Class PEFileAddressSpace

source code

An address space which applies to PE files.

    This basically remaps sections in the PE file to the virtual address space.
    See http://code.google.com/p/corkami/downloads/detail?name=pe-20110117.pdf

    The PE file is divided into sections, each section is mapped into memory at
    a different place:

    File on Disk                 Memory Image
0-> ------------    image base-> ------------
     Header                      Header
    ------------                 ------------
     Section 1
    ------------                 ------------
     Section 2                    Section 1
    ------------                 ------------

                                 ------------
                                  Section 2
                                 ------------

    This address space expands the file from disk into the memory image view as
    shown. Since all internal pe RVA references are within the virtual space,
    this helps resolution.

Nested Classes
	__metaclass__ Automatic Plugin Registration through metaclasses. (Inherited from rekall.addrspace.BaseAddressSpace)
	top_level_class This is the base class of all Address Spaces. (Inherited from rekall.addrspace.BaseAddressSpace)

Instance Methods

__init__(self, **kwargs)
We layer on top of the file address space.

source code

__str__(self)
str(x)

source code

ConfigureSession(self, session_obj)
Implement this method if you need to configure the session. (Inherited from rekall.addrspace.BaseAddressSpace)

source code

__eq__(self, other) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

__repr__(self)
repr(x) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

__unicode__(self) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

add_run(self, virt_addr, file_address, file_len, address_space=None, data=None)
Add a new run to this address space. (Inherited from rekall.addrspace.RunBasedAddressSpace)

source code

as_assert(self, assertion, error=None)
Duplicate for the assert command (so that optimizations don't disable them) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

close(self) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

describe(self, addr)
Return a string describing an address. (Inherited from rekall.addrspace.BaseAddressSpace)

source code

end(self) (Inherited from rekall.addrspace.BaseAddressSpace)

source code

get_address_ranges(self, start=0, end=4503599627370495)
Generates the runs which fall between start and end. (Inherited from rekall.addrspace.BaseAddressSpace)

source code

get_file_address_space(self, filename)
Implement this to return an address space for filename. (Inherited from rekall.addrspace.BaseAddressSpace)

source code

get_mapped_offset(self, filename, offset)
Implement this if we can map files into this address space. (Inherited from rekall.addrspace.BaseAddressSpace)

source code

get_mappings(self, start=0, end=18446744073709551616)
Yields the mappings. (Inherited from rekall.addrspace.RunBasedAddressSpace)

source code

is_valid_address(self, addr)
Tell us if the address is valid (Inherited from rekall.addrspace.RunBasedAddressSpace)

source code

merge_base_ranges(self, start=0, end=4503599627370495)
Generates merged address ranges from get_mapping(). (Inherited from rekall.addrspace.BaseAddressSpace)

source code

read(self, addr, length)
Read 'length' bytes from the virtual address 'vaddr'. (Inherited from rekall.addrspace.PagedReader)

source code

vtop(self, addr)
Returns the physical address for this virtual address. (Inherited from rekall.addrspace.RunBasedAddressSpace)

source code

vtop_run(self, addr)
Returns a Run object describing where addr can be read from. (Inherited from rekall.addrspace.RunBasedAddressSpace)

source code

write(self, addr, buf)
Write to the address space, if writable. (Inherited from rekall.addrspace.PagedReader)

source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods

ImplementationByClass(self, name)

source code

ImplementationByName(self, name)

source code

metadata(cls, name, default=None)
Obtain metadata about this address space. (Inherited from rekall.addrspace.BaseAddressSpace)

source code

Class Variables
	PAGE_MASK = `-4096` (Inherited from rekall.addrspace.PagedReader)
	PAGE_SIZE = `4096` (Inherited from rekall.addrspace.PagedReader)
	classes = `{'AFF4AddressSpace': <class 'rekall.plugins.addrspac...` (Inherited from rekall.addrspace.BaseAddressSpace)
	classes_by_name = `{'': [<class 'rekall.addrspace.BufferAddress...` (Inherited from rekall.addrspace.BaseAddressSpace)
	name = `''` (Inherited from rekall.addrspace.BaseAddressSpace)
	order = `10` (Inherited from rekall.addrspace.BaseAddressSpace)
	plugin_feature = `'BaseAddressSpace'` (Inherited from rekall.addrspace.BaseAddressSpace)
	runs = `None` hash(x) (Inherited from rekall.addrspace.RunBasedAddressSpace)
	virtualized = `False` (Inherited from rekall.addrspace.BaseAddressSpace)
	volatile = `False` (Inherited from rekall.addrspace.BaseAddressSpace)