This AS supports Qemu ELF32 and ELF64 coredump format.
Public Member Functions | |
| def | check_note (self, note) |
| Check the Note type. | |
| def | validate (self) |
Public Member Functions inherited from volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64 | |
| def | __init__ (self, base, config, kwargs) |
| def | check_note (self, note) |
| Check the Note type. | |
| def | validate (self) |
Public Member Functions inherited from volatility.addrspace.AbstractRunBasedMemory | |
| def | __init__ (self, base, config, args, kwargs) |
| def | get_runs (self) |
| Get the memory block info. | |
| def | get_header (self) |
| Get the header info. | |
| def | translate (self, addr) |
| Find the offset in the file where a memory address can be found. | |
| def | get_available_allocs (self) |
| Get a list of accessible physical memory regions. | |
| def | get_available_addresses (self) |
| Get a list of physical memory runs. | |
| def | is_valid_address (self, phys_addr) |
| Check if a physical address is in the file. | |
| def | get_address_range (self) |
| This relates to the logical address range that is indexable. | |
| def | write (self, phys_addr, buf) |
| This is mostly for support of raw2dmp so that it can modify the kernel CONTEXT after the crash dump has been written to disk. | |
Public Member Functions inherited from volatility.addrspace.AbstractDiscreteAllocMemory | |
| def | __init__ (self, base, config, args, kwargs) |
| def | translate (self, vaddr) |
| def | get_available_allocs (self) |
| A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset. | |
| def | calculate_alloc_stats (self) |
| Calculates the minimum_size and alignment_gcd to determine "virtual allocs" when reading lengths of data. It's particularly important to cast all numbers to ints, since they're used a lot and objects take effort to reread. | |
| def | read (self, addr, length) |
| This method reads 'length' bytes from the specified 'addr'. | |
| def | zread (self, addr, length) |
| This method reads 'length' bytes from the specified 'addr'. | |
Public Member Functions inherited from volatility.addrspace.BaseAddressSpace | |
| def | __init__ (self, base, config, _args, _kwargs) |
| base is the AS we will be stacking on top of, opts are options which we may use. | |
| def | get_config (self) |
| Returns the config object used by the vm for use in other vms. | |
| def | is_valid_profile (self, profile) |
| Determines whether a selected profile is compatible with this address space. | |
| def | as_assert |
| Duplicate for the assert command (so that optimizations don't disable them). | |
| def | __eq__ (self, other) |
| def | __ne__ (self, other) |
| def | read (self, addr, length) |
| Read some data from a certain offset. | |
| def | zread (self, addr, length) |
| Read data from a certain offset padded with \0 where data is not available. | |
| def | get_available_addresses (self) |
| Return a generator of address ranges as (offset, size) covered by this AS sorted by offset. | |
| def | is_valid_address (self, _addr) |
| Tell us if the address is valid. | |
| def | write (self, _addr, _buf) |
| def | __getstate__ (self) |
| Serialise this address space efficiently. | |
| def | __setstate__ (self, state) |
| def | address_mask (cls, addr) |
| Masks an address value for this address space. | |
| def | address_compare (cls, a, b) |
| Compares two addresses, a and b, and returns -1 if a is less than b, 0 if they're equal and 1 if a is greater than b. | |
| def | address_equality (cls, a, b) |
| Compares two addresses and returns True if they're the same, or False if they're not. | |
| def | physical_space (self) |
| Return the underlying physical layer, if there is one. | |
Public Attributes | |
| header | |
| Fake the header since we don't know what structure Qemu uses. | |
Public Attributes inherited from volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64 | |
| runs | |
| We must have an AS below us. | |
| header | |
| The PT_NOTE core descriptor structure. | |
Public Attributes inherited from volatility.addrspace.AbstractRunBasedMemory | |
| runs | |
| header | |
Public Attributes inherited from volatility.addrspace.BaseAddressSpace | |
| base | |
| name | |
| profile | |
Additional Inherited Members | |
Static Public Member Functions inherited from volatility.addrspace.BaseAddressSpace | |
| def | register_options (config) |
Static Public Attributes inherited from volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64 | |
| int | order = 30 |
Static Public Attributes inherited from volatility.addrspace.AbstractDiscreteAllocMemory | |
| minimum_size = None | |
| alignment_gcd = None | |
| volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf.header |
Fake the header since we don't know what structure Qemu uses.
It just has to pass the assertion check.