Skip to content

Windows

Windows

Create generic volatility3 OS wrappers.

This module provides a way to interact with Volatility3 plugins in a more abstract way. It allows to automatically get all available plugins for a specific OS and run them with the required arguments.

Example (API recommandée) :

    $ python3
    >>> from pydfirram.modules.windows import Windows
    >>> from pathlib import Path
    >>> dumpfile = Path("tests/data/dump.raw")
    >>> windows = Windows(dumpfile)
    >>> windows.run_plugin("windows.pslist").to_df()

Migration depuis l'API dynamique :
    **Avant** : ``windows.pslist().to_df()``
    **Après** : ``windows.run_plugin("windows.pslist").to_df()``

    L'accès par attribut conserve le même comportement mais émet un
    :exc:`DeprecationWarning` et doit être évité dans le code pérenne vers un SDK stable.

Legacy / compatibilité :

    >>> windows.pslist(pid=[...]).to_list()

Windows

Bases: Generic

A wrapper class for utilizing Windows-specific functionalities around the base methods.

This class serves as a simplified interface for interacting with Windows operating system dumps. It inherits from the Generic class and initializes with Windows as the operating system.

Attributes:

dumpfile : str The path to the memory dump file.

Methods:

init(dumpfile) Initializes the Windows class with the given dump file.

Source code in pydfirram/modules/windows.py 
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
class Windows(Generic):
    """
    A wrapper class for utilizing Windows-specific functionalities around
    the base methods.

    This class serves as a simplified interface for interacting with
    Windows operating system dumps. It inherits from the Generic class and
    initializes with Windows as the operating system.

    Attributes:
    -----------
    dumpfile : str
        The path to the memory dump file.

    Methods:
    --------
    __init__(dumpfile)
        Initializes the Windows class with the given dump file.
    """
    def __init__(
        self,
        dumpfile: str | Path,
        timeout: Optional[float] = None,
        *,
        workspace_base: Optional[str | Path] = None,
        output_collision_policy: OutputCollisionPolicy = "fail",
        manifest_include_dump_sha256: bool = False,
        execution_runtime: ExecutionRuntime | None = None,
    ) -> None:
        """
        Initializes the Windows class.

        Parameters:
        -----------
        dumpfile : str
            The path to the memory dump file.

        Example:
        --------
        >>> windows = Windows("path/to/dump.raw": Path)
        """
        if isinstance(dumpfile, str):
            dumpfile = Path(dumpfile)
        self.dump_files = dumpfile
        resolved_workspace = (
            Path(workspace_base).expanduser().resolve() if workspace_base is not None else None
        )
        super().__init__(
            operating_system=OperatingSystem.WINDOWS,
            dump_file=dumpfile,
            timeout=timeout,
            workspace_base=resolved_workspace,
            output_collision_policy=output_collision_policy,
            manifest_include_dump_sha256=manifest_include_dump_sha256,
            execution_runtime=execution_runtime,
        )

    # (todo) : seems to be a boilerplate from `Context`
    # (todo) : add typing information
    def _set_argument(self, context, prefix, kwargs):
        for k, v in kwargs.items():
            print(k,v)
            context.config[prefix+k] = v
        return context

    def dumpfiles(
        self,
        timeout: Optional[float] = None,
        **_kwargs: dict[str,Any],
    ) -> None:
        """
            Dump memory files based on provided parameters.

            This method utilizes the "dumpfiles" plugin to create memory
            dumps from a Windows operating system context. The memory dumps
            can be filtered based on the provided arguments. If no
            parameters are provided, the method will dump the entire
            system by default.

            Parameters:
            -----------
            physaddr : int, optional
                The physical address offset for the memory dump.
            virtaddr : int, optional
                The virtual address offset for the memory dump.
            pid : int, optional
                The process ID for which the memory dump should be
                generated.

            Notes:
            ------
            - The method sets up the context with the operating system
                and dump files.
            - Automagic and context settings are configured before
                building the context.
            - If additional keyword arguments are provided, they are
                added as arguments to the context.
            - The resulting context is executed and rendered to a file
                using the Renderer class.
            - If no parameters are provided, the method will dump the
                entire system by default.

            Returns:
            --------
            None
            """
        self.run_plugin("dumpfiles", timeout=timeout, **_kwargs).file_render()

__init__(dumpfile, timeout=None, *, workspace_base=None, output_collision_policy='fail', manifest_include_dump_sha256=False, execution_runtime=None)

Initializes the Windows class.

Parameters:

dumpfile : str The path to the memory dump file.

Example:

windows = Windows("path/to/dump.raw": Path)

Source code in pydfirram/modules/windows.py 
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
def __init__(
    self,
    dumpfile: str | Path,
    timeout: Optional[float] = None,
    *,
    workspace_base: Optional[str | Path] = None,
    output_collision_policy: OutputCollisionPolicy = "fail",
    manifest_include_dump_sha256: bool = False,
    execution_runtime: ExecutionRuntime | None = None,
) -> None:
    """
    Initializes the Windows class.

    Parameters:
    -----------
    dumpfile : str
        The path to the memory dump file.

    Example:
    --------
    >>> windows = Windows("path/to/dump.raw": Path)
    """
    if isinstance(dumpfile, str):
        dumpfile = Path(dumpfile)
    self.dump_files = dumpfile
    resolved_workspace = (
        Path(workspace_base).expanduser().resolve() if workspace_base is not None else None
    )
    super().__init__(
        operating_system=OperatingSystem.WINDOWS,
        dump_file=dumpfile,
        timeout=timeout,
        workspace_base=resolved_workspace,
        output_collision_policy=output_collision_policy,
        manifest_include_dump_sha256=manifest_include_dump_sha256,
        execution_runtime=execution_runtime,
    )

dumpfiles(timeout=None, **_kwargs)

Dump memory files based on provided parameters.

This method utilizes the "dumpfiles" plugin to create memory dumps from a Windows operating system context. The memory dumps can be filtered based on the provided arguments. If no parameters are provided, the method will dump the entire system by default.

Parameters:

physaddr : int, optional The physical address offset for the memory dump. virtaddr : int, optional The virtual address offset for the memory dump. pid : int, optional The process ID for which the memory dump should be generated.

Notes:
  • The method sets up the context with the operating system and dump files.
  • Automagic and context settings are configured before building the context.
  • If additional keyword arguments are provided, they are added as arguments to the context.
  • The resulting context is executed and rendered to a file using the Renderer class.
  • If no parameters are provided, the method will dump the entire system by default.
Returns:

None

Source code in pydfirram/modules/windows.py 
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
def dumpfiles(
    self,
    timeout: Optional[float] = None,
    **_kwargs: dict[str,Any],
) -> None:
    """
        Dump memory files based on provided parameters.

        This method utilizes the "dumpfiles" plugin to create memory
        dumps from a Windows operating system context. The memory dumps
        can be filtered based on the provided arguments. If no
        parameters are provided, the method will dump the entire
        system by default.

        Parameters:
        -----------
        physaddr : int, optional
            The physical address offset for the memory dump.
        virtaddr : int, optional
            The virtual address offset for the memory dump.
        pid : int, optional
            The process ID for which the memory dump should be
            generated.

        Notes:
        ------
        - The method sets up the context with the operating system
            and dump files.
        - Automagic and context settings are configured before
            building the context.
        - If additional keyword arguments are provided, they are
            added as arguments to the context.
        - The resulting context is executed and rendered to a file
            using the Renderer class.
        - If no parameters are provided, the method will dump the
            entire system by default.

        Returns:
        --------
        None
        """
    self.run_plugin("dumpfiles", timeout=timeout, **_kwargs).file_render()