Pkg.Memory — API for memory analysis

Overview

The Pkg.Memory module contains the API for memory analysis.

Enumerating Processes

The following code example demonstrates how to enumerate processes:

from Pro.Core import *
from Pkg.Memory import *

def enumerateProcesses(fname):
    c = createContainerFromFile(fname)
    if c.isNull():
        return
    obj = MemoryObject(MEMORY_TYPE_WINDOWS)
    if not obj.Load(c):
        return
    profiles = obj.DetectMemoryProfiles(stop_at_first=True)
    if not profiles or not obj.SetMemoryProfile(profiles[0]):
        return
    procs = obj.GetProcesses()
    for p in procs:
        print("PID: %d - Name: %s" % (p.pid, p.name))

Enumerating Referenced Files

The following code example demonstrates how to enumerate files referenced by a specific process:

from Pro.Core import *
from Pkg.Memory import *

def enumerateReferencedFiles(fname):
    c = createContainerFromFile(fname)
    if c.isNull():
        return
    obj = MemoryObject(MEMORY_TYPE_WINDOWS)
    if not obj.Load(c):
        return
    profiles = obj.DetectMemoryProfiles(stop_at_first=True)
    if not profiles or not obj.SetMemoryProfile(profiles[0]):
        return
    procs = obj.GetProcesses()
    for p in procs:
        if p.name.casefold() == "explorer.exe":
            files = obj.GetProcessReferencedObjects(p, type_filter=lambda t: 1 if t == "File" else 0)
            for f in files:
                print("Handle: %08X - Path: %s" % (f.handle, f.fields.get("path", "")))
            break

Reading a Windows Registry Key

The following code example demonstrates how to enumerate the values of a Windows registry key:

from Pro.Core import *
from Pkg.Memory import *

def enumerateRegistryValues(fname):
    c = createContainerFromFile(fname)
    if c.isNull():
        return
    obj = MemoryObject(MEMORY_TYPE_WINDOWS)
    if not obj.Load(c):
        return
    profiles = obj.DetectMemoryProfiles(stop_at_first=True)
    if not profiles or not obj.SetMemoryProfile(profiles[0]):
        return
    key = obj.GetWindowsRegistryKey(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    if not key:
        return
    for value in key.IterateValues():
        print('Name: %s - Value: %s' % (value.name, str(value.value)))
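
Listing the Run key is the first half of an autostart check; the second half is asking whether each entry points at an image that is actually running in the snapshot, and whether its path sits in a location an attacker can write to. The following added example is not part of the Pkg.Memory documentation. It parses each command line into its executable path, expands %VAR% references using the environment of explorer.exe (via the documented GetProcessEnvironmentVariables()), and checks the image name against GetProcesses(). The parsing and triage functions are plain Python and run without the SDK; only triage_snapshot() calls Pkg.Memory, using the same calls as the examples above. The Run values, environment and process names in the block are constructed sample data.

```python
# Added example: cross-check Run-key autostart entries against the process list.
# Only triage_snapshot() touches the Pkg.Memory API; everything else is plain Python.
import ntpath
import re
from typing import Dict, Iterable, List, Optional, Tuple

RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
_ENV_REF = re.compile(r"%([^%]+)%")
_EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def expand_env(text: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references case-insensitively; unknown variables are left as-is."""
    table = {k.upper(): v for k, v in env.items()}
    return _ENV_REF.sub(lambda m: table.get(m.group(1).upper(), m.group(0)), text)


def executable_from_command(cmdline: str, env: Optional[Dict[str, str]] = None) -> str:
    """Return the executable path of a Windows autostart command line.

    A leading double quote delimits the path exactly; otherwise tokens are joined
    until one ends in an executable extension (covers unquoted paths with spaces).
    """
    cmd = expand_env(cmdline.strip(), env or {})
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(_EXEC_EXTS):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def triage_autostarts(run_values: Iterable[Tuple[str, str]],
                      running_images: Iterable[str],
                      env: Optional[Dict[str, str]] = None) -> List[dict]:
    """Map each (value name, command) to its executable and whether that image runs.

    running_images: image names of the processes in the snapshot (any case).
    """
    running = {name.casefold() for name in running_images}
    report = []
    for value_name, command in run_values:
        exe = executable_from_command(str(command), env)
        image = ntpath.basename(exe).casefold()
        report.append({"value": value_name, "exe": exe, "image": image,
                       "running": image in running})
    return report


def triage_snapshot(fname: str, key_path: str = RUN_KEY) -> List[dict]:
    """Run the triage against a memory image through the Pkg.Memory API."""
    from Pro.Core import createContainerFromFile
    from Pkg.Memory import MemoryObject, MEMORY_TYPE_WINDOWS

    c = createContainerFromFile(fname)
    if c.isNull():
        return []
    obj = MemoryObject(MEMORY_TYPE_WINDOWS)
    if not obj.Load(c):
        return []
    profiles = obj.DetectMemoryProfiles(stop_at_first=True)
    if not profiles or not obj.SetMemoryProfile(profiles[0]):
        return []
    procs = obj.GetProcesses()
    env: Dict[str, str] = {}
    for p in procs:
        if p.name.casefold() == "explorer.exe":
            # explorer.exe carries the interactive user's environment (%windir%, ...)
            env = dict(obj.GetProcessEnvironmentVariables(p))
            break
    key = obj.GetWindowsRegistryKey(key_path)
    if not key:
        return []
    values = [(v.name, v.value) for v in key.IterateValues()]
    return triage_autostarts(values, (p.name for p in procs), env)


# Constructed sample Run values (not taken from a real system):
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("VendorUpdater", r'"C:\Program Files\Vendor\Updater.exe" /background'),
    ("Shell", r"C:\Users\Public\svchost.exe -k netsvcs"),
]
SAMPLE_ENV = {"windir": r"C:\Windows"}
SAMPLE_PROCESSES = ["System", "explorer.exe", "SecurityHealthSystray.exe"]

if __name__ == "__main__":
    for row in triage_autostarts(SAMPLE_RUN_VALUES, SAMPLE_PROCESSES, SAMPLE_ENV):
        flag = "running" if row["running"] else "NOT RUNNING"
        print("%-16s %-50s %s" % (row["value"], row["exe"], flag))
```

An entry whose image is absent from the process list is not malicious by itself (the process may have exited, or the snapshot may predate logon), but an entry such as the constructed "Shell" value above, which names svchost.exe from a user-writable directory, deserves a closer look whether or not it is running. The key path shown covers the machine-wide Run key only; per-user Run keys live under \REGISTRY\USER\<SID>\Software\Microsoft\Windows\CurrentVersion\Run and can be passed as key_path.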

Module API

Pkg.Memory module API.

Attributes:

MEMORY_ARCH_X64

Represents the x64 architecture.

MEMORY_ARCH_X86

Represents the x86 architecture.

MEMORY_FLAG_COPY_ON_WRITE

Indicates that the memory region is marked copy-on-write.

MEMORY_FLAG_EXECUTE

Indicates that the memory region has execute permissions.

MEMORY_FLAG_GUARD

Indicates that the memory region is guarded (raises an exception on first access).

MEMORY_FLAG_NO_CACHE

Indicates that caching is disabled for this memory region.

MEMORY_FLAG_READ

Indicates that the memory region has read permissions.

MEMORY_FLAG_WRITE

Indicates that the memory region has write permissions.

MEMORY_FLAG_WRITE_COMBINE

Indicates that the memory region uses write-combining.

MEMORY_NETWORK_CONNECTION_IPV_4

Represents an IPv4 connection.

MEMORY_NETWORK_CONNECTION_IPV_6

Represents an IPv6 connection.

MEMORY_NETWORK_CONNECTION_PROTOCOL_TCP

Represents a TCP connection.

MEMORY_NETWORK_CONNECTION_PROTOCOL_UDP

Represents a UDP connection.

MEMORY_NETWORK_CONNECTION_STATE_CLOSED

Represents a closed connection state.

MEMORY_NETWORK_CONNECTION_STATE_CLOSE_WAIT

Represents a CLOSE_WAIT connection state.

MEMORY_NETWORK_CONNECTION_STATE_CLOSING

Represents a CLOSING connection state.

MEMORY_NETWORK_CONNECTION_STATE_DELETE_TCB

Represents a DELETE_TCB connection state (TCP control block is being deleted).

MEMORY_NETWORK_CONNECTION_STATE_ESTABLISHED

Represents an established connection state.

MEMORY_NETWORK_CONNECTION_STATE_FIN_WAIT1

Represents a FIN_WAIT1 connection state (TCP closing).

MEMORY_NETWORK_CONNECTION_STATE_FIN_WAIT2

Represents a FIN_WAIT2 connection state (TCP closing).

MEMORY_NETWORK_CONNECTION_STATE_LAST_ACK

Represents a LAST_ACK connection state.

MEMORY_NETWORK_CONNECTION_STATE_LISTENING

Represents a listening connection state.

MEMORY_NETWORK_CONNECTION_STATE_SYN_RCVD

Represents a SYN_RCVD connection state (TCP handshake in progress).

MEMORY_NETWORK_CONNECTION_STATE_SYN_SENT

Represents a SYN_SENT connection state (TCP handshake in progress).

MEMORY_NETWORK_CONNECTION_STATE_TIME_WAIT

Represents a TIME_WAIT connection state.

MEMORY_NETWORK_CONNECTION_STATE_UNKNOWN

Represents an unknown connection state.

MEMORY_PACKAGE_NAME

The name of the memory analysis package.

MEMORY_TYPE_WINDOWS

Represents the Windows memory type.

MEMORY_WINDOWS_REG_BINARY

Represents a registry value of type REG_BINARY (raw binary data).

MEMORY_WINDOWS_REG_DWORD

Represents a registry value of type REG_DWORD (32-bit integer).

MEMORY_WINDOWS_REG_DWORD_BIG_ENDIAN

Represents a registry value of type REG_DWORD_BIG_ENDIAN (32-bit big-endian integer).

MEMORY_WINDOWS_REG_EXPAND_SZ

Represents a registry value of type REG_EXPAND_SZ (expandable string).

MEMORY_WINDOWS_REG_FILETIME

Represents a registry value containing a Windows FILETIME structure.

MEMORY_WINDOWS_REG_FULL_RESOURCE_DESCRIPTOR

Represents a registry value of type REG_FULL_RESOURCE_DESCRIPTOR.

MEMORY_WINDOWS_REG_LINK

Represents a registry value of type REG_LINK (symbolic link).

MEMORY_WINDOWS_REG_MULTI_SZ

Represents a registry value of type REG_MULTI_SZ (multiple strings).

MEMORY_WINDOWS_REG_NONE

Represents a registry value with no type.

MEMORY_WINDOWS_REG_QWORD

Represents a registry value of type REG_QWORD (64-bit integer).

MEMORY_WINDOWS_REG_RESOURCE_LIST

Represents a registry value of type REG_RESOURCE_LIST.

MEMORY_WINDOWS_REG_RESOURCE_REQUIREMENTS_LIST

Represents a registry value of type REG_RESOURCE_REQUIREMENTS_LIST.

MEMORY_WINDOWS_REG_SZ

Represents a registry value of type REG_SZ (string).

MODULE_OPTION_METADATA

Indicates that metadata (e.g., additional descriptive fields) should be retrieved for modules.

MODULE_TYPE_APP

Represents an application module.

MODULE_TYPE_CONSOLE_APP

Represents a console application module.

MODULE_TYPE_DRIVER

Represents a driver module (e.g., a kernel driver).

MODULE_TYPE_LIBRARY

Represents a library module (DLL).

MODULE_TYPE_UNKNOWN

Represents an unknown or unclassified module type.

OBJECT_TYPE_FILE

Represents a file object.

OBJECT_TYPE_PROCESS

Represents a process object.

OBJECT_TYPE_REGISTRY_KEY

Represents a Windows registry key object.

OBJECT_TYPE_THREAD

Represents a thread object.

OBJECT_TYPE_UNKNOWN

Represents an unknown or unclassified object type.

PROCESS_ARCH_X64

Indicates that the process is running on x64 architecture.

PROCESS_ARCH_X86

Indicates that the process is running on x86 architecture.

PROCESS_FLAG_EXITED

Indicates that the process has exited.

PROCESS_FLAG_ORPHAN

Indicates that the process is orphaned (no valid parent).

PROCESS_OPTION_ICON

Indicates that process icons should be retrieved.

PROCESS_OPTION_INCLUDE_EXITED

Indicates that exited (terminated) processes should be included.

PROCESS_OPTION_METADATA

Indicates that metadata (e.g., additional descriptive fields) should be retrieved.

PROCESS_TYPE_CONSOLE

Represents a console process (e.g., a command-line application).

PROCESS_TYPE_GUI

Represents a graphical user interface (GUI) process.

PROCESS_TYPE_UNKNOWN

Represents an unknown or unclassified process type.

THREAD_OPTION_INCLUDE_TERMINATED

Indicates that terminated threads should be included.

THREAD_STATE_RUNNING

Represents a running thread state.

THREAD_STATE_SUSPENDED

Represents a suspended thread state.

THREAD_STATE_TERMINATED

Represents a terminated thread state.

THREAD_STATE_UNKNOWN

Represents an unknown or uninitialized thread state.

Classes:

MemoryBaseInfo()

Base class for memory-related structures, providing common information such as structure address and name.

MemoryGroupInfo()

This class contains information about a user group found in the memory snapshot.

MemoryIconCache()

This class provides a cache for application icons extracted from memory.

MemoryModuleInfo()

This class holds information about a module (DLL, driver, etc.) in the memory snapshot.

MemoryNetworkConnectionInfo()

This class holds information about a network connection in the memory snapshot.

MemoryObject(memory_type)

The main class for memory analysis.

MemoryObjectInfo()

This class contains generic information about an object in memory (file, process, thread, registry key, etc.).

MemoryProcessInfo()

This class holds information about a process in the memory snapshot.

MemoryRegionInfo()

This class represents information about a specific memory region.

MemorySymbolInfo()

This class provides symbol information such as module, symbol name, base address, and size.

MemoryThreadInfo()

This class holds information about a thread in the memory snapshot.

MemoryUserInfo()

This class contains information about a user account found in the memory snapshot.

MemoryWindowsRegistryHive()

This class represents a Windows registry hive in memory.

MemoryWindowsRegistryKey()

This class represents a Windows registry key in memory.

MemoryWindowsRegistryValue()

This class represents a Windows registry value in memory.

MemoryWindowsServiceDescriptorEntryInfo()

This class represents a Windows Service Descriptor Table entry (SDT entry).

MemoryX86GlobalDescriptorTableEntryInfo()

This class provides information about an x86 Global Descriptor Table (GDT) entry.

MemoryX86InterruptDescriptorTableEntryInfo()

This class provides information about an x86 Interrupt Descriptor Table (IDT) entry.

MEMORY_ARCH_X64

Represents the x64 architecture.

See also MemoryObject.GetArchitecture().

MEMORY_ARCH_X86

Represents the x86 architecture.

See also MemoryObject.GetArchitecture().

MEMORY_FLAG_COPY_ON_WRITE

Indicates that the memory region is marked copy-on-write.

MEMORY_FLAG_EXECUTE

Indicates that the memory region has execute permissions.

MEMORY_FLAG_GUARD

Indicates that the memory region is guarded (raises an exception on first access).

MEMORY_FLAG_NO_CACHE

Indicates that caching is disabled for this memory region.

MEMORY_FLAG_READ

Indicates that the memory region has read permissions.

MEMORY_FLAG_WRITE

Indicates that the memory region has write permissions.

MEMORY_FLAG_WRITE_COMBINE

Indicates that the memory region uses write-combining.

MEMORY_NETWORK_CONNECTION_IPV_4

Represents an IPv4 connection.

MEMORY_NETWORK_CONNECTION_IPV_6

Represents an IPv6 connection.

MEMORY_NETWORK_CONNECTION_PROTOCOL_TCP

Represents a TCP connection.

MEMORY_NETWORK_CONNECTION_PROTOCOL_UDP

Represents a UDP connection.

MEMORY_NETWORK_CONNECTION_STATE_CLOSED

Represents a closed connection state.

MEMORY_NETWORK_CONNECTION_STATE_CLOSE_WAIT

Represents a CLOSE_WAIT connection state.

MEMORY_NETWORK_CONNECTION_STATE_CLOSING

Represents a CLOSING connection state.

MEMORY_NETWORK_CONNECTION_STATE_DELETE_TCB

Represents a DELETE_TCB connection state (TCP control block is being deleted).

MEMORY_NETWORK_CONNECTION_STATE_ESTABLISHED

Represents an established connection state.

MEMORY_NETWORK_CONNECTION_STATE_FIN_WAIT1

Represents a FIN_WAIT1 connection state (TCP closing).

MEMORY_NETWORK_CONNECTION_STATE_FIN_WAIT2

Represents a FIN_WAIT2 connection state (TCP closing).

MEMORY_NETWORK_CONNECTION_STATE_LAST_ACK

Represents a LAST_ACK connection state.

MEMORY_NETWORK_CONNECTION_STATE_LISTENING

Represents a listening connection state.

MEMORY_NETWORK_CONNECTION_STATE_SYN_RCVD

Represents a SYN_RCVD connection state (TCP handshake in progress).

MEMORY_NETWORK_CONNECTION_STATE_SYN_SENT

Represents a SYN_SENT connection state (TCP handshake in progress).

MEMORY_NETWORK_CONNECTION_STATE_TIME_WAIT

Represents a TIME_WAIT connection state.

MEMORY_NETWORK_CONNECTION_STATE_UNKNOWN

Represents an unknown connection state.

MEMORY_PACKAGE_NAME

The name of the memory analysis package.

MEMORY_TYPE_WINDOWS

Represents the Windows memory type.

See also MemoryObject.GetMemoryType().

MEMORY_WINDOWS_REG_BINARY

Represents a registry value of type REG_BINARY (raw binary data).

MEMORY_WINDOWS_REG_DWORD

Represents a registry value of type REG_DWORD (32-bit integer).

MEMORY_WINDOWS_REG_DWORD_BIG_ENDIAN

Represents a registry value of type REG_DWORD_BIG_ENDIAN (32-bit big-endian integer).

MEMORY_WINDOWS_REG_EXPAND_SZ

Represents a registry value of type REG_EXPAND_SZ (expandable string).

MEMORY_WINDOWS_REG_FILETIME

Represents a registry value containing a Windows FILETIME structure.

MEMORY_WINDOWS_REG_FULL_RESOURCE_DESCRIPTOR

Represents a registry value of type REG_FULL_RESOURCE_DESCRIPTOR.

MEMORY_WINDOWS_REG_LINK

Represents a registry value of type REG_LINK (symbolic link).

MEMORY_WINDOWS_REG_MULTI_SZ

Represents a registry value of type REG_MULTI_SZ (multiple strings).

MEMORY_WINDOWS_REG_NONE

Represents a registry value with no type.

MEMORY_WINDOWS_REG_QWORD

Represents a registry value of type REG_QWORD (64-bit integer).

MEMORY_WINDOWS_REG_RESOURCE_LIST

Represents a registry value of type REG_RESOURCE_LIST.

MEMORY_WINDOWS_REG_RESOURCE_REQUIREMENTS_LIST

Represents a registry value of type REG_RESOURCE_REQUIREMENTS_LIST.

MEMORY_WINDOWS_REG_SZ

Represents a registry value of type REG_SZ (string).

MODULE_OPTION_METADATA

Indicates that metadata (e.g., additional descriptive fields) should be retrieved for modules.

See also MemoryObject.GetProcessModules() and MemoryObject.GetKernelModules().

MODULE_TYPE_APP

Represents an application module.

MODULE_TYPE_CONSOLE_APP

Represents a console application module.

MODULE_TYPE_DRIVER

Represents a driver module (e.g., a kernel driver).

MODULE_TYPE_LIBRARY

Represents a library module (DLL).

MODULE_TYPE_UNKNOWN

Represents an unknown or unclassified module type.

class MemoryBaseInfo

Base class for memory-related structures, providing common information such as structure address and name.

Attributes:

pt_name

The type of the page table.

pt_offset

The offset of the page table.

struct_address

The address of the structure in memory.

struct_name

The name of the structure.

class MemoryGroupInfo

Bases: Pkg.Memory.MemoryBaseInfo

This class contains information about a user group found in the memory snapshot.

See also MemoryObject.GetSystemGroups() and MemoryObject.GetUserGroups().

Attributes:

description

A description of the group.

fields

Additional fields describing the group.

full_name

The full name of the group.

id

The group identifier.

name

The short name of the group.

security_identifier

The security identifier (SID) of the group.

class MemoryIconCache

This class provides a cache for application icons extracted from memory.

See also MemoryObject.GetIconCache().

Methods:

AddIcon(app_path, icon)

Adds a new icon to the cache.

GetIcon(app_path)

Retrieves an icon from the cache.

AddIcon(app_path: str, icon: bytes) → int

Adds a new icon to the cache.

Parameters
  • app_path (str) – The path of the application.

  • icon (bytes) – The raw icon PNG data.

Returns

Returns the identifier of the newly stored icon.

Return type

int

See also GetIcon().

GetIcon(app_path: str) → int

Retrieves an icon from the cache.

Parameters

app_path (str) – The path of the application whose icon to retrieve.

Returns

Returns an icon identifier if found; otherwise returns -1.

Return type

int

See also AddIcon().

class MemoryModuleInfo

Bases: Pkg.Memory.MemoryBaseInfo

This class holds information about a module (DLL, driver, etc.) in the memory snapshot.

See also MemoryObject.GetProcessModules() and MemoryObject.GetKernelModules().

Attributes:

author

The author of the module binary (if available).

description

A description of the module (if available).

format

The file format of the module.

image_base

The base address of the module in memory.

image_size

The size of the module in memory.

name

The name of the module.

path

The full path of the module binary.

type

The type of the module (e.g., MODULE_TYPE_LIBRARY).

class MemoryNetworkConnectionInfo

Bases: Pkg.Memory.MemoryBaseInfo

This class holds information about a network connection in the memory snapshot.

See also MemoryObject.GetNetworkConnections() and MemoryObject.GetProcessNetworkConnections().

Methods:

ProtocolToString([include_ip_version])

Converts the protocol (TCP/UDP) and possibly IP version into a human-readable string.

StateToString()

Converts the numeric connection state into a human-readable string.

Attributes:

ip_version

The IP version (e.g., MEMORY_NETWORK_CONNECTION_IPV_4).

local_address

The local IP address.

local_port

The local port.

pid

The process identifier associated with this connection (if available).

protocol

The protocol (e.g., MEMORY_NETWORK_CONNECTION_PROTOCOL_TCP).

remote_address

The remote IP address.

remote_port

The remote port.

start_time

The time when the connection was established as an ISO date/time string.

state

The state of the connection (e.g., MEMORY_NETWORK_CONNECTION_STATE_ESTABLISHED).

ProtocolToString(include_ip_version: bool = True) → str

Converts the protocol (TCP/UDP) and possibly IP version into a human-readable string.

Parameters

include_ip_version (bool) – Whether to include the IP version in the string.

Returns

A string describing the protocol and optionally the IP version.

Return type

str

StateToString() → str

Converts the numeric connection state into a human-readable string.

Returns

A string describing the current state of the connection.

Return type

str

class MemoryObject(memory_type: int)

Bases: Pro.Core.CFFObject

The main class for memory analysis.

Parameters

memory_type (int) – The memory type (e.g., MEMORY_TYPE_WINDOWS).

Methods:

AskUser()

Returns True if user interaction is enabled; otherwise False.

DetectMemoryProfiles(*[, wo, stop_at_first])

Detects possible memory profiles applicable to the provided memory image.

GetArchitecture()

Returns the architecture constant (e.g., MEMORY_ARCH_X64).

GetCurrentProcess()

Retrieves the current process context used by the analysis (if any).

GetExtraHeader(name)

Retrieves an extra header by name.

GetExtraHeaderFile(name)

Retrieves the file name for an extra header by name.

GetGroupMembers(group, *[, wo])

Retrieves the list of members belonging to a given group.

GetIconCache()

Returns the global icon cache for the current analysis.

GetKernelHeader()

Returns the kernel header.

GetKernelHeaderFile()

Returns the kernel header file name.

GetKernelModules(*[, wo, options])

Retrieves the list of kernel modules from the memory snapshot.

GetKernelObject()

Retrieves an object representing the kernel in the memory snapshot.

GetKernelVersion()

Returns the kernel version as a tuple of major, minor, build, revision.

GetMemoryProfile()

Retrieves the currently set memory profile.

GetMemoryType()

Returns the memory type (e.g., MEMORY_TYPE_WINDOWS).

GetNetworkConnections(*[, wo])

Retrieves the list of network connections found in the memory snapshot.

GetProcessAddressSpace(process)

Retrieves the address space of a specific process.

GetProcessAddressSpaceObject(process)

Retrieves the address space as a CFFObject for a specific process.

GetProcessEnvironmentVariables(process, *[, wo])

Retrieves environment variables for a given process.

GetProcessModules(process, *[, wo, options])

Retrieves the list of modules loaded by a given process.

GetProcessNetworkConnections(process, *[, wo])

Retrieves the list of network connections associated with a specific process.

GetProcessReferencedObjects(process, *[, …])

Retrieves objects referenced by a given process (files, registry keys, etc.).

GetProcessThreads(process, *[, wo, options])

Retrieves the list of threads belonging to a given process.

GetProcessUserModeMemoryAddressSpace(process, *[, wo])

Retrieves the user-mode address space as an NTContainer for a given process.

GetProcessUserModeMemoryRegions(process, *[, wo])

Retrieves user-mode memory regions for a given process.

GetProcesses(*[, wo, options])

Retrieves the list of processes from the memory snapshot.

GetSymbolInfoFromAddress(address)

Retrieves symbol information given an address.

GetSystemAddressSpace()

Retrieves the system-wide address space.

GetSystemAddressSpaceObject()

Retrieves the system address space as a CFFObject.

GetSystemGroups(*[, wo])

Retrieves the list of user groups found in the system.

GetSystemStruct(name, *[, address, process])

Retrieves a system structure by name.

GetSystemSymbol(name, *[, pointer, …])

Retrieves the address of a system symbol by name.

GetSystemUsers(*[, wo])

Retrieves the list of user accounts found in the system.

GetUserGroups(user, *[, wo])

Retrieves the groups to which a given user belongs.

GetWindowsRegistryHives(*[, wo])

Retrieves a list of Windows registry hives found in the memory image.

GetWindowsRegistryKey(name, *[, wo])

Retrieves a Windows registry key by full path.

GetWindowsServiceDescriptorTable()

Retrieves the Windows Service Descriptor Table (SDT, commonly referred to as the SSDT), the kernel's table of system call handlers.

GetX86GlobalDescriptorTable()

Retrieves the Global Descriptor Table (GDT) entries for x86/x64 architectures.

GetX86InterruptDescriptorTable()

Retrieves the Interrupt Descriptor Table (IDT) entries for x86/x64 architectures.

Is64Bit()

Returns True if the architecture is 64-bit; otherwise returns False.

OutputGroupPermissions(out, group)

Outputs permission information for a given group.

OutputProcessInfo(out, process)

Outputs process information to a text stream.

OutputSystemInfo(out)

Outputs basic system information to a provided text stream.

OutputUserPermissions(out, user)

Outputs permission information for a given user.

PointerSize()

Retrieves the pointer size of the current architecture (4 or 8 bytes).

ReadPointer(obj, address[, index])

Reads a pointer-sized value from memory at a specified address.

SetAskUser(ask_user)

Enables or disables user interaction for certain operations.

SetCurrentProcess(process)

Sets the current process context for the analysis.

SetMemoryProfile(profile, *[, wo])

Sets the memory profile for the current analysis.

SetVerbose(verbose)

Enables or disables verbose mode for analysis operations.

Verbose()

Returns True if verbose mode is enabled; otherwise False.

AskUser() → bool

Returns

Returns True if user interaction is enabled; otherwise False.

Return type

bool

See also SetAskUser().

DetectMemoryProfiles(*, wo: Optional[Pro.Core.NTIWait] = None, stop_at_first: bool = False) → List[Dict[str, Any]]

Detects possible memory profiles applicable to the provided memory image.

Parameters
  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

  • stop_at_first (bool) – If True, stops after finding the first matching profile.

Returns

A list of dictionaries describing each detected profile.

Return type

List[Dict[str, Any]]

See also SetMemoryProfile().

GetArchitecture() → int

Returns

Returns the architecture constant (e.g., MEMORY_ARCH_X64).

Return type

int

GetCurrentProcess() → Optional[Pkg.Memory.MemoryProcessInfo]

Retrieves the current process context used by the analysis (if any).

Returns

Returns the current MemoryProcessInfo if set; otherwise returns None.

Return type

Optional[MemoryProcessInfo]

See also SetCurrentProcess().

GetExtraHeader(name: str) → Optional[Pro.Core.CFFHeader]

Retrieves an extra header by name.

Parameters

name (str) – The name of the extra header.

Returns

Returns the header if available; otherwise returns None.

Return type

Optional[CFFHeader]

See also GetExtraHeaderFile() and GetKernelHeader().

GetExtraHeaderFile(name: str) → str

Retrieves the file name for an extra header by name.

Parameters

name (str) – The name of the extra header to retrieve.

Returns

Returns the extra header file name if available; otherwise returns an empty string.

Return type

str

See also GetExtraHeader().

GetGroupMembers(group: Pkg.Memory.MemoryGroupInfo, *, wo: Optional[Pro.Core.NTIWait] = None) → List[Pkg.Memory.MemoryUserInfo]

Retrieves the list of members belonging to a given group.

Parameters
  • group (MemoryGroupInfo) – The group for which to retrieve members.

  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

Returns

Returns a list of MemoryUserInfo objects.

Return type

List[MemoryUserInfo]

See also GetSystemGroups() and GetSystemUsers().

GetIconCache() → Pkg.Memory.MemoryIconCache

Returns

Returns the global icon cache for the current analysis.

Return type

MemoryIconCache

See also MemoryIconCache.

GetKernelHeader() → Pro.Core.CFFHeader

Returns

Returns the kernel header.

Return type

CFFHeader

See also GetKernelHeaderFile() and GetExtraHeader().

GetKernelHeaderFile() → str

Returns

Returns the kernel header file name.

Return type

str

See also GetKernelHeader().

GetKernelModules(*, wo: Optional[Pro.Core.NTIWait] = None, options: int = 0) → List[Pkg.Memory.MemoryModuleInfo]

Retrieves the list of kernel modules from the memory snapshot.

Parameters
  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

  • options (int) – A bitmask of options (e.g., MODULE_OPTION_METADATA).

Returns

Returns a list of MemoryModuleInfo objects representing kernel modules.

Return type

List[MemoryModuleInfo]

See also GetProcessModules().
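
The image_base and image_size of each kernel module define the address ranges that the loader actually mapped, which is the basis of a common integrity check: a kernel pointer (a service table entry, an IDT handler, a registered callback) that falls inside no loaded module points at code the loader never mapped, or at a module that has been hidden from the module list. The following added example is not part of the Pkg.Memory documentation. ModuleMap is plain Python and runs without the SDK; kernel_module_map() is the adapter that builds it from GetKernelModules() using only the documented name, image_base and image_size attributes. The attributes of MemoryWindowsServiceDescriptorEntryInfo are not described on this page, so the (label, address) pairs to check are supplied by the caller. The modules and pointers in the block are constructed sample data.

```python
# Added example: map kernel addresses to the module that owns them, and flag
# pointers that land outside every loaded module. Only kernel_module_map() uses Pkg.Memory.
import bisect
from typing import Iterable, List, Optional, Tuple


class ModuleMap:
    """Sorted, non-overlapping [base, base + size) ranges for O(log n) lookup."""

    def __init__(self, modules: Iterable[Tuple[str, int, int]]):
        ranges = sorted((base, base + size, name)
                        for name, base, size in modules if size > 0)
        self._bases = [base for base, _, _ in ranges]
        self._ranges = ranges

    def owner(self, address: int) -> Optional[str]:
        """Name of the module whose range contains address, or None."""
        i = bisect.bisect_right(self._bases, address) - 1
        if i >= 0:
            base, end, name = self._ranges[i]
            if base <= address < end:
                return name
        return None

    def orphans(self, pointers: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
        """(label, address) pairs whose address lies outside every module."""
        return [(label, addr) for label, addr in pointers if self.owner(addr) is None]


def kernel_module_map(obj, with_metadata: bool = False) -> ModuleMap:
    """Adapter: build a ModuleMap from MemoryObject.GetKernelModules()."""
    from Pkg.Memory import MODULE_OPTION_METADATA
    options = MODULE_OPTION_METADATA if with_metadata else 0
    modules = obj.GetKernelModules(options=options)
    return ModuleMap((m.name, m.image_base, m.image_size) for m in modules)


# Constructed sample: two kernel modules and a few pointers to check.
SAMPLE_MODULES = [
    ("ntoskrnl.exe", 0xFFFFF80000400000, 0x800000),
    ("tcpip.sys", 0xFFFFF88001A00000, 0x200000),
]
SAMPLE_POINTERS = [
    ("NtCreateFile", 0xFFFFF80000500000),            # inside ntoskrnl.exe
    ("TcpCreateAndConnectTcb", 0xFFFFF88001B00000),  # inside tcpip.sys
    ("NtOpenProcess", 0xFFFFF8A000001000),           # in no module: investigate
]

if __name__ == "__main__":
    mm = ModuleMap(SAMPLE_MODULES)
    for label, addr in SAMPLE_POINTERS:
        print("%-24s %016X -> %s" % (label, addr, mm.owner(addr) or "<no module>"))
```

A pointer that resolves to no module is a lead, not a verdict: GetSymbolInfoFromAddress() on the same address is a useful second check, and a driver that unlinked itself from the loaded-module list produces exactly this signature, which is itself a finding. Modules reported with a zero image_size are skipped because they define no range.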

GetKernelObject() → Pro.Core.CFFObject

Retrieves an object representing the kernel in the memory snapshot.

Returns

Returns a CFFObject for the kernel.

Return type

CFFObject

GetKernelVersion() → Tuple[int, int, int, int]

Returns

Returns the kernel version as a tuple of major, minor, build, revision.

Return type

Tuple[int, int, int, int]

GetMemoryProfile() → Optional[Dict[str, Any]]

Retrieves the currently set memory profile.

Returns

Returns a dictionary describing the memory profile if available; otherwise returns None.

Return type

Optional[Dict[str, Any]]

See also DetectMemoryProfiles().

GetMemoryType() → int

Returns

Returns the memory type (e.g., MEMORY_TYPE_WINDOWS).

Return type

int

GetNetworkConnections(*, wo: Optional[Pro.Core.NTIWait] = None) → List[Pkg.Memory.MemoryNetworkConnectionInfo]

Retrieves the list of network connections found in the memory snapshot.

Parameters

wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

Returns

Returns a list of MemoryNetworkConnectionInfo objects.

Return type

List[MemoryNetworkConnectionInfo]

See also GetProcessNetworkConnections().
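
The raw connection list is most useful once it is reduced to the question an analyst actually asks: which processes hold established connections to hosts outside the local network? The following added example is not part of the Pkg.Memory documentation. Conn, is_external() and triage_connections() are plain Python and run without the SDK; collect_and_triage() is the adapter that fills Conn records from MemoryNetworkConnectionInfo (using the documented attributes, ProtocolToString(), StateToString() and a comparison against MEMORY_NETWORK_CONNECTION_STATE_ESTABLISHED) and joins them with process names from GetProcesses(). The exact text ProtocolToString() and StateToString() return is not specified on this page, so the logic relies on the constant comparison rather than on those strings; whether an unavailable pid is None or 0 is likewise unspecified, and either ends up reported as unknown. The connections in the block are constructed sample data.

```python
# Added example: triage network connections from a snapshot. Only collect_and_triage()
# touches the Pkg.Memory API; Conn, is_external() and triage_connections() are plain Python.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Conn:
    """Normalized connection record built from MemoryNetworkConnectionInfo."""
    protocol: str          # ProtocolToString() result (exact text not specified on this page)
    state: str             # StateToString() result
    local_address: str
    local_port: int
    remote_address: str
    remote_port: int
    pid: Optional[int]     # owning process, if the snapshot provides it
    established: bool      # state == MEMORY_NETWORK_CONNECTION_STATE_ESTABLISHED


def is_external(addr: str) -> bool:
    """True for routable remote addresses; False for private, loopback, link-local,
    multicast, unspecified, reserved or unparsable addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def triage_connections(conns: Iterable[Conn], process_names: Dict[int, str]) -> List[dict]:
    """Group established connections to external hosts by owning process.

    Returns one row per pid, sorted by pid (unknown pid last), with the distinct
    (remote address, remote port) pairs that process talks to.
    """
    by_pid = defaultdict(list)
    for c in conns:
        if c.established and is_external(c.remote_address):
            by_pid[c.pid].append(c)
    rows = []
    for pid in sorted(by_pid, key=lambda p: (p is None, p or 0)):
        rows.append({
            "pid": pid,
            "process": process_names.get(pid, "<unknown>"),
            "remotes": sorted({(c.remote_address, c.remote_port) for c in by_pid[pid]}),
        })
    return rows


def collect_and_triage(obj) -> List[dict]:
    """Adapter: pull connections and process names through the Pkg.Memory API."""
    from Pkg.Memory import MEMORY_NETWORK_CONNECTION_STATE_ESTABLISHED
    conns = [
        Conn(c.ProtocolToString(), c.StateToString(),
             c.local_address, c.local_port, c.remote_address, c.remote_port,
             c.pid, c.state == MEMORY_NETWORK_CONNECTION_STATE_ESTABLISHED)
        for c in obj.GetNetworkConnections()
    ]
    names = {p.pid: p.name for p in obj.GetProcesses()}
    return triage_connections(conns, names)


# Constructed sample connections (not from a real capture).
SAMPLE_CONNS = [
    Conn("TCPv4", "ESTABLISHED", "10.0.0.5", 49213, "93.184.216.34", 443, 4212, True),
    Conn("TCPv4", "ESTABLISHED", "10.0.0.5", 49214, "10.0.0.9", 445, 4, True),
    Conn("TCPv4", "LISTENING", "0.0.0.0", 135, "0.0.0.0", 0, 912, False),
    Conn("TCPv4", "ESTABLISHED", "10.0.0.5", 49300, "8.8.8.8", 53, 4212, True),
    Conn("TCPv6", "ESTABLISHED", "::1", 5000, "::1", 5001, 1000, True),
]
SAMPLE_NAMES = {4: "System", 912: "svchost.exe", 4212: "updater.exe", 1000: "dev.exe"}

if __name__ == "__main__":
    for row in triage_connections(SAMPLE_CONNS, SAMPLE_NAMES):
        print("%5s %-14s %s" % (row["pid"], row["process"], row["remotes"]))
```

Two caveats: UDP endpoints carry no TCP state, so they never satisfy the established test and are dropped by this filter; extend the predicate if DNS or other UDP beaconing is of interest. And a single process with many distinct external remotes on one port is the pattern to look at first; adding start_time to the rows turns the same data into a timeline.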

GetProcessAddressSpace(process: Pkg.Memory.MemoryProcessInfo) → Pro.Core.NTContainer

Retrieves the address space of a specific process.

Parameters

process (MemoryProcessInfo) – The process for which to retrieve the address space.

Returns

Returns an NTContainer representing the process address space.

Return type

NTContainer

See also GetProcessAddressSpaceObject() and GetSystemAddressSpace().

GetProcessAddressSpaceObject(process: Pkg.Memory.MemoryProcessInfo) → Pro.Core.CFFObject

Retrieves the address space as a CFFObject for a specific process.

Parameters

process (MemoryProcessInfo) – The process for which to retrieve the address space object.

Returns

Returns a CFFObject for the process address space.

Return type

CFFObject

See also GetProcessAddressSpace() and GetSystemAddressSpaceObject().

GetProcessEnvironmentVariables(process: Pkg.Memory.MemoryProcessInfo, *, wo: Optional[Pro.Core.NTIWait] = None) → List[Tuple[str, str]]

Retrieves environment variables for a given process.

Parameters
  • process (MemoryProcessInfo) – The process for which to retrieve environment variables.

  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

Returns

Returns a list of tuples containing (variable_name, variable_value).

Return type

List[Tuple[str, str]]

GetProcessModules(process: Pkg.Memory.MemoryProcessInfo, *, wo: Optional[Pro.Core.NTIWait] = None, options: int = 0) → List[Pkg.Memory.MemoryModuleInfo]

Retrieves the list of modules loaded by a given process.

Parameters
  • process (MemoryProcessInfo) – The process for which to retrieve loaded modules.

  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

  • options (int) – A bitmask of options (e.g., MODULE_OPTION_METADATA).

Returns

Returns a list of MemoryModuleInfo objects.

Return type

List[MemoryModuleInfo]

See also GetKernelModules().

GetProcessNetworkConnections(process: Pkg.Memory.MemoryProcessInfo, *, wo: Optional[Pro.Core.NTIWait] = None) → List[Pkg.Memory.MemoryNetworkConnectionInfo]

Retrieves the list of network connections associated with a specific process.

Parameters
  • process (MemoryProcessInfo) – The process for which to retrieve network connections.

  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

Returns

Returns a list of MemoryNetworkConnectionInfo objects.

Return type

List[MemoryNetworkConnectionInfo]

See also GetNetworkConnections().

GetProcessReferencedObjects(process: MemoryProcessInfo, *, wo: Optional[NTIWait] = None, limit: Optional[int] = None, filter: Optional[Callable[[MemoryObjectInfo], int]] = None, type_filter: Optional[Callable[[str], int]] = None) → List[MemoryObjectInfo]

Retrieves objects referenced by a given process (files, registry keys, etc.).

Note

The optional filter callables must return a positive number to add the current object to the returned list, 0 to continue the enumeration without including the current object, or a negative number to stop the enumeration. type_filter receives the object's type name as a string (e.g., "File"); filter receives the MemoryObjectInfo itself.

Parameters
  • process (MemoryProcessInfo) – The process for which to retrieve referenced objects.

  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

  • limit (Optional[int]) – An optional limit on the number of objects to retrieve.

  • filter (Optional[Callable[[MemoryObjectInfo], int]]) – A callable to filter objects by certain criteria.

  • type_filter (Optional[Callable[[str], int]]) – A callable to filter objects by type name.

Returns

Returns a list of MemoryObjectInfo objects.

Return type

List[MemoryObjectInfo]
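
One consequence of the callback contract above is worth seeing in code: a negative return stops the enumeration but cannot also include the current object, so a filter that wants "the first N matches" must return 1 for the Nth match and -1 on the callback after it. The following added example is not part of the Pkg.Memory documentation. It implements such a filter for file handles that point at executables under the Temp directories, wires it into GetProcessReferencedObjects() in suspicious_temp_files(), and includes drive_filter(), a local stand-in that applies the documented contract to constructed sample objects so the filter can be exercised without the SDK. The type name "File" and the "path" entry of fields come from the page's own example; whether paths are reported in NT device form or DOS form is not stated, and the pattern matches both. The sample objects are constructed.

```python
# Added example: a stateful filter for GetProcessReferencedObjects() that follows the
# documented contract (>0 include, 0 skip, <0 stop) and stops after N matches.
import re
from typing import Callable, Iterable, List

# Executables/libraries under the classic drop locations; works for DOS paths
# (C:\Users\...) and NT device paths (\Device\HarddiskVolume2\Users\...).
TEMP_EXECUTABLE = re.compile(
    r"\\(?:Windows\\Temp|Users\\[^\\]+\\AppData\\Local\\Temp)\\.*\.(?:exe|dll|sys|scr)$",
    re.IGNORECASE,
)


def is_temp_executable(info) -> bool:
    """Predicate over a MemoryObjectInfo: its path field names an executable in Temp."""
    return TEMP_EXECUTABLE.search(info.fields.get("path", "")) is not None


class StopAfterMatches:
    """Filter callable: include objects satisfying predicate, stop after max_matches.

    Return values follow the Pkg.Memory contract. Because a negative return cannot
    also include the current object, the stop is issued on the first callback after
    the quota is met, not on the matching object itself.
    """

    def __init__(self, predicate: Callable[[object], bool], max_matches: int):
        self.predicate = predicate
        self.remaining = max_matches
        self.seen = 0  # callbacks received; lets you verify early termination

    def __call__(self, info) -> int:
        self.seen += 1
        if self.remaining <= 0:
            return -1          # quota already met: stop the enumeration
        if not self.predicate(info):
            return 0           # skip this object, keep enumerating
        self.remaining -= 1
        return 1               # include it (even when it is the last one wanted)


def suspicious_temp_files(obj, process, max_matches: int = 20):
    """Adapter: run the filter through MemoryObject.GetProcessReferencedObjects()."""
    flt = StopAfterMatches(is_temp_executable, max_matches)
    return obj.GetProcessReferencedObjects(
        process,
        type_filter=lambda t: 1 if t == "File" else 0,  # only consider file objects
        filter=flt,
    )


def drive_filter(items: Iterable, fn: Callable[[object], int]) -> List:
    """Local stand-in for the enumeration loop, applying the documented contract."""
    out = []
    for item in items:
        rc = fn(item)
        if rc < 0:
            break
        if rc > 0:
            out.append(item)
    return out


class _Ref:
    """Constructed stand-in exposing the two MemoryObjectInfo members the page's example uses."""

    def __init__(self, handle: int, path: str):
        self.handle = handle
        self.fields = {"path": path}


SAMPLE_REFS = [  # constructed, not from a real snapshot
    _Ref(0x10, r"\Device\HarddiskVolume2\Windows\System32\ntdll.dll"),
    _Ref(0x1C, r"\Device\HarddiskVolume2\Users\bob\AppData\Local\Temp\update.exe"),
    _Ref(0x24, r"\Device\HarddiskVolume2\Windows\Temp\install.log"),
    _Ref(0x30, r"\Device\HarddiskVolume2\Windows\Temp\svc.dll"),
    _Ref(0x3C, r"\Device\HarddiskVolume2\Users\bob\AppData\Local\Temp\x.exe"),
    _Ref(0x44, r"\Device\HarddiskVolume2\Users\bob\AppData\Local\Temp\y.exe"),
]

if __name__ == "__main__":
    flt = StopAfterMatches(is_temp_executable, 2)
    for ref in drive_filter(SAMPLE_REFS, flt):
        print("Handle: %08X - Path: %s" % (ref.handle, ref.fields["path"]))
    print("callbacks received: %d" % flt.seen)
```

With a quota of 2 the filter sees five of the six sample objects: the two matches are included, the third Temp executable triggers the stop, and the sixth object is never visited. The limit parameter of GetProcessReferencedObjects() caps the returned list, whereas a filter of this kind also caps how far the enumeration runs, which matters on processes with tens of thousands of handles.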

GetProcessThreads(process: Pkg.Memory.MemoryProcessInfo, *, wo: Optional[Pro.Core.NTIWait] = None, options: int = 0) → List[Pkg.Memory.MemoryThreadInfo]

Retrieves the list of threads belonging to a given process.

Parameters
  • process (MemoryProcessInfo) – The process for which to retrieve threads.

  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

  • options (int) – A bitmask of options (e.g., THREAD_OPTION_INCLUDE_TERMINATED).

Returns

Returns a list of MemoryThreadInfo objects.

Return type

List[MemoryThreadInfo]

GetProcessUserModeMemoryAddressSpace(process: Pkg.Memory.MemoryProcessInfo, *, wo: Optional[Pro.Core.NTIWait] = None) → Pro.Core.NTContainer

Retrieves the user-mode address space as an NTContainer for a given process.

Parameters
  • process (MemoryProcessInfo) – The process for which to retrieve user-mode address space.

  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

Returns

An NTContainer representing the user-mode address space.

Return type

NTContainer

See also GetProcessUserModeMemoryRegions().

GetProcessUserModeMemoryRegions(process: Pkg.Memory.MemoryProcessInfo, *, wo: Optional[Pro.Core.NTIWait] = None) → List[Pkg.Memory.MemoryRegionInfo]

Retrieves user-mode memory regions for a given process.

Parameters
  • process (MemoryProcessInfo) – The process for which to retrieve memory regions.

  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

Returns

Returns a list of MemoryRegionInfo objects.

Return type

List[MemoryRegionInfo]

See also GetProcessUserModeMemoryAddressSpace().

GetProcesses(*, wo: Optional[Pro.Core.NTIWait] = None, options: int = 0) → List[Pkg.Memory.MemoryProcessInfo]

Retrieves the list of processes from the memory snapshot.

Parameters
  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

  • options (int) – A combination of PROCESS_OPTION_* flags (e.g., PROCESS_OPTION_INCLUDE_EXITED, PROCESS_OPTION_ICON, PROCESS_OPTION_METADATA).

Returns

Returns a list of MemoryProcessInfo objects.

Return type

List[MemoryProcessInfo]

See also GetProcessModules() and GetProcessAddressSpace().

GetSymbolInfoFromAddress(address: int) → Optional[Pkg.Memory.MemorySymbolInfo]

Retrieves symbol information given an address.

Parameters

address (int) – The address to look up.

Returns

Returns a MemorySymbolInfo if the address matches a known symbol; otherwise returns None.

Return type

Optional[MemorySymbolInfo]

See also GetSystemSymbol().

GetSystemAddressSpace() → Pro.Core.NTContainer

Retrieves the system-wide address space.

Returns

Returns an NTContainer representing the system address space.

Return type

NTContainer

See also GetSystemAddressSpaceObject() and GetProcessAddressSpace().

GetSystemAddressSpaceObject() → Pro.Core.CFFObject

Retrieves the system address space as a CFFObject.

Returns

Returns the system CFFObject.

Return type

CFFObject

See also GetSystemAddressSpace() and GetProcessAddressSpaceObject().

GetSystemGroups(*, wo: Optional[Pro.Core.NTIWait] = None) → List[Pkg.Memory.MemoryGroupInfo]

Retrieves the list of user groups found in the system.

Parameters

wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

Returns

Returns a list of MemoryGroupInfo objects.

Return type

List[MemoryGroupInfo]

See also GetGroupMembers() and OutputGroupPermissions().

GetSystemStruct(name: str, *, address: Optional[int] = None, process: Optional[Pkg.Memory.MemoryProcessInfo] = None) → Pro.Core.CFFStruct

Retrieves a system structure by name.

Parameters
  • name (str) – The name of the structure to retrieve.

  • address (Optional[int]) – An optional override address.

  • process (Optional[MemoryProcessInfo]) – An optional MemoryProcessInfo context.

Returns

Returns a CFFStruct representing the requested structure.

Return type

CFFStruct

See also GetSystemSymbol().

GetSystemSymbol(name: str, *, pointer: bool = False, relative: bool = False, header: Optional[Pro.Core.CFFHeader] = None, module: Optional[str] = None, base_address: Optional[int] = None, memory_object: Optional[Pro.Core.CFFObject] = None) → Optional[int]

Retrieves the address of a system symbol by name.

Parameters
  • name (str) – The name of the symbol to look up.

  • pointer (bool) – If True, treats the symbol as a pointer and returns its value.

  • relative (bool) – If True, returns the relative address instead of absolute.

  • header (Optional[CFFHeader]) – An optional CFFHeader if the symbol belongs to a header other than the default one.

  • module (Optional[str]) – The name of the module containing the symbol.

  • base_address (Optional[int]) – The base address to use if computing a relative address.

  • memory_object (Optional[CFFObject]) – The memory object, if needed.

Returns

Returns the symbol address if found; otherwise returns None.

Return type

Optional[int]

See also GetSymbolInfoFromAddress() and GetSystemStruct().

GetSystemUsers(*, wo: Optional[Pro.Core.NTIWait] = None) → List[Pkg.Memory.MemoryUserInfo]

Retrieves the list of user accounts found in the system.

Parameters

wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

Returns

Returns a list of MemoryUserInfo objects.

Return type

List[MemoryUserInfo]

See also GetUserGroups() and OutputUserPermissions().

GetUserGroups(user: Pkg.Memory.MemoryUserInfo, *, wo: Optional[Pro.Core.NTIWait] = None) → List[Pkg.Memory.MemoryGroupInfo]

Retrieves the groups to which a given user belongs.

Parameters
  • user (MemoryUserInfo) – The user for which to retrieve group information.

  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

Returns

Returns a list of MemoryGroupInfo objects.

Return type

List[MemoryGroupInfo]

See also GetSystemGroups() and OutputGroupPermissions().

GetWindowsRegistryHives(*, wo: Optional[Pro.Core.NTIWait] = None) → List[Pkg.Memory.MemoryWindowsRegistryHive]

Retrieves a list of Windows registry hives found in the memory image.

Parameters

wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

Returns

Returns a list of MemoryWindowsRegistryHive objects.

Return type

List[MemoryWindowsRegistryHive]

See also GetWindowsRegistryKey().

GetWindowsRegistryKey(name: str, *, wo: Optional[Pro.Core.NTIWait] = None) → Optional[Pkg.Memory.MemoryWindowsRegistryKey]

Retrieves a Windows registry key by full path.

Parameters
  • name (str) – The full path to the registry key.

  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

Returns

Returns a MemoryWindowsRegistryKey if found; otherwise returns None.

Return type

Optional[MemoryWindowsRegistryKey]

See also GetWindowsRegistryHives().

GetWindowsServiceDescriptorTable() → List[Pkg.Memory.MemoryWindowsServiceDescriptorEntryInfo]

Retrieves the Windows Service Descriptor Table (SDT).

Returns

Returns a list of MemoryWindowsServiceDescriptorEntryInfo objects.

Return type

List[MemoryWindowsServiceDescriptorEntryInfo]

GetX86GlobalDescriptorTable() → List[Pkg.Memory.MemoryX86GlobalDescriptorTableEntryInfo]

Retrieves the Global Descriptor Table (GDT) entries for x86/x64 architectures.

Returns

Returns a list of MemoryX86GlobalDescriptorTableEntryInfo objects.

Return type

List[MemoryX86GlobalDescriptorTableEntryInfo]

See also MemoryX86GlobalDescriptorTableEntryInfo and GetX86InterruptDescriptorTable().

GetX86InterruptDescriptorTable() → List[Pkg.Memory.MemoryX86InterruptDescriptorTableEntryInfo]

Retrieves the Interrupt Descriptor Table (IDT) entries for x86/x64 architectures.

Returns

Returns a list of MemoryX86InterruptDescriptorTableEntryInfo objects.

Return type

List[MemoryX86InterruptDescriptorTableEntryInfo]

See also MemoryX86InterruptDescriptorTableEntryInfo and GetX86GlobalDescriptorTable().

Is64Bit() → bool

Returns

Returns True if the architecture is 64-bit; otherwise returns False.

Return type

bool

See also GetArchitecture().

OutputGroupPermissions(out: Pro.Core.NTTextStream, group: Pkg.Memory.MemoryGroupInfo) → None

Outputs permission information for a given group.

Parameters
  • out (NTTextStream) – The output stream.

  • group (MemoryGroupInfo) – The group for which to output permission information.

See also GetSystemGroups().

OutputProcessInfo(out: Pro.Core.NTTextStream, process: Pkg.Memory.MemoryProcessInfo) → None

Outputs process information to a text stream.

Parameters
  • out (NTTextStream) – The output stream.

  • process (MemoryProcessInfo) – The process for which to output information.

See also GetProcesses().

OutputSystemInfo(out: Pro.Core.NTTextStream) → None

Outputs basic system information to a provided text stream.

Parameters

out (NTTextStream) – The output stream.

OutputUserPermissions(out: Pro.Core.NTTextStream, user: Pkg.Memory.MemoryUserInfo) → None

Outputs permission information for a given user.

Parameters
  • out (NTTextStream) – The output stream.

  • user (MemoryUserInfo) – The user for which to output permission information.

See also GetSystemUsers().

PointerSize() → int

Retrieves the pointer size of the current architecture (4 or 8 bytes).

Returns

Returns the pointer size in bytes.

Return type

int

See also ReadPointer().

ReadPointer(obj: Pro.Core.CFFObject, address: int, index: int = 0) → Tuple[int, bool]

Reads a pointer-sized value from memory at a specified address.

Parameters
  • obj (CFFObject) – The CFFObject representing the memory container.

  • address (int) – The address to read from.

  • index (int) – An additional offset or index for advanced operations.

Returns

Returns a tuple containing the pointer read and a boolean. The boolean value is True if successful; otherwise it is False.

Return type

Tuple[int, bool]

See also PointerSize().

SetAskUser(ask_user: bool) → None

Enables or disables user interaction for certain operations.

Parameters

ask_user (bool) – True to allow user prompts; False otherwise.

See also AskUser().

SetCurrentProcess(process: Pkg.Memory.MemoryProcessInfo)

Sets the current process context for the analysis.

Parameters

process (MemoryProcessInfo) – The MemoryProcessInfo to set as the current context.

See also GetCurrentProcess().

SetMemoryProfile(profile: Dict[str, Any], *, wo: Optional[Pro.Core.NTIWait] = None) → bool

Sets the memory profile for the current analysis.

Parameters
  • profile (Dict[str, Any]) – A dictionary describing the profile.

  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations.

Returns

Returns True if the profile was successfully set; otherwise returns False.

Return type

bool

See also GetMemoryProfile().

SetVerbose(verbose: bool) → None

Enables or disables verbose mode for analysis operations.

Parameters

verbose (bool) – True to enable verbose mode; False to disable it.

See also Verbose().

Verbose() → bool

Returns

Returns True if verbose mode is enabled; otherwise False.

Return type

bool

See also SetVerbose().

class MemoryObjectInfo

Bases: Pkg.Memory.MemoryBaseInfo

This class contains generic information about an object in memory (file, process, thread, registry key, etc.).

See also MemoryObject.GetProcessReferencedObjects().

Attributes:

access

The access rights granted to this object.

fields

Additional fields describing the object.

handle

The native handle of this object (if relevant).

pid

The process identifier of the owner process.

type

The numeric type of this object (e.g., OBJECT_TYPE_FILE).

type_name

The textual name of the object type.

class MemoryProcessInfo

Bases: Pkg.Memory.MemoryBaseInfo

This class holds information about a process in the memory snapshot.

See also MemoryObject.GetProcesses().

Attributes:

architecture

The architecture of the process (e.g., PROCESS_ARCH_X64).

author

The author of the process binary (if available).

description

A description of the process (if available).

flags

The flags set on this process (e.g., PROCESS_FLAG_EXITED).

icon

The icon associated with this process (if available).

image_base

The base address of the process in memory.

image_size

The size of the process image in memory.

name

The name of the process.

path

The full path of the process image.

pid

The process identifier.

ppid

The parent process identifier.

security_identifier

The security identifier (SID) of the process owner.

start_time

The start time of the process as an ISO date/time string.

stop_time

The stop or exit time of the process as an ISO date/time string.

type

The type of the process (e.g., PROCESS_TYPE_CONSOLE).

class MemoryRegionInfo

Bases: Pkg.Memory.MemoryBaseInfo

This class represents information about a specific memory region.

See also MemoryObject.GetProcessUserModeMemoryRegions().

Methods:

FlagsToString([separator])

Converts the numeric flags value to a human-readable string.

Attributes:

address

The starting address of the memory region.

file_name

The file name mapped to this memory region (if available).

flags

The flags set on this memory region (e.g., MEMORY_FLAG_READ).

size

The size of the memory region in bytes.

FlagsToString(separator: str = '|') → str

Converts the numeric flags value to a human-readable string.

Parameters

separator (str) – A string used to separate different flags.

Returns

Returns a string containing the human-readable representation of the flags.

Return type

str

class MemorySymbolInfo

This class provides symbol information such as module, symbol name, base address, and size.

See also MemoryObject.GetSymbolInfoFromAddress().

Attributes:

image_base

The base address of the module in memory.

image_size

The size of the module in bytes.

module

The module name associated with this symbol.

name

The symbol name.

class MemoryThreadInfo

Bases: Pkg.Memory.MemoryBaseInfo

This class holds information about a thread in the memory snapshot.

See also MemoryObject.GetProcessThreads().

Methods:

StateToString()

Converts the numeric thread state into a human-readable string.

Attributes:

pid

The process identifier of the parent process.

start_address

The starting address of the thread in memory.

start_time

The start time of the thread as an ISO date/time string.

state

The state of the thread (e.g., THREAD_STATE_RUNNING).

stop_time

The stop time of the thread as an ISO date/time string.

tid

The thread identifier.

StateToString() → str

Converts the numeric thread state into a human-readable string.

Returns

A string describing the thread state.

Return type

str


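A common use of MemoryThreadInfo together with MemoryRegionInfo is to check where each thread of a process started. The following added example is not part of the Pkg.Memory documentation or of Cerbero's code: it is pure Python with constructed stand-ins for both classes (only the attributes documented on this page are used: tid, pid, start_address; address, size, file_name), so it runs without the Pro.Core environment. The process layout, addresses and file names are invented sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Constructed stand-ins for MemoryThreadInfo and MemoryRegionInfo; only the
# attribute names documented on this page are used.
@dataclass
class FakeThread:
    tid: int
    pid: int
    start_address: int


@dataclass
class FakeRegion:
    address: int
    size: int
    file_name: Optional[str]   # None when the region is not backed by a file


def region_containing(regions: List[FakeRegion], address: int) -> Optional[FakeRegion]:
    """Return the region whose [address, address + size) range holds 'address'."""
    for r in regions:
        if r.address <= address < r.address + r.size:
            return r
    return None


def threads_outside_mapped_images(threads: List[FakeThread],
                                  regions: List[FakeRegion]
                                  ) -> List[Tuple[FakeThread, Optional[FakeRegion]]]:
    """Pair each thread with the region holding its start address and keep
    those whose start is either in a region with no backing file or in no
    known region at all.  Such threads are a classic starting point when
    looking for injected code, but JIT runtimes and packers legitimately
    start threads in private memory, so treat the result as a triage list."""
    findings = []
    for t in threads:
        r = region_containing(regions, t.start_address)
        if r is None or not r.file_name:
            findings.append((t, r))
    return findings


def sample_process() -> Tuple[List[FakeThread], List[FakeRegion]]:
    """Constructed layout of one 64-bit process (pid 1312); not real data."""
    regions = [
        FakeRegion(0x140000000, 0x50000, "\\Windows\\System32\\svchost.exe"),
        FakeRegion(0x7FF800000000, 0x100000, "\\Windows\\System32\\kernel32.dll"),
        FakeRegion(0x1A0000, 0x10000, None),      # private, not file-backed
    ]
    threads = [
        FakeThread(100, 1312, 0x140001000),       # in the main image
        FakeThread(104, 1312, 0x7FF800012340),    # in kernel32.dll
        FakeThread(108, 1312, 0x1A4000),          # starts in private memory
        FakeThread(112, 1312, 0x5000000),         # no region covers it at all
    ]
    return threads, regions


if __name__ == "__main__":
    threads, regions = sample_process()
    for t, r in threads_outside_mapped_images(threads, regions):
        where = "unbacked region at 0x%X" % r.address if r else "no known region"
        print("TID %d start 0x%X: %s" % (t.tid, t.start_address, where))
```

With a real snapshot the same function takes obj.GetProcessThreads(p) and obj.GetProcessUserModeMemoryRegions(p) directly. Pass THREAD_OPTION_INCLUDE_TERMINATED in the options of GetProcessThreads if exited threads should be part of the review, and keep in mind that a region's file_name may be empty for reasons other than injection (for instance pages that were not resident when the image was taken).
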
class MemoryUserInfo

Bases: Pkg.Memory.MemoryBaseInfo

This class contains information about a user account found in the memory snapshot.

See also MemoryObject.GetSystemUsers() and MemoryObject.GetGroupMembers().

Attributes:

description

A description of the user.

fields

Additional fields describing the user.

full_name

The full name of the user.

id

The user identifier.

name

The short name (username).

path

The home directory or profile path.

security_identifier

The security identifier (SID).

class MemoryWindowsRegistryHive

This class represents a Windows registry hive in memory.

See also MemoryObject.GetWindowsRegistryHives().

Methods:

GetKey([name, wo])

Retrieves a registry key from this hive by name.

Identity()

Returns the hive identity as a string.

Name()

Returns the name of the registry hive as a string.

Attributes:

identity

Returns an identifier for this registry hive (e.g., a GUID or internal name).

name

Returns the name of this registry hive.

GetKey(name: str = str(), *, wo: Optional[Pro.Core.NTIWait] = None) → Optional[Pkg.Memory.MemoryWindowsRegistryKey]

Retrieves a registry key from this hive by name.

Parameters
  • name (str) – The path of the key to retrieve.

  • wo (Optional[NTIWait]) – An optional wait object for asynchronous operations (if applicable).

Returns

Returns the matching registry key if found; otherwise returns None.

Return type

Optional[MemoryWindowsRegistryKey]

See also MemoryWindowsRegistryKey.

Identity() → str

Returns

Returns the hive identity as a string.

Return type

str

Name() → str

Returns

Returns the name of the registry hive as a string.

Return type

str

property identity: str

Returns

Returns an identifier for this registry hive (e.g., a GUID or internal name).

Return type

str

property name: str

Returns

Returns the name of this registry hive.

Return type

str

class MemoryWindowsRegistryKey

This class represents a Windows registry key in memory.

See also MemoryObject.GetWindowsRegistryKey() and MemoryWindowsRegistryHive.GetKey().

Methods:

GetSecurityInfo()

Retrieves security information about the registry key.

GetValue([name])

Retrieves a registry value by name.

IterateSubKeys()

Iterates over all sub-keys of this registry key.

IterateValues()

Iterates over all values under this registry key.

Name()

Returns the name of the registry key as a string.

SubKeyCount()

Returns the number of sub-keys under this key.

TimeStamp()

Returns the last-write timestamp of the key as an ISO date/time string.

ValueCount()

Returns the number of values under this key.

Attributes:

name

Returns the name of this registry key.

GetSecurityInfo() → Dict[str, Any]

Retrieves security information about the registry key.

Returns

Returns a dictionary containing security-related fields (owner, group, DACL, etc.).

Return type

Dict[str, Any]

GetValue(name: str = str()) → Optional[Pkg.Memory.MemoryWindowsRegistryValue]

Retrieves a registry value by name.

Parameters

name (str) – The name of the value to retrieve.

Returns

Returns the matching registry value if found; otherwise returns None.

Return type

Optional[MemoryWindowsRegistryValue]

See also ValueCount() and IterateValues().

IterateSubKeys() → Iterator[Pkg.Memory.MemoryWindowsRegistryKey]

Iterates over all sub-keys of this registry key.

Returns

Yields MemoryWindowsRegistryKey objects.

Return type

Iterator[MemoryWindowsRegistryKey]

See also SubKeyCount().

IterateValues() → Iterator[Pkg.Memory.MemoryWindowsRegistryValue]

Iterates over all values under this registry key.

Returns

Yields MemoryWindowsRegistryValue objects.

Return type

Iterator[MemoryWindowsRegistryValue]

See also ValueCount().

Name() → str

Returns

Returns the name of the registry key as a string.

Return type

str

SubKeyCount() → int

Returns

Returns the number of sub-keys under this key.

Return type

int

See also IterateSubKeys().

TimeStamp() → str

Returns

Returns the last-write timestamp of the key as an ISO date/time string.

Return type

str

ValueCount() → int

Returns

Returns the number of values under this key.

Return type

int

See also IterateValues().

property name: str

Returns

Returns the name of this registry key.

Return type

str

class MemoryWindowsRegistryValue

This class represents a Windows registry value in memory.

See also MemoryWindowsRegistryKey.IterateValues().

Attributes:

name

Returns the name of the registry value.

raw_value

Returns the raw byte content of the registry value.

raw_value_type

Returns the type of the registry value as an integer (e.g., MEMORY_WINDOWS_REG_SZ).

value

Returns the interpreted value (string, int, etc.) if possible.

value_type

Returns the type of the registry value as string.

property name: str

Returns

Returns the name of the registry value.

Return type

str

property raw_value: bytes

Returns

Returns the raw byte content of the registry value.

Return type

bytes

property raw_value_type: int

Returns

Returns the type of the registry value as an integer (e.g., MEMORY_WINDOWS_REG_SZ).

Return type

int

property value: Optional[Union[int, float, bool, bytes, str]]

Returns

Returns the interpreted value (string, int, etc.) if possible.

Return type

BasicType

property value_type: str

Returns

Returns the type of the registry value as string.

Return type

str
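
MemoryWindowsRegistryKey.IterateSubKeys() and IterateValues() together with the MemoryWindowsRegistryValue properties above are all that is needed to flatten a key subtree, e.g. for comparing persistence locations across images. The following added example is not from the Pkg.Memory documentation or from Cerbero's code: it is pure Python with constructed stand-ins that expose only the members documented on this page, so it runs without the Pro.Core environment. It assumes Name() returns the key's own (leaf) name rather than a full path, and the sample subtree, value names and data are invented.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, Iterator, List, Optional, Tuple


# Constructed stand-ins for MemoryWindowsRegistryValue and
# MemoryWindowsRegistryKey, exposing only the members documented on this
# page.  Name() is assumed to return the key's own (leaf) name.
@dataclass
class FakeValue:
    name: str
    value_type: str
    raw_value: bytes
    value: Optional[Any]      # None when the value could not be interpreted


@dataclass
class FakeKey:
    leaf_name: str
    values: List[FakeValue] = field(default_factory=list)
    subkeys: List["FakeKey"] = field(default_factory=list)

    def Name(self) -> str:
        return self.leaf_name

    def ValueCount(self) -> int:
        return len(self.values)

    def SubKeyCount(self) -> int:
        return len(self.subkeys)

    def IterateValues(self) -> Iterator[FakeValue]:
        return iter(self.values)

    def IterateSubKeys(self) -> Iterator["FakeKey"]:
        return iter(self.subkeys)


def walk_registry_key(key, *, max_depth: int = 16, _prefix: str = "", _depth: int = 0
                      ) -> Iterator[Tuple[str, Any]]:
    """Depth-first walk yielding (key_path, value) for every value under 'key'.
    max_depth bounds the recursion so a damaged hive in a memory image cannot
    send the walk into a cycle or an absurdly deep tree."""
    path = key.Name() if not _prefix else _prefix + "\\" + key.Name()
    for v in key.IterateValues():
        yield path, v
    if _depth >= max_depth:
        return
    for sub in key.IterateSubKeys():
        yield from walk_registry_key(sub, max_depth=max_depth, _prefix=path, _depth=_depth + 1)


def collect_values(key, *, max_depth: int = 16) -> Dict[str, Any]:
    """Flatten a key tree into {"Key\\Sub\\ValueName": value}.  When 'value'
    is None (no interpreted form was available) fall back to raw_value so
    binary and unusual types are still captured."""
    out: Dict[str, Any] = {}
    for path, v in walk_registry_key(key, max_depth=max_depth):
        out[path + "\\" + v.name] = v.value if v.value is not None else v.raw_value
    return out


def sample_run_key() -> FakeKey:
    """Constructed Run-key subtree; the paths and values are invented."""
    exe = "C:\\Tools\\OneDrive.exe"
    deeper = FakeKey("Deeper", [FakeValue("y", "REG_DWORD", b"\x02\x00\x00\x00", 2)])
    deep = FakeKey("Deep", [FakeValue("x", "REG_DWORD", b"\x01\x00\x00\x00", 1)], [deeper])
    return FakeKey("Run", [
        FakeValue("OneDrive", "REG_SZ", exe.encode("utf-16-le"), exe),
        FakeValue("Blob", "REG_BINARY", b"\x01\x02", None),
    ], [deep])


if __name__ == "__main__":
    for name, value in collect_values(sample_run_key()).items():
        print("%s = %r" % (name, value))
```

With a real image the root key comes from obj.GetWindowsRegistryKey(path) or hive.GetKey(path) and is passed to collect_values unchanged; the depth bound and the raw_value fallback are the two details worth keeping when working on a partially overwritten hive.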

class MemoryWindowsServiceDescriptorEntryInfo

Bases: Pkg.Memory.MemoryBaseInfo

This class represents a Windows Service Descriptor Table entry (SDT entry).

See also MemoryObject.GetWindowsServiceDescriptorTable().

Attributes:

argument_count_table_address

The address of the argument count table.

call_count_table_address

The address of the call count table.

service_count

The number of services in this table.

service_handlers

A list of addresses for service handlers.

service_table_address

The address of the service table.

class MemoryX86GlobalDescriptorTableEntryInfo

Bases: Pkg.Memory.MemoryBaseInfo

This class provides information about an x86 Global Descriptor Table (GDT) entry.

See also MemoryObject.GetX86GlobalDescriptorTable().

Attributes:

base_address

The base address of this GDT entry.

default_big

The default operation size (16/32-bit).

dpl

The descriptor privilege level.

granularity

The granularity of this GDT entry.

limit

The limit value of this GDT entry.

long_mode

Indicates if this entry is used for 64-bit code.

present

Indicates if this entry is present.

system

Indicates if this is a system segment descriptor.

type

The type of this GDT entry.

class MemoryX86InterruptDescriptorTableEntryInfo

Bases: Pkg.Memory.MemoryBaseInfo

This class provides information about an x86 Interrupt Descriptor Table (IDT) entry.

See also MemoryObject.GetX86InterruptDescriptorTable().

Methods:

TypeToString()

Converts the numeric gate type into a human-readable representation.

Attributes:

dpl

The descriptor privilege level.

handler_address

The address of the interrupt handler.

ist_index

The Interrupt Stack Table index.

present

Indicates if this entry is present.

selector

The code segment selector used by this IDT entry.

type

The gate type for this IDT entry (e.g. interrupt gate).

TypeToString() → str

Converts the numeric gate type into a human-readable representation.

Returns

Returns a string representing the type.

Return type

str

OBJECT_TYPE_FILE

Represents a file object.

OBJECT_TYPE_PROCESS

Represents a process object.

OBJECT_TYPE_REGISTRY_KEY

Represents a Windows registry key object.

OBJECT_TYPE_THREAD

Represents a thread object.

OBJECT_TYPE_UNKNOWN

Represents an unknown or unclassified object type.

PROCESS_ARCH_X64

Indicates that the process is running on x64 architecture.

PROCESS_ARCH_X86

Indicates that the process is running on x86 architecture.

PROCESS_FLAG_EXITED

Indicates that the process has exited.

PROCESS_FLAG_ORPHAN

Indicates that the process is orphaned (no valid parent).

PROCESS_OPTION_ICON

Indicates that process icons should be retrieved.

See also MemoryObject.GetProcesses().

PROCESS_OPTION_INCLUDE_EXITED

Indicates that exited (terminated) processes should be included.

See also MemoryObject.GetProcesses().

PROCESS_OPTION_METADATA

Indicates that metadata (e.g., additional descriptive fields) should be retrieved.

See also MemoryObject.GetProcesses().

PROCESS_TYPE_CONSOLE

Represents a console process (e.g., a command-line application).

PROCESS_TYPE_GUI

Represents a graphical user interface (GUI) process.

PROCESS_TYPE_UNKNOWN

Represents an unknown or unclassified process type.

THREAD_OPTION_INCLUDE_TERMINATED

Indicates that terminated threads should be included.

See also MemoryObject.GetProcessThreads().

THREAD_STATE_RUNNING

Represents a running thread state.

THREAD_STATE_SUSPENDED

Represents a suspended thread state.

THREAD_STATE_TERMINATED

Represents a terminated thread state.

THREAD_STATE_UNKNOWN

Represents an unknown or uninitialized thread state.