def get_new_moddump(self, old, new, deps):
"""
Dumps new drivers.
"""
moddir = os.path.join(os.path.dirname(self.memfile), "drivers//")
res = self.get_new_objects(old, new, deps)
# Copy new drivers to dir
for new_driver in res:
utils.copy_safe(new["moddump"]["config"]["dump_dir"] + \
"/driver.{0:x}.sys".format(new_driver["module_base"]), moddir + new_driver["module_name"])
utils.remove_dir_safe(old["moddump"]["config"]["dump_dir"])
utils.remove_dir_safe(new["moddump"]["config"]["dump_dir"])
return res
def get_new_malfind(self, old, new, deps, dump_dir=None):
"""
Gets new malfinds. Filters out malfunds in python processes.
"""
found_mals = self.get_new_objects(old, new, deps)
new_mals = []
malfinds_dir = os.path.join(os.path.dirname(self.memfile), "malfinds//")
for m in found_mals:
if not (m["process_name"] == "python.exe"):
new_mals.append(m)
# Copy new drivers to dir
if dump_dir is not None:
for new_mal in new_mals:
name = "process.{0:#x}.{1:#x}.dmp".format(new_mal["offset"], int(new_mal["vad_start"],16))
utils.copy_safe(dump_dir + '//' + name, malfinds_dir + name)
utils.remove_dir_safe(old["malfind"]["config"]["dump_dir"])
utils.remove_dir_safe(new["malfind"]["config"]["dump_dir"])
return new_mals