[Vol-dev] Pythonisms and volatility-isms for structs

Edwin Smulders edwin.smulders at gmail.com
Wed Apr 17 14:35:57 CDT 2013


My question was unclear, that was not what I meant, but I have decided
to use another method anyway. Thanks for your time :)

On 17 April 2013 20:23, Michael Hale Ligh <michael.hale at gmail.com> wrote:
> Sure, both the BaseYaraScanner.scan() and DiscontigYaraScanner.scan()
> functions take starting addresses and maxlen parameters. So you can just set
> start to 0xBFFFF000 and maxlen to 0xFFF.
>
>
> On Wed, Apr 17, 2013 at 9:24 AM, Edwin Smulders <edwin.smulders at gmail.com>
> wrote:
>>
>> Followup question: can I use yara to match an integer(32) between a
>> specific range? I did not find this in the documentation, but that
>> does not always mean it is not possible.
>> For example, I want to find a pointer which I know is in the
>> 0xBFFFF000-0xBFFFFFFF range. I suppose I could work around that by
>> searching for a hex string like "BF FF F? ??", but this does not feel
>> quite the same... Plus the ranges are not known beforehand, I have to
>> generate these rules.
>>
>> On 16 April 2013 10:22, Edwin Smulders <edwin.smulders at gmail.com> wrote:
>> > On 16 April 2013 05:10, Michael Hale Ligh <michael.hale at gmail.com>
>> > wrote:
>> >> Hey Edwin,
>> >>
>> >> 1) It depends what type of pattern you're trying to match. If the
>> >> pattern is
>> >> a simple byte string like "one" or "\x0d\x0a" you can just do
>> >> address_space.zread(address, size) == "one". If the pattern is a
>> >> regular
>> >> expression you can also use the python re module (some examples in the
>> >> moddump and driverirp plugins). Also you can use yara for pattern
>> >> matching
>> >> (there's a yarascan for windows and now a linux_yarascan plugin so look
>> >> in
>> >> there for examples). Also if you do happen to want to search also, you
>> >> can
>> >> use proc.search_process_memory(["one", "two"]) etc.
>> >
>> > Ahh, yara is more than I thought it was. I'll have a look at the
>> > rulesystem, see if it works for my purpose.
>> >
>> >>
>> >> 2) There is partial documentation on the wiki, see the 2.0 developers
>> >> guide
>> >> https://code.google.com/p/volatility/wiki/VolatilityObjects20. It's
>> >> obviously
>> >> a little dated since we're almost in 2.3 but most is still accurate. Or
>> >> just
>> >> check out how it's done in one of the other plugins like dumpcerts
>> >>
>> >> (https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/dumpcerts.py)
>> >> which manually defines a vtype (the structure name, members, offsets,
>> >> types)
>> >> and then creates an "object class" (inherits from obj.CType) to give it
>> >> custom methods etc.
>> >
>> > I'll have a look at the example in dumpcerts, thanks.
>> >
>> >>
>> >> Hope it helps,
>> >> MHL
>> >>
>> >>
>> >>
>> >> On Mon, Apr 15, 2013 at 8:37 AM, Edwin Smulders
>> >> <edwin.smulders at gmail.com>
>> >> wrote:
>> >>>
>> >>> Hello all,
>> >>>
>> >>> I have arrived at an implementation part of my research and I was
>> >>> wondering if you have any advice or documentation on some "pythonisms"
>> >>> and "volatility-isms" I could be using to do this implementation.
>> >>>
>> >>> My question is two-fold:
>> >>>
>> >>> 1) I have acquired a small part of memory using read/zread and want to
>> >>> match (not search) this part of memory to a specific pattern. Do you
>> >>> know of any pythonisms I could be using, other than checking and
>> >>> matching byte by byte? Is there some type pattern I could use? I
>> >>> suspect I'll just have to evaluate a list of rules, but I figured I'd
>> >>> ask anyway.
>> >>> 2) Some parts of memory I am interested in are originally (C) structs,
>> >>> I'd like to map these to objects similar to the way this is done for
>> >>> structs like 'task_struct' and 'mm_struct', is there any documentation
>> >>> on the way this is done?
>> >>>
>> >>> If it matters, this is all in process address space.
>> >>>
>> >>> Cheers,
>> >>> Edwin
>> >>> _______________________________________________
>> >>> Vol-dev mailing list
>> >>> Vol-dev at volatilityfoundation.org
>> >>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
>> >>
>> >>
>
>
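Michael's start/maxlen hint and Edwin's wildcarded-hex-string idea can be combined. The snippet below is an added example, not code from the thread or from Volatility: it splits an arbitrary 32-bit range into nibble-aligned blocks and emits each as a YARA hex string in the byte order a little-endian (x86) process actually stores the pointer in, so Edwin's "BF FF F? ??" becomes "?? F? FF BF"; it also shows the direct numeric check for the match-not-search case on a 4-byte buffer already returned by zread(). The little-endian target, the rule name and the sample pointer are assumptions.

```python
import struct

def range_to_nibble_patterns(lo, hi):
    """Split [lo, hi] (32-bit unsigned) into the fewest 16^k-aligned blocks, each
    written as 8 big-endian hex digits with trailing '?' wildcard nibbles.
    0xBFFFF000-0xBFFFFFFF -> ['BFFFF???']; 0x10-0x2F -> ['0000001?', '0000002?']."""
    if not 0 <= lo <= hi <= 0xFFFFFFFF:
        raise ValueError("range must satisfy 0 <= lo <= hi <= 0xFFFFFFFF")
    patterns, cur = [], lo
    while cur <= hi:
        k = 0  # trailing wildcard nibbles: grow while the block stays aligned and inside [lo, hi]
        while k < 8 and cur % 16 ** (k + 1) == 0 and cur + 16 ** (k + 1) - 1 <= hi:
            k += 1
        patterns.append(("%08X" % cur)[:8 - k] + "?" * k)
        cur += 16 ** k
    return patterns

def to_yara_hex(pattern):
    """Reverse the byte order for a little-endian (x86, assumed) process and space the
    bytes as YARA expects inside { }: 'BFFFF???' -> '?? F? FF BF'."""
    return " ".join(reversed([pattern[i:i + 2] for i in range(0, 8, 2)]))

def yara_rule(name, lo, hi):
    """Emit a complete YARA rule matching any little-endian dword in [lo, hi]."""
    strings = "\n".join("        $p%d = { %s }" % (i, to_yara_hex(p))
                        for i, p in enumerate(range_to_nibble_patterns(lo, hi)))
    return "rule %s {\n    strings:\n%s\n    condition:\n        any of them\n}" % (name, strings)

def nibble_pattern_matches(pattern, value):
    """Test one 32-bit value against a big-endian nibble pattern; used to verify that
    the generated wildcards cover exactly the requested range and nothing else."""
    return all(p == "?" or p == d for p, d in zip(pattern, "%08X" % value))

def dword_in_range(buf, lo, hi):
    """The 'match, not search' case: buf holds the 4 bytes zread() already returned, so
    decode them as a little-endian dword and compare numerically instead of via YARA."""
    (value,) = struct.unpack("<I", buf[:4])
    return lo <= value <= hi

if __name__ == "__main__":
    LO, HI = 0xBFFFF000, 0xBFFFFFFF          # the range from the thread
    print(yara_rule("ptr_in_range", LO, HI))  # rule name is a placeholder
    pats = range_to_nibble_patterns(LO, HI)
    sample = struct.pack("<I", 0xBFFFF034)    # constructed: a pointer as stored in memory
    print(dword_in_range(sample, LO, HI))     # True
    assert all(any(nibble_pattern_matches(p, v) for p in pats) for v in range(LO, HI + 1))
    assert not any(nibble_pattern_matches(p, v) for p in pats for v in (LO - 1, HI + 1))
```

Ranges that are not nibble-aligned simply yield several `$pN` strings, which is why the condition is `any of them`.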

