Python volatility.addrspace.AbstractRunBasedMemory() Examples
The following are 26
code examples of volatility.addrspace.AbstractRunBasedMemory().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.addrspace
, or try the search function
.
.
Example #1
| Source File: macho.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base, "mac: need base")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)
sig = base.read(0, 4)
if sig == '\xce\xfa\xed\xfe':
self.bits = 32
elif sig == '\xcf\xfa\xed\xfe':
self.bits = 64
else:
self.as_assert(0, "MachO Header signature invalid")
self.runs = []
self.header = None
self.addr_cache = {}
self.parse_macho()
Example #2
| Source File: macho.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base, "mac: need base")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)
sig = base.read(0, 4)
if sig == '\xce\xfa\xed\xfe':
self.bits = 32
elif sig == '\xcf\xfa\xed\xfe':
self.bits = 64
else:
self.as_assert(0, "MachO Header signature invalid")
self.runs = []
self.header = None
self.addr_cache = {}
self.parse_macho()
Example #3
| Source File: lime.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base, "lime: need base")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)
sig = base.read(0, 4)
## ARM processors are bi-endian, but little is the default and currently
## the only mode we support; unless it comes a common request.
if sig == '\x4c\x69\x4d\x45':
debug.debug("Big-endian ARM not supported, please submit a feature request")
self.as_assert(sig == '\x45\x4D\x69\x4c', "Invalid Lime header signature")
self.addr_cache = {}
self.parse_lime()
Example #4
| Source File: crash.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Must start with the magic PAGEDUMP
self.as_assert((base.read(0, 8) == self.dumpsig), "Header signature invalid")
self.as_assert(self.profile.has_type(self.headertype), self.headertype + " not available in profile")
self.header = obj.Object(self.headertype, 0, base)
self.as_assert((self.header.DumpType == 0x1), "Unsupported dump format")
offset = self.headerpages
for x in self.header.PhysicalMemoryBlockBuffer.Run:
self.runs.append((x.BasePage.v() * 0x1000,
offset * 0x1000,
x.PageCount.v() * 0x1000))
offset += x.PageCount.v()
self.dtb = self.header.DirectoryTableBase.v()
Example #5
| Source File: crash.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Must start with the magic PAGEDUMP
self.as_assert((base.read(0, 8) == self.dumpsig), "Header signature invalid")
self.as_assert(self.profile.has_type(self.headertype), self.headertype + " not available in profile")
self.header = obj.Object(self.headertype, 0, base)
self.as_assert((self.header.DumpType == 0x1), "Unsupported dump format")
offset = self.headerpages
for x in self.header.PhysicalMemoryBlockBuffer.Run:
self.runs.append((x.BasePage.v() * 0x1000,
offset * 0x1000,
x.PageCount.v() * 0x1000))
offset += x.PageCount.v()
self.dtb = self.header.DirectoryTableBase.v()
Example #6
| Source File: macho.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base, "mac: need base")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)
sig = base.read(0, 4)
if sig == '\xce\xfa\xed\xfe':
self.bits = 32
elif sig == '\xcf\xfa\xed\xfe':
self.bits = 64
else:
self.as_assert(0, "MachO Header signature invalid")
self.runs = []
self.header = None
self.addr_cache = {}
self.parse_macho()
Example #7
| Source File: lime.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base, "lime: need base")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)
sig = base.read(0, 4)
## ARM processors are bi-endian, but little is the default and currently
## the only mode we support; unless it comes a common request.
if sig == '\x4c\x69\x4d\x45':
debug.debug("Big-endian ARM not supported, please submit a feature request")
self.as_assert(sig == '\x45\x4D\x69\x4c', "Invalid Lime header signature")
self.addr_cache = {}
self.parse_lime()
Example #8
| Source File: crash.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Must start with the magic PAGEDUMP
self.as_assert((base.read(0, 8) == self.dumpsig), "Header signature invalid")
self.as_assert(self.profile.has_type(self.headertype), self.headertype + " not available in profile")
self.header = obj.Object(self.headertype, 0, base)
self.as_assert((self.header.DumpType == 0x1), "Unsupported dump format")
offset = self.headerpages
for x in self.header.PhysicalMemoryBlockBuffer.Run:
self.runs.append((x.BasePage.v() * 0x1000,
offset * 0x1000,
x.PageCount.v() * 0x1000))
offset += x.PageCount.v()
self.dtb = self.header.DirectoryTableBase.v()
Example #9
| Source File: lime.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base, "lime: need base")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)
sig = base.read(0, 4)
## ARM processors are bi-endian, but little is the default and currently
## the only mode we support; unless it comes a common request.
if sig == '\x4c\x69\x4d\x45':
debug.debug("Big-endian ARM not supported, please submit a feature request")
self.as_assert(sig == '\x45\x4D\x69\x4c', "Invalid Lime header signature")
self.addr_cache = {}
self.parse_lime()
Example #10
| Source File: crash.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Must start with the magic PAGEDUMP
self.as_assert((base.read(0, 8) == self.dumpsig), "Header signature invalid")
self.as_assert(self.profile.has_type(self.headertype), self.headertype + " not available in profile")
self.header = obj.Object(self.headertype, 0, base)
self.as_assert((self.header.DumpType == 0x1), "Unsupported dump format")
offset = self.headerpages
for x in self.header.PhysicalMemoryBlockBuffer.Run:
self.runs.append((x.BasePage.v() * 0x1000,
offset * 0x1000,
x.PageCount.v() * 0x1000))
offset += x.PageCount.v()
self.dtb = self.header.DirectoryTableBase.v()
Example #11
| Source File: lime.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base, "lime: need base")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)
sig = base.read(0, 4)
## ARM processors are bi-endian, but little is the default and currently
## the only mode we support; unless it comes a common request.
if sig == '\x4c\x69\x4d\x45':
debug.debug("Big-endian ARM not supported, please submit a feature request")
self.as_assert(sig == '\x45\x4D\x69\x4c', "Invalid Lime header signature")
self.addr_cache = {}
self.parse_lime()
Example #12
| Source File: macho.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base, "mac: need base")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)
sig = base.read(0, 4)
if sig == '\xce\xfa\xed\xfe':
self.bits = 32
elif sig == '\xcf\xfa\xed\xfe':
self.bits = 64
else:
self.as_assert(0, "MachO Header signature invalid")
self.runs = []
self.header = None
self.addr_cache = {}
self.parse_macho()
Example #13
| Source File: lime.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base, "lime: need base")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)
sig = base.read(0, 4)
## ARM processors are bi-endian, but little is the default and currently
## the only mode we support; unless it comes a common request.
if sig == '\x4c\x69\x4d\x45':
debug.debug("Big-endian ARM not supported, please submit a feature request")
self.as_assert(sig == '\x45\x4D\x69\x4c', "Invalid Lime header signature")
self.addr_cache = {}
self.parse_lime()
Example #14
| Source File: crash.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Must start with the magic PAGEDUMP
self.as_assert((base.read(0, 8) == self.dumpsig), "Header signature invalid")
self.as_assert(self.profile.has_type(self.headertype), self.headertype + " not available in profile")
self.header = obj.Object(self.headertype, 0, base)
self.as_assert((self.header.DumpType == 0x1), "Unsupported dump format")
offset = self.headerpages
for x in self.header.PhysicalMemoryBlockBuffer.Run:
self.runs.append((x.BasePage.v() * 0x1000,
offset * 0x1000,
x.PageCount.v() * 0x1000))
offset += x.PageCount.v()
self.dtb = self.header.DirectoryTableBase.v()
Example #15
| Source File: macho.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base, "mac: need base")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)
sig = base.read(0, 4)
if sig == '\xce\xfa\xed\xfe':
self.bits = 32
elif sig == '\xcf\xfa\xed\xfe':
self.bits = 64
else:
self.as_assert(0, "MachO Header signature invalid")
self.runs = []
self.header = None
self.addr_cache = {}
self.parse_macho()
Example #16
| Source File: osxpmemelf.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Quick test (before instantiating an object)
## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'], "ELF Header signature invalid")
## Base AS should be a file AS
elf = obj.Object("elf_hdr", offset = 0, vm = base)
## The PT_NOTE core descriptor structure
self.header = None
for phdr in elf.program_headers():
# Only keep load segments with valid file sizes
if (str(phdr.p_type) != 'PT_LOAD' or
phdr.p_filesz == 0 or
phdr.p_filesz != phdr.p_memsz):
continue
self.runs.append((int(phdr.p_paddr),
int(phdr.p_offset),
int(phdr.p_memsz)))
self.as_assert(len(self.runs) > 0, "No PT_LOAD segments found")
