class documentation
class OssiContext:
Object that provide useful OSSI information for a particular context.
Warnings
Must not be directly constructed but retrieved through the following examples.
Examples
>>> # From a Transition >>> transition.context_before().ossi # from the context before the transition >>> transition.context_after().ossi # from the context after the transition
>>> # From a Context >>> context.ossi
| Method | __init__ |
Undocumented |
| Method | __repr__ |
Undocumented |
| Method | kernel |
Get a generator over kernel binary mappings that are loaded in memory at this context. |
| Method | location |
Useful OSSI information related to an address, such as the nearest symbol or the base address. |
| Method | process |
Information about the process currently executing at this context, such as the process's name and PID. |
| Method | thread |
Information about the thread currently executing at this context, such as the thread's ID. |
| Instance Variable | _ctx |
Undocumented |
| Instance Variable | _datasource |
Undocumented |
def __init__(self, _datasource, _ctx_id):
Undocumented
| Parameters | |
_datasource:DataSource | Undocumented |
_ctxint | Undocumented |
def kernel_mappings(self, pattern=None):
Get a generator over kernel binary mappings that are loaded in memory at this context.
Binary mapping can be filtered by the binary path:
- filter enabled if the `pattern` argument is not None.
- a `contains` approach is used.
- the filtered pattern is a regular expression.
- is case insensitive.
Examples
>>> # Get all kernel mappings >>> for mapping in context.ossi.kernel_mappings(): ... print(mapping.binary.path) c:/windows/system32/ntoskrnl.exe c:/windows/system32/hal.dll c:/windows/system32/kd.dll c:/windows/system32/mcupdate_authenticamd.dll c:/windows/system32/drivers/werkernel.sys c:/windows/system32/drivers/clfs.sys c:/windows/system32/drivers/tm.sys c:/windows/system32/pshed.dll c:/windows/system32/bootvid.dll c:/windows/system32/drivers/cmimcext.sys c:/windows/system32/drivers/ntosext.sys c:/windows/system32/ci.dll ...
>>> # Get all kernel mappings filtered by "hal.dll" >>> for mapping in context.ossi.kernel_mappings(r"hal\.dll$"): ... print(mapping.binary.path) c:/windows/system32/hal.dll
>>> # Get all kernel mappings filtered by "system32" >>> for mapping in context.ossi.kernel_mappings(r"system32"): ... print(mapping.binary.path) c:/windows/system32/ntoskrnl.exe c:/windows/system32/hal.dll c:/windows/system32/kd.dll c:/windows/system32/mcupdate_authenticamd.dll c:/windows/system32/drivers/werkernel.sys c:/windows/system32/drivers/clfs.sys c:/windows/system32/drivers/tm.sys c:/windows/system32/pshed.dll c:/windows/system32/bootvid.dll c:/windows/system32/drivers/cmimcext.sys c:/windows/system32/drivers/ntosext.sys c:/windows/system32/ci.dll ...
Information
| Parameters | |
pattern:_Optional[ | the regex used to filter mappings. |
| Returns | |
_Iterator[ | An iterator over ossi.BinaryMapping. |
def location(self, addr=None):
Useful OSSI information related to an address, such as the nearest symbol or the base address.
If the location could not be resolved, None is returned.
Examples
>>> print(context.ossi.location()) 'ntoskrnl!KiIsrLinkage+0x5a'
Information
| Parameters | |
| addr:int, long or None. | The address on which the symbol context is query. if None, the value stored in the pc register is used as address. |
| Returns | |
_Optional[ | A Location or None. |
def process(self):
Information about the process currently executing at this context, such as the process's name and PID.
If the current process cannot be resolved, None is returned.
Examples
>>> print(context.ossi.process()) MpCmdRun.exe (4936)
Information
| Returns | |
_Optional[ | A ossi.process.Process, or None. |
def thread(self):
Information about the thread currently executing at this context, such as the thread's ID.
If the current thread cannot be resolved, None is returned.
Examples
>>> print(context.ossi.thread()) 1600
Information
| Returns | |
_Optional[ | A reven2.ossi.Thread, or None. |