dissect.cstruct.cstruct

Module Contents

Classes

cstruct

Main class of cstruct. All types are registered in here.

Functions

ctypes

Create ctypes structures from cstruct structures.

ctypes_type

Attributes

T

dissect.cstruct.cstruct.T
class dissect.cstruct.cstruct.cstruct(load: str = '', *, endian: str = '<', pointer: str | None = None)

Main class of cstruct. All types are registered in here.

Parameters:

  • endian – The endianness to use when parsing.

  • pointer – The pointer type to use for pointers.

DEF_CSTYLE = 1
DEF_LEGACY = 2
endian = '<'
consts
lookups
includes = []
typedefs
pointer: type[dissect.cstruct.types.BaseType] = 'uint64'
__getattr__(attr: str) Any
add_type(name: str, type_: type[dissect.cstruct.types.BaseType] | str, replace: bool = False) None

Add a type or type reference.

Only use this method when creating type aliases or adding already bound types.

Parameters:

  • name – Name of the type to be added.

  • type – The type to be added. Can be a str reference to another type or a compatible type class.

Raises:

ValueError – If the type already exists.

addtype
add_custom_type(name: str, type_: type[dissect.cstruct.types.BaseType], size: int | None = None, alignment: int | None = None, **kwargs) None

Add a custom type.

Use this method to add custom types to this cstruct instance. This is largely a convenience method for the internal _make_type() method, which binds a class to this cstruct instance.

Parameters:

  • name – Name of the type to be added.

  • type – The type to be added.

  • size – The size of the type.

  • alignment – The alignment of the type.

  • **kwargs – Additional attributes to add to the type.

load(definition: str, deftype: int | None = None, **kwargs) cstruct

Parse structures from the given definitions using the given definition type.

Definitions can be parsed using different parsers. Currently, there’s only one supported parser - DEF_CSTYLE. Parsers can add types and modify this cstruct instance. Arguments can be passed to parsers using kwargs.

The CSTYLE parser was recently replaced with token based parser, instead of a strictly regex based one. The old parser is still available by using DEF_LEGACY.

Parameters:

  • definition – The definition to parse.

  • deftype – The definition type to parse the definitions with.

  • **kwargs – Keyword arguments for parsers.

loadfile(path: str, deftype: int | None = None, **kwargs) None

Load structure definitions from a file.

The given path will be read and parsed using the load() function.

Parameters:

  • path – The path to load definitions from.

  • deftype – The definition type to parse the definitions with.

  • **kwargs – Keyword arguments for parsers.

read(name: str, stream: BinaryIO) Any

Parse data using a given type.

Parameters:

  • name – Type name to read.

  • stream – File-like object or byte string to parse.

Returns:

The parsed data.

resolve(name: type[dissect.cstruct.types.BaseType] | str) type[dissect.cstruct.types.BaseType]

Resolve a type name to get the actual type object.

Types can be referenced using different names. When we want the actual type object, we need to resolve these references.

Parameters:

name – Type name to resolve.

Returns:

The resolved type object.

Raises:

ResolveError – If the type can’t be resolved.

dissect.cstruct.cstruct.ctypes(structure: type[dissect.cstruct.types.Structure]) type[ctypes.Structure]

Create ctypes structures from cstruct structures.

dissect.cstruct.cstruct.ctypes_type(type_: type[dissect.cstruct.types.BaseType]) Any