C# class inVtero.net.Mem

Physical to Virtual and Physical to Hypervisor Guest Virtual memory dump class. Convenient generic interfaces for extracting preferred types. * Type has to be a value/struct type and is expected to be 64 bits wide. * TODO: Adjust for other size structs & values straddling page boundaries
Inherits: IDisposable
Project: ShaneK2/inVtero.net

Public Properties

Property Type Description
StartOfMemory long
cntInAccessor ulong
cntOutAccsor ulong

Private Properties

Property Type Description
Mem System
SetupStreams void

Public Methods

Method Description
Dispose ( ) : void

Dispose streams held in class instance

DumpPFNIndex ( ) : void
GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block ) : long

Extract a single page of data from a physical address in the source dump; accounts for memory gaps/run layout

GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block, bool &GotData ) : long
GetPageFromFileOffset ( long FileOffset, long &block, bool &DataRead ) : long

Get a page-sized block that contains the data from the byte offset specified

GetValueAtPhysicalAddr ( HARDWARE_ADDRESS_ENTRY PAddr ) : long

Get a long back for the address specified

InitMem ( String mFile, AMemoryRunDetector Detector, uint BitmapArray = null ) : Mem
Mem ( Mem parent ) : System
OffsetToMemIndex ( long aPFN ) : long

Code to convert a PFN, which is based on file offset >> PAGE_SHIFT, into an indexed PFN. Physical memory is meant to have "gaps" historically reserved for hw interactions. This means we need to adjust the byte offset into an index accounting for gaps. TODO: Something similar is needed to natively support "extent" based sources.

RawOffsetToPFN ( long offset ) : long
VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY eptp, HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY
VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY

Protected Methods

Method Description
Dispose ( bool disposing ) : void

Private Methods

Method Description
Mem ( ) : System
SetupStreams ( ) : void

Method Details

Dispose() public method

Dispose streams held in class instance
public Dispose ( ) : void
Returns void

Dispose() protected method

protected Dispose ( bool disposing ) : void
disposing bool
Returns void

DumpPFNIndex() public method

public DumpPFNIndex ( ) : void
Returns void

GetPageForPhysAddr() public method

Extract a single page of data from a physical address in the source dump; accounts for memory gaps/run layout
public GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block ) : long
PAddr HARDWARE_ADDRESS_ENTRY byte address; an address contained in the block
block long array to be filled
Returns long

GetPageForPhysAddr() public method

public GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block, bool &GotData ) : long
PAddr HARDWARE_ADDRESS_ENTRY
block long
GotData bool
Returns long

GetPageFromFileOffset() public method

Get a page-sized block that contains the data from the byte offset specified
public GetPageFromFileOffset ( long FileOffset, long &block, bool &DataRead ) : long
FileOffset long byte offset of long aligned page block
block long to be filled on return optionally
DataRead bool signals success
Returns long

GetValueAtPhysicalAddr() public method

Get a long back for the address specified
public GetValueAtPhysicalAddr ( HARDWARE_ADDRESS_ENTRY PAddr ) : long
PAddr HARDWARE_ADDRESS_ENTRY physical address (byte address)
Returns long

InitMem() public static method

public static InitMem ( String mFile, AMemoryRunDetector Detector, uint BitmapArray = null ) : Mem
mFile String
Detector AMemoryRunDetector
BitmapArray uint
Returns Mem

Mem() public method

public Mem ( Mem parent ) : System
parent Mem
Returns System

OffsetToMemIndex() public method

Code to convert a PFN, which is based on file offset >> PAGE_SHIFT, into an indexed PFN. Physical memory is meant to have "gaps" historically reserved for hw interactions. This means we need to adjust the byte offset into an index accounting for gaps. TODO: Something similar is needed to natively support "extent" based sources.
public OffsetToMemIndex ( long aPFN ) : long
aPFN long PFN (PAGE NUMBER)
Returns long
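
The gap adjustment described above, as an added example that is not inVtero.net's own code. It assumes a dump file that stores only the populated memory runs back to back; `MemoryRun`, `RunMap` and `PfnToFileIndex` are hypothetical names, and the run layout is constructed sample data.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical types for illustration; not inVtero.net's own classes.
public readonly record struct MemoryRun(long BasePage, long PageCount);

public static class RunMap
{
    public const int PAGE_SHIFT = 12; // 4 KiB pages

    // Map a physical PFN to the index of that page inside a dump file that
    // stores only populated runs back to back. Returns -1 if the PFN is in a gap.
    // Assumes runs are sorted by BasePage and do not overlap.
    public static long PfnToFileIndex(IReadOnlyList<MemoryRun> runs, long pfn)
    {
        long pagesBefore = 0; // pages stored in the file ahead of the current run
        foreach (var run in runs)
        {
            if (pfn < run.BasePage)
                return -1; // runs are sorted, so pfn lies in the gap before this run
            if (pfn - run.BasePage < run.PageCount)
                return pagesBefore + (pfn - run.BasePage);
            pagesBefore += run.PageCount;
        }
        return -1; // past the last run
    }

    public static void Main()
    {
        // Constructed layout: low memory, a hole below 1 MiB, a hole below 4 GiB.
        var runs = new List<MemoryRun>
        {
            new(0x1, 0x9E),         // PFNs 0x1..0x9E
            new(0x100, 0xBFE00),    // PFNs 0x100..0xBFEFF
            new(0x100000, 0x40000), // PFNs 0x100000..0x13FFFF (above 4 GiB)
        };
        foreach (long physAddr in new long[] { 0x1000, 0xA0000, 0x100000, 0x100000000 })
        {
            long pfn = physAddr >> PAGE_SHIFT;
            long idx = PfnToFileIndex(runs, pfn);
            Console.WriteLine(idx < 0
                ? $"PA 0x{physAddr:X}: PFN 0x{pfn:X} is in a gap, no data in dump"
                : $"PA 0x{physAddr:X}: PFN 0x{pfn:X} -> file offset 0x{idx << PAGE_SHIFT:X}");
        }
    }
}
```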

RawOffsetToPFN() public method

public RawOffsetToPFN ( long offset ) : long
offset long
Returns long

VirtualToPhysical() public method

public VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY eptp, HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY
eptp HARDWARE_ADDRESS_ENTRY
aCR3 HARDWARE_ADDRESS_ENTRY
Addr long
Returns HARDWARE_ADDRESS_ENTRY

VirtualToPhysical() public method

public VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY
aCR3 HARDWARE_ADDRESS_ENTRY
Addr long
Returns HARDWARE_ADDRESS_ENTRY

Property Details

StartOfMemory public property

public long StartOfMemory
Returns long

cntInAccessor public static property

public static ulong cntInAccessor
Returns ulong

cntOutAccsor public static property

public static ulong cntOutAccsor
Returns ulong