Package rekall :: Module addrspace :: Class RunBasedAddressSpace

Class RunBasedAddressSpace

An address space which uses a list of runs to specify a mapping.

This essentially delegates certain address ranges to other address spaces
"mapped" into this address space.

The runs are tuples of this form:

(virtual_address, physical_address, length, address_space)

- Virtual Address - An address in this address space's virtual address
  space.

- Physical Address - An address in the delegate address space.

- Length - The length of the mapped region.

- Address space - the address space that should be read for this
  region. Note that the physical address above refers to addresses in this
  delegate address space.

Nested Classes
	__metaclass__ Automatic Plugin Registration through metaclasses. (Inherited from rekall.addrspace.BaseAddressSpace)
	top_level_class This is the base class of all Address Spaces. (Inherited from rekall.addrspace.BaseAddressSpace)

Instance Methods

__init__(self, **kwargs)
Base is the AS we will be stacking on top of, opts are options which we may use.

source code

add_run(self, virt_addr, file_address, file_len, address_space=None, data=None)
Add a new run to this address space.

source code

vtop_run(self, addr)
Returns a Run object describing where addr can be read from.

source code

vtop(self, addr)
Returns the physical address for this virtual address.

source code

is_valid_address(self, addr)
Tell us if the address is valid

source code

get_mappings(self, start=0, end=18446744073709551616)
Yields the mappings.

source code

ConfigureSession(self, session_obj)
Implement this method if you need to configure the session. (Inherited from rekall.addrspace.BaseAddressSpace)

source code

__eq__(self, other) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

__repr__(self)
repr(x) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

__str__(self)
str(x) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

__unicode__(self) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

as_assert(self, assertion, error=None)
Duplicate for the assert command (so that optimizations don't disable them) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

close(self) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

describe(self, addr)
Return a string describing an address. (Inherited from rekall.addrspace.BaseAddressSpace)

source code

end(self) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

get_address_ranges(self, start=0, end=4503599627370495)
Generates the runs which fall between start and end. (Inherited from rekall.addrspace.BaseAddressSpace)

source code

get_file_address_space(self, filename)
Implement this to return an address space for filename. (Inherited from rekall.addrspace.BaseAddressSpace)

source code

get_mapped_offset(self, filename, offset)
Implement this if we can map files into this address space. (Inherited from rekall.addrspace.BaseAddressSpace)

source code

merge_base_ranges(self, start=0, end=4503599627370495)
Generates merged address ranges from get_mapping(). (Inherited from rekall.addrspace.BaseAddressSpace)

source code

read(self, addr, length)
Read 'length' bytes from the virtual address 'vaddr'. (Inherited from rekall.addrspace.PagedReader)

source code

write(self, addr, buf)
Write to the address space, if writable. (Inherited from rekall.addrspace.PagedReader)

source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods

ImplementationByClass(self, name)

source code

ImplementationByName(self, name)

source code

metadata(cls, name, default=None)
Obtain metadata about this address space. (Inherited from rekall.addrspace.BaseAddressSpace)

source code

Class Variables
	runs = `None` hash(x)
	PAGE_MASK = `-4096` (Inherited from rekall.addrspace.PagedReader)
	PAGE_SIZE = `4096` (Inherited from rekall.addrspace.PagedReader)
	classes = `{'AFF4AddressSpace': <class 'rekall.plugins.addrspac...` (Inherited from rekall.addrspace.BaseAddressSpace)
	classes_by_name = `{'': [<class 'rekall.addrspace.BufferAddress...` (Inherited from rekall.addrspace.BaseAddressSpace)
	name = `''` (Inherited from rekall.addrspace.BaseAddressSpace)
	order = `10` (Inherited from rekall.addrspace.BaseAddressSpace)
	plugin_feature = `'BaseAddressSpace'` (Inherited from rekall.addrspace.BaseAddressSpace)
	virtualized = `False` (Inherited from rekall.addrspace.BaseAddressSpace)
	volatile = `False` (Inherited from rekall.addrspace.BaseAddressSpace)

Properties
Inherited from `object`: `__class__`

Method Details

init(self, **kwargs)
(Constructor)

source code

Base is the AS we will be stacking on top of, opts are options which
we may use.

Args:
  base: A base address space to stack on top of (i.e. delegate to it for
      satisfying read requests).

  session: An optional session object.

  profile: An optional profile to use for parsing the address space
      (e.g. needed for hibernation, crash etc.)