Sure, both the BaseYaraScanner.scan() and DiscontigYaraScanner.scan()
functions take starting addresses and maxlen parameters. So you can just
set start to 0xBFFFF000 and maxlen to 0xFFF.
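The follow-up question quoted below asks whether a YARA rule can match a 32-bit integer that falls inside a numeric range, when the ranges are generated rather than known in advance. The script below is an added example for this thread, not code from the thread or from the Volatility project. It decomposes an inclusive range into hex-aligned blocks, writes each block as a YARA hex string with `?` nibble wildcards, and reverses the byte order because a 32-bit pointer sits little-endian in process memory (so 0xBFFFF000-0xBFFFFFFF becomes `?? F? FF BF`). It assumes Python 3; a small pure-Python matcher stands in for the yara module so the generated patterns can be checked offline, and `SAMPLE` is a constructed buffer.

```python
import struct


def range_to_nibble_patterns(lo, hi, nibbles=8):
    """Cover the inclusive range [lo, hi] with aligned blocks of 16**k values.

    Each block becomes a big-endian hex string whose k low nibbles are '?'
    wildcards, e.g. 0xBFFFF000-0xBFFFFFFF -> ['BFFFF???'].  Greedy: at each
    position take the largest block that starts aligned and ends inside the range.
    """
    if not 0 <= lo <= hi < 16 ** nibbles:
        raise ValueError("range must satisfy 0 <= lo <= hi < 16**nibbles")
    patterns, cur = [], lo
    while cur <= hi:
        k = 0
        while k < nibbles:
            size = 16 ** (k + 1)
            if cur % size != 0 or cur + size - 1 > hi:
                break
            k += 1
        hexstr = "%0*X" % (nibbles, cur)
        patterns.append(hexstr[:nibbles - k] + "?" * k)
        cur += 16 ** k
    return patterns


def to_le_hex_bytes(pattern):
    """Split a nibble pattern into byte tokens, least significant byte first,
    because the value is stored little-endian in memory."""
    pairs = [pattern[i:i + 2] for i in range(0, len(pattern), 2)]
    return pairs[::-1]


def build_yara_rule(name, lo, hi):
    """Emit a YARA rule with one hex string per block, joined by `any of them`."""
    strings = []
    for i, pat in enumerate(range_to_nibble_patterns(lo, hi)):
        strings.append("        $p%d = { %s }" % (i, " ".join(to_le_hex_bytes(pat))))
    return ("rule %s\n{\n    strings:\n%s\n    condition:\n        any of them\n}\n"
            % (name, "\n".join(strings)))


def nibble_match(le_bytes, data):
    """Pure-Python stand-in for yara: match tokens like ['??','F?','FF','BF']
    against the start of `data`, nibble by nibble."""
    if len(data) < len(le_bytes):
        return False
    for token, byte in zip(le_bytes, data):
        for want, have in zip(token, "%02X" % byte):
            if want != "?" and want != have:
                return False
    return True


def scan_buffer(data, lo, hi):
    """Offsets at which a little-endian uint32 in [lo, hi] starts (every byte
    offset is tried, which is also how yara scans)."""
    pats = [to_le_hex_bytes(p) for p in range_to_nibble_patterns(lo, hi)]
    return [off for off in range(len(data) - 3)
            if any(nibble_match(p, data[off:off + 4]) for p in pats)]


def covers_exactly(lo, hi, probe_lo, probe_hi):
    """Check that the patterns hit every value in [lo, hi] and nothing else
    across the probe window: the generated rule must not over-match."""
    pats = [to_le_hex_bytes(p) for p in range_to_nibble_patterns(lo, hi)]
    for v in range(probe_lo, probe_hi + 1):
        hit = any(nibble_match(p, struct.pack("<I", v)) for p in pats)
        if hit != (lo <= v <= hi):
            return False
    return True


# Constructed 20-byte buffer: four pointers, two of them inside the range.
SAMPLE = (b"\x00" * 4
          + struct.pack("<I", 0xBFFFF010)    # in range  -> hit at offset 4
          + struct.pack("<I", 0xBFFFE010)    # below range
          + struct.pack("<I", 0xBFFFFFFF)    # top of range -> hit at offset 12
          + struct.pack("<I", 0xC0000000))   # just above the range


if __name__ == "__main__":
    print(build_yara_rule("ptr_in_range", 0xBFFFF000, 0xBFFFFFFF))
    print(scan_buffer(SAMPLE, 0xBFFFF000, 0xBFFFFFFF))
```

The rule text is what would be handed to yara (or to a yarascan-style plugin); a range that is not nibble-aligned simply produces several `$pN` strings, and `covers_exactly` is the check worth running on generated rules, since an over-wide wildcard silently turns a pointer search into a flood of false hits.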
On Wed, Apr 17, 2013 at 9:24 AM, Edwin Smulders <edwin.smulders(a)gmail.com> wrote:
Follow-up question: can I use yara to match an integer(32) between a
specific range? I did not find this in the documentation, but that
does not always mean it is not possible.

For example, I want to find a pointer of which I know it's in the
0xBFFFF000-0xBFFFFFFF range. I suppose I could work around that by
searching for a hex string like "BF FF F? ??", but this does not feel
quite the same... Plus the ranges are not known beforehand, I have to
generate these rules.
 On 16 April 2013 10:22, Edwin Smulders <edwin.smulders(a)gmail.com> wrote:
On 16 April 2013 05:10, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
 > Hey Edwin,
>
> 1) It depends what type of pattern you're trying to match. If the pattern
> is a simple byte string like "one" or "\x0d\x0a" you can just do
> address_space.zread(address, size) == "one". If the pattern is a regular
> expression you can also use the python re module (some examples in the
> moddump and driverirp plugins). Also you can use yara for pattern matching
> (there's a yarascan for windows and now a linux_yarascan plugin so look in
> there for examples). Also if you do happen to want to search also, you can
> use proc.search_process_memory(["one", "two"]) etc.

Ahh, yara is more than I thought it was. I'll have a look at the
rule system, see if it works for my purpose.

>
> 2) There is partial documentation on the wiki, see the 2.0 developers guide,
> obviously a little dated since we're almost in 2.3 but most is still accurate. Or
> just check out how it's done in one of the other plugins like dumpcerts
> (https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins…)
> which manually defines a vtype (the structure name, members, offsets, types)
> and then creates an "object class" (inherits from obj.CType) to give it
> custom methods etc.

 I'll have a look at the example in dumpcerts, thanks.
>
> Hope it helps,
> MHL
>
>
>
> On Mon, Apr 15, 2013 at 8:37 AM, Edwin Smulders <edwin.smulders(a)gmail.com> wrote:
>>
>> Hello all,
>>
>> I have arrived at an implementation part of my research and I was
>> wondering if you have any advice or documentation on some "pythonisms"
>> and "volatility-isms" I could be using to do this implementation.
>>
>> My question is two-fold:
>>
>> 1) I have acquired a small part of memory using read/zread and want to
>> match (not search) this part of memory to a specific pattern. Do you
>> know of any pythonisms I could be using, other than checking and
>> matching byte by byte? Is there some type pattern I could use? I
>> suspect I'll just have to evaluate a list of rules, but I figured I'd
>> ask anyway.
>> 2) Some parts of memory I am interested in are originally (C) structs,
>> I'd like to map these to objects similar to the way this is done for
>> structs like 'task_struct' and 'mm_struct', is there any documentation
>> on the way this is done?
>>
>> If it matters, this is all in process address space.
>>
>> Cheers,
>> Edwin
>> _______________________________________________
>> Vol-dev mailing list
>> Vol-dev(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
>
>
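Point 2 of the reply above describes the two halves of mapping a C struct onto a Volatility object: a vtype (name, size, members with offsets and types) and an "object class" that adds methods. The script below is an added example, not code from the thread or from Volatility. The `EXAMPLE_VTYPES` dictionary follows the `{name: [size, {member: [offset, [type]]}]}` layout Volatility 2.x profiles use, but `_example_record` is an invented structure; the `CType` class here is a small stand-in written for this example (it is not `obj.CType`, and its `m()` method and attribute names are assumptions), a bytes buffer stands in for the address space, and buffer offsets stand in for virtual addresses. It assumes Python 3 and a 32-bit little-endian target.

```python
import struct

# Constructed vtype in the dictionary layout Volatility 2.x profiles use:
#   {struct_name: [struct_size, {member_name: [offset, [type_name, ...]]}]}
# The structure is invented for this example and belongs to no real profile.
EXAMPLE_VTYPES = {
    "_example_record": [16, {
        "magic":   [0x0, ["unsigned int"]],
        "flags":   [0x4, ["unsigned short"]],
        "version": [0x6, ["unsigned short"]],
        "next":    [0x8, ["pointer", ["_example_record"]]],   # 32-bit pointer
        "count":   [0xC, ["int"]],
    }],
}

# struct-module codes for the primitive type names above (32-bit little-endian)
PRIMITIVES = {
    "unsigned int": "<I",
    "unsigned short": "<H",
    "int": "<i",
    "pointer": "<I",
}


class CType(object):
    """Stand-in for obj.CType (assumption): resolves a member name to its
    (offset, type) through the vtype and reads it from a byte buffer."""

    def __init__(self, theType, offset, data, vtypes=EXAMPLE_VTYPES):
        self.theType = theType
        self.obj_offset = offset
        self._data = data
        self.size, self.members = vtypes[theType]
        if offset < 0 or offset + self.size > len(data):
            raise ValueError("%s at 0x%x runs past the buffer" % (theType, offset))

    def m(self, name):
        """Read member `name` at obj_offset + member offset with the vtype's type."""
        member_off, type_desc = self.members[name]
        fmt = PRIMITIVES[type_desc[0]]
        return struct.unpack_from(fmt, self._data, self.obj_offset + member_off)[0]

    def __getattr__(self, name):
        # Only reached for attributes not found normally, so rec.magic works;
        # go through __dict__ to avoid recursion before __init__ sets members.
        members = self.__dict__.get("members")
        if members is not None and name in members:
            return self.m(name)
        raise AttributeError(name)


class ExampleRecord(CType):
    """Object class layered on the raw struct, the role an obj.CType subclass plays."""

    MAGIC = 0x52434558  # constructed value, stored little-endian as b"XECR"

    def is_valid(self):
        """Sanity checks a plugin applies before trusting a carved structure."""
        return self.magic == self.MAGIC and self.version <= 2

    def next_record(self):
        """Dereference `next`; NULL or a pointer outside the buffer yields None."""
        if self.next == 0:
            return None
        try:
            return ExampleRecord(self.theType, self.next, self._data)
        except ValueError:
            return None   # pointer leaves the captured memory: unreadable


def pack_record(magic, flags, version, nxt, count):
    """Serialise one 16-byte _example_record (constructed test data)."""
    return struct.pack("<IHHII", magic, flags, version, nxt, count)


def build_sample():
    """Two records at offsets 0 and 16; A's next pointer is 16, B's is NULL."""
    rec_a = pack_record(ExampleRecord.MAGIC, 0x0003, 1, 16, 3)
    rec_b = pack_record(ExampleRecord.MAGIC, 0x0001, 2, 0, 7)
    return rec_a + rec_b


def walk(data, start=0):
    """Follow the next chain from `start`, returning each valid record's count.
    A visited set stops a cycle caused by a corrupted pointer."""
    counts, seen = [], set()
    rec = ExampleRecord("_example_record", start, data)
    while rec is not None and rec.obj_offset not in seen and rec.is_valid():
        seen.add(rec.obj_offset)
        counts.append(rec.count)
        rec = rec.next_record()
    return counts


if __name__ == "__main__":
    print(walk(build_sample()))   # [3, 7]
```

The bounds check in `__init__`, the magic/version test in `is_valid()` and the visited set in `walk()` are the parts that matter in practice: data read out of a process's address space is untrusted, so a pointer that leaves the image, a struct that fails its invariants, or a list that loops back on itself must end the walk rather than crash or spin the plugin.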