This class implements the IA-32 PAE paging address space. More...
Public Member Functions | |
def | get_pdptb (self, pdpr) |
def | pdpi_index (self, pdpi) |
def | get_pdpi (self, vaddr) |
def | pde_index (self, vaddr) |
def | pdba_base (self, pdpe) |
def | get_pgd (self, vaddr, pdpe) |
def | pte_pfn (self, pte) |
def | pte_index (self, vaddr) |
def | ptba_base (self, pde) |
def | get_pte (self, vaddr, pgd) |
def | get_paddr (self, vaddr, pte) |
def | get_large_paddr (self, vaddr, pgd_entry) |
def | vtop (self, vaddr) |
def | get_available_pages |
Public Member Functions inherited from volatility.plugins.addrspaces.intel.IA32PagedMemory | |
def | __init__ (self, base, config, dtb=0, skip_as_check=False, args, kwargs) |
def | is_valid_profile (self, profile) |
def | entry_present (self, entry) |
def | page_size_flag (self, entry) |
def | is_user_page (self, entry) |
def | is_supervisor_page (self, entry) |
def | is_writeable (self, entry) |
def | is_dirty (self, entry) |
def | is_nx (self, entry) |
def | is_accessed (self, entry) |
def | is_copyonwrite (self, entry) |
def | is_prototype (self, entry) |
def | pgd_index (self, pgd) |
def | get_pgd (self, vaddr) |
def | pte_pfn (self, pte) |
def | pte_index (self, pte) |
def | get_pte (self, vaddr, pgd) |
def | get_paddr (self, vaddr, pte) |
def | get_four_meg_paddr (self, vaddr, pgd_entry) |
def | vtop (self, vaddr) |
def | read_long_phys (self, addr) |
def | get_available_pages |
Public Member Functions inherited from volatility.plugins.addrspaces.paged.AbstractWritablePagedMemory | |
def | write (self, vaddr, buf) |
Writes the data from buf to the vaddr specified. More... | |
Public Member Functions inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory | |
def | __init__ (self, base, config, dtb=0, skip_as_check=False, args, kwargs) |
def | is_user_page (self, entry) |
True if the page is accessible to ring 3 code. | |
def | is_supervisor_page (self, entry) |
True if the page is /only/ accessible to ring 0 code. | |
def | is_writeable (self, entry) |
True if the page can be written to. | |
def | is_dirty (self, entry) |
True if the page has been written to. | |
def | is_nx (self, entry) |
True if the page /cannot/ be executed. | |
def | is_accessed (self, entry) |
True if the page has been accessed. | |
def | is_copyonwrite (self, entry) |
True if the page is copy-on-write. | |
def | is_prototype (self, entry) |
True if the page is a prototype PTE. | |
def | load_dtb (self) |
Loads the DTB as quickly as possible from the config, then the base, then searching for it. | |
def | __getstate__ (self) |
def | vtop (self, addr) |
Abstract function that converts virtual (paged) addresses to physical addresses. | |
def | get_available_pages (self) |
A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset. | |
def | get_available_allocs (self) |
def | get_available_addresses (self) |
A generator that returns (addr, size) for each valid address block. | |
def | is_valid_address (self, vaddr) |
Returns whether a virtual address is valid. | |
Public Member Functions inherited from volatility.addrspace.AbstractVirtualAddressSpace | |
def | __init__ (self, base, config, astype='virtual ', args, kwargs) |
def | vtop (self, vaddr) |
def | translate (self, vaddr) |
Public Member Functions inherited from volatility.addrspace.AbstractDiscreteAllocMemory | |
def | __init__ (self, base, config, args, kwargs) |
def | translate (self, vaddr) |
def | get_available_allocs (self) |
A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset. | |
def | calculate_alloc_stats (self) |
Calculates the minimum_size and alignment_gcd to determine "virtual allocs" when read lengths of data It's particularly important to cast all numbers to ints, since they're used a lot and object take effort to reread. | |
def | read (self, addr, length) |
This method reads 'length' bytes from the specified 'addr'. More... | |
def | zread (self, addr, length) |
This method reads 'length' bytes from the specified 'addr'. More... | |
Public Member Functions inherited from volatility.addrspace.BaseAddressSpace | |
def | __init__ (self, base, config, _args, _kwargs) |
base is the AS we will be stacking on top of, opts are options which we may use. | |
def | get_config (self) |
Returns the config object used by the vm for use in other vms. | |
def | is_valid_profile (self, profile) |
Determines whether a selected profile is compatible with this address space. | |
def | as_assert |
Duplicate for the assert command (so that optimizations don't disable them) More... | |
def | __eq__ (self, other) |
def | __ne__ (self, other) |
def | read (self, addr, length) |
Read some data from a certain offset. | |
def | zread (self, addr, length) |
Read data from a certain offset padded with where data is not available. | |
def | get_available_addresses (self) |
Return a generator of address ranges as (offset, size) covered by this AS sorted by offset. More... | |
def | is_valid_address (self, _addr) |
Tell us if the address is valid. | |
def | write (self, _addr, _buf) |
def | __getstate__ (self) |
Serialise this address space efficiently. | |
def | __setstate__ (self, state) |
def | address_mask (cls, addr) |
Masks an address value for this address space. | |
def | address_compare (cls, a, b) |
Compares two addresses, a and b, and return -1 if a is less than b, 0 if they're equal and 1 if a is greater than b. | |
def | address_equality (cls, a, b) |
Compare two addresses and returns True if they're the same, or False if they're not. | |
def | physical_space (self) |
Return the underlying physical layer, if there is one. More... | |
Static Public Attributes | |
int | order = 60 |
pae = True | |
Static Public Attributes inherited from volatility.plugins.addrspaces.intel.IA32PagedMemory | |
int | order = 70 |
pae = False | |
paging_address_space = True | |
string | checkname = 'IA32ValidAS' |
int | minimum_size = 0x1000 |
int | alignment_gcd = 0x1000 |
Static Public Attributes inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory | |
string | checkname = "Intel" |
Static Public Attributes inherited from volatility.addrspace.AbstractDiscreteAllocMemory | |
minimum_size = None | |
alignment_gcd = None | |
Additional Inherited Members | |
Static Public Member Functions inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory | |
def | register_options (config) |
Static Public Member Functions inherited from volatility.addrspace.BaseAddressSpace | |
def | register_options (config) |
Public Attributes inherited from volatility.plugins.addrspaces.paged.AbstractPagedMemory | |
dtb | |
We must be stacked on someone else: More... | |
name | |
Public Attributes inherited from volatility.addrspace.BaseAddressSpace | |
base | |
name | |
profile | |
This class implements the IA-32 PAE paging address space.
It is responsible for translating each 32-bit virtual (linear) address to a 52-bit physical address. When PAE paging is in use, CR3 references the base of a 32-Byte Page Directory Pointer Table.
Additional Resources: