Trees       Indices       Help   
Rekall Memory Forensics
Package rekall :: Package plugins :: Package addrspaces :: Module arm :: Class ArmPagedMemory
[frames] | no frames]

Class ArmPagedMemory

source code

An address space to read virtual memory on ARM systems.

The ARM manual refers to the "Translation Table Base Register" (TTBR) as the equivalent of the Intel CR3 register. We just refer to it as the DTB (Directory Table Base) to be consistent with the other Rekall address spaces.

This implementation is guided by Figure 6.6 of ARM1176JZ-S Technical Reference Manual, Revision: r0p7. http://infocenter.arm.com/help/topic/com.arm.doc.ddi0333h/DDI0333H_arm1176jzs_r0p7_trm.pdf

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.addrspace.BaseAddressSpace)
  top_level_class
This is the base class of all Address Spaces. (Inherited from rekall.addrspace.BaseAddressSpace)
Instance Methods
 
__init__(self, name=None, dtb=None, **kwargs)
Base is the AS we will be stacking on top of, opts are options which we may use.		 source code
 
read_long_phys(self, addr)
Read an unsigned 32-bit integer from physical memory.		 source code
 
vtop(self, vaddr)
Translates virtual addresses into physical offsets.		 source code
 
describe_vtop(self, vaddr, collection=None) source code
 
page_fault_handler(self, descriptor, vaddr)
A placeholder for handling page faults.		 source code
 
get_mappings(self, start=0, end=18446744073709551616)
Generate all valid addresses.		 source code
 
end(self) source code
 
ConfigureSession(self, session_obj)
Implement this method if you need to configure the session. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
__eq__(self, other) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
__repr__(self)
repr(x) (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
__str__(self)
str(x) (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
__unicode__(self) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
as_assert(self, assertion, error=None)
Duplicate for the assert command (so that optimizations don't disable them) (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
close(self) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
describe(self, addr)
Return a string describing an address. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
get_address_ranges(self, start=0, end=4503599627370495)
Generates the runs which fall between start and end. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
get_file_address_space(self, filename)
Implement this to return an address space for filename. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
get_mapped_offset(self, filename, offset)
Implement this if we can map files into this address space. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
is_valid_address(self, addr)
Tell us if the address is valid (Inherited from rekall.addrspace.PagedReader)		 source code
 
merge_base_ranges(self, start=0, end=4503599627370495)
Generates merged address ranges from get_mapping(). (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
read(self, addr, length)
Read 'length' bytes from the virtual address 'vaddr'. (Inherited from rekall.addrspace.PagedReader)		 source code
 
vtop_run(self, addr)
Returns a Run object describing where addr can be read from. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
write(self, addr, buf)
Write to the address space, if writable. (Inherited from rekall.addrspace.PagedReader)		 source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods
 
ImplementationByClass(self, name) source code
 
ImplementationByName(self, name) source code
 
metadata(cls, name, default=None)
Obtain metadata about this address space. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
Class Variables
  section_index_mask = 1048575
  section_base_address_mask = -1048576
  super_section_mask = 262144
  super_section_index_mask = 33554431
  super_section_base_address_mask = -33554432
  table_index_mask = -1048576
  l2_table_index_mask = 1044480
  coarse_page_table_base_address_mask = -1024
  fine_page_table_base_address_mask = -4096
  fine_l2_table_index_mask = 1047552
  fine_page_table_index_mask = 3072
  large_page_index_mask = 65535
  large_page_base_address_mask = -65536
  small_page_index_mask = 4095
  small_page_base_address_mask = -4096
  tiny_page_index_mask = 1023
  tiny_page_base_address_mask = -1024
  PAGE_MASK = -4096 (Inherited from rekall.addrspace.PagedReader)
  PAGE_SIZE = 4096 (Inherited from rekall.addrspace.PagedReader)
  classes = {'AFF4AddressSpace': <class 'rekall.plugins.addrspac... (Inherited from rekall.addrspace.BaseAddressSpace)
  classes_by_name = {'': [<class 'rekall.addrspace.BufferAddress... (Inherited from rekall.addrspace.BaseAddressSpace)
  name = '' (Inherited from rekall.addrspace.BaseAddressSpace)
  order = 10 (Inherited from rekall.addrspace.BaseAddressSpace)
  plugin_feature = 'BaseAddressSpace' (Inherited from rekall.addrspace.BaseAddressSpace)
  virtualized = False (Inherited from rekall.addrspace.BaseAddressSpace)
  volatile = False (Inherited from rekall.addrspace.BaseAddressSpace)
Properties

Inherited from object: __class__

Method Details

__init__(self, name=None, dtb=None, **kwargs)
(Constructor)

source code  
Base is the AS we will be stacking on top of, opts are options which
we may use.

Args:
  base: A base address space to stack on top of (i.e. delegate to it for
      satisfying read requests).

  session: An optional session object.

  profile: An optional profile to use for parsing the address space
      (e.g. needed for hibernation, crash etc.)
Overrides: object.__init__
(inherited documentation)

read_long_phys(self, addr)

source code 

Read an unsigned 32-bit integer from physical memory.

Note this always succeeds - reads outside mapped addresses in the image will simply return 0.

vtop(self, vaddr)

source code 

Translates virtual addresses into physical offsets.

The function should return either None (no valid mapping) or the offset in physical memory where the address maps.

This function is simply a wrapper around describe_vtop() which does all the hard work. You probably never need to override it.

Overrides: addrspace.BaseAddressSpace.vtop

get_mappings(self, start=0, end=18446744073709551616)

source code 

Generate all valid addresses.

Note that ARM requires page table entries for large sections to be duplicated (e.g. a supersection first_level_descriptor must be duplicated 16 times). We don't actually check for this here.

Overrides: addrspace.BaseAddressSpace.get_mappings

end(self)

source code 
Overrides: addrspace.BaseAddressSpace.end

ImplementationByClass(self, name)
Class Method

source code 
Overrides: addrspace.BaseAddressSpace.ImplementationByClass

ImplementationByName(self, name)
Class Method

source code 
Overrides: addrspace.BaseAddressSpace.ImplementationByName

   Trees       Indices       Help   
Rekall Memory Forensics
Generated by Epydoc 3.0.1 on Mon Oct 9 03:27:58 2017 http://epydoc.sourceforge.net