The Volatility Framework
volatility.plugins.addrspaces.vmware.VMWareAddressSpace Class Reference

This AS supports VMware snapshot (VMSN) and saved state (VMSS) files.

Inheritance diagram for volatility.plugins.addrspaces.vmware.VMWareAddressSpace:
volatility.addrspace.AbstractRunBasedMemory, volatility.addrspace.AbstractDiscreteAllocMemory, volatility.addrspace.BaseAddressSpace

Public Member Functions

def __init__ (self, base, config, kwargs)
 
- Public Member Functions inherited from volatility.addrspace.AbstractRunBasedMemory
def __init__ (self, base, config, args, kwargs)
 
def get_runs (self)
 Get the memory block info.
 
def get_header (self)
 Get the header info.
 
def translate (self, addr)
 Find the offset in the file where a memory address can be found.
 
def get_available_allocs (self)
 Get a list of accessible physical memory regions.
 
def get_available_addresses (self)
 Get a list of physical memory runs.
 
def is_valid_address (self, phys_addr)
 Check if a physical address is in the file.
 
def get_address_range (self)
 This relates to the logical address range that is indexable.
 
def write (self, phys_addr, buf)
 This is mostly for support of raw2dmp so that it can modify the kernel CONTEXT after the crash dump has been written to disk.
 
- Public Member Functions inherited from volatility.addrspace.AbstractDiscreteAllocMemory
def __init__ (self, base, config, args, kwargs)
 
def translate (self, vaddr)
 
def get_available_allocs (self)
 A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset.
 
def calculate_alloc_stats (self)
 Calculates the minimum_size and alignment_gcd to determine "virtual allocs" when reading lengths of data. It's particularly important to cast all numbers to ints, since they're used a lot and objects take effort to reread.
 
def read (self, addr, length)
 This method reads 'length' bytes from the specified 'addr'.
 
def zread (self, addr, length)
 This method reads 'length' bytes from the specified 'addr'.
 
- Public Member Functions inherited from volatility.addrspace.BaseAddressSpace
def __init__ (self, base, config, _args, _kwargs)
 base is the AS we will be stacking on top of, opts are options which we may use.
 
def get_config (self)
 Returns the config object used by the vm for use in other vms.
 
def is_valid_profile (self, profile)
 Determines whether a selected profile is compatible with this address space.
 
def as_assert
 Duplicate for the assert command (so that optimizations don't disable them).
 
def __eq__ (self, other)
 
def __ne__ (self, other)
 
def read (self, addr, length)
 Read some data from a certain offset.
 
def zread (self, addr, length)
 Read data from a certain offset, padded with zeros where data is not available.
 
def get_available_addresses (self)
 Return a generator of address ranges as (offset, size) covered by this AS sorted by offset.
 
def is_valid_address (self, _addr)
 Tell us if the address is valid.
 
def write (self, _addr, _buf)
 
def __getstate__ (self)
 Serialise this address space efficiently.
 
def __setstate__ (self, state)
 
def address_mask (cls, addr)
 Masks an address value for this address space.
 
def address_compare (cls, a, b)
 Compares two addresses, a and b, and returns -1 if a is less than b, 0 if they're equal and 1 if a is greater than b.
 
def address_equality (cls, a, b)
 Compares two addresses and returns True if they're the same, or False if they're not.
 
def physical_space (self)
 Return the underlying physical layer, if there is one.
 

Static Public Member Functions

def get_tag
 Get a tag from the VMware headers.
 
- Static Public Member Functions inherited from volatility.addrspace.BaseAddressSpace
def register_options (config)
 

Public Attributes

 runs
 We must have an AS below us.
 
 header
 A VMware header is found at offset zero of the file.
 
- Public Attributes inherited from volatility.addrspace.AbstractRunBasedMemory
 runs
 
 header
 
- Public Attributes inherited from volatility.addrspace.BaseAddressSpace
 base
 
 name
 
 profile
 

Static Public Attributes

int order = 30
 
int PAGE_SIZE = 4096
 
- Static Public Attributes inherited from volatility.addrspace.AbstractDiscreteAllocMemory
 minimum_size = None
 
 alignment_gcd = None
 

Detailed Description

This AS supports VMware snapshot (VMSN) and saved state (VMSS) files.

Member Function Documentation

def volatility.plugins.addrspaces.vmware.VMWareAddressSpace.get_tag (header, grp_name, tag_name, indices = None, data_type = None)
static

Get a tag from the VMware headers.

Parameters
grp_name: the group name (from _VMWARE_GROUP.Name)
tag_name: the tag name (from _VMWARE_TAG.Name)
indices: a group can contain multiple tags of the same name, and tags can also contain meta-tags. This parameter lets you specify exactly which tag or meta-tag to operate on. For example, the 3rd CR register (CR3) of the first CPU would use [0][3] indices. If this parameter is None, then you just match on grp_name and tag_name.
data_type: the type of data depends on the purpose of the tag. If you supply this parameter, the function returns an object of the specified type (for example an int or long). If not supplied, you just get back the _VMWARE_TAG object itself.

Member Data Documentation

volatility.plugins.addrspaces.vmware.VMWareAddressSpace.runs

We must have an AS below us.

This is a tuple of (physical memory offset, file offset, length)
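
How a run list of (physical memory offset, file offset, length) tuples supports translate, is_valid_address and a zero-padded read, shown as an added example that is not Volatility's own code. The RunTranslator class, build_sample function and the sample runs and file image are hypothetical and constructed for illustration.

```python
import io

# Constructed sample: two runs of (physical memory offset, file offset, length)
# with an unmapped hole at physical 0x1000-0x2fff.
SAMPLE_RUNS = [(0x0000, 0x2000, 0x1000), (0x3000, 0x3000, 0x2000)]


class RunTranslator(object):
    """Hypothetical helper for illustration; not Volatility's implementation."""

    def __init__(self, runs, fileobj):
        self.runs = sorted(runs)
        self.fileobj = fileobj

    def _find(self, phys_addr):
        for run in self.runs:
            if run[0] <= phys_addr < run[0] + run[2]:
                return run
        return None

    def translate(self, phys_addr):
        """Return the file offset backing phys_addr, or None if unmapped."""
        run = self._find(phys_addr)
        return None if run is None else run[1] + (phys_addr - run[0])

    def is_valid_address(self, phys_addr):
        return self._find(phys_addr) is not None

    def zread(self, phys_addr, length):
        """Read length bytes, zero-filling addresses that no run covers."""
        out, end = bytearray(), phys_addr + length
        while phys_addr < end:
            run = self._find(phys_addr)
            if run is None:  # in a hole: pad up to the next run or request end
                stop = min([r[0] for r in self.runs if r[0] > phys_addr] + [end])
                out += b"\x00" * (stop - phys_addr)
            else:
                stop = min(run[0] + run[2], end)
                self.fileobj.seek(run[1] + (phys_addr - run[0]))
                data = self.fileobj.read(stop - phys_addr)
                out += data.ljust(stop - phys_addr, b"\x00")  # truncated file
            phys_addr = stop
        return bytes(out)


def build_sample():
    # Constructed file image: 0x2000 header bytes, then run data "A" and "B".
    image = b"H" * 0x2000 + b"A" * 0x1000 + b"B" * 0x2000
    return RunTranslator(SAMPLE_RUNS, io.BytesIO(image))
```

A read that straddles a run boundary is the case to check when validating an acquisition: bytes inside the hole come back as zeros rather than as data from the neighbouring run.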


The documentation for this class was generated from the following file: