Python AMD64PagedMemory Examples

Programming Language: Python

Namespace/Package Name: volatility.plugins.addrspaces.amd64

Method/Function: AMD64PagedMemory

Examples at hotexamples.com: 2

Python AMD64PagedMemory - 2 examples found. These are the top rated real world Python examples of volatility.plugins.addrspaces.amd64.AMD64PagedMemory extracted from open source projects. You can rate examples to help us improve the quality of examples.

Example #1

Show file

    def get_process_address_space(self):

        cr3 = self.task.map.pmap.pm_cr3
        map_val = str(self.task.map.pmap.pm_task_map or '')

        # if the machine is 64 bit capable
        is_64bit_cap = common.is_64bit_capable(self.obj_vm)

        if map_val == "TASK_MAP_32BIT" and is_64bit_cap:
            # A 32 bit process on a 64 bit system, requires 64 bit paging

            # Catch exceptions when trying to get a process AS for kernel_task
            # which isn't really even a process. It needs to use the default cr3
            try:
                proc_as = amd64.AMD64PagedMemory(self.obj_vm.base,
                                                 self.obj_vm.get_config(),
                                                 dtb=cr3,
                                                 skip_as_check=True)
            except IOError:
                proc_as = self.obj_vm

        elif map_val == "TASK_MAP_32BIT":

            # A 32 bit process on a 32 bit system need
            # bypass b/c no sharing of address space

            proc_as = intel.IA32PagedMemoryPae(self.obj_vm.base,
                                               self.obj_vm.get_config(),
                                               dtb=cr3,
                                               skip_as_check=True)

        elif (map_val == "TASK_MAP_64BIT_SHARED"
              and self.obj_vm.profile.metadata.get('memory_model',
                                                   '32bit') == "32bit"):

            # A 64 bit process running on a 32 bit system
            proc_as = amd64.AMD64PagedMemory(self.obj_vm.base,
                                             self.obj_vm.get_config(),
                                             dtb=cr3,
                                             skip_as_check=True)

        elif map_val in ["TASK_MAP_64BIT", "TASK_MAP_64BIT_SHARED"]:

            # A 64 bit process on a 64 bit system
            cr3 &= 0xFFFFFFE0
            proc_as = amd64.AMD64PagedMemory(self.obj_vm.base,
                                             self.obj_vm.get_config(),
                                             dtb=cr3,
                                             skip_as_check=True)
        else:
            proc_as = obj.NoneObject(
                "Cannot get process AS for pm_task_map: {0}".format(map_val))

        return proc_as

Example #2

Show file

    def _get_dtb_m_lion(self):
        tbl = self.obj_vm.profile.sys_map["kernel"]
        config = self.obj_vm.get_config()

        if config.SHIFT:
            shift_address = config.SHIFT
        else:
            scanner = catfishScan(needles=["Catfish \x00\x00"])
            for catfish_offset in scanner.scan(self.obj_vm):
                shift_address = catfish_offset - (tbl["_lowGlo"][0][0] %
                                                  0xFFFFFF80)
                break

        self.obj_vm.profile.shift_address = shift_address

        bootpml4 = (tbl["_BootPML4"][0][0] % 0xFFFFFF80) + shift_address
        boot_pml4_dtb = amd64.AMD64PagedMemory(self.obj_vm,
                                               config,
                                               dtb=bootpml4)

        idlepml4_addr = (tbl['_IdlePML4'][0][0]) + shift_address
        idlepml4_ptr = obj.Object("unsigned int",
                                  offset=idlepml4_addr,
                                  vm=boot_pml4_dtb)

        return idlepml4_ptr.v()