Trees       Indices       Help   
Rekall Memory Forensics
Package rekall :: Package plugins :: Package addrspaces :: Module hibernate :: Class WindowsHiberFileSpace
[frames] | no frames]

Class WindowsHiberFileSpace

source code

This is a hibernate address space for windows hibernation files.

In order for us to work we need to: 1) have a valid baseAddressSpace 2) the first 4 bytes must be 'hibr'

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.addrspace.BaseAddressSpace)
  top_level_class
This is the base class of all Address Spaces. (Inherited from rekall.addrspace.BaseAddressSpace)
Instance Methods
 
__init__(self, **kwargs)
Base is the AS we will be stacking on top of, opts are options which we may use.		 source code
 
build_page_cache(self) source code
 
convert_to_raw(self, ofile) source code
 
next_xpress(self, XpressHeader, XpressBlockSize) source code
 
get_xpress_block_size(self, xpress_header) source code
 
get_header(self) source code
 
get_base(self) source code
 
get_signature(self) source code
 
get_system_time(self) source code
 
is_paging(self) source code
 
is_pse(self) source code
 
is_pae(self) source code
 
get_number_of_memranges(self) source code
 
get_number_of_pages(self) source code
 
get_addr(self, addr) source code
 
get_block_offset(self, _xb, addr) source code
 
is_valid_address(self, addr)
Tell us if the address is valid		 source code
 
read_xpress(self, baddr, BlockSize) source code
 
fread(self, length) source code
 
read(self, addr, length)
Should be overridden by derived classes.		 source code
 
read_long(self, addr) source code
 
get_available_pages(self) source code
 
get_address_range(self)
This relates to the logical address range that is indexable		 source code
 
check_address_range(self, addr) source code
 
get_available_addresses(self)
This returns the ranges of valid addresses		 source code
 
close(self) source code
 
ConfigureSession(self, session_obj)
Implement this method if you need to configure the session. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
__eq__(self, other) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
__repr__(self)
repr(x) (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
__str__(self)
str(x) (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
__unicode__(self) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
as_assert(self, assertion, error=None)
Duplicate for the assert command (so that optimizations don't disable them) (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
describe(self, addr)
Return a string describing an address. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
end(self) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
get_address_ranges(self, start=0, end=4503599627370495)
Generates the runs which fall between start and end. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
get_file_address_space(self, filename)
Implement this to return an address space for filename. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
get_mapped_offset(self, filename, offset)
Implement this if we can map files into this address space. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
get_mappings(self, start=0, end=18446744073709551616)
Generates a sequence of Run() objects. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
merge_base_ranges(self, start=0, end=4503599627370495)
Generates merged address ranges from get_mapping(). (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
vtop(self, addr)
Return the physical address of this virtual address. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
vtop_run(self, addr)
Returns a Run object describing where addr can be read from. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
write(self, addr, buf)
Write to the address space, if writable. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods
 
ImplementationByClass(self, name) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
ImplementationByName(self, name) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
metadata(cls, name, default=None)
Obtain metadata about this address space. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
Class Variables
  order = 100
  classes = {'AFF4AddressSpace': <class 'rekall.plugins.addrspac... (Inherited from rekall.addrspace.BaseAddressSpace)
  classes_by_name = {'': [<class 'rekall.addrspace.BufferAddress... (Inherited from rekall.addrspace.BaseAddressSpace)
  name = '' (Inherited from rekall.addrspace.BaseAddressSpace)
  plugin_feature = 'BaseAddressSpace' (Inherited from rekall.addrspace.BaseAddressSpace)
  virtualized = False (Inherited from rekall.addrspace.BaseAddressSpace)
  volatile = False (Inherited from rekall.addrspace.BaseAddressSpace)
Properties

Inherited from object: __class__

Method Details

__init__(self, **kwargs)
(Constructor)

source code  
Base is the AS we will be stacking on top of, opts are options which
we may use.

Args:
  base: A base address space to stack on top of (i.e. delegate to it for
      satisfying read requests).

  session: An optional session object.

  profile: An optional profile to use for parsing the address space
      (e.g. needed for hibernation, crash etc.)
Overrides: object.__init__
(inherited documentation)

is_valid_address(self, addr)

source code 

Tell us if the address is valid

Overrides: addrspace.BaseAddressSpace.is_valid_address
(inherited documentation)

read(self, addr, length)

source code 

Should be overridden by derived classes.

Overrides: addrspace.BaseAddressSpace.read
(inherited documentation)

close(self)

source code 
Overrides: addrspace.BaseAddressSpace.close

   Trees       Indices       Help   
Rekall Memory Forensics
Generated by Epydoc 3.0.1 on Mon Oct 9 03:27:59 2017 http://epydoc.sourceforge.net