Example #17
| Source File: osxpmemelf.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Quick test (before instantiating an object)
## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'], "ELF Header signature invalid")
## Base AS should be a file AS
elf = obj.Object("elf_hdr", offset = 0, vm = base)
## The PT_NOTE core descriptor structure
self.header = None
for phdr in elf.program_headers():
# Only keep load segments with valid file sizes
if (str(phdr.p_type) != 'PT_LOAD' or
phdr.p_filesz == 0 or
phdr.p_filesz != phdr.p_memsz):
continue
self.runs.append((int(phdr.p_paddr),
int(phdr.p_offset),
int(phdr.p_memsz)))
Example #18
| Source File: osxpmemelf.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Quick test (before instantiating an object)
## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'], "ELF Header signature invalid")
## Base AS should be a file AS
elf = obj.Object("elf_hdr", offset = 0, vm = base)
## The PT_NOTE core descriptor structure
self.header = None
for phdr in elf.program_headers():
# Only keep load segments with valid file sizes
if (str(phdr.p_type) != 'PT_LOAD' or
phdr.p_filesz == 0 or
phdr.p_filesz != phdr.p_memsz):
continue
self.runs.append((int(phdr.p_paddr),
int(phdr.p_offset),
int(phdr.p_memsz)))
self.as_assert(len(self.runs) > 0, "No PT_LOAD segments found")
Example #19
| Source File: osxpmemelf.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Quick test (before instantiating an object)
## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'], "ELF Header signature invalid")
## Base AS should be a file AS
elf = obj.Object("elf_hdr", offset = 0, vm = base)
## The PT_NOTE core descriptor structure
self.header = None
for phdr in elf.program_headers():
# Only keep load segments with valid file sizes
if (str(phdr.p_type) != 'PT_LOAD' or
phdr.p_filesz == 0 or
phdr.p_filesz != phdr.p_memsz):
continue
self.runs.append((int(phdr.p_paddr),
int(phdr.p_offset),
int(phdr.p_memsz)))
self.as_assert(len(self.runs) > 0, "No PT_LOAD segments found")
Example #20
| Source File: osxpmemelf.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Quick test (before instantiating an object)
## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'], "ELF Header signature invalid")
## Base AS should be a file AS
elf = obj.Object("elf_hdr", offset = 0, vm = base)
## Tuple of (physical memory address, file offset, length)
self.runs = []
## The PT_NOTE core descriptor structure
self.header = None
for phdr in elf.program_headers():
# Only keep load segments with valid file sizes
if (str(phdr.p_type) != 'PT_LOAD' or
phdr.p_filesz == 0 or
phdr.p_filesz != phdr.p_memsz):
continue
self.runs.append((int(phdr.p_paddr),
int(phdr.p_offset),
int(phdr.p_memsz)))
Example #21
| Source File: win32pmem.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def __init__(self, base, config, **kwargs):
self.as_assert(base == None, 'Must be first Address Space')
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
self.fhandle = win32file.CreateFile(
"\\\\.\\pmem",
win32file.GENERIC_READ | win32file.GENERIC_WRITE,
win32file.FILE_SHARE_READ | win32file.FILE_SHARE_WRITE,
None,
win32file.OPEN_EXISTING,
win32file.FILE_ATTRIBUTE_NORMAL,
None)
self.ParseMemoryRuns()
Example #22
| Source File: elfcoredump.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Quick test (before instantiating an object)
## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'],
"ELF Header signature invalid")
## Base AS should be a file AS
elf = obj.Object("elf_hdr", offset = 0, vm = base)
## Make sure its a core dump
self.as_assert(str(elf.e_type) == 'ET_CORE',
"ELF type is not a Core file")
## Tuple of (physical memory address, file offset, length)
self.runs = []
## The PT_NOTE core descriptor structure
self.header = None
for phdr in elf.program_headers():
## The first note should be the VBCORE segment
if str(phdr.p_type) == 'PT_NOTE':
note = obj.Object("elf_note", offset = phdr.p_offset, vm = base, parent = phdr)
self.check_note(note)
continue
# Only keep load segments with valid file sizes
if (str(phdr.p_type) != 'PT_LOAD' or
phdr.p_filesz == 0 or
phdr.p_filesz != phdr.p_memsz):
continue
self.runs.append((int(phdr.p_paddr),
int(phdr.p_offset),
int(phdr.p_memsz)))
self.validate()
