Hey Edwin,
1) It depends what type of pattern you're trying to match. If the pattern
is a simple byte string like "one" or "\x0d\x0a" you can just do
address_space.zread(address, size) == "one". If the pattern is a regular
expression you can also use the python re module (some examples in the
moddump and driverirp plugins). Also you can use yara for pattern matching
(there's a yarascan for windows and now a linux_yarascan plugin so look in
there for examples). Also if you do happen to want to search also, you can
use proc.search_process_memory(["one", "two"]) etc.
2) There is partial documentation on the wiki, see the 2.0 developers guide
https://code.google.com/p/volatility/wiki/VolatilityObjects20. It's
obviously a little dated since we're almost in 2.3 but most is still
accurate. Or just check out how it's done in one of the other plugins like
dumpcerts (
https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins…)
which manually defines a vtype (the structure name, members, offsets,
types) and then creates an "object class" (inherits from obj.CType) to give
it custom methods etc.
Hope it helps,
MHL
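As an added stand-alone illustration of both answers above (not Volatility's own code): a constructed address space that models only zread(), a hypothetical vtype written in the dict layout Volatility 2 uses, a toy analogue of an obj.CType subclass with a custom method, and exact-bytes and regex matching of a zread'd slice. FakeAddressSpace, MyRec, the "my_rec" vtype and the sample bytes are all assumptions made for the example.

```python
import re
import struct

# Constructed sample: 16 bytes laid out like the hypothetical struct below.
SAMPLE = b"one\x00" + struct.pack("<I", 1234) + struct.pack("<Q", 0xDEADBEEF)
BASE = 0x400000


class FakeAddressSpace:
    """Stand-in for a Volatility address space; only zread() is modelled."""
    def __init__(self, base, data):
        self.base, self.data = base, data

    def zread(self, address, size):
        # zread semantics: unreadable bytes come back as zeros, not an error
        off = address - self.base
        chunk = self.data[off:off + size] if 0 <= off < len(self.data) else b""
        return chunk + b"\x00" * (size - len(chunk))


# Hypothetical vtype in Volatility 2's dict layout:
#   name -> [size, {member: [offset, [type, ...]]}]
VTYPES = {"my_rec": [16, {
    "magic": [0, ["array", 4, ["unsigned char"]]],
    "pid":   [4, ["unsigned int"]],
    "ptr":   [8, ["unsigned long long"]],
}]}
FMT = {"unsigned int": "<I", "unsigned long long": "<Q"}  # little-endian


class MyRec:
    """Toy analogue of an obj.CType subclass: members resolved via the vtype."""
    def __init__(self, space, offset):
        self.space, self.offset = space, offset
        self.size, self.members = VTYPES["my_rec"]

    def m(self, name):
        moff, mtype = self.members[name]
        if mtype[0] == "array":  # array of unsigned char -> raw bytes
            return self.space.zread(self.offset + moff, mtype[1])
        fmt = FMT[mtype[0]]
        raw = self.space.zread(self.offset + moff, struct.calcsize(fmt))
        return struct.unpack(fmt, raw)[0]

    def is_valid(self):
        # custom method: "match, don't search" by comparing the exact bytes
        return self.m("magic") == b"one\x00"


MAGIC_RE = re.compile(b"one\x00|two\x00")


def match_regex(space, address, size):
    """Regex alternative to the exact compare, anchored at the slice start."""
    return MAGIC_RE.match(space.zread(address, size)) is not None
```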
On Mon, Apr 15, 2013 at 8:37 AM, Edwin Smulders <edwin.smulders(a)gmail.com> wrote:
Hello all,
I have arrived at an implementation part of my research and I was
wondering if you have any advice or documentation on some "pythonisms"
and "volatility-isms" I could be using to do this implementation.
My question is two-fold:
1) I have acquired a small part of memory using read/zread and want to
match (not search) this part of memory to a specific pattern. Do you
know of any pythonisms I could be using, other than checking and
matching byte by byte? Is there some type pattern I could use? I
suspect I'll just have to evaluate a list of rules, but I figured I'd
ask anyway.
2) Some parts of memory I am interested in are originally (C) structs,
I'd like to map these to objects similar to the way this is done for
structs like 'task_struct' and 'mm_struct', is there any documentation
on the way this is done?
If it matters, this is all in process address space.
Cheers,
Edwin
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev