Trees       Indices       Help   
Rekall Memory Forensics
Package rekall :: Package plugins :: Package addrspaces :: Module vmem :: Class VMSSAddressSpace
[frames] | no frames]

Class VMSSAddressSpace

source code

Support ESX .vmsn file format.

The VMSN file format contains a set of metadata in the form of tags, grouped
by groups at the header. There is a lot of metadata but the most interesting
metadata for us is the metadata in the "memory" group.

The file includes a "memory.Memory" data blob which contains the entire
memory snapshot of the running machine. The memory blob is serialized into
the file as a single large blob but contains physical memory runs stored
back to back inside it.

The following tags are used:

- memory.regionsCount: Stores the total number of regions.

- memory.regionPPN: In an array of physical addresses for each physical
  memory regions in the virtual machine (in pages).

- memory.regionSize: Is the size of each physical memory region (in pages).

- memory.regionPageNum: Is the offset into the memory.Memory blob for each
  region (in pages). This may be omitted if there is only one region.
Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.addrspace.BaseAddressSpace)
  top_level_class
This is the base class of all Address Spaces. (Inherited from rekall.addrspace.BaseAddressSpace)
Instance Methods
 
__init__(self, base=None, **kwargs)
Base is the AS we will be stacking on top of, opts are options which we may use.		 source code
 
ConfigureSession(self, session_obj)
Implement this method if you need to configure the session. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
__eq__(self, other) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
__repr__(self)
repr(x) (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
__str__(self)
str(x) (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
__unicode__(self) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
add_run(self, virt_addr, file_address, file_len, address_space=None, data=None)
Add a new run to this address space. (Inherited from rekall.addrspace.RunBasedAddressSpace)		 source code
 
as_assert(self, assertion, error=None)
Duplicate for the assert command (so that optimizations don't disable them) (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
close(self) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
describe(self, addr)
Return a string describing an address. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
end(self) (Inherited from rekall.addrspace.BaseAddressSpace) source code
 
get_address_ranges(self, start=0, end=4503599627370495)
Generates the runs which fall between start and end. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
get_file_address_space(self, filename)
Implement this to return an address space for filename. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
get_mapped_offset(self, filename, offset)
Implement this if we can map files into this address space. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
get_mappings(self, start=0, end=18446744073709551616)
Yields the mappings. (Inherited from rekall.addrspace.RunBasedAddressSpace)		 source code
 
is_valid_address(self, addr)
Tell us if the address is valid (Inherited from rekall.addrspace.RunBasedAddressSpace)		 source code
 
merge_base_ranges(self, start=0, end=4503599627370495)
Generates merged address ranges from get_mapping(). (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
 
read(self, addr, length)
Read 'length' bytes from the virtual address 'vaddr'. (Inherited from rekall.addrspace.PagedReader)		 source code
 
vtop(self, addr)
Returns the physical address for this virtual address. (Inherited from rekall.addrspace.RunBasedAddressSpace)		 source code
 
vtop_run(self, addr)
Returns a Run object describing where addr can be read from. (Inherited from rekall.addrspace.RunBasedAddressSpace)		 source code
 
write(self, addr, buf)
Write to the address space, if writable. (Inherited from rekall.addrspace.PagedReader)		 source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods
 
ImplementationByClass(self, name) source code
 
ImplementationByName(self, name) source code
 
metadata(cls, name, default=None)
Obtain metadata about this address space. (Inherited from rekall.addrspace.BaseAddressSpace)		 source code
Class Variables
  PAGE_MASK = -4096 (Inherited from rekall.addrspace.PagedReader)
  PAGE_SIZE = 4096 (Inherited from rekall.addrspace.PagedReader)
  classes = {'AFF4AddressSpace': <class 'rekall.plugins.addrspac... (Inherited from rekall.addrspace.BaseAddressSpace)
  classes_by_name = {'': [<class 'rekall.addrspace.BufferAddress... (Inherited from rekall.addrspace.BaseAddressSpace)
  name = '' (Inherited from rekall.addrspace.BaseAddressSpace)
  order = 10 (Inherited from rekall.addrspace.BaseAddressSpace)
  plugin_feature = 'BaseAddressSpace' (Inherited from rekall.addrspace.BaseAddressSpace)
  runs = None
hash(x) (Inherited from rekall.addrspace.RunBasedAddressSpace)
  virtualized = False (Inherited from rekall.addrspace.BaseAddressSpace)
  volatile = False (Inherited from rekall.addrspace.BaseAddressSpace)
Properties

Inherited from object: __class__

Method Details

__init__(self, base=None, **kwargs)
(Constructor)

source code  
Base is the AS we will be stacking on top of, opts are options which
we may use.

Args:
  base: A base address space to stack on top of (i.e. delegate to it for
      satisfying read requests).

  session: An optional session object.

  profile: An optional profile to use for parsing the address space
      (e.g. needed for hibernation, crash etc.)
Overrides: object.__init__
(inherited documentation)

ImplementationByClass(self, name)
Class Method

source code 
Overrides: addrspace.BaseAddressSpace.ImplementationByClass

ImplementationByName(self, name)
Class Method

source code 
Overrides: addrspace.BaseAddressSpace.ImplementationByName

   Trees       Indices       Help   
Rekall Memory Forensics
Generated by Epydoc 3.0.1 on Mon Oct 9 03:28:01 2017 http://epydoc.sourceforge.net