Example #23
| Source File: elfcoredump.py From DAMM with GNU General Public License v2.0 | 4 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Quick test (before instantiating an object)
## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'],
"ELF Header signature invalid")
## Base AS should be a file AS
elf = obj.Object("elf_hdr", offset = 0, vm = base)
## Make sure its a core dump
self.as_assert(str(elf.e_type) == 'ET_CORE',
"ELF type is not a Core file")
## Tuple of (physical memory address, file offset, length)
self.runs = []
## The PT_NOTE core descriptor structure
self.header = None
for phdr in elf.program_headers():
## The first note should be the VBCORE segment
if str(phdr.p_type) == 'PT_NOTE':
note = obj.Object("elf_note", offset = phdr.p_offset, vm = base, parent = phdr)
self.check_note(note)
continue
# Only keep load segments with valid file sizes
if (str(phdr.p_type) != 'PT_LOAD' or
phdr.p_filesz == 0 or
phdr.p_filesz != phdr.p_memsz):
continue
self.runs.append((int(phdr.p_paddr),
int(phdr.p_offset),
int(phdr.p_memsz)))
self.validate()
Example #24
| Source File: elfcoredump.py From vortessence with GNU General Public License v2.0 | 4 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Quick test (before instantiating an object)
## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'],
"ELF Header signature invalid")
## Base AS should be a file AS
elf = obj.Object("elf_hdr", offset = 0, vm = base)
## Make sure its a core dump
self.as_assert(str(elf.e_type) == 'ET_CORE',
"ELF type is not a Core file")
## Tuple of (physical memory address, file offset, length)
self.runs = []
## The PT_NOTE core descriptor structure
self.header = None
for phdr in elf.program_headers():
## The first note should be the VBCORE segment
if str(phdr.p_type) == 'PT_NOTE':
note = obj.Object("elf_note", offset = phdr.p_offset, vm = base, parent = phdr)
self.check_note(note)
continue
# Only keep load segments with valid file sizes
if (str(phdr.p_type) != 'PT_LOAD' or
phdr.p_filesz == 0 or
phdr.p_filesz != phdr.p_memsz):
continue
self.runs.append((int(phdr.p_paddr),
int(phdr.p_offset),
int(phdr.p_memsz)))
self.validate()
Example #25
| Source File: elfcoredump.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Quick test (before instantiating an object)
## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'],
"ELF Header signature invalid")
## Base AS should be a file AS
elf = obj.Object("elf_hdr", offset = 0, vm = base)
## Make sure its a core dump
self.as_assert(str(elf.e_type) == 'ET_CORE',
"ELF type is not a Core file")
## Tuple of (physical memory address, file offset, length)
self.runs = []
## The PT_NOTE core descriptor structure
self.header = None
for phdr in elf.program_headers():
## The first note should be the VBCORE segment
if str(phdr.p_type) == 'PT_NOTE':
note = obj.Object("elf_note", offset = phdr.p_offset, vm = base, parent = phdr)
self.check_note(note)
continue
# Only keep load segments with valid file sizes
if (str(phdr.p_type) != 'PT_LOAD' or
phdr.p_filesz == 0 or
phdr.p_filesz != phdr.p_memsz):
continue
self.runs.append((int(phdr.p_paddr),
int(phdr.p_offset),
int(phdr.p_memsz)))
self.validate()
Example #26
| Source File: elfcoredump.py From aumfor with GNU General Public License v3.0 | 4 votes |
|
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Quick test (before instantiating an object)
## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'],
"ELF Header signature invalid")
## Base AS should be a file AS
elf = obj.Object("elf_hdr", offset = 0, vm = base)
## Make sure its a core dump
self.as_assert(str(elf.e_type) == 'ET_CORE',
"ELF type is not a Core file")
## Tuple of (physical memory address, file offset, length)
self.runs = []
## The PT_NOTE core descriptor structure
self.header = None
for phdr in elf.program_headers():
## The first note should be the VBCORE segment
if str(phdr.p_type) == 'PT_NOTE':
note = obj.Object("elf_note", offset = phdr.p_offset, vm = base, parent = phdr)
self.check_note(note)
continue
# Only keep load segments with valid file sizes
if (str(phdr.p_type) != 'PT_LOAD' or
phdr.p_filesz == 0 or
phdr.p_filesz != phdr.p_memsz):
continue
self.runs.append((int(phdr.p_paddr),
int(phdr.p_offset),
int(phdr.p_memsz)))
self.validate()
