def generate_hits(self, address_space):
    """Run this plugin's compiled YARA rules over *address_space*.

    A ``BaseYaraASScanner`` is built from the plugin's profile, session and
    rules and pointed at the given address space; whatever its ``scan()``
    produces is handed straight back to the caller.

    Args:
        address_space: the address space the scanner should walk.

    Returns:
        The value of ``scan()`` on a scanner bound to ``address_space``.
    """
    as_scanner = yarascanner.BaseYaraASScanner(
        address_space=address_space,
        rules=self.rules,
        profile=self.profile,
        session=self.session,
    )
    return as_scanner.scan()
def collect_task_scan(self, task):
    """Scan a task's address space, one VAD region at a time.

    In Windows pagetable entries outside the VAD might be uninitialized and
    this will lead to scanning massive regions of mostly unmapped memory.
    When asked to scan process memory we only scan memory inside the VAD.

    Args:
        task: the process object whose VAD tree (``task.RealVadRoot``) is
            walked.

    Yields:
        ``(task, rule, address, hexdump, symbol)`` tuples, one per YARA hit,
        where ``hexdump`` wraps the 0x40 bytes read at ``address`` and
        ``symbol`` is the session address resolver's formatted name for it.
        Generation stops once the running hit count exceeds ``self.hits``.
    """
    # The scanner is bound to the session's default address space rather
    # than one derived from `task`, so the address resolver and the scanned
    # address space line up. Presumably the caller has already switched
    # process context to this task — that switch is not visible here.
    task_as = self.session.default_address_space
    as_scanner = yarascanner.BaseYaraASScanner(
        address_space=task_as,
        rules=self.rules,
        profile=self.profile,
        session=self.session,
    )

    hit_count = 0
    # Visit VADs in ascending start address so hits come out address-ordered.
    vad_regions = sorted(task.RealVadRoot.traverse(), key=lambda v: v.Start)
    for vad in vad_regions:
        self.session.report_progress(
            "Scanning VAD %s from %#0x (%#0x)",
            task.name, vad.Start, vad.Length)

        # Restrict the scan to this VAD's [Start, Start + Length) range.
        for hit in as_scanner.scan(vad.Start, vad.Length):
            hit_count += 1
            rule, address = hit[0], hit[1]
            symbol = self.session.address_resolver.format_address(address)
            context_bytes = utils.HexDumpedString(task_as.read(address, 0x40))
            yield (task, rule, address, context_bytes, symbol)

            # The limit is checked after yielding, so up to self.hits + 1
            # hits can be produced before we stop.
            # NOTE(review): confirm that matches the intended meaning of
            # the hits limit.
            if hit_count > self.hits:
                return