On 16 April 2013 05:10, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
Hey Edwin,
1) It depends what type of pattern you're trying to match. If the pattern is
a simple byte string like "one" or "\x0d\x0a" you can just do
address_space.zread(address, size) == "one". If the pattern is a regular
expression you can also use the python re module (some examples in the
moddump and driverirp plugins). Also you can use yara for pattern matching
(there's a yarascan for windows and now a linux_yarascan plugin so look in
there for examples). Also if you do happen to want to search also, you can
use proc.search_process_memory(["one", "two"]) etc.
Ahh, yara is more than I thought it was. I'll have a look at the
rulesystem, see if it works for my purpose.
2) There is partial documentation on the wiki, see the 2.0 developers guide
https://code.google.com/p/volatility/wiki/VolatilityObjects20. It's obviously
a little dated since we're almost in 2.3 but most is still accurate. Or just
check out how it's done in one of the other plugins like dumpcerts
(https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins…)
which manually defines a vtype (the structure name, members, offsets, types)
and then creates an "object class" (inherits from obj.CType) to give it
custom methods etc.
I'll have a look at the example in dumpcerts, thanks.
Hope it helps,
MHL
On Mon, Apr 15, 2013 at 8:37 AM, Edwin Smulders <edwin.smulders(a)gmail.com>
wrote:
Hello all,
I have arrived at an implementation part of my research and I was
wondering if you have any advice or documentation on some "pythonisms"
and "volatility-isms" I could be using to do this implementation.
My question is two-fold:
1) I have acquired a small part of memory using read/zread and want to
match (not search) this part of memory to a specific pattern. Do you
know of any pythonisms I could be using, other than checking and
matching byte by byte? Is there some type of pattern I could use? I
suspect I'll just have to evaluate a list of rules, but I figured I'd
ask anyway.
2) Some parts of memory I am interested in are originally (C) structs,
I'd like to map these to objects similar to the way this is done for
structs like 'task_struct' and 'mm_struct', is there any documentation
on the way this is done?
If it matters, this is all in process address space.
Cheers,
Edwin
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
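The two techniques discussed in the thread, matching a region obtained through zread against a list of rules (question 1) and mapping a C struct onto an object with custom methods via a vtype-style description (question 2), as an added, stand-alone illustration that is not code from the thread or from the Volatility project. It runs without Volatility: `zread`, `MEMORY`, `VTYPES`, `FORMATS`, `RECORD_RULES` and the `SampleRecord` class are constructed for the example and only imitate the shape of the real `address_space.zread()`, vtype dictionaries and `obj.CType` subclasses. The sample bytes are made up.

```python
import re
import struct

# Constructed sample of "process memory": a 16-byte little-endian record
# (magic, flags, length, next pointer) followed by a few text bytes.
# This is invented data for the example, not a real memory capture.
MEMORY = (
    struct.pack("<IHHQ", 0x4D454D31, 0x0001, 0x0010, 0x7FFF00001000)
    + b"one\x0d\x0atwo\x00"
)


def zread(memory, address, size):
    """Stand-in for address_space.zread(): bytes that are not available are
    returned as zeros, so the caller always receives exactly `size` bytes."""
    chunk = memory[address:address + size]
    return chunk + b"\x00" * (size - len(chunk))


def match_at(data, offset, pattern):
    """Anchored match: True only if `pattern` occurs exactly at `offset`.
    `pattern` is a bytes literal or a compiled re pattern; re.match() is
    anchored at the given position, unlike re.search()."""
    if isinstance(pattern, bytes):
        return data[offset:offset + len(pattern)] == pattern
    return pattern.match(data, offset) is not None


def evaluate_rules(data, rules, base=0):
    """Match (not search): every (offset, pattern) rule must hold relative to
    `base`, the same shape of check a hand-written list of rules would give."""
    return all(match_at(data, base + off, pat) for off, pat in rules)


def search_all(data, patterns):
    """Search: every occurrence of every byte string, as (offset, pattern)."""
    hits = []
    for pat in patterns:
        start = 0
        while (idx := data.find(pat, start)) >= 0:
            hits.append((idx, pat))
            start = idx + 1
    return sorted(hits)


# Rule list for the constructed record: 0x4D454D31 little-endian is b"1MEM",
# and the flags field is expected to be a small value with a zero high byte.
RECORD_RULES = [
    (0, b"1MEM"),
    (4, re.compile(rb"[\x00-\x0f]\x00")),
]

# vtype-style description with the layout Volatility 2 vtype dicts use:
# {struct_name: [size, {member: [offset, [type]]}]}. The type names are
# resolved through FORMATS here; in Volatility the profile does that.
VTYPES = {
    "sample_record": [16, {
        "magic":  [0, ["unsigned int"]],
        "flags":  [4, ["unsigned short"]],
        "length": [6, ["unsigned short"]],
        "next":   [8, ["unsigned long long"]],
    }],
}
FORMATS = {
    "unsigned int": "<I",
    "unsigned short": "<H",
    "unsigned long long": "<Q",
}


class SampleRecord:
    """Toy analogue of an object class (an obj.CType subclass in Volatility):
    members are read through the vtype offsets, custom methods live here."""

    def __init__(self, memory, address, vtypes=VTYPES):
        self.size, self.members = vtypes["sample_record"]
        self.data = zread(memory, address, self.size)

    def __getattr__(self, name):
        # Only reached for names that are not ordinary attributes.
        members = self.__dict__.get("members", {})
        if name not in members:
            raise AttributeError(name)
        offset, (typename,) = members[name]
        return struct.unpack_from(FORMATS[typename], self.data, offset)[0]

    def is_valid(self):
        """Custom method: structural sanity check on the mapped record."""
        return evaluate_rules(self.data, RECORD_RULES) and self.length <= self.size


if __name__ == "__main__":
    rec = SampleRecord(MEMORY, 0)
    print(hex(rec.magic), rec.flags, rec.length, hex(rec.next), rec.is_valid())
    print(search_all(MEMORY, [b"one", b"two"]))
```

The distinction the original question draws is carried by `match_at`/`evaluate_rules` (anchored at a known offset, the "match" case) versus `search_all` (scan the whole region, the `search_process_memory` case). The `SampleRecord` class shows why the vtype and the object class are kept separate: the dict describes only layout, so a differently laid out struct needs a new dict, not new code.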