[Vol-dev] Pythonisms and volatility-isms for structs

Michael Hale Ligh michael.hale at gmail.com
Wed Apr 17 13:23:56 CDT 2013


Sure, both the BaseYaraScanner.scan() and DiscontigYaraScanner.scan()
functions take starting addresses and maxlen parameters. So you can just
set start to 0xBFFFF000 and maxlen to 0xFFF.


On Wed, Apr 17, 2013 at 9:24 AM, Edwin Smulders <edwin.smulders at gmail.com> wrote:

> Followup question: can I use yara to match an integer(32) between a
> specific range? I did not find this in the documentation, but that
> does not always mean it is not possible.
> For example, I want to find a pointer of which I know it's in the
> 0xBFFFF000-0xBFFFFFFF range. I suppose I could work around that by
> searching for a hex string like "BF FF F? ??", but this does not feel
> quite the same... Plus the ranges are not known beforehand, I have to
> generate these rules.
>
> On 16 April 2013 10:22, Edwin Smulders <edwin.smulders at gmail.com> wrote:
> > On 16 April 2013 05:10, Michael Hale Ligh <michael.hale at gmail.com> wrote:
> >> Hey Edwin,
> >>
> >> 1) It depends what type of pattern you're trying to match. If the pattern is
> >> a simple byte string like "one" or "\x0d\x0a" you can just do
> >> address_space.zread(address, size) == "one". If the pattern is a regular
> >> expression you can also use the python re module (some examples in the
> >> moddump and driverirp plugins). Also you can use yara for pattern matching
> >> (there's a yarascan for windows and now a linux_yarascan plugin so look in
> >> there for examples). Also if you do happen to want to search also, you can
> >> use proc.search_process_memory(["one", "two"]) etc.
> >
> > Ahh, yara is more than I thought it was. I'll have a look at the
> > rulesystem, see if it works for my purpose.
> >
> >>
> >> 2) There is partial documentation on the wiki, see the 2.0 developers guide
> >> https://code.google.com/p/volatility/wiki/VolatilityObjects20. It's obviously
> >> a little dated since we're almost in 2.3 but most is still accurate. Or just
> >> check out how it's done in one of the other plugins like dumpcerts
> >> (https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/dumpcerts.py)
> >> which manually defines a vtype (the structure name, members, offsets, types)
> >> and then creates an "object class" (inherits from obj.CType) to give it
> >> custom methods etc.
> >
> > I'll have a look at the example in dumpcerts, thanks.
> >
> >>
> >> Hope it helps,
> >> MHL
> >>
> >>
> >>
> >> On Mon, Apr 15, 2013 at 8:37 AM, Edwin Smulders <edwin.smulders at gmail.com>
> >> wrote:
> >>>
> >>> Hello all,
> >>>
> >>> I have arrived at an implementation part of my research and I was
> >>> wondering if you have any advice or documentation on some "pythonisms"
> >>> and "volatility-isms" I could be using to do this implementation.
> >>>
> >>> My question is two-fold:
> >>>
> >>> 1) I have acquired a small part of memory using read/zread and want to
> >>> match (not search) this part of memory to a specific pattern. Do you
> >>> know of any pythonisms I could be using, other than checking and
> >>> matching byte by byte? Is there some type pattern I could use? I
> >>> suspect I'll just have to evaluate a list of rules, but I figured I'd
> >>> ask anyway.
> >>> 2) Some parts of memory I am interested in are originally (C) structs,
> >>> I'd like to map these to objects similar to the way this is done for
> >>> structs like 'task_struct' and 'mm_struct', is there any documentation
> >>> on the way this is done?
> >>>
> >>> If it matters, this is all in process address space.
> >>>
> >>> Cheers,
> >>> Edwin
> >>> _______________________________________________
> >>> Vol-dev mailing list
> >>> Vol-dev at volatilityfoundation.org
> >>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
> >>
> >>
>
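The range question raised in the thread (a 32-bit pointer known to lie somewhere in 0xBFFFF000-0xBFFFFFFF, with the ranges generated rather than fixed in advance) can be turned into YARA hex strings mechanically. What follows is an added example, not code from the thread or from Volatility: it splits an inclusive range into nibble-aligned blocks, renders each block as a hex string in memory order (on little-endian x86 the pointer 0xBFFFF123 is stored as the bytes 23 F1 FF BF, so the wildcards land on the first bytes, not the last), and cross-checks the generated patterns against a plain struct.unpack range test on a constructed buffer. The small hex-string matcher is my stand-in for YARA's nibble-wildcard semantics so the file runs without yara-python; the function names, the sample buffer and the Python 3 assumption are all mine.

```python
"""Turn "uint32 in [lo, hi]" into YARA hex strings and check them against a
plain range test.  Added example (not Volatility code); assumes Python 3 and a
little-endian (x86) layout for the value in memory."""
import struct

WIDTH = 4                 # bytes per value
NIBBLES = WIDTH * 2       # hex digits per value


def aligned_blocks(lo, hi, nibbles=NIBBLES):
    """Split the inclusive range [lo, hi] into blocks of the form
    "fixed prefix + k wildcard nibbles", greedily taking the largest block
    that starts at lo, fits inside the range, and is aligned to 16**k."""
    if not 0 <= lo <= hi < 16 ** nibbles:
        raise ValueError("range must fit in %d nibbles" % nibbles)
    blocks = []
    while lo <= hi:
        k = 0
        while k < nibbles:
            span = 16 ** (k + 1)
            if lo % span != 0 or lo + span - 1 > hi:
                break
            k += 1
        blocks.append((lo, k))
        lo += 16 ** k
    return blocks


def block_to_hex_pattern(prefix, k, width=WIDTH):
    """Render one block as a YARA hex string in memory (little-endian) order,
    e.g. (0xBFFFF000, 3) -> '?? F? FF BF'."""
    nibbles = width * 2
    text = "%0*X" % (nibbles, prefix)          # most significant nibble first
    text = text[:nibbles - k] + "?" * k        # low k nibbles become wildcards
    be_bytes = [text[i:i + 2] for i in range(0, nibbles, 2)]
    return " ".join(reversed(be_bytes))        # little-endian: low byte first


def range_rule(name, lo, hi):
    """Emit a complete YARA rule matching any value in [lo, hi]."""
    lines = ["rule %s {" % name, "    strings:"]
    for i, (prefix, k) in enumerate(aligned_blocks(lo, hi)):
        lines.append("        $p%d = { %s }" % (i, block_to_hex_pattern(prefix, k)))
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def compile_hex_pattern(pattern):
    """'F? EF FF BF' -> [(mask, value), ...], one pair per byte.  Stand-in
    for YARA's nibble wildcards so the check below runs without yara-python."""
    pairs = []
    for tok in pattern.split():
        mask = value = 0
        for shift, ch in ((4, tok[0]), (0, tok[1])):
            if ch != "?":
                mask |= 0xF << shift
                value |= int(ch, 16) << shift
        pairs.append((mask, value))
    return pairs


def find_pattern(buf, pattern):
    """Offsets in buf where the hex pattern matches (every offset, not only
    aligned ones, the way a YARA scan over a region behaves)."""
    pairs = compile_hex_pattern(pattern)
    return [off for off in range(len(buf) - len(pairs) + 1)
            if all((buf[off + i] & m) == v for i, (m, v) in enumerate(pairs))]


def find_by_rule(buf, lo, hi):
    """Offsets matched by the generated patterns for [lo, hi]."""
    hits = set()
    for prefix, k in aligned_blocks(lo, hi):
        hits.update(find_pattern(buf, block_to_hex_pattern(prefix, k)))
    return sorted(hits)


def find_in_range(buf, lo, hi):
    """Reference answer: unpack a little-endian uint32 at every offset."""
    return [off for off in range(len(buf) - WIDTH + 1)
            if lo <= struct.unpack_from("<I", buf, off)[0] <= hi]


# Constructed sample memory: filler plus four pointer-sized values.
SAMPLE = b"".join([
    b"\x00" * 4,
    struct.pack("<I", 0xBFFFF123),   # offset 4: inside the range
    struct.pack("<I", 0xBFFFEFFF),   # offset 8: one below it
    struct.pack("<I", 0xBFFFFFFF),   # offset 12: top of the range
    struct.pack("<I", 0xC0000000),   # offset 16: one above it
    b"A" * 4,
])

if __name__ == "__main__":
    lo, hi = 0xBFFFF000, 0xBFFFFFFF
    print(range_rule("ptr_in_range", lo, hi))
    print("rule hits:  ", find_by_rule(SAMPLE, lo, hi))
    print("range check:", find_in_range(SAMPLE, lo, hi))
```

The rule text from range_rule() is ordinary YARA source, so it can be compiled with yara-python's yara.compile(source=...) and handed to whichever scanner is in use. A range whose ends are not nibble-aligned (for example 0xBFFFEFF0-0xBFFFF0FF) expands to more than one hex string, which is why the rule uses `any of them` rather than a single string; the cross-check with find_in_range() is the test to keep when generating rules automatically, since an endianness slip in the pattern silently matches nothing.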