 |
The Volatility Framework
|
|
|
The Volatility Framework
|
|
Standard AMD 64-bit address space. More...
Public Member Functions | |
| def | entry_present (self, entry) |
| def | page_size_flag (self, entry) |
| def | is_user_page (self, entry) |
| def | is_supervisor_page (self, entry) |
| def | is_writeable (self, entry) |
| def | is_dirty (self, entry) |
| def | is_nx (self, entry) |
| def | is_accessed (self, entry) |
| def | is_copyonwrite (self, entry) |
| def | is_prototype (self, entry) |
| def | get_2MB_paddr (self, vaddr, pgd_entry) |
| def | is_valid_profile (self, profile) |
| This method checks to make sure the address space is being used with a supported profile. | |
| def | pml4e_index (self, vaddr) |
| This method returns the Page Map Level 4 Entry Index number from the given virtual address. More... | |
| def | get_pml4e (self, vaddr) |
| This method returns the Page Map Level 4 (PML4) entry for the virtual address. More... | |
| def | get_pdpi (self, vaddr, pml4e) |
| This method returns the Page Directory Pointer entry for the virtual address. More... | |
| def | get_1GB_paddr (self, vaddr, pdpte) |
| If the Page Directory Pointer Table entry represents a 1-GByte page, this method extracts the physical address of the page. More... | |
| def | pde_index (self, vaddr) |
| def | pdba_base (self, pdpe) |
| def | get_pgd (self, vaddr, pdpe) |
| def | pte_index (self, vaddr) |
| def | ptba_base (self, pde) |
| def | get_pte (self, vaddr, pgd) |
| def | pte_pfn (self, pte) |
| def | get_paddr (self, vaddr, pte) |
| def | vtop (self, vaddr) |
| This method translates an address in the virtual address space to its associated physical address. More... | |
| def | read_long_long_phys (self, addr) |
| This method returns a 64-bit little endian unsigned integer from the specified address in the physical address space. More... | |
| def | get_available_pages |
| This method generates a list of pages that are available within the address space. More... | |
| def | address_mask (cls, addr) |
 Public Member Functions inherited from volatility.plugins.addrspaces.paged.AbstractWritablePagedMemory | |
| def | write (self, vaddr, buf) |
| Writes the data from buf to the vaddr specified. More... | |
| Public Member Functions inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory | |
| def | __init__ (self, base, config, dtb=0, skip_as_check=False, args, kwargs) |
| def | is_user_page (self, entry) |
| True if the page is accessible to ring 3 code. | |
| def | is_supervisor_page (self, entry) |
| True if the page is /only/ accessible to ring 0 code. | |
| def | is_writeable (self, entry) |
| True if the page can be written to. | |
| def | is_dirty (self, entry) |
| True if the page has been written to. | |
| def | is_nx (self, entry) |
| True if the page /cannot/ be executed. | |
| def | is_accessed (self, entry) |
| True if the page has been accessed. | |
| def | is_copyonwrite (self, entry) |
| True if the page is copy-on-write. | |
| def | is_prototype (self, entry) |
| True if the page is a prototype PTE. | |
| def | load_dtb (self) |
| Loads the DTB as quickly as possible from the config, then the base, then searching for it. | |
| def | __getstate__ (self) |
| def | vtop (self, addr) |
| Abstract function that converts virtual (paged) addresses to physical addresses. | |
| def | get_available_pages (self) |
| A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset. | |
| def | get_available_allocs (self) |
| def | get_available_addresses (self) |
| A generator that returns (addr, size) for each valid address block. | |
| def | is_valid_address (self, vaddr) |
| Returns whether a virtual address is valid. | |
| Public Member Functions inherited from volatility.addrspace.AbstractVirtualAddressSpace | |
| def | __init__ (self, base, config, astype='virtual ', args, kwargs) |
| def | vtop (self, vaddr) |
| def | translate (self, vaddr) |
| Public Member Functions inherited from volatility.addrspace.AbstractDiscreteAllocMemory | |
| def | __init__ (self, base, config, args, kwargs) |
| def | translate (self, vaddr) |
| def | get_available_allocs (self) |
| A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset. | |
| def | calculate_alloc_stats (self) |
| Calculates the minimum_size and alignment_gcd to determine "virtual allocs" when read lengths of data It's particularly important to cast all numbers to ints, since they're used a lot and object take effort to reread. | |
| def | read (self, addr, length) |
| This method reads 'length' bytes from the specified 'addr'. More... | |
| def | zread (self, addr, length) |
| This method reads 'length' bytes from the specified 'addr'. More... | |
| Public Member Functions inherited from volatility.addrspace.BaseAddressSpace | |
| def | __init__ (self, base, config, _args, _kwargs) |
| base is the AS we will be stacking on top of, opts are options which we may use. | |
| def | get_config (self) |
| Returns the config object used by the vm for use in other vms. | |
| def | is_valid_profile (self, profile) |
| Determines whether a selected profile is compatible with this address space. | |
| def | as_assert |
| Duplicate for the assert command (so that optimizations don't disable them) More... | |
| def | __eq__ (self, other) |
| def | __ne__ (self, other) |
| def | read (self, addr, length) |
| Read some data from a certain offset. | |
| def | zread (self, addr, length) |
| Read data from a certain offset padded with where data is not available. | |
| def | get_available_addresses (self) |
| Return a generator of address ranges as (offset, size) covered by this AS sorted by offset. More... | |
| def | is_valid_address (self, _addr) |
| Tell us if the address is valid. | |
| def | write (self, _addr, _buf) |
| def | __getstate__ (self) |
| Serialise this address space efficiently. | |
| def | __setstate__ (self, state) |
| def | address_mask (cls, addr) |
| Masks an address value for this address space. | |
| def | address_compare (cls, a, b) |
| Compares two addresses, a and b, and return -1 if a is less than b, 0 if they're equal and 1 if a is greater than b. | |
| def | address_equality (cls, a, b) |
| Compare two addresses and returns True if they're the same, or False if they're not. | |
| def | physical_space (self) |
| Return the underlying physical layer, if there is one. More... | |
Static Public Attributes | |
| int | order = 60 |
| pae = False | |
| string | checkname = 'AMD64ValidAS' |
| paging_address_space = True | |
| int | minimum_size = 0x1000 |
| int | alignment_gcd = 0x1000 |
| Static Public Attributes inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory | |
| string | checkname = "Intel" |
| Static Public Attributes inherited from volatility.addrspace.AbstractDiscreteAllocMemory | |
| minimum_size = None | |
| alignment_gcd = None | |
Additional Inherited Members | |
| Static Public Member Functions inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory | |
| def | register_options (config) |
| Static Public Member Functions inherited from volatility.addrspace.BaseAddressSpace | |
| def | register_options (config) |
| Public Attributes inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory | |
| dtb | |
| We must be stacked on someone else: More... | |
| name | |
| Public Attributes inherited from volatility.addrspace.BaseAddressSpace | |
| base | |
| name | |
| profile | |
Standard AMD 64-bit address space.
This class implements the AMD64/IA-32E paging address space. It is responsible for translating each virtual (linear) address to a physical address. This is accomplished using hierachical paging structures. Every paging structure is 4096 bytes and is composed of entries. Each entry is 64 bits. The first paging structure is located at the physical address found in CR3 (dtb).
Additional Resources:
| def volatility.plugins.addrspaces.amd64.AMD64PagedMemory.get_1GB_paddr | ( | self, | |
| vaddr, | |||
| pdpte | |||
| ) |
If the Page Directory Pointer Table entry represents a 1-GByte page, this method extracts the physical address of the page.
"Bits 51:30 are from the PDPTE" [Intel] "Bits 29:0 are from the original linear address" [Intel]
| def volatility.plugins.addrspaces.amd64.AMD64PagedMemory.get_available_pages | ( | self, | |
with_pte = False |
|||
| ) |
This method generates a list of pages that are available within the address space.
The entries in are composed of the virtual address of the page and the size of the particular page (address, size). It walks the 0x1000/0x8 (0x200) entries in each Page Map, Page Directory, and Page Table to determine which pages are accessible.
| def volatility.plugins.addrspaces.amd64.AMD64PagedMemory.get_pdpi | ( | self, | |
| vaddr, | |||
| pml4e | |||
| ) |
This method returns the Page Directory Pointer entry for the virtual address.
Bits 32:30 are used to select the appropriate 8 byte entry in the Page Directory Pointer table.
"Bits 51:12 are from the PML4E" [Intel] "Bits 11:3 are bits 38:30 of the linear address" [Intel] "Bits 2:0 are all 0" [Intel]
| def volatility.plugins.addrspaces.amd64.AMD64PagedMemory.get_pml4e | ( | self, | |
| vaddr | |||
| ) |
This method returns the Page Map Level 4 (PML4) entry for the virtual address.
Bits 47:39 are used to the select the appropriate 8 byte entry in the Page Map Level 4 Table.
"Bits 51:12 are from CR3" [Intel] "Bits 11:3 are bits 47:39 of the linear address" [Intel] "Bits 2:0 are 0" [Intel]
| def volatility.plugins.addrspaces.amd64.AMD64PagedMemory.pml4e_index | ( | self, | |
| vaddr | |||
| ) |
This method returns the Page Map Level 4 Entry Index number from the given virtual address.
The index number is in bits 47:39.
| def volatility.plugins.addrspaces.amd64.AMD64PagedMemory.read_long_long_phys | ( | self, | |
| addr | |||
| ) |
This method returns a 64-bit little endian unsigned integer from the specified address in the physical address space.
If the address cannot be accessed, then the method returns None.
This code was derived directly from legacyintel.py
| def volatility.plugins.addrspaces.amd64.AMD64PagedMemory.vtop | ( | self, | |
| vaddr | |||
| ) |
This method translates an address in the virtual address space to its associated physical address.
Invalid entries should be handled with operating system abstractions.
1.8.9.1