Sure, both the BaseYaraScanner.scan() and DiscontigYaraScanner.scan()
functions take starting addresses and maxlen parameters. So you can just set
start to 0xBFFFF000 and maxlen to 0xFFF.
On Wed, Apr 17, 2013 at 9:24 AM, Edwin Smulders <edwin.smulders(a)gmail.com> wrote:
Followup question: can I use yara to match an integer(32) between a
specific range? I did not find this in the documentation, but that
does not always mean it is not possible.
For example, I want to find a pointer of which I know it's in the
0xBFFFF000-0xBFFFFFFF range. I suppose I could work around that by
searching for a hex string like "BF FF F? ??", but this does not feel
quite the same... Plus the ranges are not known beforehand, I have to
generate these rules.
On 16 April 2013 10:22, Edwin Smulders <edwin.smulders(a)gmail.com> wrote:
> On 16 April 2013 05:10, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
>> Hey Edwin,
>>
>> 1) It depends what type of pattern you're trying to match. If the
>> pattern is
>> a simple byte string like "one" or "\x0d\x0a" you can just do
>> address_space.zread(address, size) == "one". If the pattern is a
>> regular
>> expression you can also use the python re module (some examples in the
>> moddump and driverirp plugins). Also you can use yara for pattern
>> matching
>> (there's a yarascan for windows and now a linux_yarascan plugin so look
>> in
>> there for examples). Also if you do happen to want to search also, you
>> can
>> use proc.search_process_memory(["one", "two"]) etc.
>
> Ahh, yara is more than I thought it was. I'll have a look at the
> rule system, see if it works for my purpose.
>
>>
>> 2) There is partial documentation on the wiki, see the 2.0 developers
>> guide
>> https://code.google.com/p/volatility/wiki/VolatilityObjects20. It's
>> obviously
>> a little dated since we're almost in 2.3 but most is still accurate. Or
>> just
>> check out how it's done in one of the other plugins like dumpcerts
>>
>> (https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins…)
>> which manually defines a vtype (the structure name, members, offsets,
>> types)
>> and then creates an "object class" (inherits from obj.CType) to give it
>> custom methods etc.
>
> I'll have a look at the example in dumpcerts, thanks.
>
>>
>> Hope it helps,
>> MHL
>>
>>
>>
>> On Mon, Apr 15, 2013 at 8:37 AM, Edwin Smulders <edwin.smulders(a)gmail.com> wrote:
>>>
>>> Hello all,
>>>
>>> I have arrived at an implementation part of my research and I was
>>> wondering if you have any advice or documentation on some "pythonisms"
>>> and "volatility-isms" I could be using to do this implementation.
>>>
>>> My question is two-fold:
>>>
>>> 1) I have acquired a small part of memory using read/zread and want to
>>> match (not search) this part of memory to a specific pattern. Do you
>>> know of any pythonisms I could be using, other than checking and
>>> matching byte by byte? Is there some type pattern I could use? I
>>> suspect I'll just have to evaluate a list of rules, but I figured I'd
>>> ask anyway.
>>> 2) Some parts of memory I am interested in are originally (C) structs,
>>> I'd like to map these to objects similar to the way this is done for
>>> structs like 'task_struct' and 'mm_struct', is there any documentation
>>> on the way this is done?
>>>
>>> If it matters, this is all in process address space.
>>>
>>> Cheers,
>>> Edwin
>>> _______________________________________________
>>> Vol-dev mailing list
>>> Vol-dev(a)volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
>>
>>
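Edwin's follow-up asks how to generate yara rules for a pointer that lies in a range such as 0xBFFFF000-0xBFFFFFFF. As an added example (not code from this thread or from Volatility), the function below decomposes a closed integer range into aligned blocks and emits one yara hex string per block, using the `?` nibble wildcard. It assumes a little-endian target, so the pointer's bytes appear reversed in memory (`?? F? FF BF` rather than `BF FF F? ??`), and includes a pure-Python matcher so the output can be checked without the yara module.

```python
import struct

def range_to_hex_patterns(lo, hi, width=4, little_endian=True):
    """Return YARA hex-string patterns whose union matches exactly the
    integers in [lo, hi]. Each pattern covers one aligned block of 16**k
    values, so arbitrary ranges (not just nibble-aligned ones) are covered."""
    if not (0 <= lo <= hi < 1 << (8 * width)):
        raise ValueError("range does not fit in the given width")
    ndig = width * 2                      # hex digits in one value
    patterns = []
    while lo <= hi:
        k = 0
        # grow the wildcard suffix while lo stays aligned and the block fits
        while (k < ndig and lo % (16 ** (k + 1)) == 0
               and lo + 16 ** (k + 1) - 1 <= hi):
            k += 1
        digits = f"{lo:0{ndig}X}"[:ndig - k] + "?" * k
        pairs = [digits[i:i + 2] for i in range(0, ndig, 2)]
        if little_endian:                 # memory order of an x86 pointer
            pairs.reverse()
        patterns.append(" ".join(pairs))
        lo += 16 ** k
    return patterns

def build_rule(name, patterns):
    """Assemble a rule with one $pN string per block; 'any of them' is the union."""
    strings = "\n".join(f"        $p{i} = {{ {p} }}" for i, p in enumerate(patterns))
    return (f"rule {name}\n{{\n    strings:\n{strings}\n"
            f"    condition:\n        any of them\n}}\n")

def hex_pattern_matches(pattern, data):
    """Check one hex pattern against bytes of equal length, reproducing the
    '?' nibble wildcard (stand-in for yara so the example runs offline)."""
    pairs = pattern.split()
    if len(pairs) != len(data):
        return False
    for pair, byte in zip(pairs, data):
        for nib, shift in ((pair[0], 4), (pair[1], 0)):
            if nib != "?" and int(nib, 16) != (byte >> shift) & 0xF:
                return False
    return True

def find_pointers(data, lo, hi):
    """Offsets in data where a little-endian dword lies in [lo, hi]."""
    pats = range_to_hex_patterns(lo, hi)
    return [off for off in range(len(data) - 3)
            if any(hex_pattern_matches(p, data[off:off + 4]) for p in pats)]

# Constructed sample buffer: three dwords, only the middle one is in range.
SAMPLE = struct.pack("<III", 0xBFFFEFFF, 0xBFFFF123, 0xC0000000)
```

Passing the generated rule to the scanner together with the start/maxlen restriction from the reply above keeps the scan to the region where the pointer is expected, rather than the whole address space.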