text # and the result, after processing the whole list, is used as the annotated # text. Otherwise, the brief description is used as-is. If left blank, the # following values are used ($name is automatically replaced with the name of # the entity):The $name class, The $name widget, The $name file, is, provides, # specifies, contains, represents, a, an and the. ABBREVIATE_BRIEF = # If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then # doxygen will generate a detailed section even if there is only a brief # description. # The default value is: NO. ALWAYS_DETAILED_SEC = NO # If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all # inherited members of a class in the documentation of that class as if those # members were ordinary class members. Constructors, destructors and assignment # operators of the base classes will not be shown. # The default value is: NO. INLINE_INHERITED_MEMB = NO # If the FULL_PATH_NAMES tag is set to YES doxygen will prepend the full path # before files name in the file list and in the header files. If set to NO the # shortest path that makes the file name unique will be used # The default value is: YES. FULL_PATH_NAMES = YES # The STRIP_FROM_PATH tag can be used to strip a user-defined part of the path. # Stripping is only done if one of the specified strings matches the left-hand # part of the path. The tag can be used to show relative paths in the file list. # If left blank the directory from which doxygen is run is used as the path to # strip. # # Note that you can specify absolute paths here, but also relative paths, which # will be relative from the directory where doxygen is started. # This tag requires that the tag FULL_PATH_NAMES is set to YES. STRIP_FROM_PATH = # The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the # path mentioned in the documentation of a class, which tells the reader which # header file to include in order to use a class. If left blank only the name of # the header file containing the class definition is used. Otherwise one should # specify the list of include paths that are normally passed to the compiler # using the -I flag. STRIP_FROM_INC_PATH = # If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but # less readable) file names. This can be useful is your file systems doesn't # support long names like on DOS, Mac, or CD-ROM. # The default value is: NO. SHORT_NAMES = NO # If the JAVADOC_AUTOBRIEF tag is set to YES then doxygen will interpret the # first line (until the first dot) of a Javadoc-style comment as the brief # description. If set to NO, the Javadoc-style will behave just like regular Qt- # style comments (thus requiring an explicit @brief command for a brief # description.) # The default value is: NO. JAVADOC_AUTOBRIEF = NO # If the QT_AUTOBRIEF tag is set to YES then doxygen will interpret the first # line (until the first dot) of a Qt-style comment as the brief description. If # set to NO, the Qt-style will behave just like regular Qt-style comments (thus # requiring an explicit \brief command for a brief description.) # The default value is: NO. QT_AUTOBRIEF = NO # The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make doxygen treat a # multi-line C++ special comment block (i.e. a block of //! or /// comments) as # a brief description. This used to be the default behavior. The new default is # to treat a multi-line C++ comment block as a detailed description. Set this # tag to YES if you prefer the old behavior instead. # # Note that setting this tag to YES also means that rational rose comments are # not recognized any more. # The default value is: NO. MULTILINE_CPP_IS_BRIEF = NO # If the INHERIT_DOCS tag is set to YES then an undocumented member inherits the # documentation from any documented member that it re-implements. # The default value is: YES. INHERIT_DOCS = YES # If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce a # new page for each member. If set to NO, the documentation of a member will be # part of the file/class/namespace that contains it. # The default value is: NO. SEPARATE_MEMBER_PAGES = NO # The TAB_SIZE tag can be used to set the number of spaces in a tab. Doxygen # uses this value to replace tabs by spaces in code fragments. # Minimum value: 1, maximum value: 16, default value: 4. TAB_SIZE = 4 # This tag can be used to specify a number of aliases that act as commands in # the documentation. An alias has the form: # name=value # For example adding # "sideeffect=@par Side Effects:\n" # will allow you to put the command \sideeffect (or @sideeffect) in the # documentation, which will result in a user-defined paragraph with heading # "Side Effects:". You can put \n's in the value part of an alias to insert # newlines. ALIASES = # This tag can be used to specify a number of word-keyword mappings (TCL only). # A mapping has the form "name=value". For example adding "class=itcl::class" # will allow you to use the command class in the itcl::class meaning. TCL_SUBST = # Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources # only. Doxygen will then generate output that is more tailored for C. For # instance, some of the names that are used will be different. The list of all # members will be omitted, etc. # The default value is: NO. OPTIMIZE_OUTPUT_FOR_C = NO # Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java or # Python sources only. Doxygen will then generate output that is more tailored # for that language. For instance, namespaces will be presented as packages, # qualified scopes will look different, etc. # The default value is: NO. OPTIMIZE_OUTPUT_JAVA = NO # Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran # sources. Doxygen will then generate output that is tailored for Fortran. # The default value is: NO. OPTIMIZE_FOR_FORTRAN = NO # Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL # sources. Doxygen will then generate output that is tailored for VHDL. # The default value is: NO. OPTIMIZE_OUTPUT_VHDL = NO # Doxygen selects the parser to use depending on the extension of the files it # parses. With this tag you can assign which parser to use for a given # extension. Doxygen has a built-in mapping, but you can override or extend it # using this tag. The format is ext=language, where ext is a file extension, and # language is one of the parsers supported by doxygen: IDL, Java, Javascript, # C#, C, C++, D, PHP, Objective-C, Python, Fortran (fixed format Fortran: # FortranFixed, free formatted Fortran: FortranFree, unknown formatted Fortran: # Fortran. In the later case the parser tries to guess whether the code is fixed # or free formatted code, this is the default for Fortran type files), VHDL. For # instance to make doxygen treat .inc files as Fortran files (default is PHP), # and .f files as C (default is Fortran), use: inc=Fortran f=C. # # Note For files without extension you can use no_extension as a placeholder. # # Note that for custom extensions you also need to set FILE_PATTERNS otherwise # the files are not read by doxygen. EXTENSION_MAPPING = # If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments # according to the Markdown