Standard IA-32 paging address space. More...
Public Member Functions | |
def | __init__ (self, base, config, dtb=0, skip_as_check=False, args, kwargs) |
def | is_valid_profile (self, profile) |
def | entry_present (self, entry) |
def | page_size_flag (self, entry) |
def | is_user_page (self, entry) |
def | is_supervisor_page (self, entry) |
def | is_writeable (self, entry) |
def | is_dirty (self, entry) |
def | is_nx (self, entry) |
def | is_accessed (self, entry) |
def | is_copyonwrite (self, entry) |
def | is_prototype (self, entry) |
def | pgd_index (self, pgd) |
def | get_pgd (self, vaddr) |
def | pte_pfn (self, pte) |
def | pte_index (self, pte) |
def | get_pte (self, vaddr, pgd) |
def | get_paddr (self, vaddr, pte) |
def | get_four_meg_paddr (self, vaddr, pgd_entry) |
def | vtop (self, vaddr) |
def | read_long_phys (self, addr) |
def | get_available_pages |
Public Member Functions inherited from volatility.plugins.addrspaces.paged.AbstractWritablePagedMemory | |
def | write (self, vaddr, buf) |
Writes the data from buf to the vaddr specified. More... | |
Public Member Functions inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory | |
def | __init__ (self, base, config, dtb=0, skip_as_check=False, args, kwargs) |
def | is_user_page (self, entry) |
True if the page is accessible to ring 3 code. | |
def | is_supervisor_page (self, entry) |
True if the page is /only/ accessible to ring 0 code. | |
def | is_writeable (self, entry) |
True if the page can be written to. | |
def | is_dirty (self, entry) |
True if the page has been written to. | |
def | is_nx (self, entry) |
True if the page /cannot/ be executed. | |
def | is_accessed (self, entry) |
True if the page has been accessed. | |
def | is_copyonwrite (self, entry) |
True if the page is copy-on-write. | |
def | is_prototype (self, entry) |
True if the page is a prototype PTE. | |
def | load_dtb (self) |
Loads the DTB as quickly as possible from the config, then the base, then searching for it. | |
def | __getstate__ (self) |
def | vtop (self, addr) |
Abstract function that converts virtual (paged) addresses to physical addresses. | |
def | get_available_pages (self) |
A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset. | |
def | get_available_allocs (self) |
def | get_available_addresses (self) |
A generator that returns (addr, size) for each valid address block. | |
def | is_valid_address (self, vaddr) |
Returns whether a virtual address is valid. | |
Public Member Functions inherited from volatility.addrspace.AbstractVirtualAddressSpace | |
def | __init__ (self, base, config, astype='virtual ', args, kwargs) |
def | vtop (self, vaddr) |
def | translate (self, vaddr) |
Public Member Functions inherited from volatility.addrspace.AbstractDiscreteAllocMemory | |
def | __init__ (self, base, config, args, kwargs) |
def | translate (self, vaddr) |
def | get_available_allocs (self) |
A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset. | |
def | calculate_alloc_stats (self) |
Calculates the minimum_size and alignment_gcd to determine "virtual allocs" when read lengths of data It's particularly important to cast all numbers to ints, since they're used a lot and object take effort to reread. | |
def | read (self, addr, length) |
This method reads 'length' bytes from the specified 'addr'. More... | |
def | zread (self, addr, length) |
This method reads 'length' bytes from the specified 'addr'. More... | |
Public Member Functions inherited from volatility.addrspace.BaseAddressSpace | |
def | __init__ (self, base, config, _args, _kwargs) |
base is the AS we will be stacking on top of, opts are options which we may use. | |
def | get_config (self) |
Returns the config object used by the vm for use in other vms. | |
def | is_valid_profile (self, profile) |
Determines whether a selected profile is compatible with this address space. | |
def | as_assert |
Duplicate for the assert command (so that optimizations don't disable them) More... | |
def | __eq__ (self, other) |
def | __ne__ (self, other) |
def | read (self, addr, length) |
Read some data from a certain offset. | |
def | zread (self, addr, length) |
Read data from a certain offset padded with where data is not available. | |
def | get_available_addresses (self) |
Return a generator of address ranges as (offset, size) covered by this AS sorted by offset. More... | |
def | is_valid_address (self, _addr) |
Tell us if the address is valid. | |
def | write (self, _addr, _buf) |
def | __getstate__ (self) |
Serialise this address space efficiently. | |
def | __setstate__ (self, state) |
def | address_mask (cls, addr) |
Masks an address value for this address space. | |
def | address_compare (cls, a, b) |
Compares two addresses, a and b, and return -1 if a is less than b, 0 if they're equal and 1 if a is greater than b. | |
def | address_equality (cls, a, b) |
Compare two addresses and returns True if they're the same, or False if they're not. | |
def | physical_space (self) |
Return the underlying physical layer, if there is one. More... | |
Static Public Attributes | |
int | order = 70 |
pae = False | |
paging_address_space = True | |
string | checkname = 'IA32ValidAS' |
int | minimum_size = 0x1000 |
int | alignment_gcd = 0x1000 |
Static Public Attributes inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory | |
string | checkname = "Intel" |
Static Public Attributes inherited from volatility.addrspace.AbstractDiscreteAllocMemory | |
minimum_size = None | |
alignment_gcd = None | |
Additional Inherited Members | |
Static Public Member Functions inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory | |
def | register_options (config) |
Static Public Member Functions inherited from volatility.addrspace.BaseAddressSpace | |
def | register_options (config) |
Public Attributes inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory | |
dtb | |
We must be stacked on someone else: More... | |
name | |
Public Attributes inherited from volatility.addrspace.BaseAddressSpace | |
base | |
name | |
profile | |
Standard IA-32 paging address space.
This class implements the IA-32 paging address space. It is responsible for translating each virtual (linear) address to a physical address. This is accomplished using hierachical paging structures. Every paging structure is 4096 bytes and is composed of entries. Each entry is 32 bits. The first paging structure is located at the physical address found in CR3 (dtb).
Additional Resources: