dissect.cstruct.cstruct

Module Contents

Classes

cstruct

Main class of cstruct. All types are registered in here.

Functions

ctypes

Create ctypes structures from cstruct structures.

ctypes_type

class dissect.cstruct.cstruct.cstruct(endian: str = '<', pointer: str | None = None)

Main class of cstruct. All types are registered in here.

Parameters:
  • endian – The endianness to use when parsing.

  • pointer – The pointer type to use for Pointers.

DEF_CSTYLE = 1

DEF_LEGACY = 2

__getattr__(attr: str) → Any

addtype(name: str, type_: dissect.cstruct.types.BaseType, replace: bool = False) → None

Add a type or type reference.

Parameters:
  • name – Name of the type to be added.

  • type_ – The type to be added. Can be a str reference to another type or a compatible type class.

Raises:

ValueError – If the type already exists.

load(definition: str, deftype: int = None, **kwargs) → cstruct

Parse structures from the given definitions using the given definition type.

Definitions can be parsed using different parsers. Currently, there’s only one supported parser: DEF_CSTYLE. Parsers can add types and modify this cstruct instance. Arguments can be passed to parsers using kwargs.

The CSTYLE parser was recently replaced with a token-based parser, instead of a strictly regex-based one. The old parser is still available by using DEF_LEGACY.

Parameters:
  • definition – The definition to parse.

  • deftype – The definition type to parse the definitions with.

  • **kwargs – Keyword arguments for parsers.

loadfile(path: str, deftype: int = None, **kwargs) → None

Load structure definitions from a file.

The given path will be read and parsed using the .load() function.

Parameters:
  • path – The path to load definitions from.

  • deftype – The definition type to parse the definitions with.

  • **kwargs – Keyword arguments for parsers.

read(name: str, stream: BinaryIO) → Any

Parse data using a given type.

Parameters:
  • name – Type name to read.

  • stream – File-like object or byte string to parse.

Returns:

The parsed data.

resolve(name: str) → dissect.cstruct.types.BaseType

Resolve a type name to get the actual type object.

Types can be referenced using different names. When we want the actual type object, we need to resolve these references.

Parameters:

name – Type name to resolve.

Returns:

The resolved type object.

Raises:

ResolveError – If the type can’t be resolved.

dissect.cstruct.cstruct.ctypes(structure: dissect.cstruct.types.Structure) → ctypes.Structure

Create ctypes structures from cstruct structures.

dissect.cstruct.cstruct.ctypes_type(type_: dissect.cstruct.types.BaseType) → Any