class documentation

class OssiContext:

View In Hierarchy

Object that provide useful OSSI information for a particular context.

Warnings

Must not be directly constructed but retrieved through the following examples.

Examples

>>> # From a Transition
>>> transition.context_before().ossi # from the context before the transition
>>> transition.context_after().ossi  # from the context after the transition
>>> # From a Context
>>> context.ossi
Method __init__ Undocumented
Method __repr__ Undocumented
Method current_process_mappings Get a generator over current process binary mappings that are loaded in memory at this context.
Method kernel_mappings Get a generator over kernel binary mappings that are loaded in memory at this context.
Method location Useful OSSI information related to an address, such as the nearest symbol or the base address.
Method process Information about the process currently executing at this context, such as the process's name and PID.
Method thread Information about the thread currently executing at this context, such as the thread's ID.
Instance Variable _ctx_id Undocumented
Instance Variable _datasource Undocumented
def __init__(self, _datasource, _ctx_id):

Undocumented

Parameters
_datasource:DataSourceUndocumented
_ctx_id:intUndocumented
def __repr__(self):

Undocumented

Returns
strUndocumented
def current_process_mappings(self, pattern=None):

Get a generator over current process binary mappings that are loaded in memory at this context.

Binary mapping can be filtered by the binary path:

  • filter enabled if the `pattern` argument is not None.
  • a `contains` approach is used.
  • the filtered pattern is a regular expression.
  • is case insensitive.

Examples

>>> # Get all current process mappings
>>> for mapping in context.ossi.current_process_mappings():
...     print(mapping.binary.path)
c:/users/robert/appdata/local/google/chrome/application/chrome.exe
c:/windows/system32/ntdll.dll
c:/windows/system32/kernel32.dll
c:/windows/system32/kernelbase.dll
c:/users/robert/appdata/local/google/chrome/application/85.0.4183.83/chrome_elf.dll
c:/windows/system32/version.dll
c:/windows/system32/msvcrt.dll
c:/windows/system32/bcryptprimitives.dll
c:/windows/system32/winmm.dll
c:/windows/system32/winmmbase.dll
c:/windows/system32/cfgmgr32.dll
c:/windows/system32/ucrtbase.dll
c:/windows/system32/advapi32.dll
c:/windows/system32/sechost.dll
c:/windows/system32/rpcrt4.dll
...
>>> # Get all current process mappings filtered by "chrome.exe"
>>> for mapping in context.ossi.current_process_mappings(r"chrome\.exe$"):
...     print(mapping.binary.path)
c:/users/robert/appdata/local/google/chrome/application/chrome.exe
>>> # Get all current process mappings filtered by "system32"
>>> for mapping in context.ossi.current_process_mappings(r"system32"):
...     print(mapping.binary.path)
c:/windows/system32/ntdll.dll
c:/windows/system32/kernel32.dll
c:/windows/system32/kernelbase.dll
c:/windows/system32/version.dll
c:/windows/system32/msvcrt.dll
c:/windows/system32/bcryptprimitives.dll
c:/windows/system32/winmm.dll
c:/windows/system32/winmmbase.dll
c:/windows/system32/cfgmgr32.dll
c:/windows/system32/ucrtbase.dll
c:/windows/system32/advapi32.dll
c:/windows/system32/sechost.dll
c:/windows/system32/rpcrt4.dll
...

Information

Parameters
pattern:_Optional[str]the regex used to filter mappings.
Returns
_Iterator[BinaryMapping]An iterator over ossi.BinaryMapping.
def kernel_mappings(self, pattern=None):

Get a generator over kernel binary mappings that are loaded in memory at this context.

Binary mapping can be filtered by the binary path:

  • filter enabled if the `pattern` argument is not None.
  • a `contains` approach is used.
  • the filtered pattern is a regular expression.
  • is case insensitive.

Examples

>>> # Get all kernel mappings
>>> for mapping in context.ossi.kernel_mappings():
...     print(mapping.binary.path)
c:/windows/system32/ntoskrnl.exe
c:/windows/system32/hal.dll
c:/windows/system32/kd.dll
c:/windows/system32/mcupdate_authenticamd.dll
c:/windows/system32/drivers/werkernel.sys
c:/windows/system32/drivers/clfs.sys
c:/windows/system32/drivers/tm.sys
c:/windows/system32/pshed.dll
c:/windows/system32/bootvid.dll
c:/windows/system32/drivers/cmimcext.sys
c:/windows/system32/drivers/ntosext.sys
c:/windows/system32/ci.dll
...
>>> # Get all kernel mappings filtered by "hal.dll"
>>> for mapping in context.ossi.kernel_mappings(r"hal\.dll$"):
...     print(mapping.binary.path)
c:/windows/system32/hal.dll
>>> # Get all kernel mappings filtered by "system32"
>>> for mapping in context.ossi.kernel_mappings(r"system32"):
...     print(mapping.binary.path)
c:/windows/system32/ntoskrnl.exe
c:/windows/system32/hal.dll
c:/windows/system32/kd.dll
c:/windows/system32/mcupdate_authenticamd.dll
c:/windows/system32/drivers/werkernel.sys
c:/windows/system32/drivers/clfs.sys
c:/windows/system32/drivers/tm.sys
c:/windows/system32/pshed.dll
c:/windows/system32/bootvid.dll
c:/windows/system32/drivers/cmimcext.sys
c:/windows/system32/drivers/ntosext.sys
c:/windows/system32/ci.dll
...

Information

Parameters
pattern:_Optional[str]the regex used to filter mappings.
Returns
_Iterator[BinaryMapping]An iterator over ossi.BinaryMapping.
def location(self, addr=None):

Useful OSSI information related to an address, such as the nearest symbol or the base address.

If the location could not be resolved, None is returned.

Examples

>>> print(context.ossi.location())
'ntoskrnl!KiIsrLinkage+0x5a'

Information

Parameters
addr:int, long or None.The address on which the symbol context is query. if None, the value stored in the pc register is used as address.
Returns
_Optional[Location]A Location or None.
def process(self):

Information about the process currently executing at this context, such as the process's name and PID.

If the current process cannot be resolved, None is returned.

Examples

>>> print(context.ossi.process())
MpCmdRun.exe (4936)

Information

Returns
_Optional[_Process]A ossi.process.Process, or None.
def thread(self):

Information about the thread currently executing at this context, such as the thread's ID.

If the current thread cannot be resolved, None is returned.

Examples

>>> print(context.ossi.thread())
 1600

Information

Returns
_Optional[_Thread]A reven2.ossi.Thread, or None.
_ctx_id =

Undocumented

_datasource =

Undocumented