format, which allows for more readable # documentation. See http://daringfireball.net/projects/markdown/ for details. # The output of markdown processing is further processed by doxygen, so you can # mix doxygen, HTML, and XML commands with Markdown formatting. Disable only in # case of backward compatibilities issues. # The default value is: YES. MARKDOWN_SUPPORT = YES # When enabled doxygen tries to link words that correspond to documented # classes, or namespaces to their corresponding documentation. Such a link can # be prevented in individual cases by by putting a % sign in front of the word # or globally by setting AUTOLINK_SUPPORT to NO. # The default value is: YES. AUTOLINK_SUPPORT = YES # If you use STL classes (i.e. std::string, std::vector, etc.) but do not want # to include (a tag file for) the STL sources as input, then you should set this # tag to YES in order to let doxygen match functions declarations and # definitions whose arguments contain STL classes (e.g. func(std::string); # versus func(std::string) {}). This also make the inheritance and collaboration # diagrams that involve STL classes more complete and accurate. # The default value is: NO. BUILTIN_STL_SUPPORT = NO # If you use Microsoft's C++/CLI language, you should set this option to YES to # enable parsing support. # The default value is: NO. CPP_CLI_SUPPORT = NO # Set the SIP_SUPPORT tag to YES if your project consists of sip (see: # http://www.riverbankcomputing.co.uk/software/sip/intro) sources only. Doxygen # will parse them like normal C++ but will assume all classes use public instead # of private inheritance when no explicit protection keyword is present. # The default value is: NO. SIP_SUPPORT = NO # For Microsoft's IDL there are propget and propput attributes to indicate # getter and setter methods for a property. Setting this option to YES will make # doxygen to replace the get and set methods by a property in the documentation. # This will only work if the methods are indeed getting or setting a simple # type. If this is not the case, or you want to show the methods anyway, you # should set this option to NO. # The default value is: YES. IDL_PROPERTY_SUPPORT = YES # If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC # tag is set to YES, then doxygen will reuse the documentation of the first # member in the group (if any) for the other members of the group. By default # all members of a group must be documented explicitly. # The default value is: NO. DISTRIBUTE_GROUP_DOC = NO # Set the SUBGROUPING tag to YES to allow class member groups of the same type # (for instance a group of public functions) to be put as a subgroup of that # type (e.g. under the Public Functions section). Set it to NO to prevent # subgrouping. Alternatively, this can be done per class using the # \nosubgrouping command. # The default value is: YES. SUBGROUPING = YES # When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and unions # are shown inside the group in which they are included (e.g. using \ingroup) # instead of on a separate page (for HTML and Man pages) or section (for LaTeX # and RTF). # # Note that this feature does not work in combination with # SEPARATE_MEMBER_PAGES. # The default value is: NO. INLINE_GROUPED_CLASSES = NO # When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and unions # with only public data fields or simple typedef fields will be shown inline in # the documentation of the scope in which they are defined (i.e. file, # namespace, or group documentation), provided this scope is documented. If set # to NO, structs, classes, and unions are shown on a separate page (for HTML and # Man pages) or section (for LaTeX and RTF). # The default value is: NO. INLINE_SIMPLE_STRUCTS = NO # When TYPEDEF_HIDES_STRUCT tag is enabled, a typedef of a struct, union, or # enum is documented as struct, union, or enum with the name of the typedef. So # typedef struct TypeS {} TypeT, will appear in the documentation as a struct # with name TypeT. When disabled the typedef will appear as a member of a file, # namespace, or class. And the struct will be named TypeS. This can typically be # useful for C code in case the coding convention dictates that all compound # types are typedef'ed and only the typedef is referenced, never the tag name. # The default value is: NO. TYPEDEF_HIDES_STRUCT = NO # The size of the symbol lookup cache can be set using LOOKUP_CACHE_SIZE. This # cache is used to resolve symbols given their name and scope. Since this can be # an expensive process and often the same symbol appears multiple times in the # code, doxygen keeps a cache of pre-resolved symbols. If the cache is too small # doxygen will become slower. If the cache is too large, memory is wasted. The # cache size is given by this formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range # is 0..9, the default is 0, corresponding to a cache size of 2^16=65536 # symbols. At the end of a run doxygen will report the cache usage and suggest # the optimal cache size from a speed point of view. # Minimum value: 0, maximum value: 9, default value: 0. LOOKUP_CACHE_SIZE = 0 #--------------------------------------------------------------------------- # Build related configuration options #--------------------------------------------------------------------------- # If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in # documentation are documented, even if no documentation was available. Private # class members and static file members will be hidden unless the # EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES. # Note: This will also disable the warnings about undocumented members that are # normally produced when WARNINGS is set to YES. # The default value is: NO. EXTRACT_ALL = NO # If the EXTRACT_PRIVATE tag is set to YES all private members of a class will # be included in the documentation. # The default value is: NO. EXTRACT_PRIVATE = NO # If the EXTRACT_PACKAGE tag is set to YES all members with package or internal # scope will be included in the documentation. # The default value is: NO. EXTRACT_PACKAGE = NO # If the EXTRACT_STATIC tag is set to YES all static members of a file will be # included in the documentation. # The default value is: NO. EXTRACT_STATIC = NO # If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) defined # locally in source files will be included in the documentation. If set to NO # only classes defined in header files are included. Does not have any effect # for Java sources. # The default value is: YES. EXTRACT_LOCAL_CLASSES = YES # This flag is only useful for Objective-C code. When set to YES local methods, # which are defined in the implementation section but not in the interface are # included in the documentation. If set to NO only methods in the interface are # included. # The default value is: NO. EXTRACT_LOCAL_METHODS = NO # If this flag is set to YES, the members of anonymous namespaces will be # extracted and appear in the documentation as a namespace called # 'anonymous_namespace{file}', where file will be replaced with the base name of # the file that contains the