Trees       Indices       Help   
Rekall Memory Forensics
Package rekall :: Package plugins :: Package addrspaces :: Module intel
[frames] | no frames]

Module intel

source code

Implement the base translating address spaces.

This is a complete rewrite of the previous translating address spaces
implemented in Rekall. The goals are:

1) To make a system that is provable and traceable - i.e. It should be possible
   to trace the address translation process step by step as it is performed by
   Rekall so we can verify how it is implemented.

2) The system must be very fast at the same time. Address translation can be an
   expensive operation so we need to ensure we are very quick.

3) The system must be extensible and modifiable. Address translation is a
   complex algorithm and varies a lot between operating systems and
   architectures. Therefore this implementation is generic and tries to
   encapsulate all the nuances of address translation in the OS specific
   implementation itself.

How does it work?
-----------------

There are a few main entry points into the translating Address Spaces:

1) vtop(): (Virtual to Physical) This method accepts a virtual address and
   translates it to the physical address in the base address space. This is the
   workhorse method. It is designed to be very fast but does not give too much
   information about how the translation was performed.

2) describe_vtop(): This is the describing sister method of vtop(). It returns a
   list of AddressTranslationDescriptor() objects. Each of these describes a
   specific step in the translation process. If one was to render each step,
   this outlines exactly what happened in each step and how the address is
   derived. If the address space translation process succeeds the last
   descriptor will be a PhysicalAddressDescriptor() instance which describes the
   final physical address. Note that the translation process may request files
   to be mapped into the physical address space, so the
   PhysicalAddressDescriptor() will point at mapped files (i.e. it may not
   actually refer to the physical memory image).

3) get_mappings(): This method generates Run instances which encapsulate each
   region available in the virtual address space.

The vtop() method and the describe_vtop() method are very similar since they
implement the same algorithms. However, we do not want to implement the same
thing twice because that leads to maintenance problems and subtle
bugs. Therefore vtop() is simply a wrapper around describe_vtop(). To achieve
the required performance vtop() simply looks for the PhysicalAddressDescriptor()
and returns it. This is essentially a noop for any of the other descriptors and
therefore maintains the same speed benefits.
Classes
  AddressTranslationDescriptor
A descriptor of a step in the translation process.
  CommentDescriptor
  InvalidAddress
Mark an invalid address.
  DescriptorCollection
  PhysicalAddressDescriptorCollector
A descriptor collector which only cares about PhysicalAddressDescriptor.
  PhysicalAddressDescriptor
A descriptor to mark the final physical address resolution.
  VirtualAddressDescriptor
Mark a virtual address.
  IA32PagedMemory
Standard x86 32 bit non PAE address space.
  IA32PagedMemoryPae
Standard x86 32 bit PAE address space.
Variables
  PAGE_SHIFT = 12
  PAGE_MASK = -4096
  __package__ = 'rekall.plugins.addrspaces'
   Trees       Indices       Help   
Rekall Memory Forensics
Generated by Epydoc 3.0.1 on Mon Oct 9 03:27:46 2017 http://epydoc.sourceforge.net