Trees       Indices       Help   
Rekall Memory Forensics
Package rekall :: Package plugins :: Package addrspaces :: Module amd64 :: Class XenParaVirtAMD64PagedMemory
[frames] | no frames]

Class XenParaVirtAMD64PagedMemory

source code

XEN ParaVirtualized guest address space.

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.addrspace.BaseAddressSpace)
  top_level_class
This is the base class of all Address Spaces. (Inherited from rekall.addrspace.BaseAddressSpace)
Instance Methods
 
__init__(self, **kwargs)
Instantiate an Intel 32 bit Address space over the layered AS.		 source code
 
xen_feature(self, flag)
Obtains the state of a XEN feature.		 source code
 
IDENTITY_FRAME(self, pfn)
Returns the identity frame of pfn.		 source code
 
m2p(self, machine_address)
Translates from a machine address to a physical address.		 source code
 
read_pte(self, vaddr, collection=None)
Returns an unsigned 64-bit integer from the address addr in physical memory.		 source code
 
vtop(self, vaddr)
Translates virtual addresses into physical offsets.		 source code
 
ConfigureSession(self, session_obj)
Implement this method if you need to configure the session. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
__eq__(self, other) (Inherited from rekall.plugins.addrspaces.intel.IA32PagedMemory) source code
 
__repr__(self)
repr(x) (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
__str__(self)
str(x) (Inherited from rekall.plugins.addrspaces.intel.IA32PagedMemory)		 source code
 
__unicode__(self) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
as_assert(self, assertion, error=None)
Duplicate for the assert command (so that optimizations don't disable them) (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
close(self) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
describe(self, addr)
Return a string describing an address. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
describe_pte(self, collection, pte_addr, pte_value, vaddr) (Inherited from rekall.plugins.addrspaces.intel.IA32PagedMemoryPae) source code
 
describe_vtop(self, vaddr, collection=None)
Describe the resolution process of a Virtual Address. (Inherited from rekall.plugins.addrspaces.amd64.AMD64PagedMemory)		 source code
 
end(self) (Inherited from rekall.plugins.addrspaces.amd64.AMD64PagedMemory) source code
 
get_address_ranges(self, start=0, end=4503599627370495)
Generates the runs which fall between start and end. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
get_file_address_space(self, filename)
Implement this to return an address space for filename. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
get_mapped_offset(self, filename, offset)
Implement this if we can map files into this address space. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
get_mappings(self, start=0, end=18446744073709551616)
Enumerate all available ranges. (Inherited from rekall.plugins.addrspaces.amd64.AMD64PagedMemory)		 source code
 
get_pml4(self)
Returns the PML4, the base of the paging tree. (Inherited from rekall.plugins.addrspaces.amd64.AMD64PagedMemory)		 source code
 
is_valid_address(self, addr)
Tell us if the address is valid (Inherited from rekall.addrspace.PagedReader)		 source code
 
merge_base_ranges(self, start=0, end=4503599627370495)
Generates merged address ranges from get_mapping(). (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
read(self, addr, length)
Read 'length' bytes from the virtual address 'vaddr'. (Inherited from rekall.addrspace.PagedReader)		 source code
 
vtop_run(self, addr)
Returns a Run object describing where addr can be read from. (Inherited from rekall.plugins.addrspaces.intel.IA32PagedMemory)		 source code
 
write(self, addr, buf)
Write to the address space, if writable. (Inherited from rekall.addrspace.PagedReader)		 source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods
 
ImplementationByClass(self, name) source code
 
ImplementationByName(self, name) source code
 
metadata(cls, name, default=None)
Obtain metadata about this address space. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
Class Variables
  PAGE_SIZE = 4096
  P2M_MID_PER_PAGE = 512
  P2M_TOP_PER_PAGE = 512
  P2M_PER_PAGE = 512
  XENFEAT_writable_page_tables = 0
  XENFEAT_writable_descriptor_tables = 1
  XENFEAT_auto_translated_physmap = 2
  XENFEAT_supervisor_mode_kernel = 3
  XENFEAT_pae_pgdir_above_4gb = 4
  XENFEAT_mmu_pt_update_preserve_ad = 5
  XENFEAT_hvm_callback_vector = 8
  XENFEAT_hvm_safe_pvclock = 9
  XENFEAT_hvm_pirqs = 10
  XENFEAT_dom0 = 11
  PAGE_MASK = -4096 (Inherited from rekall.addrspace.PagedReader)
  classes = {'AFF4AddressSpace': <class 'rekall.plugins.addrspac... (Inherited from rekall.addrspace.BaseAddressSpace)
  classes_by_name = {'': [<class 'rekall.addrspace.BufferAddress... (Inherited from rekall.addrspace.BaseAddressSpace)
  name = '' (Inherited from rekall.addrspace.BaseAddressSpace)
  order = 60 (Inherited from rekall.plugins.addrspaces.amd64.AMD64PagedMemory)
  plugin_feature = 'BaseAddressSpace' (Inherited from rekall.addrspace.BaseAddressSpace)
  valid_mask = 1 (Inherited from rekall.plugins.addrspaces.intel.IA32PagedMemory)
  virtualized = False (Inherited from rekall.addrspace.BaseAddressSpace)
  volatile = False (Inherited from rekall.addrspace.BaseAddressSpace)
Properties

Inherited from object: __class__

Method Details

__init__(self, **kwargs)
(Constructor)

source code  
Instantiate an Intel 32 bit Address space over the layered AS.

Args:
  dtb: The dtb address.
Overrides: object.__init__
(inherited documentation)

IDENTITY_FRAME(self, pfn)

source code 

Returns the identity frame of pfn.

From http://lxr.free-electrons.com/source/arch/x86/include/asm/xen/page.h?v=3.8#L36

m2p(self, machine_address)

source code 

Translates from a machine address to a physical address.

This translates host physical addresses to guest physical. Requires a machine to physical mapping to have been calculated.

read_pte(self, vaddr, collection=None)

source code 

Returns an unsigned 64-bit integer from the address addr in physical memory. If unable to read from that location, returns None.

Overrides: intel.IA32PagedMemory.read_pte
(inherited documentation)

vtop(self, vaddr)

source code 

Translates virtual addresses into physical offsets.

The function should return either None (no valid mapping) or the offset in physical memory where the address maps.

This function is simply a wrapper around describe_vtop() which does all the hard work. You probably never need to override it.

Overrides: addrspace.BaseAddressSpace.vtop
(inherited documentation)

ImplementationByClass(self, name)
Class Method

source code 
Overrides: addrspace.BaseAddressSpace.ImplementationByClass

ImplementationByName(self, name)
Class Method

source code 
Overrides: addrspace.BaseAddressSpace.ImplementationByName

   Trees       Indices       Help   
Rekall Memory Forensics
Generated by Epydoc 3.0.1 on Mon Oct 9 03:27:58 2017 http://epydoc.sourceforge.net