anonymous namespace. By default anonymous namespace # are hidden. # The default value is: NO. EXTRACT_ANON_NSPACES = NO # If the HIDE_UNDOC_MEMBERS tag is set to YES, doxygen will hide all # undocumented members inside documented classes or files. If set to NO these # members will be included in the various overviews, but no documentation # section is generated. This option has no effect if EXTRACT_ALL is enabled. # The default value is: NO. HIDE_UNDOC_MEMBERS = NO # If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all # undocumented classes that are normally visible in the class hierarchy. If set # to NO these classes will be included in the various overviews. This option has # no effect if EXTRACT_ALL is enabled. # The default value is: NO. HIDE_UNDOC_CLASSES = NO # If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend # (class|struct|union) declarations. If set to NO these declarations will be # included in the documentation. # The default value is: NO. HIDE_FRIEND_COMPOUNDS = NO # If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any # documentation blocks found inside the body of a function. If set to NO these # blocks will be appended to the function's detailed documentation block. # The default value is: NO. HIDE_IN_BODY_DOCS = NO # The INTERNAL_DOCS tag determines if documentation that is typed after a # \internal command is included. If the tag is set to NO then the documentation # will be excluded. Set it to YES to include the internal documentation. # The default value is: NO. INTERNAL_DOCS = NO # If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file # names in lower-case letters. If set to YES upper-case letters are also # allowed. This is useful if you have classes or files whose names only differ # in case and if your file system supports case sensitive file names. Windows # and Mac users are advised to set this option to NO. # The default value is: system dependent. CASE_SENSE_NAMES = NO # If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with # their full class and namespace scopes in the documentation. If set to YES the # scope will be hidden. # The default value is: NO. HIDE_SCOPE_NAMES = NO # If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of # the files that are included by a file in the documentation of that file. # The default value is: YES. SHOW_INCLUDE_FILES = YES # If the SHOW_GROUPED_MEMB_INC tag is set to YES then Doxygen will add for each # grouped member an include statement to the documentation, telling the reader # which file to include in order to use the member. # The default value is: NO. SHOW_GROUPED_MEMB_INC = NO # If the FORCE_LOCAL_INCLUDES tag is set to YES then doxygen will list include # files with double quotes in the documentation rather than with sharp brackets. # The default value is: NO. FORCE_LOCAL_INCLUDES = NO # If the INLINE_INFO tag is set to YES then a tag [inline] is inserted in the # documentation for inline members. # The default value is: YES. INLINE_INFO = YES # If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the # (detailed) documentation of file and class members alphabetically by member # name. If set to NO the members will appear in declaration order. # The default value is: YES. SORT_MEMBER_DOCS = YES # If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief # descriptions of file, namespace and class members alphabetically by member # name. If set to NO the members will appear in declaration order. Note that # this will also influence the order of the classes in the class list. # The default value is: NO. SORT_BRIEF_DOCS = NO # If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen will sort the # (brief and detailed) documentation of class members so that constructors and # destructors are listed first. If set to NO the constructors will appear in the # respective orders defined by SORT_BRIEF_DOCS and SORT_MEMBER_DOCS. # Note: If SORT_BRIEF_DOCS is set to NO this option is ignored for sorting brief # member documentation. # Note: If SORT_MEMBER_DOCS is set to NO this option is ignored for sorting # detailed member documentation. # The default value is: NO. SORT_MEMBERS_CTORS_1ST = NO # If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the hierarchy # of group names into alphabetical order. If set to NO the group names will # appear in their defined order. # The default value is: NO. SORT_GROUP_NAMES = NO # If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be sorted by # fully-qualified names, including namespaces. If set to NO, the class list will # be sorted only by class name, not including the namespace part. # Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. # Note: This option applies only to the class list, not to the alphabetical # list. # The default value is: NO. SORT_BY_SCOPE_NAME = NO # If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to do proper # type resolution of all parameters of a function it will reject a match between # the prototype and the implementation of a member function even if there is # only one candidate or it is obvious which candidate to choose by doing a # simple string match. By disabling STRICT_PROTO_MATCHING doxygen will still # accept a match between prototype and implementation in such cases. # The default value is: NO. STRICT_PROTO_MATCHING = NO # The GENERATE_TODOLIST tag can be used to enable ( YES) or disable ( NO) the # todo list. This list is created by putting \todo commands in the # documentation. # The default value is: YES. GENERATE_TODOLIST = YES # The GENERATE_TESTLIST tag can be used to enable ( YES) or disable ( NO) the # test list. This list is created by putting \test commands in the # documentation. # The default value is: YES. GENERATE_TESTLIST = YES # The GENERATE_BUGLIST tag can be used to enable ( YES) or disable ( NO) the bug # list. This list is created by putting \bug commands in the documentation. # The default value is: YES. GENERATE_BUGLIST = YES # The GENERATE_DEPRECATEDLIST tag can be used to enable ( YES) or disable ( NO) # the deprecated list. This list is created by putting \deprecated commands in # the documentation. # The default value is: YES. GENERATE_DEPRECATEDLIST= YES # The ENABLED_SECTIONS tag can be used to enable conditional documentation # sections, marked by \if ... \endif and \cond # ... \endcond blocks. ENABLED_SECTIONS = # The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the # initial value of a variable or macro / define can have for it to appear in the # documentation. If the initializer consists of more lines than specified here # it will be hidden. Use a value of 0 to hide initializers completely. The # appearance of the value of individual variables and macros / defines can be # controlled using \showinitializer or \hideinitializer command in the # documentation regardless of this setting. # Minimum value: 0, maximum value: 10000, default value: 30. MAX_INITIALIZER_LINES = 30 # Set the SHOW_USED_FILES tag to NO to disable the list of files generated at # the bottom of the documentation of classes and structs. If set to YES the list # will mention the files that were