Public Member Functions
def	WK_pack_2bits (self, source_buf, source_end, dest_buf, dest_start)
	WK_pack_2bits(): Pack some multiple of four words holding two-bit tags (in the low two bits of each byte) into an integral number of words, i.e., one fourth as many. More...

def	WK_pack_4bits (self, source_buf, source_end, dest_buf, dest_start)
	WK_pack_4bits(): Pack an even number of words holding 4-bit patterns in the low bits of each byte into half as many words. More...

def	WK_pack_3_tenbits (self, source_buf, source_end, dest_buf, dest_start)
	WK_pack_3_tenbits(): Pack a sequence of three ten bit items into one word. More...

def	WK_unpack_2bits (self, input_buf, input_start, input_end, output_buf)

def	WK_unpack_4bits (self, input_buf, input_start, input_end, output_buf)
	WK_unpack_4bits(): Unpack four bits consumes any number of words holding 8 4-bit values per word, and unpacks them into twice as many words, with each value in a separate byte. More...

def	WK_unpack_3_tenbits (self, input_buf, input_start, input_end, output_buf)
	WK_unpack_3_tenbits(): Unpack three 10-bit items from the low 30 bits of any number of 32-bit words. More...

def	WKdm_compress (self, src_buf, dest_buf, num_input_words, compression_budget)
	WKdm_compress(): Compress a src_buf containing num_input_words 32-bit words into a dest_buf of 32-bit words. More...

def	WKdm_decompress (self, src_buf, dest_buf)
	WKdm_decompress(): Decompress a src_buf containing 32-bit words into a dest_buf of 32-bit words. More...

Static Public Attributes
int	WORD_SIZE_IN_BYTES = 4
	DO NOT CHANGE THESE: Correct operation depends on 4K page size and there are various other non-trivial dependencies. More...

int	PAGE_SIZE_IN_WORDS = 1024

int	PAGE_SIZE_IN_BYTES = 4096

int	DICTIONARY_SIZE_IN_WORDS = 16

int	HEADER_SIZE_IN_WORDS = 3

	TAGS_AREA_OFFSET_IN_WORDS = HEADER_SIZE_IN_WORDS

int	TAGS_AREA_SIZE_IN_WORDS = 64

int	NUM_LOW_BITS = 10

int	LOW_BITS_MASK = 0x3FF

int	ALL_ONES_MASK = 0xFFFFFFFF

int	TWO_BITS_PACKING_MASK = 0x03030303

int	FOUR_BITS_PACKING_MASK = 0x0F0F0F0F

int	TEN_LOW_BITS_MASK = 0x000003FF

int	TWENTY_TWO_HIGH_BITS_MASK = 0xFFFFFC00

int	ZERO_TAG = 0x0

int	PARTIAL_TAG = 0x1

int	MISS_TAG = 0x2

int	EXACT_TAG = 0x3

list	SINGLE_BYTE_MASKS = [0x000000FF, 0x0000FF00, 0x00FF0000, 0xFF000000]

list	HASH_LOOKUP_TABLE_CONTENTS
	These are the constants for the hash function lookup table. More...

Member Function Documentation

def volatility.plugins.mac.WKdm.WKdm.WK_pack_2bits	(	self,
		source_buf,
		source_end,
		dest_buf,
		dest_start
	)

WK_pack_2bits(): Pack some multiple of four words holding two-bit tags (in the low two bits of each byte) into an integral number of words, i.e., one fourth as many.

Data in the source_buf is used starting at index 0 up to and not including index source_end. The packed data is written into the dest_buf starting at index dest_start. NOTE: Pad the input with zeroes to a multiple of four words, or else.

def volatility.plugins.mac.WKdm.WKdm.WK_pack_3_tenbits	(	self,
		source_buf,
		source_end,
		dest_buf,
		dest_start
	)

WK_pack_3_tenbits(): Pack a sequence of three ten bit items into one word.

Data in the source_buf is used starting at index 0 up to and not including source_end. The packed data is written into the dest_buf starting at index dest_start. NOTE: Pad out the input with zeroes to an even number of words, or else.

def volatility.plugins.mac.WKdm.WKdm.WK_pack_4bits	(	self,
		source_buf,
		source_end,
		dest_buf,
		dest_start
	)

WK_pack_4bits(): Pack an even number of words holding 4-bit patterns in the low bits of each byte into half as many words.

