Package rekall :: Package plugins :: Module hypervisors :: Class VirtualMachine

Class VirtualMachine


Represents a virtual machine.

A virtual machine is made up of VMCSs (Virtual Machine Control Structures). On Intel processors, each CPU that runs a VM has its own VMCS.

Instance Methods

__init__(self, host_rip=None, ept=None, parent=None, name=None, session=None)
x.__init__(...) initializes x; see help(type(x)) for signature

add_vmcs(self, vmcs, validate=True)
Add a VMCS to this virtual machine.

set_parent(self, parent)
Sets the parent of this VM and resets the validation cache.

unset_parent(self)

validate_vmcs(self, vmcs)
Validates a VMCS and returns whether it is valid in this VM's context.

is_valid_vmcs(self, vmcs)
Returns whether the vmcs is valid or None if it wasn't validated.

GetSession(self)
Returns a session valid for this VM.

RunPlugin(self, plugin_name, *args, **kwargs)
Runs a plugin in the context of this virtual machine.

add_nested_vms(self, vm_list, validate_all=True)
Tries to add the list of VMs as nested VMs of this one.

__str__(self)
str(x)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __subclasshook__

Class Methods

get_vmcs_guest_as_type(cls, vmcs)
Returns the address space type of the guest of a VMCS.

get_vmcs_host_as_type(cls, vmcs)
Returns the address space type of the host of a VMCS.

get_vmcs_host_address_space(cls, vmcs, base_as=None)
Returns the address_space of the host of the VMCS.

get_vmcs_guest_address_space(cls, vmcs, base_as=None)
Returns the address_space of the guest of the VMCS.

get_vmcs_address_space(cls, vmcs, host=True, base_as=None)
Returns the address_space of the host or guest process of a VMCS.

Properties

is_valid
A VM is valid if at least one of its VMCS is valid.

is_nested
A VM is nested if it has a parent or all its VMCS are nested.

hostname

num_cores
The number of virtual cores of this VM.

host_arch
The architecture of the host that started this VM.

guest_arch
The architecture of the guest OS of the VM.

ept_list
The list of EPT values needed to instantiate VM guest physical AS.

physical_address_space
The physical address space of this VM's guest.

Inherited from object: __class__

Method Details

__init__(self, host_rip=None, ept=None, parent=None, name=None, session=None)
(Constructor)

x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__
(inherited documentation)

get_vmcs_guest_as_type(cls, vmcs)
Class Method

Returns the address space type of the guest of a VMCS.

One of I386, I386+PAE, AMD64 or None.

get_vmcs_host_as_type(cls, vmcs)
Class Method

Returns the address space type of the host of a VMCS.

One of I386, I386+PAE, AMD64 or None.

add_vmcs(self, vmcs, validate=True)

Add a VMCS to this virtual machine.

Raises:
  UnrelatedVmcsError if the VMCS doesn't match the VM's HOST_RIP or EPT.

validate_vmcs(self, vmcs)

Validates a VMCS and returns whether it is valid in this VM's context.

A VMCS is valid if the page where it's mapped is found in the HOST_CR3 that it points to. The result of this validation is cached. Use the _reset_validation_state method if you need to invalidate cache entries.

A VMCS object will only validate properly if it's defined in the context of the physical address space of the parent of the VM.
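
The page-table check described above, as an added example (a simplified model, not Rekall's own code). Physical memory is a constructed dict of 8-byte paging entries, and the names `mapped_frames`, `vmcs_is_valid` and `build_sample` are illustrative assumptions.

```python
# Simplified model of the validate_vmcs rule: a VMCS candidate is accepted
# only if the physical page holding it is mapped somewhere in the AMD64 page
# tables rooted at its HOST_CR3. Illustrative names; not Rekall's API.

PRESENT, LARGE = 1 << 0, 1 << 7
ADDR_MASK = 0x000FFFFFFFFFF000
# Bytes covered by one entry at each level: PML4E, PDPTE, PDE, PTE.
SPAN = [1 << 39, 1 << 30, 1 << 21, 1 << 12]


def read_entry(mem, table_pa, index):
    """Read one 8-byte paging entry; unbacked memory reads as zero."""
    return mem.get(table_pa + index * 8, 0)


def mapped_frames(mem, table_pa, level=0):
    """Yield (phys_base, size) for every present leaf mapping under table_pa."""
    for index in range(512):
        entry = read_entry(mem, table_pa, index)
        if not entry & PRESENT:
            continue
        # Leaves are PTEs, or PDPTEs/PDEs with the page-size bit set.
        if level == 3 or (level in (1, 2) and entry & LARGE):
            size = SPAN[level]
            yield (entry & ADDR_MASK) & ~(size - 1), size
        else:
            yield from mapped_frames(mem, entry & ADDR_MASK, level + 1)


def vmcs_is_valid(mem, vmcs_pa, host_cr3):
    """True if the page containing vmcs_pa is mapped by HOST_CR3's tables."""
    return any(base <= vmcs_pa < base + size
               for base, size in mapped_frames(mem, host_cr3 & ADDR_MASK))


def build_sample():
    """Constructed memory: PML4 at 0x1000 mapping one 4 KiB page at 0x5000
    and one 2 MiB large page at 0x200000."""
    return {
        0x1000: 0x2000 | PRESENT,             # PML4[0] -> PDPT
        0x2000: 0x3000 | PRESENT,             # PDPT[0] -> PD
        0x3000: 0x4000 | PRESENT,             # PD[0]   -> PT
        0x3008: 0x200000 | PRESENT | LARGE,   # PD[1]   -> 2 MiB page
        0x4000 + 5 * 8: 0x5000 | PRESENT,     # PT[5]   -> 4 KiB page
    }
```

A candidate whose page is not reachable from its own HOST_CR3, such as stale or coincidental VMCS-like data found while scanning memory, is rejected by this check.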

is_valid_vmcs(self, vmcs)

Returns whether the vmcs is valid or None if it wasn't validated.

Doesn't force validation.

add_nested_vms(self, vm_list, validate_all=True)

Tries to add the list of VMs as nested VMs of this one.

To validate nested VMs, we need to check whether their identifying VMCS are mapped in our physical AS and then try to validate them via HOST_CR3 in our context.

__str__(self)
(Informal representation operator)

str(x)

Overrides: object.__str__
(inherited documentation)

Property Details

is_valid

A VM is valid if at least one of its VMCS is valid.

is_nested

A VM is nested if it has a parent or all its VMCS are nested.

hostname

num_cores

The number of virtual cores of this VM.

host_arch

The architecture of the host that started this VM.

guest_arch

The architecture of the guest OS of the VM.

ept_list

The list of EPT values needed to instantiate VM guest physical AS.

This is used in conjunction with the VTxPagedMemory AS.

physical_address_space

The physical address space of this VM's guest.