used to generate the documentation. # The default value is: YES. SHOW_USED_FILES = YES # Set the SHOW_FILES tag to NO to disable the generation of the Files page. This # will remove the Files entry from the Quick Index and from the Folder Tree View # (if specified). # The default value is: YES. SHOW_FILES = YES # Set the SHOW_NAMESPACES tag to NO to disable the generation of the Namespaces # page. This will remove the Namespaces entry from the Quick Index and from the # Folder Tree View (if specified). # The default value is: YES. SHOW_NAMESPACES = YES # The FILE_VERSION_FILTER tag can be used to specify a program or script that # doxygen should invoke to get the current version for each file (typically from # the version control system). Doxygen will invoke the program by executing (via # popen()) the command command input-file, where command is the value of the # FILE_VERSION_FILTER tag, and input-file is the name of an input file provided # by doxygen. Whatever the program writes to standard output is used as the file # version. For an example see the documentation. FILE_VERSION_FILTER = # The LAYOUT_FILE tag can be used to specify a layout file which will be parsed # by doxygen. The layout file controls the global structure of the generated # output files in an output format independent way. To create the layout file # that represents doxygen's defaults, run doxygen with the -l option. You can # optionally specify a file name after the option, if omitted DoxygenLayout.xml # will be used as the name of the layout file. # # Note that if you run doxygen from a directory containing a file called # DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE # tag is left empty. LAYOUT_FILE = # The CITE_BIB_FILES tag can be used to specify one or more bib files containing # the reference definitions. This must be a list of .bib files. The .bib # extension is automatically appended if omitted. This requires the bibtex tool # to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info. # For LaTeX the style of the bibliography can be controlled using # LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the # search path. Do not use file names with spaces, bibtex cannot handle them. See # also \cite for info how to create references. CITE_BIB_FILES = #--------------------------------------------------------------------------- # Configuration options related to warning and progress messages #--------------------------------------------------------------------------- # The QUIET tag can be used to turn on/off the messages that are generated to # standard output by doxygen. If QUIET is set to YES this implies that the # messages are off. # The default value is: NO. QUIET = NO # The WARNINGS tag can be used to turn on/off the warning messages that are # generated to standard error ( stderr) by doxygen. If WARNINGS is set to YES # this implies that the warnings are on. # # Tip: Turn warnings on while writing the documentation. # The default value is: YES. WARNINGS = YES # If the WARN_IF_UNDOCUMENTED tag is set to YES, then doxygen will generate # warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag # will automatically be disabled. # The default value is: YES. WARN_IF_UNDOCUMENTED = YES # If the WARN_IF_DOC_ERROR tag is set to YES, doxygen will generate warnings for # potential errors in the documentation, such as not documenting some parameters # in a documented function, or documenting parameters that don't exist or using # markup commands wrongly. # The default value is: YES. WARN_IF_DOC_ERROR = YES # This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that # are documented, but have no documentation for their parameters or return # value. If set to NO doxygen will only warn about wrong or incomplete parameter # documentation, but not about the absence of documentation. # The default value is: NO. WARN_NO_PARAMDOC = NO # The WARN_FORMAT tag determines the format of the warning messages that doxygen # can produce. The string should contain the $file, $line, and $text tags, which # will be replaced by the file and line number from which the warning originated # and the warning text. Optionally the format may contain $version, which will # be replaced by the version of the file (if it could be obtained via # FILE_VERSION_FILTER) # The default value is: $file:$line: $text. WARN_FORMAT = "$file:$line: $text" # The WARN_LOGFILE tag can be used to specify a file to which warning and error # messages should be written. If left blank the output is written to standard # error (stderr). WARN_LOGFILE = #--------------------------------------------------------------------------- # Configuration options related to the input files #--------------------------------------------------------------------------- # The INPUT tag is used to specify the files and/or directories that contain # documented source files. You may enter file names like myfile.cpp or # directories like /usr/src/myproject. Separate the files or directories with # spaces. # Note: If this tag is empty the current directory is searched. INPUT = . # This tag can be used to specify the character encoding of the source files # that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses # libiconv (or the iconv built into libc) for the transcoding. See the libiconv # documentation (see: http://www.gnu.org/software/libiconv) for the list of # possible encodings. # The default value is: UTF-8. INPUT_ENCODING = UTF-8 # If the value of the INPUT tag contains directories, you can use the # FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and # *.h) to filter out the source-files in the directories. If left blank the # following patterns are tested:*.c, *.cc, *.cxx, *.cpp, *.c++, *.java, *.ii, # *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h, *.hh, *.hxx, *.hpp, # *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc, *.m, *.markdown, # *.md, *.mm, *.dox, *.py, *.f90, *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf, # *.qsf, *.as and *.js. FILE_PATTERNS = *.py # The RECURSIVE tag can be used to specify whether or not subdirectories should # be searched for input files as well. # The default value is: NO. RECURSIVE = YES # The EXCLUDE tag can be used to specify files and/or directories that should be # excluded from the INPUT source files. This way you can easily exclude a # subdirectory from a directory tree whose root is specified with the INPUT tag. # # Note that relative paths are relative to the directory from which doxygen is # run. EXCLUDE = # The EXCLUDE_SYMLINKS tag can be used to select whether or not files or # directories that are symbolic links (a Unix file system feature) are excluded # from the input. # The default value is: NO. EXCLUDE_SYMLINKS = NO # If the value of the INPUT tag contains directories, you can use the # EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude # certain files from those directories. # # Note that the wildcards are matched against the file with absolute path, so to # exclude all test directories for example use the pattern */test/* EXCLUDE_PATTERNS = # The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names # (namespaces, classes, functions, etc.) that should be excluded from the # output. The symbol name can be a fully qualified name, a word, or if the # wildcard * is used, a substring. Examples: ANamespace, AClass, # AClass::ANamespace, ANamespace::*Test # # Note that the wildcards are matched against the file with absolute path, so to # exclude all test directories use the pattern */test/* EXCLUDE_SYMBOLS = # The EXAMPLE_PATH tag can be used to specify one or more files or directories # that contain example code fragments that are included (see the \include # command). EXAMPLE_PATH = # If the value of the EXAMPLE_PATH tag contains directories, you can use the # EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and # *.h) to filter out the source-files in the directories. If left blank all # files are included. EXAMPLE_PATTERNS = # If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be # searched for input files to be used with the \include or \dontinclude commands # irrespective of the value of the RECURSIVE tag. # The default value is: NO. EXAMPLE_RECURSIVE = NO # The IMAGE_PATH tag can be used to specify one or more files or directories # that contain images that are to be included in the documentation (see the # \image command). IMAGE_PATH = # The INPUT_FILTER tag can be used to specify a program that doxygen should # invoke to filter for each input file. Doxygen will invoke the filter program # by executing (via popen()) the command: # # # # where is the value of the INPUT_FILTER tag, and is the # name of an input file. Doxygen will then use the output that the filter # program writes to standard output. If FILTER_PATTERNS is specified, this tag # will be ignored. # # Note that the filter must not add or remove lines; it is applied before the # code is scanned, but not when the output code is generated. If lines are added # or removed, the anchors will not be placed correctly. INPUT_FILTER = /usr/local/bin/doxypy.py # The FILTER_PATTERNS tag can be used to specify filters on a per file pattern # basis. Doxygen will compare the file name with each pattern and apply the # filter if there is a match. The filters are a list of the form: pattern=filter # (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how # filters are used. If the FILTER_PATTERNS tag is empty or if none of the # patterns match the file name, INPUT_FILTER is applied. FILTER_PATTERNS = # If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using # INPUT_FILTER ) will also be used to filter the input files that are used for # producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES). # The default value is: NO. FILTER_SOURCE_FILES = YES # The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file # pattern. A pattern will override the setting for FILTER_PATTERN (if any) and # it is also possible to disable source filtering for a specific pattern using # *.ext= (so without naming a filter). # This tag requires that the tag FILTER_SOURCE_FILES is set to YES. FILTER_SOURCE_PATTERNS = # If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that # is part of the input, its contents will be placed on the main page # (index.html). This can be useful if you have a project on for instance GitHub # and want to reuse the introduction page also for the doxygen output. USE_MDFILE_AS_MAINPAGE = #--------------------------------------------------------------------------- # Configuration options related to source browsing #--------------------------------------------------------------------------- # If the SOURCE_BROWSER tag is set to YES then a list of source files will be # generated. Documented entities will be cross-referenced with these sources. # # Note: To get rid of all source code in the generated output, make sure that # also VERBATIM_HEADERS is set to NO. # The default value is: NO. SOURCE_BROWSER = NO # Setting the INLINE_SOURCES tag to YES will include the body of functions, # classes and enums directly into the documentation. # The default value is: NO. INLINE_SOURCES = NO # Setting the STRIP_CODE_COMMENTS tag to YES will instruct doxygen to hide any # special comment blocks from generated source code fragments. Normal C, C++ and # Fortran comments will always remain visible. # The default value is: YES. STRIP_CODE_COMMENTS = YES # If the REFERENCED_BY_RELATION tag is set to YES then for each documented # function all documented functions referencing it will be listed. # The default value is: NO. REFERENCED_BY_RELATION = NO # If the REFERENCES_RELATION tag is set to YES then for each documented function # all documented entities called/used by that function will be listed. # The default value is: NO. REFERENCES_RELATION = NO # If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set # to YES, then the hyperlinks from functions in REFERENCES_RELATION and # REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will # link to the documentation. # The default value is: YES. REFERENCES_LINK_SOURCE = YES # If SOURCE_TOOLTIPS is enabled (the default) then hovering a hyperlink in the # source code will show a tooltip with additional information such as prototype, # brief description and links to the definition and documentation. Since this # will make the HTML file larger and loading of large files a bit slower, you # can opt to disable this feature. # The default value is: YES. # This tag requires that the tag SOURCE_BROWSER is set to YES. SOURCE_TOOLTIPS = YES # If the USE_HTAGS tag is set to YES then the references to source code will # point to the HTML generated by the htags(1) tool instead of doxygen built-in # source browser. The htags tool is part of GNU's global source tagging system # (see http://www.gnu.org/software/global/global.html). You will need version # 4.8.6 or higher. # # To use it do the following: # - Install the latest version of global # - Enable SOURCE_BROWSER and USE_HTAGS in the config file # - Make sure the INPUT points to the root of the source tree # - Run doxygen as normal # # Doxygen will invoke htags (and that will in turn invoke gtags), so these # tools must be available from the command line (i.e. in the search path). # # The result: instead of the source browser generated by doxygen, the links to # source code will now point to the output of htags. # The default value is: NO. # This tag requires that the tag SOURCE_BROWSER is set to YES. USE_HTAGS = NO # If the VERBATIM_HEADERS tag is set the YES then doxygen will generate a # verbatim copy of the header file for each class for which an include is # specified. Set to NO to disable this. # See also: Section \class. # The default value is: YES. VERBATIM_HEADERS = YES #--------------------------------------------------------------------------- # Configuration options related to the alphabetical class index #--------------------------------------------------------------------------- # If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index of all # compounds will be generated. Enable this if the project contains a lot of # classes, structs, unions or interfaces. # The default