The Volatility Framework
Public Member Functions | Static Public Attributes | List of all members
volatility.plugins.addrspaces.intel.IA32PagedMemory Class Reference

Standard IA-32 paging address space. More...

Inheritance diagram for volatility.plugins.addrspaces.intel.IA32PagedMemory:
volatility.plugins.addrspaces.paged.AbstractWritablePagedMemory volatility.plugins.addrspaces.paged.AbstractPagedMemory volatility.addrspace.AbstractVirtualAddressSpace volatility.addrspace.AbstractDiscreteAllocMemory volatility.addrspace.BaseAddressSpace volatility.plugins.addrspaces.intel.IA32PagedMemoryPae

Public Member Functions

def __init__ (self, base, config, dtb=0, skip_as_check=False, args, kwargs)
 
def is_valid_profile (self, profile)
 
def entry_present (self, entry)
 
def page_size_flag (self, entry)
 
def is_user_page (self, entry)
 
def is_supervisor_page (self, entry)
 
def is_writeable (self, entry)
 
def is_dirty (self, entry)
 
def is_nx (self, entry)
 
def is_accessed (self, entry)
 
def is_copyonwrite (self, entry)
 
def is_prototype (self, entry)
 
def pgd_index (self, pgd)
 
def get_pgd (self, vaddr)
 
def pte_pfn (self, pte)
 
def pte_index (self, pte)
 
def get_pte (self, vaddr, pgd)
 
def get_paddr (self, vaddr, pte)
 
def get_four_meg_paddr (self, vaddr, pgd_entry)
 
def vtop (self, vaddr)
 
def read_long_phys (self, addr)
 
def get_available_pages
 
- Public Member Functions inherited from volatility.plugins.addrspaces.paged.AbstractWritablePagedMemory
def write (self, vaddr, buf)
 Writes the data from buf to the vaddr specified. More...
 
- Public Member Functions inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory
def __init__ (self, base, config, dtb=0, skip_as_check=False, args, kwargs)
 
def is_user_page (self, entry)
 True if the page is accessible to ring 3 code.
 
def is_supervisor_page (self, entry)
 True if the page is /only/ accessible to ring 0 code.
 
def is_writeable (self, entry)
 True if the page can be written to.
 
def is_dirty (self, entry)
 True if the page has been written to.
 
def is_nx (self, entry)
 True if the page /cannot/ be executed.
 
def is_accessed (self, entry)
 True if the page has been accessed.
 
def is_copyonwrite (self, entry)
 True if the page is copy-on-write.
 
def is_prototype (self, entry)
 True if the page is a prototype PTE.
 
def load_dtb (self)
 Loads the DTB as quickly as possible from the config, then the base, then searching for it.
 
def __getstate__ (self)
 
def vtop (self, addr)
 Abstract function that converts virtual (paged) addresses to physical addresses.
 
def get_available_pages (self)
 A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset.
 
def get_available_allocs (self)
 
def get_available_addresses (self)
 A generator that returns (addr, size) for each valid address block.
 
def is_valid_address (self, vaddr)
 Returns whether a virtual address is valid.
 
- Public Member Functions inherited from volatility.addrspace.AbstractVirtualAddressSpace
def __init__ (self, base, config, astype='virtual ', args, kwargs)
 
def vtop (self, vaddr)
 
def translate (self, vaddr)
 
- Public Member Functions inherited from volatility.addrspace.AbstractDiscreteAllocMemory
def __init__ (self, base, config, args, kwargs)
 
def translate (self, vaddr)
 
def get_available_allocs (self)
 A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset.
 
def calculate_alloc_stats (self)
 Calculates the minimum_size and alignment_gcd to determine "virtual allocs" when read lengths of data It's particularly important to cast all numbers to ints, since they're used a lot and object take effort to reread.
 
def read (self, addr, length)
 This method reads 'length' bytes from the specified 'addr'. More...
 
def zread (self, addr, length)
 This method reads 'length' bytes from the specified 'addr'. More...
 
- Public Member Functions inherited from volatility.addrspace.BaseAddressSpace
def __init__ (self, base, config, _args, _kwargs)
 base is the AS we will be stacking on top of, opts are options which we may use.
 
def get_config (self)
 Returns the config object used by the vm for use in other vms.
 
def is_valid_profile (self, profile)
 Determines whether a selected profile is compatible with this address space.
 
def as_assert
 Duplicate for the assert command (so that optimizations don't disable them) More...
 
def __eq__ (self, other)
 
def __ne__ (self, other)
 
def read (self, addr, length)
 Read some data from a certain offset.
 
def zread (self, addr, length)
 Read data from a certain offset padded with where data is not available.
 
def get_available_addresses (self)
 Return a generator of address ranges as (offset, size) covered by this AS sorted by offset. More...
 
def is_valid_address (self, _addr)
 Tell us if the address is valid.
 
def write (self, _addr, _buf)
 
def __getstate__ (self)
 Serialise this address space efficiently.
 
def __setstate__ (self, state)
 
def address_mask (cls, addr)
 Masks an address value for this address space.
 
def address_compare (cls, a, b)
 Compares two addresses, a and b, and return -1 if a is less than b, 0 if they're equal and 1 if a is greater than b.
 
def address_equality (cls, a, b)
 Compare two addresses and returns True if they're the same, or False if they're not.
 
def physical_space (self)
 Return the underlying physical layer, if there is one. More...
 

Static Public Attributes

int order = 70
 
 pae = False
 
 paging_address_space = True
 
string checkname = 'IA32ValidAS'
 
int minimum_size = 0x1000
 
int alignment_gcd = 0x1000
 
- Static Public Attributes inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory
string checkname = "Intel"
 
- Static Public Attributes inherited from volatility.addrspace.AbstractDiscreteAllocMemory
 minimum_size = None
 
 alignment_gcd = None
 

Additional Inherited Members

- Static Public Member Functions inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory
def register_options (config)
 
- Static Public Member Functions inherited from volatility.addrspace.BaseAddressSpace
def register_options (config)
 
- Public Attributes inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory
 dtb
 We must be stacked on someone else: More...
 
 name
 
- Public Attributes inherited from volatility.addrspace.BaseAddressSpace
 base
 
 name
 
 profile
 

Detailed Description

Standard IA-32 paging address space.

This class implements the IA-32 paging address space. It is responsible for translating each virtual (linear) address to a physical address. This is accomplished using hierachical paging structures. Every paging structure is 4096 bytes and is composed of entries. Each entry is 32 bits. The first paging structure is located at the physical address found in CR3 (dtb).

Additional Resources:

  • Intel(R) 64 and IA-32 Architectures Software Developer's Manual Volume 3A: System Programming Guide. Section 4.3 http://www.intel.com/products/processor/manuals/index.htm
  • AMD64 Architecture Programmer's Manual Volume 2: System Programming http://support.amd.com/us/Processor_TechDocs/24593_APM_v2.pdf
  • N. Petroni, A. Walters, T. Fraser, and W. Arbaugh, "FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory" ,Digital Investigation Journal 3(4):197-210, December 2006. (submitted February 2006)
  • N. P. Maclean, "Acquisition and Analysis of Windows Memory," University of Strathclyde, Glasgow, April 2006.
  • Russinovich, M., & Solomon, D., & Ionescu, A. "Windows Internals, 5th Edition", Microsoft Press, 2009.
The documentation for this class was generated from the following file: