Python IA32PagedMemoryPae Beispiele

Programmiersprache: Python

Namespace / Paketname: rekall.plugins.addrspaces.intel

Methode / Funktion: IA32PagedMemoryPae

Beispiele auf hotexamples.com: 2

Python IA32PagedMemoryPae - 2 Beispiele gefunden. Dies sind die am besten bewerteten Python Beispiele für die rekall.plugins.addrspaces.intel.IA32PagedMemoryPae, die aus Open Source-Projekten extrahiert wurden. Sie können Beispiele bewerten, um die Qualität der Beispiele zu verbessern.

Beispiel #1

Datei anzeigen

Datei: guess_profile.py Projekt: youngjun-chang/rvmi-rekall

    def DetectWindowsDTB(self, filename_offset, address_space):
        """Checks the possible filename hit for a valid DTB address."""
        for dtb_rel_offset, arch in self.eprocess_index.filename_to_dtb:
            # We only apply indexes to 64 bit images.
            if arch == "AMD64":
                possible_dtb = self.eprocess_index.Object(
                    "unsigned long", offset=filename_offset - dtb_rel_offset,
                    vm=address_space).v()

                # Discard impossible DTB values immediately. On 64 bit
                # architectures, the DTB must be page aligned.
                if not possible_dtb or possible_dtb & 0xFFF:
                    continue

                test_as = amd64.AMD64PagedMemory(
                    session=self.session, base=address_space, dtb=possible_dtb)
                if self.VerifyAMD64DTB(test_as):
                    yield test_as

            elif arch == "I386":
                possible_dtb = self.eprocess_index.Object(
                    "unsigned long", offset=filename_offset - dtb_rel_offset,
                    vm=address_space).v()

                # Discard impossible DTB values immediately. On 32 bit
                # architectures, the DTB must be aligned to 0x20 (with PAE).
                if not possible_dtb or possible_dtb & 0x1F:
                    continue

                # Only support PAE - we dont really see non PAE images any more.
                test_as = intel.IA32PagedMemoryPae(
                    session=self.session, base=address_space, dtb=possible_dtb)
                if self.VerifyI386DTB(test_as):
                    yield test_as

Beispiel #2

Datei anzeigen

Datei: hypervisors.py Projekt: yuchou/rekall

    def get_vmcs_address_space(cls, vmcs, host=True, base_as=None):
        """Returns the address_space of the host or guest process of a VMCS."""
        address_space = None
        base_as = base_as or vmcs.obj_vm

        if host:
            cr4 = vmcs.HOST_CR4
            cr3 = vmcs.HOST_CR3
            controls = vmcs.EXIT_CONTROLS
        else:
            cr4 = vmcs.GUEST_CR4
            cr3 = vmcs.GUEST_CR3
            controls = vmcs.ENTRY_CONTROLS

        if not cr4 & (1 << 5):  # PAE bit
            # No PAE
            address_space = intel.IA32PagedMemory(dtb=cr3, base=base_as)

        elif not controls & (1 << 9):  # long mode bit
            # PAE and no long mode = 32bit PAE
            address_space = intel.IA32PagedMemoryPae(dtb=cr3, base=base_as)

        elif controls & (1 << 9):  # long mode bit
            # Long mode AND PAE = IA-32e
            address_space = amd64.AMD64PagedMemory(dtb=cr3, base=base_as)
        return address_space