value is: YES. ALPHABETICAL_INDEX = YES # The COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns in # which the alphabetical index list will be split. # Minimum value: 1, maximum value: 20, default value: 5. # This tag requires that the tag ALPHABETICAL_INDEX is set to YES. COLS_IN_ALPHA_INDEX = 5 # In case all classes in a project start with a common prefix, all classes will # be put under the same header in the alphabetical index. The IGNORE_PREFIX tag # can be used to specify a prefix (or a list of prefixes) that should be ignored # while generating the index headers. # This tag requires that the tag ALPHABETICAL_INDEX is set to YES. IGNORE_PREFIX = #--------------------------------------------------------------------------- # Configuration options related to the HTML output #--------------------------------------------------------------------------- # If the GENERATE_HTML tag is set to YES doxygen will generate HTML output # The default value is: YES. GENERATE_HTML = YES # The HTML_OUTPUT tag is used to specify where the HTML docs will be put. If a # relative path is entered the value of OUTPUT_DIRECTORY will be put in front of # it. # The default directory is: html. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_OUTPUT = html # The HTML_FILE_EXTENSION tag can be used to specify the file extension for each # generated HTML page (for example: .htm, .php, .asp). # The default value is: .html. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_FILE_EXTENSION = .html # The HTML_HEADER tag can be used to specify a user-defined HTML header file for # each generated HTML page. If the tag is left blank doxygen will generate a # standard header. # # To get valid HTML the header file that includes any scripts and style sheets # that doxygen needs, which is dependent on the configuration options used (e.g. # the setting GENERATE_TREEVIEW). It is highly recommended to start with a # default header using # doxygen -w html new_header.html new_footer.html new_stylesheet.css # YourConfigFile # and then modify the file new_header.html. See also section "Doxygen usage" # for information on how to generate the default header that doxygen normally # uses. # Note: The header is subject to change so you typically have to regenerate the # default header when upgrading to a newer version of doxygen. For a description # of the possible markers and block names see the documentation. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_HEADER = # The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each # generated HTML page. If the tag is left blank doxygen will generate a standard # footer. See HTML_HEADER for more information on how to generate a default # footer and what special commands can be used inside the footer. See also # section "Doxygen usage" for information on how to generate the default footer # that doxygen normally uses. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_FOOTER = # The HTML_STYLESHEET tag can be used to specify a user-defined cascading style # sheet that is used by each HTML page. It can be used to fine-tune the look of # the HTML output. If left blank doxygen will generate a default style sheet. # See also section "Doxygen usage" for information on how to generate the style # sheet that doxygen normally uses. # Note: It is recommended to use HTML_EXTRA_STYLESHEET instead of this tag, as # it is more robust and this tag (HTML_STYLESHEET) will in the future become # obsolete. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_STYLESHEET = # The HTML_EXTRA_STYLESHEET tag can be used to specify an additional user- # defined cascading style sheet that is included after the standard style sheets # created by doxygen. Using this option one can overrule certain style aspects. # This is preferred over using HTML_STYLESHEET since it does not replace the # standard style sheet and is therefor more robust against future updates. # Doxygen will copy the style sheet file to the output directory. For an example # see the documentation. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_EXTRA_STYLESHEET = # The HTML_EXTRA_FILES tag can be used to specify one or more extra images or # other source files which should be copied to the HTML output directory. Note # that these files will be copied to the base HTML output directory. Use the # $relpath^ marker in the HTML_HEADER and/or HTML_FOOTER files to load these # files. In the HTML_STYLESHEET file, use the file name only. Also note that the # files will be copied as-is; there are no commands or markers available. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_EXTRA_FILES = # The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen # will adjust the colors in the stylesheet and background images according to # this color. Hue is specified as an angle on a colorwheel, see # http://en.wikipedia.org/wiki/Hue for more information. For instance the value # 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300 # purple, and 360 is red again. # Minimum value: 0, maximum value: 359, default value: 220. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_COLORSTYLE_HUE = 220 # The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of the colors # in the HTML output. For a value of 0 the output will use grayscales only. A # value of 255 will produce the most vivid colors. # Minimum value: 0, maximum value: 255, default value: 100. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_COLORSTYLE_SAT = 100 # The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to the # luminance component of the colors in the HTML output. Values below 100 # gradually make the output lighter, whereas values above 100 make the output # darker. The value divided by 100 is the actual gamma applied, so 80 represents # a gamma of 0.8, The value 220 represents a gamma of 2.2, and 100 does not # change the gamma. # Minimum value: 40, maximum value: 240, default value: 80. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_COLORSTYLE_GAMMA = 80 # If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML # page will contain the date and time when the page was generated. Setting this # to NO can help when comparing the output of multiple runs. # The default value is: YES. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_TIMESTAMP = YES # If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML # documentation will contain sections that can be hidden and shown after the # page has loaded. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_DYNAMIC_SECTIONS = NO # With HTML_INDEX_NUM_ENTRIES one can control the preferred number of entries # shown in the various tree structured indices initially; the user can expand # and collapse entries dynamically later on. Doxygen will expand the tree to # such a level that at most the specified number of entries are visible (unless # a fully collapsed tree already exceeds this amount). So setting the number of # entries 1 will produce a full collapsed tree by default. 0 is a special value # representing an infinite number of entries and will result in a full expanded # tree by default. # Minimum value: 0, maximum value: 9999, default value: 100. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_INDEX_NUM_ENTRIES = 100 # If the GENERATE_DOCSET tag is set to YES, additional index files will be # generated that can be used as input for Apple's Xcode 3 integrated development # environment (see: http://developer.apple.com/tools/xcode/), introduced with # OSX 10.5 (Leopard). To create a documentation set, doxygen will generate a # Makefile in the HTML output directory. Running make will produce the docset in # that directory and running make install will install the docset in # ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find it at # startup. See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html # for more information. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_DOCSET = NO # This tag determines the name of the docset feed. A documentation feed provides # an umbrella under which multiple documentation sets from a single provider # (such as a company or product suite) can be grouped. # The default value is: Doxygen generated docs. # This tag requires that the tag GENERATE_DOCSET is set to YES. DOCSET_FEEDNAME = "Doxygen generated docs" # This tag specifies a string that should uniquely identify the documentation # set bundle. This should be a reverse domain-name style string, e.g. # com.mycompany.MyDocSet. Doxygen will append .docset to the name. # The default value is: org.doxygen.Project. # This tag requires that the tag GENERATE_DOCSET is set to YES. DOCSET_BUNDLE_ID = org.doxygen.Project # The DOCSET_PUBLISHER_ID tag specifies a string that should uniquely identify # the documentation publisher. This should be a reverse domain-name style # string, e.g. com.mycompany.MyDocSet.documentation. # The default value is: org.doxygen.Publisher. # This tag requires that the tag GENERATE_DOCSET is set to YES. DOCSET_PUBLISHER_ID = org.doxygen.Publisher # The DOCSET_PUBLISHER_NAME tag identifies the documentation publisher. # The default value is: Publisher. # This tag requires that the tag GENERATE_DOCSET is set to YES. DOCSET_PUBLISHER_NAME = Publisher # If the GENERATE_HTMLHELP tag is set to YES then doxygen generates three # additional HTML index files: index.hhp, index.hhc, and index.hhk. The # index.hhp is a project file that can be read by Microsoft's HTML Help Workshop # (see: http://www.microsoft.com/en-us/download/details.aspx?id=21138) on # Windows. # # The HTML Help Workshop contains a compiler that can convert all HTML output # generated by doxygen into a single compiled HTML file (.chm). Compiled HTML # files are now used as the Windows 98 help format, and will replace the old # Windows help format (.hlp) on all Windows platforms in the future. Compressed # HTML files also contain an index, a table of contents, and you can search for # words in the documentation. The HTML workshop also contains a viewer for # compressed HTML files. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_HTMLHELP = NO # The CHM_FILE tag can be used to specify the file name of the resulting .chm # file. You can add a path in front of the file if the result should not be # written to the html output directory. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. CHM_FILE = # The HHC_LOCATION tag can be used to specify the location (absolute path # including file name) of the HTML help compiler ( hhc.exe). If non-empty # doxygen will try to run the HTML help compiler on the generated index.hhp. # The file has to be specified with full path. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. HHC_LOCATION = # The GENERATE_CHI flag controls if a separate .chi index file is generated ( # YES) or that it should be included in the master .chm file ( NO). # The default value is: NO. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. GENERATE_CHI = NO # The CHM_INDEX_ENCODING is used to encode HtmlHelp index ( hhk), content ( hhc) # and project file content. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. CHM_INDEX_ENCODING = # The BINARY_TOC flag controls whether a binary table of contents is generated ( # YES) or a normal table of contents ( NO) in the .chm file. Furthermore it # enables the Previous and Next buttons. # The default value is: NO. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. BINARY_TOC = NO # The TOC_EXPAND flag can be set to YES to add extra items for group members to # the table of contents of the HTML help documentation and to the tree view. # The default value is: NO. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. TOC_EXPAND = YES # If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and # QHP_VIRTUAL_FOLDER are set, an additional index file will be generated that # can be used as input for Qt's qhelpgenerator to generate a Qt Compressed Help # (.qch) of the generated HTML documentation. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_QHP = NO # If the QHG_LOCATION tag is specified, the QCH_FILE tag can be used to specify # the file name of the resulting .qch file. The path specified is relative to # the HTML output folder. # This tag requires that the tag GENERATE_QHP is set to YES. QCH_FILE = # The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help # Project output. For more information please see Qt Help Project / Namespace # (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#namespace). # The default value is: org.doxygen.Project. # This tag requires that the tag GENERATE_QHP is set to YES. QHP_NAMESPACE = org.doxygen.Project # The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating Qt # Help Project output. For more information please see Qt Help Project / Virtual # Folders (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#virtual- # folders). # The default value is: doc. # This tag requires that the tag GENERATE_QHP is set to YES. QHP_VIRTUAL_FOLDER = doc # If the QHP_CUST_FILTER_NAME tag is set, it specifies the name of a custom # filter to add. For more information please see Qt Help Project / Custom # Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom- # filters). # This tag requires that the tag GENERATE_QHP is set to YES. QHP_CUST_FILTER_NAME = # The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the # custom filter to add. For more information please see Qt Help Project / Custom # Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom- # filters). # This tag requires that the tag GENERATE_QHP is set to YES. QHP_CUST_FILTER_ATTRS = # The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this # project's filter section matches. Qt Help Project / Filter Attributes (see: # http://qt-project.org/doc/qt-4.8/qthelpproject.html#filter-attributes). # This tag requires that the tag GENERATE_QHP is set to YES. QHP_SECT_FILTER_ATTRS = # The QHG_LOCATION tag can be used to specify the location of Qt's # qhelpgenerator. If non-empty doxygen will try to run qhelpgenerator on the # generated .qhp file. # This tag requires that the tag GENERATE_QHP is set to YES. QHG_LOCATION = # If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be # generated, together with the HTML files, they form an Eclipse help plugin. To # install this plugin and make it available under the help contents menu in # Eclipse, the contents of the directory containing the HTML and XML files needs # to be copied into the plugins directory of eclipse. The name of the directory # within the plugins directory should be the same as the ECLIPSE_DOC_ID value. # After copying Eclipse needs to be restarted before the help appears. