| Trees | Indices | Help |
|
|---|
|
|
Standard x86 32 bit non PAE address space.
Provides an address space for IA32 paged memory, aka the x86 architecture, without Physical Address Extensions (PAE). Allows callers to map virtual address to offsets in physical memory.
Create a new IA32 address space without PAE to sit on top of the base address space and a Directory Table Base (CR3 value) of 'dtb'.
Comments in this class mostly come from the Intel(R) 64 and IA-32 Architectures Software Developer's Manual Volume 3A: System Programming Guide, Part 1, revision 031, pages 4-8 to 4-15. This book is available for free at http://www.intel.com/products/processor/manuals/index.htm. Similar information is also available from Advanced Micro Devices (AMD) at http://support.amd.com/us/Processor_TechDocs/24593.pdf.
This address space implements paging as described in section "4.3 32-BIT PAGING" of the above book.
This is simplified from previous versions of rekall, by removing caching and automated DTB searching (which is now performed by specific plugins in an OS specific way).
| Nested Classes | |
|
__metaclass__ Automatic Plugin Registration through metaclasses. (Inherited from rekall.addrspace.BaseAddressSpace) |
|
|
top_level_class This is the base class of all Address Spaces. (Inherited from rekall.addrspace.BaseAddressSpace) |
|
| Instance Methods | |||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
Inherited from |
|||
| Class Methods | |||
|
|||
|
|||
|
|||
| Class Variables | |
order = 70
|
|
valid_mask = 1
|
|
PAGE_MASK = -4096
(Inherited from rekall.addrspace.PagedReader)
|
|
PAGE_SIZE = 4096
(Inherited from rekall.addrspace.PagedReader)
|
|
classes = |
|
classes_by_name = |
|
name = |
|
plugin_feature = |
|
virtualized = False
(Inherited from rekall.addrspace.BaseAddressSpace)
|
|
volatile = False
(Inherited from rekall.addrspace.BaseAddressSpace)
|
|
| Properties | |
|
Inherited from |
| Method Details |
Instantiate an Intel 32 bit Address space over the layered AS. Args: dtb: The dtb address.
|
Translates virtual addresses into physical offsets. The function should return either None (no valid mapping) or the offset in physical memory where the address maps. This function is simply a wrapper around describe_vtop() which does all the hard work. You probably never need to override it.
|
Returns a Run object describing where addr can be read from.
|
A generator of descriptive statements about stages in translation.
While the regular vtop is called very frequently and therefore must be
fast, this variation is used to examine the translation process in
detail. We therefore emit data about each step of the way - potentially
re-implementing the vtop() method above, but yielding intermediate
results.
Args:
vaddr: The address to translate.
collection: An instance of DescriptorCollection() which will receive
the address descriptors. If not provided we create a new collection.
Returns
A list of AddressTranslationDescriptor() instances.
|
Read an unsigned 32-bit integer from physical memory. Note this always succeeds - reads outside mapped addresses in the image will simply return 0. |
Enumerate all valid memory ranges. Yields: tuples of (starting virtual address, size) for valid the memory ranges.
|
str(x)
|
|
|
|
|
| Trees | Indices | Help |
|
|---|
| Generated by Epydoc 3.0.1 on Mon Oct 9 03:27:59 2017 | http://epydoc.sourceforge.net |