C# Class inVtero.net.Mem

Physical to Virtual and Physical to Hypervisor Guest Virtual memory dump class. Convenient generic interfaces for extracting preferred types. * Type has to be a value/struct type and is expected to be 64 bits wide. * TODO: Adjust for other size structs & values straddling page boundaries
Inheritance: IDisposable

Public Properties

Property Type Description
StartOfMemory long
cntInAccessor ulong
cntOutAccsor ulong

Private Properties

Property Type Description
Mem System
SetupStreams void

Public Methods

Method Description
Dispose ( ) : void

Dispose streams held in class instance

DumpPFNIndex ( ) : void
GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block ) : long

Extract a single page of data from a physical address in the source dump; accounts for memory gaps/run layout

GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block, bool &GotData ) : long
GetPageFromFileOffset ( long FileOffset, long &block, bool &DataRead ) : long

Get a page-sized block that contains the data from the byte offset specified

GetValueAtPhysicalAddr ( HARDWARE_ADDRESS_ENTRY PAddr ) : long

Get a long back for the address specified

InitMem ( String mFile, AMemoryRunDetector Detector, uint BitmapArray = null ) : Mem
Mem ( Mem parent ) : System
OffsetToMemIndex ( long aPFN ) : long

Code to convert a PFN, which is based on file offset >> PAGE_SHIFT, into an indexed PFN. Physical memory is meant to have "gaps" historically reserved for hw interactions. This means we need to adjust the byte offset into an index accounting for gaps. TODO: Something similar is needed to natively support "extent" based sources.

RawOffsetToPFN ( long offset ) : long
VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY eptp, HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY
VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY

Protected Methods

Method Description
Dispose ( bool disposing ) : void

Private Methods

Method Description
Mem ( ) : System
SetupStreams ( ) : void

Method Details

Dispose() public method

Dispose streams held in class instance
public Dispose ( ) : void
Returns void

Dispose() protected method

protected Dispose ( bool disposing ) : void
disposing bool
Returns void

DumpPFNIndex() public method

public DumpPFNIndex ( ) : void
Returns void

GetPageForPhysAddr() public method

Extract a single page of data from a physical address in the source dump; accounts for memory gaps/run layout
public GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block ) : long
PAddr HARDWARE_ADDRESS_ENTRY byte address; an address contained in the block
block long array to be filled
Returns long

GetPageForPhysAddr() public method

public GetPageForPhysAddr ( HARDWARE_ADDRESS_ENTRY PAddr, long &block, bool &GotData ) : long
PAddr HARDWARE_ADDRESS_ENTRY
block long
GotData bool
Returns long

GetPageFromFileOffset() public method

Get a page-sized block that contains the data from the byte offset specified
public GetPageFromFileOffset ( long FileOffset, long &block, bool &DataRead ) : long
FileOffset long byte offset of long aligned page block
block long to be filled on return optionally
DataRead bool signals success
Returns long

GetValueAtPhysicalAddr() public method

Get a long back for the address specified
public GetValueAtPhysicalAddr ( HARDWARE_ADDRESS_ENTRY PAddr ) : long
PAddr HARDWARE_ADDRESS_ENTRY physical address (byte address)
Returns long

InitMem() public static method

public static InitMem ( String mFile, AMemoryRunDetector Detector, uint BitmapArray = null ) : Mem
mFile String
Detector AMemoryRunDetector
BitmapArray uint
Returns Mem

Mem() public method

public Mem ( Mem parent ) : System
parent Mem
Returns System

OffsetToMemIndex() public method

Code to convert a PFN, which is based on file offset >> PAGE_SHIFT, into an indexed PFN. Physical memory is meant to have "gaps" historically reserved for hw interactions. This means we need to adjust the byte offset into an index accounting for gaps. TODO: Something similar is needed to natively support "extent" based sources.
public OffsetToMemIndex ( long aPFN ) : long
aPFN long PFN (PAGE NUMBER)
Returns long

RawOffsetToPFN() public method

public RawOffsetToPFN ( long offset ) : long
offset long
Returns long

VirtualToPhysical() public method

public VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY eptp, HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY
eptp HARDWARE_ADDRESS_ENTRY
aCR3 HARDWARE_ADDRESS_ENTRY
Addr long
Returns HARDWARE_ADDRESS_ENTRY

VirtualToPhysical() public method

public VirtualToPhysical ( HARDWARE_ADDRESS_ENTRY aCR3, long Addr ) : HARDWARE_ADDRESS_ENTRY
aCR3 HARDWARE_ADDRESS_ENTRY
Addr long
Returns HARDWARE_ADDRESS_ENTRY

Property Details

StartOfMemory public property

public long StartOfMemory
Returns long

cntInAccessor public static property

public static ulong cntInAccessor
Returns ulong

cntOutAccsor public static property

public static ulong cntOutAccsor
Returns ulong