Python volatility.addrspace.BufferAddressSpace() Examples
Example #1
Source File: auditpol.py From volatility with GNU General Public License v2.0 | 6 votes |
def calculate(self):
    """Yield (raw_value, parsed_struct) for every value under Policy\\PolAdtEv.

    The REG_NONE blob read from the 'security' hive is wrapped in a
    BufferAddressSpace so the AuditPolData* overlay is read from that blob
    (vm = bufferas) rather than from the memory image. The overlay vtype is
    chosen from the profile's (major, minor) metadata.
    """
    addr_space = utils.load_as(self._config)
    regapi = registryapi.RegistryApi(self._config)
    regapi.reset_current()
    os_version = (addr_space.profile.metadata.get('major', 0),
                  addr_space.profile.metadata.get('minor', 0))

    # The version is invariant across the loop, so resolve the vtype name once.
    # Check order matches the original if/elif chain exactly.
    if os_version <= (5, 1):
        struct_name = "AuditPolDataXP"
    elif os_version <= (6, 0):
        struct_name = "AuditPolDataVista"
    elif os_version == (6, 1):
        struct_name = "AuditPolData7"
    elif os_version in ((6, 2), (6, 3)):
        struct_name = "AuditPolData8"
    else:
        struct_name = "AuditPolData10"

    for _value_name, data_raw in regapi.reg_yield_values('security', 'Policy\\PolAdtEv', thetype = 'REG_NONE'):
        bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw)
        ap = obj.Object(struct_name, offset = 0, vm = bufferas)
        # `== None` (rather than `is None`) is kept on purpose: obj.Object may
        # hand back a sentinel that compares equal to None without being None
        # — TODO confirm against obj.NoneObject before "fixing" this.
        if ap == None:
            debug.error("No AuditPol data found")
        yield data_raw, ap
Example #2
Source File: mac.py From aumfor with GNU General Public License v3.0 | 6 votes |
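def start_time(self):
    """Return the process start time as a UnixTimeStamp object (UTC).

    Returns "" when p_start cannot be packed into a 32-bit unsigned integer,
    which is the case for exited processes (e.g. those found by
    mac_dead_procs) whose timestamp is negative or out of range.
    """
    usecs_per_sec = 1000000  # p_start.tv_usec is divided by this, i.e. treated as microseconds
    start = self.p_start
    # Integer (floor) division on purpose. Under Python 2 `/` on ints already
    # floors, so this is unchanged there; under Python 3 `/` yields a float
    # and struct.pack("<I", float) raises struct.error for *every* process,
    # making the method silently return "". The sub-second part is dropped
    # either way.
    start_secs = start.tv_sec + (start.tv_usec // usecs_per_sec)
    try:
        data = struct.pack("<I", start_secs)
    except struct.error:
        # Negative or > 32-bit values: the record is stale, report "" instead
        # of crashing the listing.
        return ""
    bufferas = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = data)
    return obj.Object("UnixTimeStamp", offset = 0, vm = bufferas, is_utc = True)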
Example #3
Source File: mac.py From DAMM with GNU General Public License v2.0 | 6 votes |
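def start_time(self):
    """Return the process start time as a UnixTimeStamp object (UTC).

    Returns "" when p_start cannot be packed into a 32-bit unsigned integer,
    which is the case for exited processes (e.g. those found by
    mac_dead_procs) whose timestamp is negative or out of range.
    """
    usecs_per_sec = 1000000  # p_start.tv_usec is divided by this, i.e. treated as microseconds
    start = self.p_start
    # Integer (floor) division on purpose. Under Python 2 `/` on ints already
    # floors, so this is unchanged there; under Python 3 `/` yields a float
    # and struct.pack("<I", float) raises struct.error for *every* process,
    # making the method silently return "". The sub-second part is dropped
    # either way.
    start_secs = start.tv_sec + (start.tv_usec // usecs_per_sec)
    try:
        data = struct.pack("<I", start_secs)
    except struct.error:
        # Negative or > 32-bit values: the record is stale, report "" instead
        # of crashing the listing.
        return ""
    bufferas = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = data)
    return obj.Object("UnixTimeStamp", offset = 0, vm = bufferas, is_utc = True)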
Example #4
Source File: auditpol.py From DAMM with GNU General Public License v2.0 | 6 votes |
def calculate(self):
    """Yield (raw_value, parsed_struct) for every value under Policy\\PolAdtEv.

    Each REG_NONE blob from the 'security' hive is wrapped in a
    BufferAddressSpace and overlaid with the AuditPolData* vtype matching
    the profile's (major, minor) metadata: XP (<= 5.1), Vista (<= 6.0),
    otherwise the Windows 7 layout.
    """
    addr_space = utils.load_as(self._config)
    regapi = registryapi.RegistryApi(self._config)
    regapi.reset_current()
    os_version = (addr_space.profile.metadata.get('major', 0),
                  addr_space.profile.metadata.get('minor', 0))

    # Version does not change per value; decide the overlay once.
    if os_version <= (5, 1):
        struct_name = "AuditPolDataXP"
    elif os_version <= (6, 0):
        struct_name = "AuditPolDataVista"
    else:
        struct_name = "AuditPolData7"

    for _value_name, data_raw in regapi.reg_yield_values('security', 'Policy\\PolAdtEv', thetype = 'REG_NONE'):
        bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw)
        ap = obj.Object(struct_name, offset = 0, vm = bufferas)
        # `== None` is deliberate: obj.Object may return a None-like sentinel
        # that is not the None singleton — TODO confirm against obj.NoneObject.
        if ap == None:
            debug.error("No AuditPol data found")
        yield data_raw, ap
Example #5
Source File: userassist.py From DAMM with GNU General Public License v2.0 | 6 votes |
def parse_data(self, dat_raw):
    """Render a raw UserAssist value as a multi-line text block.

    Returns None when the blob is shorter than _VOLUSER_ASSIST_TYPES or the
    overlay could not be created; otherwise a string with ID (if present),
    Count, Focus Count / Time Focused (if present) and Last updated lines.
    """
    bufferas = addrspace.BufferAddressSpace(self._config, data = dat_raw)
    uadata = obj.Object("_VOLUSER_ASSIST_TYPES", offset = 0, vm = bufferas)
    needed = bufferas.profile.get_obj_size('_VOLUSER_ASSIST_TYPES')
    # `== None` is deliberate: obj.Object may return a None-like sentinel that
    # is not the None singleton — TODO confirm against obj.NoneObject.
    if len(dat_raw) < needed or uadata == None:
        return None

    parts = []
    if hasattr(uadata, "ID"):
        parts.append("\n{0:15} {1}".format("ID:", uadata.ID))
    if hasattr(uadata, "Count"):
        count = uadata.Count
    else:
        # Presumably the stored value is biased by five (vtype name) — the
        # profile definition is not visible here.
        raw_count = uadata.CountStartingAtFive
        count = raw_count if raw_count < 5 else raw_count - 5
    parts.append("\n{0:15} {1}".format("Count:", count))
    if hasattr(uadata, "FocusCount"):
        seconds = (uadata.FocusTime + 500) / 1000.0
        focused = datetime.timedelta(seconds = seconds) if seconds > 0 else uadata.FocusTime
        parts.append("\n{0:15} {1}\n{2:15} {3}".format("Focus Count:", uadata.FocusCount, "Time Focused:", focused))
    parts.append("\n{0:15} {1}\n".format("Last updated:", uadata.LastUpdated))
    return "".join(parts)
Example #6
Source File: userassist.py From vortessence with GNU General Public License v2.0 | 6 votes |
def parse_data(self, dat_raw):
    """Render a raw UserAssist value as a multi-line text block.

    Returns None when the blob is shorter than _VOLUSER_ASSIST_TYPES or the
    overlay could not be created; otherwise a string with ID (if present),
    Count, Focus Count / Time Focused (if present) and Last updated lines.
    """
    bufferas = addrspace.BufferAddressSpace(self._config, data = dat_raw)
    uadata = obj.Object("_VOLUSER_ASSIST_TYPES", offset = 0, vm = bufferas)
    needed = bufferas.profile.get_obj_size('_VOLUSER_ASSIST_TYPES')
    # `== None` is deliberate: obj.Object may return a None-like sentinel that
    # is not the None singleton — TODO confirm against obj.NoneObject.
    if len(dat_raw) < needed or uadata == None:
        return None

    parts = []
    if hasattr(uadata, "ID"):
        parts.append("\n{0:15} {1}".format("ID:", uadata.ID))
    if hasattr(uadata, "Count"):
        count = uadata.Count
    else:
        # Presumably the stored value is biased by five (vtype name) — the
        # profile definition is not visible here.
        raw_count = uadata.CountStartingAtFive
        count = raw_count if raw_count < 5 else raw_count - 5
    parts.append("\n{0:15} {1}".format("Count:", count))
    if hasattr(uadata, "FocusCount"):
        seconds = (uadata.FocusTime + 500) / 1000.0
        focused = datetime.timedelta(seconds = seconds) if seconds > 0 else uadata.FocusTime
        parts.append("\n{0:15} {1}\n{2:15} {3}".format("Focus Count:", uadata.FocusCount, "Time Focused:", focused))
    parts.append("\n{0:15} {1}\n".format("Last updated:", uadata.LastUpdated))
    return "".join(parts)
Example #7
Source File: auditpol.py From aumfor with GNU General Public License v3.0 | 6 votes |
def calculate(self):
    """Yield (raw_value, parsed_struct) for every value under Policy\\PolAdtEv.

    The REG_NONE blob read from the 'security' hive is wrapped in a
    BufferAddressSpace so the AuditPolData* overlay is read from that blob
    (vm = bufferas) rather than from the memory image. The overlay vtype is
    chosen from the profile's (major, minor) metadata.
    """
    addr_space = utils.load_as(self._config)
    regapi = registryapi.RegistryApi(self._config)
    regapi.reset_current()
    os_version = (addr_space.profile.metadata.get('major', 0),
                  addr_space.profile.metadata.get('minor', 0))

    # The version is invariant across the loop, so resolve the vtype name once.
    # Check order matches the original if/elif chain exactly.
    if os_version <= (5, 1):
        struct_name = "AuditPolDataXP"
    elif os_version <= (6, 0):
        struct_name = "AuditPolDataVista"
    elif os_version == (6, 1):
        struct_name = "AuditPolData7"
    elif os_version in ((6, 2), (6, 3)):
        struct_name = "AuditPolData8"
    else:
        struct_name = "AuditPolData10"

    for _value_name, data_raw in regapi.reg_yield_values('security', 'Policy\\PolAdtEv', thetype = 'REG_NONE'):
        bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw)
        ap = obj.Object(struct_name, offset = 0, vm = bufferas)
        # `== None` (rather than `is None`) is kept on purpose: obj.Object may
        # hand back a sentinel that compares equal to None without being None
        # — TODO confirm against obj.NoneObject before "fixing" this.
        if ap == None:
            debug.error("No AuditPol data found")
        yield data_raw, ap
Example #8
Source File: userassist.py From aumfor with GNU General Public License v3.0 | 6 votes |
def parse_data_dict(self, dat_raw):
    """Parse a raw UserAssist value into a dict.

    Returns None when the blob is shorter than _VOLUSER_ASSIST_TYPES or the
    overlay could not be created. Otherwise the dict holds "ID", "count",
    "focus", "time" and "lastupdate"; "ID", "focus" and "time" default to
    -1, -1 and "N/A" when the overlay lacks the corresponding field.
    """
    item = {"ID": -1, "focus": -1, "time": "N/A"}
    bufferas = addrspace.BufferAddressSpace(self._config, data = dat_raw)
    uadata = obj.Object("_VOLUSER_ASSIST_TYPES", offset = 0, vm = bufferas)
    needed = bufferas.profile.get_obj_size('_VOLUSER_ASSIST_TYPES')
    # `== None` is deliberate: obj.Object may return a None-like sentinel that
    # is not the None singleton — TODO confirm against obj.NoneObject.
    if len(dat_raw) < needed or uadata == None:
        return None

    if hasattr(uadata, "ID"):
        item["ID"] = int(uadata.ID)
    if hasattr(uadata, "Count"):
        item["count"] = int(uadata.Count)
    else:
        # Presumably a count biased by five (vtype name); profile not visible here.
        raw_count = uadata.CountStartingAtFive
        item["count"] = int(raw_count if raw_count < 5 else raw_count - 5)
    if hasattr(uadata, "FocusCount"):
        seconds = (uadata.FocusTime + 500) / 1000.0
        focused = datetime.timedelta(seconds = seconds) if seconds > 0 else uadata.FocusTime
        item["focus"] = int(uadata.FocusCount)
        item["time"] = str(focused)
    item["lastupdate"] = str(uadata.LastUpdated)
    return item
Example #9
Source File: userassist.py From aumfor with GNU General Public License v3.0 | 6 votes |
def parse_data(self, dat_raw):
    """Render a raw UserAssist value as a multi-line text block.

    Returns None when the blob is shorter than _VOLUSER_ASSIST_TYPES or the
    overlay could not be created; otherwise a string with ID (if present),
    Count, Focus Count / Time Focused (if present) and Last updated lines.
    """
    bufferas = addrspace.BufferAddressSpace(self._config, data = dat_raw)
    uadata = obj.Object("_VOLUSER_ASSIST_TYPES", offset = 0, vm = bufferas)
    needed = bufferas.profile.get_obj_size('_VOLUSER_ASSIST_TYPES')
    # `== None` is deliberate: obj.Object may return a None-like sentinel that
    # is not the None singleton — TODO confirm against obj.NoneObject.
    if len(dat_raw) < needed or uadata == None:
        return None

    parts = []
    if hasattr(uadata, "ID"):
        parts.append("\n{0:15} {1}".format("ID:", uadata.ID))
    if hasattr(uadata, "Count"):
        count = uadata.Count
    else:
        # Presumably the stored value is biased by five (vtype name) — the
        # profile definition is not visible here.
        raw_count = uadata.CountStartingAtFive
        count = raw_count if raw_count < 5 else raw_count - 5
    parts.append("\n{0:15} {1}".format("Count:", count))
    if hasattr(uadata, "FocusCount"):
        seconds = (uadata.FocusTime + 500) / 1000.0
        focused = datetime.timedelta(seconds = seconds) if seconds > 0 else uadata.FocusTime
        parts.append("\n{0:15} {1}\n{2:15} {3}".format("Focus Count:", uadata.FocusCount, "Time Focused:", focused))
    parts.append("\n{0:15} {1}\n".format("Last updated:", uadata.LastUpdated))
    return "".join(parts)
Example #10
Source File: evtlogs.py From vortessence with GNU General Public License v2.0 | 6 votes |
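def get_sid_string(self, data):
    """Take a buffer of data from the event record and parse it as a SID.

    @param data: buffer of data from SidOffset of the event record to
                 SidOffset + SidLength.
    @returns: sid string, suffixed with " (name)" when the SID is a well
              known one, matches a well known pattern, or is listed in
              self.extrasids.
    """
    bufferas = addrspace.BufferAddressSpace(self._config, data = data)
    sid = obj.Object("_SID", offset = 0, vm = bufferas)
    # Initialised before the loop: when IdentifierAuthority.Value yields no
    # elements (truncated or garbage record) the name was previously unbound
    # and the method raised UnboundLocalError instead of returning a string.
    id_auth = ""
    # Only the last element of the authority is kept; an authority whose
    # earlier elements are non-zero would be mis-rendered — TODO confirm
    # whether that can occur for SIDs found in event records.
    for i in sid.IdentifierAuthority.Value:
        id_auth = i
    sid_string = "S-" + "-".join(str(i) for i in (sid.Revision, id_auth) + tuple(sid.SubAuthority))

    if sid_string in getsids.well_known_sids:
        sid_name = " ({0})".format(getsids.well_known_sids[sid_string])
    else:
        sid_name_re = getsids.find_sid_re(sid_string, getsids.well_known_sid_re)
        if sid_name_re:
            sid_name = " ({0})".format(sid_name_re)
        else:
            sid_name = self.extrasids.get(sid_string, "")
    return sid_string + sid_name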
Example #11
Source File: auditpol.py From vortessence with GNU General Public License v2.0 | 6 votes |
def calculate(self):
    """Yield (raw_value, parsed_struct) for every value under Policy\\PolAdtEv.

    Each REG_NONE blob from the 'security' hive is wrapped in a
    BufferAddressSpace and overlaid with the AuditPolData* vtype matching
    the profile's (major, minor) metadata: XP (<= 5.1), Vista (<= 6.0),
    otherwise the Windows 7 layout.
    """
    addr_space = utils.load_as(self._config)
    regapi = registryapi.RegistryApi(self._config)
    regapi.reset_current()
    os_version = (addr_space.profile.metadata.get('major', 0),
                  addr_space.profile.metadata.get('minor', 0))

    # Version does not change per value; decide the overlay once.
    if os_version <= (5, 1):
        struct_name = "AuditPolDataXP"
    elif os_version <= (6, 0):
        struct_name = "AuditPolDataVista"
    else:
        struct_name = "AuditPolData7"

    for _value_name, data_raw in regapi.reg_yield_values('security', 'Policy\\PolAdtEv', thetype = 'REG_NONE'):
        bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw)
        ap = obj.Object(struct_name, offset = 0, vm = bufferas)
        # `== None` is deliberate: obj.Object may return a None-like sentinel
        # that is not the None singleton — TODO confirm against obj.NoneObject.
        if ap == None:
            debug.error("No AuditPol data found")
        yield data_raw, ap
Example #12
Source File: mftparser.py From aumfor with GNU General Public License v3.0 | 6 votes |
def __str__(self):
    """Render the record as one line: creation, modified, MFT-altered and
    accessed timestamps followed by the printable form of the name.

    A timestamp whose bytes cannot be decoded (struct.error) is replaced by
    an all-zero WinTimeStamp so the row still renders.
    """
    zero_buf = addrspace.BufferAddressSpace(self.obj_vm._config, data = "\x00" * 8)
    nulltime = obj.Object("WinTimeStamp", vm = zero_buf, offset = 0, is_utc = True)

    def _render(field_name):
        # Attribute read and str() both sit inside the try, as in the
        # original, so a decode failure anywhere yields the null timestamp.
        try:
            return str(getattr(self, field_name))
        except struct.error:
            return nulltime

    # Same evaluation order as the original.
    modified = _render("ModifiedTime")
    mftaltered = _render("MFTAlteredTime")
    creation = _render("CreationTime")
    accessed = _render("FileAccessedTime")
    name = self.remove_unprintable(self.get_name())
    return "{0:20} {1:30} {2:30} {3:30} {4}".format(creation, modified, mftaltered, accessed, name)
Example #13
Source File: mac.py From vortessence with GNU General Public License v2.0 | 6 votes |
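def start_time(self):
    """Return the process start time as a UnixTimeStamp object (UTC).

    Returns "" when p_start cannot be packed into a 32-bit unsigned integer,
    which is the case for exited processes (e.g. those found by
    mac_dead_procs) whose timestamp is negative or out of range.
    """
    usecs_per_sec = 1000000  # p_start.tv_usec is divided by this, i.e. treated as microseconds
    start = self.p_start
    # Integer (floor) division on purpose. Under Python 2 `/` on ints already
    # floors, so this is unchanged there; under Python 3 `/` yields a float
    # and struct.pack("<I", float) raises struct.error for *every* process,
    # making the method silently return "". The sub-second part is dropped
    # either way.
    start_secs = start.tv_sec + (start.tv_usec // usecs_per_sec)
    try:
        data = struct.pack("<I", start_secs)
    except struct.error:
        # Negative or > 32-bit values: the record is stale, report "" instead
        # of crashing the listing.
        return ""
    bufferas = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = data)
    return obj.Object("UnixTimeStamp", offset = 0, vm = bufferas, is_utc = True)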
Example #14
Source File: mac.py From volatility with GNU General Public License v2.0 | 6 votes |
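def start_time(self):
    """Return the process start time as a UnixTimeStamp object (UTC).

    Returns "" when p_start cannot be packed into a 32-bit unsigned integer,
    which is the case for exited processes (e.g. those found by
    mac_dead_procs) whose timestamp is negative or out of range.
    """
    usecs_per_sec = 1000000  # p_start.tv_usec is divided by this, i.e. treated as microseconds
    start = self.p_start
    # Integer (floor) division on purpose. Under Python 2 `/` on ints already
    # floors, so this is unchanged there; under Python 3 `/` yields a float
    # and struct.pack("<I", float) raises struct.error for *every* process,
    # making the method silently return "". The sub-second part is dropped
    # either way.
    start_secs = start.tv_sec + (start.tv_usec // usecs_per_sec)
    try:
        data = struct.pack("<I", start_secs)
    except struct.error:
        # Negative or > 32-bit values: the record is stale, report "" instead
        # of crashing the listing.
        return ""
    bufferas = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = data)
    return obj.Object("UnixTimeStamp", offset = 0, vm = bufferas, is_utc = True)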
Example #15
Source File: mftparser.py From volatility with GNU General Public License v2.0 | 6 votes |
def __str__(self):
    """Render the record as one line: creation, modified, MFT-altered and
    accessed timestamps followed by self.get_type().

    A timestamp whose bytes cannot be decoded (struct.error) is replaced by
    an all-zero WinTimeStamp so the row still renders.
    """
    zero_buf = addrspace.BufferAddressSpace(self.obj_vm._config, data = "\x00" * 8)
    nulltime = obj.Object("WinTimeStamp", vm = zero_buf, offset = 0, is_utc = True)

    def _render(field_name):
        # Attribute read and str() both sit inside the try, as in the
        # original, so a decode failure anywhere yields the null timestamp.
        try:
            return str(getattr(self, field_name))
        except struct.error:
            return nulltime

    # Same evaluation order as the original.
    modified = _render("ModifiedTime")
    mftaltered = _render("MFTAlteredTime")
    creation = _render("CreationTime")
    accessed = _render("FileAccessedTime")
    return "{0:20} {1:30} {2:30} {3:30} {4}".format(creation, modified, mftaltered, accessed, self.get_type())
Example #16
Source File: userassist.py From volatility with GNU General Public License v2.0 | 6 votes |
def parse_data(self, dat_raw):
    """Render a raw UserAssist value as a multi-line text block.

    Returns None when the blob is shorter than _VOLUSER_ASSIST_TYPES or the
    overlay could not be created; otherwise a string with ID (if present),
    Count, Focus Count / Time Focused (if present) and Last updated lines.
    """
    bufferas = addrspace.BufferAddressSpace(self._config, data = dat_raw)
    uadata = obj.Object("_VOLUSER_ASSIST_TYPES", offset = 0, vm = bufferas)
    needed = bufferas.profile.get_obj_size('_VOLUSER_ASSIST_TYPES')
    # `== None` is deliberate: obj.Object may return a None-like sentinel that
    # is not the None singleton — TODO confirm against obj.NoneObject.
    if len(dat_raw) < needed or uadata == None:
        return None

    parts = []
    if hasattr(uadata, "ID"):
        parts.append("\n{0:15} {1}".format("ID:", uadata.ID))
    if hasattr(uadata, "Count"):
        count = uadata.Count
    else:
        # Presumably the stored value is biased by five (vtype name) — the
        # profile definition is not visible here.
        raw_count = uadata.CountStartingAtFive
        count = raw_count if raw_count < 5 else raw_count - 5
    parts.append("\n{0:15} {1}".format("Count:", count))
    if hasattr(uadata, "FocusCount"):
        seconds = (uadata.FocusTime + 500) / 1000.0
        focused = datetime.timedelta(seconds = seconds) if seconds > 0 else uadata.FocusTime
        parts.append("\n{0:15} {1}\n{2:15} {3}".format("Focus Count:", uadata.FocusCount, "Time Focused:", focused))
    parts.append("\n{0:15} {1}\n".format("Last updated:", uadata.LastUpdated))
    return "".join(parts)
Example #17
Source File: linux.py From DAMM with GNU General Public License v2.0 | 5 votes |
def as_timestamp(self):
    """Wrap self.tv_sec as a UnixTimeStamp object (UTC).

    The value is packed as a 32-bit little-endian unsigned integer into a
    4-byte BufferAddressSpace; a tv_sec outside that range makes struct.pack
    raise struct.error, which propagates to the caller (no fallback here,
    unlike the mac.py start_time example).
    """
    packed = struct.pack("<I", self.tv_sec)
    backing = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = packed)
    return obj.Object("UnixTimeStamp", offset = 0, vm = backing, is_utc = True)
Example #18
Source File: commands.py From aumfor with GNU General Public License v3.0 | 5 votes |
def format_value(self, value, fmt):
    """ Formats an individual field using the table formatting codes

    The format code `fmt` is resolved through self._formatlookup against the
    profile of an empty BufferAddressSpace, then applied to `value` with
    str.format.
    """
    profile = addrspace.BufferAddressSpace(self._config).profile
    spec = self._formatlookup(profile, fmt)
    template = "{0:" + spec + "}"
    return template.format(value)
Example #19
Source File: bash.py From DAMM with GNU General Public License v2.0 | 5 votes |
def time_object(self):
    """Build a UnixTimeStamp object (UTC) from self.time_as_integer.

    The integer is packed as a 32-bit little-endian unsigned value into a
    4-byte BufferAddressSpace; values outside that range make struct.pack
    raise struct.error, which is not caught here.
    """
    seconds = self.time_as_integer
    packed = struct.pack("<I", seconds)
    backing = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = packed)
    return obj.Object("UnixTimeStamp", offset = 0, vm = backing, is_utc = True)
Example #20
Source File: mac.py From DAMM with GNU General Public License v2.0 | 5 votes |
def get_time(self):
    """Return base_calendartime as a UnixTimeStamp object (UTC).

    Returns the string "N/A" when the object has no base_calendartime
    attribute. A value that does not fit a 32-bit unsigned integer makes
    struct.pack raise struct.error, which is not caught here.
    """
    if not hasattr(self, "base_calendartime"):
        return "N/A"
    packed = struct.pack("<I", self.base_calendartime)
    backing = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = packed)
    return obj.Object("UnixTimeStamp", offset = 0, vm = backing, is_utc = True)
Example #21
Source File: linux.py From vortessence with GNU General Public License v2.0 | 5 votes |
def as_timestamp(self):
    """Wrap self.tv_sec as a UnixTimeStamp object (UTC).

    The value is packed as a 32-bit little-endian unsigned integer into a
    4-byte BufferAddressSpace; a tv_sec outside that range makes struct.pack
    raise struct.error, which propagates to the caller (no fallback here,
    unlike the mac.py start_time example).
    """
    packed = struct.pack("<I", self.tv_sec)
    backing = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = packed)
    return obj.Object("UnixTimeStamp", offset = 0, vm = backing, is_utc = True)
Example #22
Source File: bash.py From vortessence with GNU General Public License v2.0 | 5 votes |
def time_object(self):
    """Build a UnixTimeStamp object (UTC) from self.time_as_integer.

    The integer is packed as a 32-bit little-endian unsigned value into a
    4-byte BufferAddressSpace; values outside that range make struct.pack
    raise struct.error, which is not caught here.
    """
    seconds = self.time_as_integer
    packed = struct.pack("<I", seconds)
    backing = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = packed)
    return obj.Object("UnixTimeStamp", offset = 0, vm = backing, is_utc = True)
Example #23
Source File: commands.py From vortessence with GNU General Public License v2.0 | 5 votes |
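def table_header(self, outfd, title_format_list = None):
    """Table header renders the title row of a table

    This also stores the header types to ensure everything is formatted
    appropriately. It must be a list of tuples rather than a dict for
    ordering purposes.

    @param outfd: file-like object the header is written to; when falsy
                  nothing is written but self._formatlist is still rebuilt.
    @param title_format_list: list of (title, format_code) tuples. The
                  default None is treated as an empty list — the original
                  iterated None directly and raised TypeError.
    """
    if title_format_list is None:
        title_format_list = []

    titles = []
    rules = []
    self._formatlist = []
    profile = addrspace.BufferAddressSpace(self._config).profile

    for title, fmt in title_format_list:
        spec = fmtspec.FormatSpec(self._formatlookup(profile, fmt))
        # If spec.minwidth = -1, this field is unbounded length
        if spec.minwidth != -1:
            spec.minwidth = max(spec.minwidth, len(title))

        # Get the title specification to follow the alignment of the field
        titlespec = fmtspec.FormatSpec(formtype = 's', minwidth = max(spec.minwidth, len(title)))
        titlespec.align = spec.align if spec.align in "<>^" else "<"

        # Add this to the titles, rules, and formatspecs lists
        titles.append(("{0:" + titlespec.to_string() + "}").format(title))
        rules.append("-" * titlespec.minwidth)
        self._formatlist.append(spec)

    # Write out the titles and line rules
    if outfd:
        outfd.write(self.tablesep.join(titles) + "\n")
        outfd.write(self.tablesep.join(rules) + "\n")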
Example #24
Source File: commands.py From vortessence with GNU General Public License v2.0 | 5 votes |
def format_value(self, value, fmt):
    """ Formats an individual field using the table formatting codes

    The format code `fmt` is resolved through self._formatlookup against the
    profile of an empty BufferAddressSpace, then applied to `value` with
    str.format.
    """
    profile = addrspace.BufferAddressSpace(self._config).profile
    spec = self._formatlookup(profile, fmt)
    template = "{0:" + spec + "}"
    return template.format(value)
Example #25
Source File: scan.py From vortessence with GNU General Public License v2.0 | 5 votes |
def __init__(self, window_size = 8):
    """Set up the scanner state.

    self.buffer is a 1024-byte all-zero BufferAddressSpace built on a
    conf.DummyConfig(); self.constraints starts empty and self.error_count
    at zero. window_size is stored as given.
    """
    self.window_size = window_size
    self.constraints = []
    self.error_count = 0
    zeroes = '\x00' * 1024
    self.buffer = addrspace.BufferAddressSpace(conf.DummyConfig(), data = zeroes)
Example #26
Source File: mftparser.py From volatility with GNU General Public License v2.0 | 5 votes |
def get_full(self, full):
    """Render one line of four timestamps followed by the printable form of `full`.

    A timestamp whose bytes cannot be decoded (struct.error) is replaced by
    an all-zero WinTimeStamp. If the final formatting itself raises
    struct.error, None is returned.
    """
    zero_buf = addrspace.BufferAddressSpace(self.obj_vm._config, data = "\x00" * 8)
    nulltime = obj.Object("WinTimeStamp", vm = zero_buf, offset = 0, is_utc = True)

    def _render(field_name):
        # Attribute read and str() both sit inside the try, as in the
        # original, so a decode failure anywhere yields the null timestamp.
        try:
            return str(getattr(self, field_name))
        except struct.error:
            return nulltime

    # Same evaluation order as the original.
    modified = _render("ModifiedTime")
    mftaltered = _render("MFTAlteredTime")
    creation = _render("CreationTime")
    accessed = _render("FileAccessedTime")
    try:
        return "{0:20} {1:30} {2:30} {3:30} {4}".format(creation, modified, mftaltered, accessed, self.remove_unprintable(full))
    except struct.error:
        return None
Example #27
Source File: bash.py From DAMM with GNU General Public License v2.0 | 5 votes |
def time_object(self):
    """Build a UnixTimeStamp object (UTC) from self.time_as_integer.

    The integer is packed as a 32-bit little-endian unsigned value into a
    4-byte BufferAddressSpace; values outside that range make struct.pack
    raise struct.error, which is not caught here.
    """
    seconds = self.time_as_integer
    packed = struct.pack("<I", seconds)
    backing = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = packed)
    return obj.Object("UnixTimeStamp", offset = 0, vm = backing, is_utc = True)
Example #28
Source File: shimcache.py From DAMM with GNU General Public License v2.0 | 5 votes |
def calculate(self):
    """Yield (path, last_modified, last_update) for each AppCompatCache entry.

    The value is read from the 'system' hive under the current control set
    (falling back to ControlSet001). On XP-era profiles (<= 5.1) the entry's
    own Path/LastModified/LastUpdate fields are yielded; on newer profiles the
    path is read out of the blob via PathOffset/Length and last_update is
    None. Yields nothing, with a warning, when the value is missing, shorter
    than 0x1c bytes, or does not parse as ShimRecords.
    """
    addr_space = utils.load_as(self._config)
    regapi = registryapi.RegistryApi(self._config)
    regapi.reset_current()

    currentcs = regapi.reg_get_currentcontrolset()
    # `== None` kept: the registry API may return a None-like sentinel rather
    # than None itself — TODO confirm.
    if currentcs == None:
        currentcs = "ControlSet001"

    os_version = (addr_space.profile.metadata.get('major', 0),
                  addr_space.profile.metadata.get('minor', 0))
    is_xp = os_version <= (5, 1)
    if is_xp:
        subkey = "Control\\Session Manager\\AppCompatibility"
    else:
        subkey = "Control\\Session Manager\\AppCompatCache"
    key = currentcs + '\\' + subkey

    data_raw = regapi.reg_get_value('system', key, "AppCompatCache")
    if data_raw == None or len(data_raw) < 0x1c:
        debug.warning("No ShimCache data found")
        return

    # Parse the registry blob through its own address space so PathOffset /
    # Length reads below are resolved against the blob, not the image.
    bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw)
    shimdata = obj.Object("ShimRecords", offset = 0, vm = bufferas)
    if shimdata == None:
        debug.warning("No ShimCache data found")
        return

    for entry in shimdata.Entries:
        if is_xp:
            yield entry.Path, entry.LastModified, entry.LastUpdate
        else:
            raw_path = bufferas.read(int(entry.PathOffset), int(entry.Length))
            yield self.remove_unprintable(raw_path), entry.LastModified, None
Example #29
Source File: evtlogs.py From volatility with GNU General Public License v2.0 | 5 votes |
def get_sid_string(self, data):
    """Take a buffer of data from the event record and parse it as a SID.

    @param data: buffer of data from SidOffset of the event record to
                 SidOffset + SidLength.
    @returns: sid string, suffixed with " (name)" when the SID is a well
              known one, matches a well known pattern, or is listed in
              self.extrasids.
    """
    bufferas = addrspace.BufferAddressSpace(self._config, data = data)
    sid = obj.Object("_SID", offset = 0, vm = bufferas)

    # Only the last element of IdentifierAuthority.Value survives the loop;
    # "" is used if the sequence is empty. Authorities whose earlier elements
    # are non-zero would therefore be mis-rendered — TODO confirm relevance.
    id_auth = ""
    for element in sid.IdentifierAuthority.Value:
        id_auth = element

    components = (sid.Revision, id_auth) + tuple(sid.SubAuthority)
    sid_string = "S-" + "-".join(str(component) for component in components)

    # Resolve a friendly name: exact well-known table first, then the
    # well-known regex table, then the per-log extras; "" if nothing matches.
    if sid_string in getsids.well_known_sids:
        suffix = " ({0})".format(getsids.well_known_sids[sid_string])
    else:
        match = getsids.find_sid_re(sid_string, getsids.well_known_sid_re)
        suffix = " ({0})".format(match) if match else self.extrasids.get(sid_string, "")
    return sid_string + suffix
Example #30
Source File: pe_vtypes.py From DAMM with GNU General Public License v2.0 | 5 votes |
def flags(self):
    """Returns the file's flags

    FileFlags is masked with FileFlagsMask, packed as a native-endian 32-bit
    unsigned integer into a BufferAddressSpace and returned as a 'Flags'
    object using the bitmap below. A masked value outside the 32-bit range
    makes struct.pack raise struct.error, which is not caught here.
    """
    masked_flags = self.FileFlags & self.FileFlagsMask
    packed = struct.pack('=I', masked_flags)
    # Positional arguments (config, 0, data) as in the original; the meaning
    # of the second argument is not visible from this file.
    backing = addrspace.BufferAddressSpace(self.obj_vm.get_config(), 0, packed)
    bitmap = {
        'Debug': 0,
        'Prerelease': 1,
        'Patched': 2,
        'Private Build': 3,
        'Info Inferred': 4,
        'Special Build': 5,
    }
    return obj.Object('Flags', offset = 0, vm = backing, bitmap = bitmap)