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_ECLIPSEHELP = NO # A unique identifier for the Eclipse help plugin. When installing the plugin # the directory name containing the HTML and XML files should also have this # name. Each documentation set should have its own identifier. # The default value is: org.doxygen.Project. # This tag requires that the tag GENERATE_ECLIPSEHELP is set to YES. ECLIPSE_DOC_ID = org.doxygen.Project # If you want full control over the layout of the generated HTML pages it might # be necessary to disable the index and replace it with your own. The # DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs) at top # of each HTML page. A value of NO enables the index and the value YES disables # it. Since the tabs in the index contain the same information as the navigation # tree, you can set this option to YES if you also set GENERATE_TREEVIEW to YES. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. DISABLE_INDEX = YES # The GENERATE_TREEVIEW tag is used to specify whether a tree-like index # structure should be generated to display hierarchical information. If the tag # value is set to YES, a side panel will be generated containing a tree-like # index structure (just like the one that is generated for HTML Help). For this # to work a browser that supports JavaScript, DHTML, CSS and frames is required # (i.e. any modern browser). Windows users are probably better off using the # HTML help feature. Via custom stylesheets (see HTML_EXTRA_STYLESHEET) one can # further fine-tune the look of the index. As an example, the default style # sheet generated by doxygen has an example that shows how to put an image at # the root of the tree instead of the PROJECT_NAME. Since the tree basically has # the same information as the tab index, you could consider setting # DISABLE_INDEX to YES when enabling this option. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_TREEVIEW = YES # The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that # doxygen will group on one line in the generated HTML documentation. # # Note that a value of 0 will completely suppress the enum values from appearing # in the overview section. # Minimum value: 0, maximum value: 20, default value: 4. # This tag requires that the tag GENERATE_HTML is set to YES. ENUM_VALUES_PER_LINE = 4 # If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be used # to set the initial width (in pixels) of the frame in which the tree is shown. # Minimum value: 0, maximum value: 1500, default value: 250. # This tag requires that the tag GENERATE_HTML is set to YES. TREEVIEW_WIDTH = 250 # When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open links to # external symbols imported via tag files in a separate window. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. EXT_LINKS_IN_WINDOW = NO # Use this tag to change the font size of LaTeX formulas included as images in # the HTML documentation. When you change the font size after a successful # doxygen run you need to manually remove any form_*.png images from the HTML # output directory to force them to be regenerated. # Minimum value: 8, maximum value: 50, default value: 10. # This tag requires that the tag GENERATE_HTML is set to YES. FORMULA_FONTSIZE = 10 # Use the FORMULA_TRANPARENT tag to determine whether or not the images # generated for formulas are transparent PNGs. Transparent PNGs are not # supported properly for IE 6.0, but are supported on all modern browsers. # # Note that when changing this option you need to delete any form_*.png files in # the HTML output directory before the changes have effect. # The default value is: YES. # This tag requires that the tag GENERATE_HTML is set to YES. FORMULA_TRANSPARENT = YES # Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see # http://www.mathjax.org) which uses client side Javascript for the rendering # instead of using prerendered bitmaps. Use this if you do not have LaTeX # installed or if you want to formulas look prettier in the HTML output. When # enabled you may also need to install MathJax separately and configure the path # to it using the MATHJAX_RELPATH option. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. USE_MATHJAX = NO # When MathJax is enabled you can set the default output format to be used for # the MathJax output. See the MathJax site (see: # http://docs.mathjax.org/en/latest/output.html) for more details. # Possible values are: HTML-CSS (which is slower, but has the best # compatibility), NativeMML (i.e. MathML) and SVG. # The default value is: HTML-CSS. # This tag requires that the tag USE_MATHJAX is set to YES. MATHJAX_FORMAT = HTML-CSS # When MathJax is enabled you need to specify the location relative to the HTML # output directory using the MATHJAX_RELPATH option. The destination directory # should contain the MathJax.js script. For instance, if the mathjax directory # is located at the same level as the HTML output directory, then # MATHJAX_RELPATH should be ../mathjax. The default value points to the MathJax # Content Delivery Network so you can quickly see the result without installing # MathJax. However, it is strongly recommended to install a local copy of # MathJax from http://www.mathjax.org before deployment. # The default value is: http://cdn.mathjax.org/mathjax/latest. # This tag requires that the tag USE_MATHJAX is set to YES. MATHJAX_RELPATH = http://cdn.mathjax.org/mathjax/latest # The MATHJAX_EXTENSIONS tag can be used to specify one or more MathJax # extension names that should be enabled during MathJax rendering. For example # MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols # This tag requires that the tag USE_MATHJAX is set to YES. MATHJAX_EXTENSIONS = # The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces # of code that will be used on startup of the MathJax code. See the MathJax site # (see: http://docs.mathjax.org/en/latest/output.html) for more details. For an # example see the documentation. # This tag requires that the tag USE_MATHJAX is set to YES. MATHJAX_CODEFILE = # When the SEARCHENGINE tag is enabled doxygen will generate a search box for # the HTML output. The underlying search engine uses javascript and DHTML and # should work on any modern browser. Note that when using HTML help # (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets (GENERATE_DOCSET) # there is already a search function so this one should typically be disabled. # For large projects the javascript based search engine can be slow, then # enabling SERVER_BASED_SEARCH may provide a better solution. It is possible to # search using the keyboard; to jump to the search box use + S # (what the is depends on the OS and browser, but it is typically # , /