--- Volatility-1.3_Beta/forensics/x86.py 2008-08-15 04:04:39.000000000 -0400
+++ Volatility-1.3_Beta_local/forensics/x86.py 2008-10-14 17:22:56.000000000 -0400
@@ -21,7 +21,7 @@
 #
 """
-@author: AAron Walters
+@author: AAron Walters and Jesse Kornblum
 @license: GNU General Public License 2.0 or later
 @contact: awalters@volatilityfoundation.org
 @organization: Volatile Systems
@@ -67,6 +67,15 @@
 self.base = baseAddressSpace
 self.pgd_vaddr = pdbr
 self.pae = False
+ self.pgd_value = []
+
+ def cache(self):
+ self.pgd_value = [ 0 for i in range(0, 1025)]
+ # RBF - Is there a way to read the whole page at once and
+ # RBF - then unpack values from that buffer?
+ for index in range(0, 1024):
+ pgd_entry = self.pgd_vaddr + index * pointer_size
+ self.pgd_value[index] = self.read_long_phys(pgd_entry)
 def entry_present(self, entry):
 if (entry & (0x00000001)) == 0x00000001:
@@ -82,8 +91,11 @@
 return (pgd >> pgdir_shift) & (ptrs_per_pgd - 1)
 def get_pgd(self, vaddr):
- pgd_entry = self.pgd_vaddr + self.pgd_index(vaddr) * pointer_size
- return self.read_long_phys(pgd_entry)
+ if self.pgd_value == []:
+ self.cache()
+
+ print self.pgd_value[self.pgd_index(vaddr)]
+ return self.pgd_value[self.pgd_index(vaddr)]
 def pte_pfn(self, pte):
 return pte >> page_shift
@@ -194,7 +206,7 @@
 string = self.base.read(addr, 4)
 if not string:
 return None
- (longval, ) = struct.unpack('=L', string)
+ (longval, ) = struct.unpack('
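Review bot: In the new `cache()` method, `self.pgd_value` is set to a zero-filled list before any entry has been read, so if a read raises partway through, later `get_pgd` calls see a non-empty list and return 0 for the unread slots. A zero entry fails the `entry_present` bit test, so those mappings would be reported as absent rather than as an error. The list is also sized with `range(0, 1025)` while the loop fills only indexes 0 to 1023, and the literal 1024 duplicates `ptrs_per_pgd`, which the `pgd_index` line in the following hunk uses as its mask (presumably 1024 in this non-PAE class). Building the list in one expression and assigning it only when complete fixes both: `self.pgd_value = [self.read_long_phys(self.pgd_vaddr + i * pointer_size) for i in range(ptrs_per_pgd)]`. A one-line comment that the snapshot is never invalidated, and so assumes a static image rather than live memory, would also help the next reader.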
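Review bot: The `print self.pgd_value[self.pgd_index(vaddr)]` line added to `get_pgd` looks like leftover debugging and should be removed before this is merged. It writes one line to stdout for every address translation, which mixes raw page-directory values into whatever the analysis plugin reports and gives back much of the time the cache is meant to save. With it gone the body reduces to `if not self.pgd_value: self.cache()` followed by `return self.pgd_value[self.pgd_index(vaddr)]`.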