Data in the source_buf is used starting at index 0 up to and not including index source_end. The packed data is written into the dest_buf starting at index dest_start. NOTE: Pad the input with zeroes to an even number of words, or else.

def volatility.plugins.mac.WKdm.WKdm.WK_unpack_3_tenbits	(	self,
		input_buf,
		input_start,
		input_end,
		output_buf
	)

WK_unpack_3_tenbits(): Unpack three 10-bit items from the low 30 bits of any number of 32-bit words.

Data is read from input_buf starting at index input_start and up to but not including input_end. Unpacked data is placed in output_buf.

def volatility.plugins.mac.WKdm.WKdm.WK_unpack_4bits	(	self,
		input_buf,
		input_start,
		input_end,
		output_buf
	)

WK_unpack_4bits(): Unpack four bits consumes any number of words holding 8 4-bit values per word, and unpacks them into twice as many words, with each value in a separate byte.

(The four-bit values occupy the low halves of the bytes in the result). Data is read from input_buf starting at index input_start and up to but not including input_end. Unpacked data is placed in output_buf.

def volatility.plugins.mac.WKdm.WKdm.WKdm_compress	(	self,
		src_buf,
		dest_buf,
		num_input_words,
		compression_budget
	)

WKdm_compress(): Compress a src_buf containing num_input_words 32-bit words into a dest_buf of 32-bit words.

Returns size of dest_buf or -1 if the compression budget (expressed in bytes) is exceeeded, which also results in undefined contents in dest_buf.

def volatility.plugins.mac.WKdm.WKdm.WKdm_decompress	(	self,
		src_buf,
		dest_buf
	)

WKdm_decompress(): Decompress a src_buf containing 32-bit words into a dest_buf of 32-bit words.

Returns size of decompressed buffer or -1 on decompression error (in which case the dest_buf contents are undefined).

Member Data Documentation

list volatility.plugins.mac.WKdm.WKdm.HASH_LOOKUP_TABLE_CONTENTS

static

Initial value:

 = [ 
         0, 52,  8, 56, 16, 12, 28, 20,  4, 36, 48, 24, 44, 40, 32, 60, 
         8, 12, 28, 20,  4, 60, 16, 36, 24, 48, 44, 32, 52, 56, 40, 12, 
         8, 48, 16, 52, 60, 28, 56, 32, 20, 24, 36, 40, 44,  4,  8, 40, 
         60, 32, 20, 44,  4, 36, 52, 24, 16, 56, 48, 12, 28, 16,  8, 40, 
         36, 28, 32, 12,  4, 44, 52, 20, 24, 48, 60, 56, 40, 48,  8, 32, 
         28, 36,  4, 44, 20, 56, 60, 24, 52, 16, 12, 12,  4, 48, 20,  8, 
         52, 16, 60, 24, 36, 44, 28, 56, 40, 32, 36, 20, 24, 60, 40, 44, 
         52, 16, 32,  4, 48,  8, 28, 56, 12, 28, 32, 40, 52, 36, 16, 20, 
         48,  8,  4, 60, 24, 56, 44, 12,  8, 36, 24, 28, 16, 60, 20, 56, 
         32, 40, 48, 12,  4, 44, 52, 44, 40, 12, 56,  8, 36, 24, 60, 28, 
         48,  4, 32, 20, 16, 52, 60, 12, 24, 36,  8,  4, 16, 56, 48, 44, 
         40, 52, 32, 20, 28, 32, 12, 36, 28, 24, 56, 40, 16, 52, 44,  4, 
         20, 60,  8, 48, 48, 52, 12, 20, 32, 44, 36, 28,  4, 40, 24,  8, 
         56, 60, 16, 36, 32,  8, 40,  4, 52, 24, 44, 20, 12, 28, 48, 56, 
         16, 60,  4, 52, 60, 48, 20, 16, 56, 44, 24,  8, 40, 12, 32, 28, 
         36, 24, 32, 12,  4, 20, 16, 60, 36, 28,  8, 52, 40, 48, 44, 56  
     ]

These are the constants for the hash function lookup table.

Only zero maps to zero. The rest of the table is the result of appending 17 randomizations of the multiples of 4 from 4 to 56.

int volatility.plugins.mac.WKdm.WKdm.WORD_SIZE_IN_BYTES = 4

static

DO NOT CHANGE THESE: Correct operation depends on 4K page size and there are various other non-trivial dependencies.

The documentation for this class was generated from the following file:

volatility/plugins/mac/WKdm.py

Public Member Functions

Static Public Attributes

Member Function Documentation

Member Data Documentation