| Trees | Indices | Help |
|
|---|
|
|
Intel VT-x address space.
Provides an address space that does EPT page translation to provide access to the guest physical address space, thus allowing plugins to operate on a virtual machine running on a host operating system.
This is described in the Intel(R) 64 and IA-32 Architectures Software Developer's Manual Volume 3C: System Programming Guide, Part 3, pages 28-1 to 28-12. This book is available for free at http://www.intel.com/products/processor/manuals/index.htm.
This address space depends on the "ept" parameter. You can use the vmscan plugin to find valid ept values on a physical memory image.
Note that support for AMD's AMD-V address space is untested at the moment.
| Nested Classes | |
|
__metaclass__ Automatic Plugin Registration through metaclasses. (Inherited from rekall.addrspace.BaseAddressSpace) |
|
|
top_level_class This is the base class of all Address Spaces. (Inherited from rekall.addrspace.BaseAddressSpace) |
|
| Instance Methods | |||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
Inherited from |
|||
| Class Methods | |||
|
|||
|
|||
|
|||
| Class Variables | |
order = 110
|
|
valid_mask = 7
|
|
virtualized = True
|
|
PAGE_MASK = -4096
(Inherited from rekall.addrspace.PagedReader)
|
|
PAGE_SIZE = 4096
(Inherited from rekall.addrspace.PagedReader)
|
|
classes = |
|
classes_by_name = |
|
name = |
|
plugin_feature = |
|
volatile = False
(Inherited from rekall.addrspace.BaseAddressSpace)
|
|
| Properties | |
| ept | |
|
Inherited from |
|
| Method Details |
Instantiate an Intel 32 bit Address space over the layered AS. Args: dtb: The dtb address.
|
Returns the PML4, the base of the paging tree.
|
str(x)
|
|
|
| Property Details |
ept
|
| Trees | Indices | Help |
|
|---|
| Generated by Epydoc 3.0.1 on Mon Oct 9 03:27:58 2017 | http://epydoc.sourceforge.net |