C# Class inVtero.net.Mem

Physical to Virtual and Physical to Hypervisor Guest Virtual memory dump class. Convenient generic interfaces for extracting preferred types.
* Type has to be a value/struct type and is expected to be 64 bits in width.
* TODO: Adjust for other size structs and values straddling page boundaries.
Inheritance: IDisposable
Project: ShaneK2/inVtero.net

Public Properties

Property Type Description
StartOfMemory long
cntInAccessor ulong
cntOutAccsor ulong

Private Properties

Property Type Description
Mem System
SetupStreams void

Public Methods

Method Description
Dispose ( ) : void

Dispose streams held in class instance

DumpPFNIndex ( ) : void
GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block ) : long

Extract a single page of data from a physical address in the source dump; accounts for memory gaps/run layout.

GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block, bool &GotData ) : long
GetPageFromFileOffset ( long FileOffset, long &block, bool &DataRead ) : long

Get a page-sized block that contains the data at the specified byte offset.

GetValueAtPhysicalAddr ( HARDWARE_ADDRESS_ENTRY PAddr ) : long

Get a long back for the address specified

InitMem ( String mFile, AMemoryRunDetector Detector, uint BitmapArray = null ) : Mem
Mem ( Mem parent ) : System
OffsetToMemIndex ( long aPFN ) : long

Code to convert a PFN, which is based on file offset >> PAGE_SHIFT, into an indexed PFN. Physical memory is meant to have "gaps" historically reserved for hw interactions. This means we need to adjust the byte offset into an index accounting for gaps. TODO: Something similar is needed to natively support "extent" based sources.

RawOffsetToPFN ( long offset ) : long
VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY eptp, HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY
VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY

Protected Methods

Method Description
Dispose ( bool disposing ) : void

Private Methods

Method Description
Mem ( ) : System
SetupStreams ( ) : void

Method Details

Dispose() public method

Dispose streams held in class instance
public Dispose ( ) : void
Returns void

Dispose() protected method

protected Dispose ( bool disposing ) : void
disposing bool
Returns void

DumpPFNIndex() public method

public DumpPFNIndex ( ) : void
Returns void

GetPageForPhysAddr() public method

Extract a single page of data from a physical address in the source dump; accounts for memory gaps/run layout.
public GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block ) : long
PAddr HARDWARE_ADDRESS_ENTRY byte address; an address contained in the block
block long array to be filled
Returns long

GetPageForPhysAddr() public method

public GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block, bool &GotData ) : long
PAddr HARDWARE_ADDRESS_ENTRY
block long
GotData bool
Returns long

GetPageFromFileOffset() public method

Get a page-sized block that contains the data at the specified byte offset.
public GetPageFromFileOffset ( long FileOffset, long &block, bool &DataRead ) : long
FileOffset long byte offset of long aligned page block
block long to be filled on return optionally
DataRead bool signals success
Returns long

GetValueAtPhysicalAddr() public method

Get a long back for the address specified
public GetValueAtPhysicalAddr ( HARDWARE_ADDRESS_ENTRY PAddr ) : long
PAddr HARDWARE_ADDRESS_ENTRY physical address (byte address)
Returns long

InitMem() public static method

public static InitMem ( String mFile, AMemoryRunDetector Detector, uint BitmapArray = null ) : Mem
mFile String
Detector AMemoryRunDetector
BitmapArray uint
Returns Mem

Mem() public method

public Mem ( Mem parent ) : System
parent Mem
Returns System

OffsetToMemIndex() public method

Code to convert a PFN, which is based on file offset >> PAGE_SHIFT, into an indexed PFN. Physical memory is meant to have "gaps" historically reserved for hw interactions. This means we need to adjust the byte offset into an index accounting for gaps. TODO: Something similar is needed to natively support "extent" based sources.
public OffsetToMemIndex ( long aPFN ) : long
aPFN long PFN (PAGE NUMBER)
Returns long
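
The gap-aware indexing described for OffsetToMemIndex, as an added example that is not inVtero.net's own code. It assumes a dump that stores only the backed pages back to back and a run list of (BasePage, PageCount); the MemoryRun and RunIndex types, the PfnToIndex helper and the sample layout are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical types for illustration; not inVtero.net's own classes.
public readonly struct MemoryRun
{
    public readonly long BasePage;   // first physical PFN covered by the run
    public readonly long PageCount;  // number of consecutive pages in the run
    public MemoryRun(long basePage, long pageCount) { BasePage = basePage; PageCount = pageCount; }
}

public static class RunIndex
{
    public const int PAGE_SHIFT = 12; // 4 KiB pages

    // Map a physical PFN to its page index inside a dump that stores only
    // backed pages. Returns -1 when the PFN falls in a gap between runs,
    // so the caller never reads an unrelated page in its place.
    public static long PfnToIndex(IReadOnlyList<MemoryRun> runs, long pfn)
    {
        long indexed = 0; // pages stored in the file before the current run
        foreach (var run in runs)
        {
            if (pfn >= run.BasePage && pfn < run.BasePage + run.PageCount)
                return indexed + (pfn - run.BasePage);
            indexed += run.PageCount;
        }
        return -1;
    }

    public static void Main()
    {
        // Constructed layout: low memory, a hole for legacy/device ranges, then the rest.
        var runs = new List<MemoryRun>
        {
            new MemoryRun(0x1, 0x9E),       // PFNs 0x1 .. 0x9E
            new MemoryRun(0x100, 0x7FE00),  // PFNs 0x100 .. 0x7FEFF
        };
        foreach (long physAddr in new long[] { 0x1000, 0x9F000, 0x100000, 0x123456000 })
        {
            long pfn = physAddr >> PAGE_SHIFT;
            long idx = PfnToIndex(runs, pfn);
            Console.WriteLine(idx < 0
                ? $"0x{physAddr:X}: PFN 0x{pfn:X} is in a gap, no data in dump"
                : $"0x{physAddr:X}: PFN 0x{pfn:X} -> file offset 0x{idx << PAGE_SHIFT:X}");
        }
    }
}
```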

RawOffsetToPFN() public method

public RawOffsetToPFN ( long offset ) : long
offset long
Returns long

VirtualToPhysical() public method

public VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY eptp, HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY
eptp HARDWARE_ADDRESS_ENTRY
aCR3 HARDWARE_ADDRESS_ENTRY
Addr long
Returns HARDWARE_ADDRESS_ENTRY

VirtualToPhysical() public method

public VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY
aCR3 HARDWARE_ADDRESS_ENTRY
Addr long
Returns HARDWARE_ADDRESS_ENTRY

Property Details

StartOfMemory public property

public long StartOfMemory
Returns long

cntInAccessor public static property

public static ulong cntInAccessor
Returns ulong

cntOutAccsor public static property

public static ulong cntOutAccsor
Returns ulong