This AS supports the VMEM format with VMSN/VMSS metadata.
Public Member Functions | |
def | __init__ (self, base, config, kwargs) |
Public Member Functions inherited from volatility.addrspace.AbstractRunBasedMemory | |
def | __init__ (self, base, config, args, kwargs) |
def | get_runs (self) |
Get the memory block info. | |
def | get_header (self) |
Get the header info. | |
def | translate (self, addr) |
Find the offset in the file where a memory address can be found. | |
def | get_available_allocs (self) |
Get a list of accessible physical memory regions. | |
def | get_available_addresses (self) |
Get a list of physical memory runs. | |
def | is_valid_address (self, phys_addr) |
Check if a physical address is in the file. | |
def | get_address_range (self) |
This relates to the logical address range that is indexable. | |
def | write (self, phys_addr, buf) |
This is mostly for support of raw2dmp so that it can modify the kernel CONTEXT after the crash dump has been written to disk. | |
Public Member Functions inherited from volatility.addrspace.AbstractDiscreteAllocMemory | |
def | __init__ (self, base, config, args, kwargs) |
def | translate (self, vaddr) |
def | get_available_allocs (self) |
A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset. | |
def | calculate_alloc_stats (self) |
Calculates the minimum_size and alignment_gcd to determine "virtual allocs" when reading lengths of data. It's particularly important to cast all numbers to ints, since they're used a lot and objects take effort to reread. | |
def | read (self, addr, length) |
This method reads 'length' bytes from the specified 'addr'. | |
def | zread (self, addr, length) |
This method reads 'length' bytes from the specified 'addr'. | |
Public Member Functions inherited from volatility.addrspace.BaseAddressSpace | |
def | __init__ (self, base, config, _args, _kwargs) |
base is the AS we will be stacking on top of, opts are options which we may use. | |
def | get_config (self) |
Returns the config object used by the vm for use in other vms. | |
def | is_valid_profile (self, profile) |
Determines whether a selected profile is compatible with this address space. | |
def | as_assert |
Duplicate for the assert command (so that optimizations don't disable them) | |
def | __eq__ (self, other) |
def | __ne__ (self, other) |
def | read (self, addr, length) |
Read some data from a certain offset. | |
def | zread (self, addr, length) |
Read data from a certain offset padded with where data is not available. | |
def | get_available_addresses (self) |
Return a generator of address ranges as (offset, size) covered by this AS sorted by offset. | |
def | is_valid_address (self, _addr) |
Tell us if the address is valid. | |
def | write (self, _addr, _buf) |
def | __getstate__ (self) |
Serialise this address space efficiently. | |
def | __setstate__ (self, state) |
def | address_mask (cls, addr) |
Masks an address value for this address space. | |
def | address_compare (cls, a, b) |
Compares two addresses, a and b, and returns -1 if a is less than b, 0 if they're equal and 1 if a is greater than b. | |
def | address_equality (cls, a, b) |
Compares two addresses and returns True if they're the same, or False if they're not. | |
def | physical_space (self) |
Return the underlying physical layer, if there is one. | |
Public Attributes | |
runs | |
We must have an AS below us. | |
header | |
Second AS for VMSN/VMSS manipulation. | |
Public Attributes inherited from volatility.addrspace.AbstractRunBasedMemory | |
runs | |
header | |
Public Attributes inherited from volatility.addrspace.BaseAddressSpace | |
base | |
name | |
profile | |
Static Public Attributes | |
int | order = 30 |
vmem_address_space = True | |
int | PAGE_SIZE = 4096 |
Static Public Attributes inherited from volatility.addrspace.AbstractDiscreteAllocMemory | |
minimum_size = None | |
alignment_gcd = None | |
Additional Inherited Members | |
Static Public Member Functions inherited from volatility.addrspace.BaseAddressSpace | |
def | register_options (config) |
volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace.header
Second AS for VMSN/VMSS manipulation.
The number of memory regions contained in the file. Create multiple runs, one for each region in the header. Code from vmware.py. Make sure we found at least one memory run.
volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace.runs
We must have an AS below us.
Build a path to the vmss; it should be relative to the vmem and have the same base name. This is a tuple of (physical memory offset, file offset, length).
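How a run table of (physical memory offset, file offset, length) tuples drives translate, is_valid_address and a padded read across a gap between regions. This is an added example, not Volatility's code: the class name RunMap, the sample runs and file contents, and the choice of zero bytes as padding are assumptions.

```python
import bisect
import io

PAGE_SIZE = 4096  # same value the class documents

class RunMap:
    """Hypothetical stand-in for a run-based address space (not Volatility code)."""
    def __init__(self, backing, runs):
        if not runs:
            raise ValueError("no memory runs found")  # at least one run is required
        self.backing = backing
        self.runs = sorted(runs)  # (phys_offset, file_offset, length)
        self.starts = [r[0] for r in self.runs]

    def _run_for(self, phys_addr):
        # Last run starting at or before phys_addr, if it actually covers it.
        i = bisect.bisect_right(self.starts, phys_addr) - 1
        if i >= 0:
            start, file_off, length = self.runs[i]
            if phys_addr < start + length:
                return start, file_off, length
        return None

    def translate(self, phys_addr):
        run = self._run_for(phys_addr)
        return None if run is None else run[1] + (phys_addr - run[0])

    def is_valid_address(self, phys_addr):
        return self._run_for(phys_addr) is not None

    def zread(self, phys_addr, length):
        out = bytearray()
        end = phys_addr + length
        while phys_addr < end:
            run = self._run_for(phys_addr)
            if run is None:
                # Gap: pad (assumed zero bytes) up to the next run or end of request.
                i = bisect.bisect_right(self.starts, phys_addr)
                stop = min(end, self.starts[i]) if i < len(self.starts) else end
                out += b"\x00" * (stop - phys_addr)
            else:
                stop = min(end, run[0] + run[2])
                self.backing.seek(run[1] + (phys_addr - run[0]))
                out += self.backing.read(stop - phys_addr).ljust(stop - phys_addr, b"\x00")
            phys_addr = stop
        return bytes(out)

# Constructed sample: two regions with a hole between them in physical memory.
SAMPLE_RUNS = [(0x0, 0x0, 2 * PAGE_SIZE), (0x10000, 2 * PAGE_SIZE, PAGE_SIZE)]
SAMPLE_FILE = io.BytesIO(b"A" * (2 * PAGE_SIZE) + b"B" * PAGE_SIZE)
```

A physical address in the second region maps to a much smaller file offset than its own value, which is why offsets taken from a scan of the raw file cannot be treated as physical addresses without going through the run table.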