C# Class inVtero.net.Mem

Physical to Virtual and Physical to Hypervisor Guest Virtual memory dump class. Convenient generic interfaces for extracting preferred types.
* Type has to be a value/struct type and is expected to be 64 bits wide
* TODO: Adjust for other size structs & values straddling page boundaries
Inheritance: IDisposable
Project: ShaneK2/inVtero.net

Public Properties

Property Type Description
StartOfMemory long
cntInAccessor ulong
cntOutAccsor ulong

Private Properties

Property Type Description
Mem System
SetupStreams void

Public Methods

Method Description
Dispose ( ) : void

Dispose streams held in class instance

DumpPFNIndex ( ) : void
GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block ) : long

Extract a single page of data from a physical address in the source dump; accounts for memory gaps/run layout

GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block, bool &GotData ) : long
GetPageFromFileOffset ( long FileOffset, long &block, bool &DataRead ) : long

Get a page-sized block that contains the data from the byte offset specified

GetValueAtPhysicalAddr ( HARDWARE_ADDRESS_ENTRY PAddr ) : long

Get a long back for the address specified

InitMem ( String mFile, AMemoryRunDetector Detector, uint BitmapArray = null ) : Mem
Mem ( Mem parent ) : System
OffsetToMemIndex ( long aPFN ) : long

Code to convert a PFN, which is based on file offset >> PAGE_SHIFT, into an indexed PFN. Physical memory is meant to have "gaps" historically reserved for hw interactions. This means we need to adjust the byte offset into an index accounting for gaps. TODO: Something similar is needed to natively support "extent" based sources.

RawOffsetToPFN ( long offset ) : long
VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY eptp, HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY
VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY

Protected Methods

Method Description
Dispose ( bool disposing ) : void

Private Methods

Method Description
Mem ( ) : System
SetupStreams ( ) : void

Method Details

Dispose() public method

Dispose streams held in class instance
public Dispose ( ) : void
return void

Dispose() protected method

protected Dispose ( bool disposing ) : void
disposing bool
return void

DumpPFNIndex() public method

public DumpPFNIndex ( ) : void
return void

GetPageForPhysAddr() public method

Extract a single page of data from a physical address in the source dump; accounts for memory gaps/run layout
public GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block ) : long
PAddr HARDWARE_ADDRESS_ENTRY byte address; an address contained in the block
block long array to be filled
return long

GetPageForPhysAddr() public method

public GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block, bool &GotData ) : long
PAddr HARDWARE_ADDRESS_ENTRY
block long
GotData bool
return long

GetPageFromFileOffset() public method

Get a page-sized block that contains the data from the byte offset specified
public GetPageFromFileOffset ( long FileOffset, long &block, bool &DataRead ) : long
FileOffset long byte offset of long aligned page block
block long to be filled on return optionally
DataRead bool signals success
return long

GetValueAtPhysicalAddr() public method

Get a long back for the address specified
public GetValueAtPhysicalAddr ( HARDWARE_ADDRESS_ENTRY PAddr ) : long
PAddr HARDWARE_ADDRESS_ENTRY physical address (byte address)
return long

InitMem() public static method

public static InitMem ( String mFile, AMemoryRunDetector Detector, uint BitmapArray = null ) : Mem
mFile String
Detector AMemoryRunDetector
BitmapArray uint
return Mem

Mem() public method

public Mem ( Mem parent ) : System
parent Mem
return System

OffsetToMemIndex() public method

Code to convert a PFN, which is based on file offset >> PAGE_SHIFT, into an indexed PFN. Physical memory is meant to have "gaps" historically reserved for hw interactions. This means we need to adjust the byte offset into an index accounting for gaps. TODO: Something similar is needed to natively support "extent" based sources.
public OffsetToMemIndex ( long aPFN ) : long
aPFN long PFN (PAGE NUMBER)
return long
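
An added example, not code from inVtero.net: one way to do the gap adjustment described above, which also underlies the gap-aware page lookup in GetPageForPhysAddr. It assumes the dump stores its memory runs back to back with no header and that the lookup goes from physical PFN to file page index. `MemoryRun`, `PfnToFileIndex` and `PhysAddrToFileOffset` are hypothetical names, and the run list is constructed sample data.

```csharp
using System;

// Hypothetical type: one contiguous range of physical pages present in the dump.
readonly record struct MemoryRun(long BasePage, long PageCount);

static class RunIndexExample
{
    const int PAGE_SHIFT = 12; // 4 KiB pages

    // Map a physical PFN to its page index inside the dump file.
    // Returns -1 when the PFN falls in a gap, i.e. the dump holds no data for it.
    public static long PfnToFileIndex(MemoryRun[] runs, long pfn)
    {
        long pagesBefore = 0; // pages stored in the file by earlier runs
        foreach (var run in runs)
        {
            if (pfn >= run.BasePage && pfn < run.BasePage + run.PageCount)
                return pagesBefore + (pfn - run.BasePage);
            pagesBefore += run.PageCount;
        }
        return -1;
    }

    // Physical byte address to byte offset in the file, keeping the in-page offset.
    public static long PhysAddrToFileOffset(MemoryRun[] runs, long physAddr)
    {
        long index = PfnToFileIndex(runs, physAddr >> PAGE_SHIFT);
        if (index < 0) return -1;
        return (index << PAGE_SHIFT) | (physAddr & ((1L << PAGE_SHIFT) - 1));
    }

    static void Main()
    {
        // Constructed sample layout: two runs separated by a reserved hole.
        var runs = new[] { new MemoryRun(0x1, 0x9E), new MemoryRun(0x100, 0x400) };
        foreach (long pa in new long[] { 0x1000, 0x9E123, 0xA0000, 0x100010 })
        {
            long off = PhysAddrToFileOffset(runs, pa);
            Console.WriteLine(off < 0
                ? $"0x{pa:X}: in a gap, no data in dump"
                : $"0x{pa:X}: file offset 0x{off:X}");
        }
    }
}
```

A reader that skips this adjustment and seeks directly to the physical address returns data from the wrong page for every address above the first gap, which silently corrupts page-table walks during analysis.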

RawOffsetToPFN() public method

public RawOffsetToPFN ( long offset ) : long
offset long
return long

VirtualToPhysical() public method

public VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY eptp, HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY
eptp HARDWARE_ADDRESS_ENTRY
aCR3 HARDWARE_ADDRESS_ENTRY
Addr long
return HARDWARE_ADDRESS_ENTRY

VirtualToPhysical() public method

public VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY
aCR3 HARDWARE_ADDRESS_ENTRY
Addr long
return HARDWARE_ADDRESS_ENTRY

Property Details

StartOfMemory public property

public long StartOfMemory
return long

cntInAccessor public static property

public static ulong cntInAccessor
return ulong

cntOutAccsor public static property

public static ulong cntOutAccsor
return ulong