文件: yarascan.py 项目: he0x/rekall
    def generate_hits(self, address_space):
        """Return the YARA hits produced by scanning *address_space*.

        A BaseYaraASScanner is built from this plugin's profile, session and
        compiled rules, and whatever its scan() returns is handed straight
        back to the caller; the shape of each hit is defined by the scanner.
        """
        scanner_args = dict(
            profile=self.profile,
            session=self.session,
            address_space=address_space,
            rules=self.rules,
        )
        as_scanner = yarascanner.BaseYaraASScanner(**scanner_args)
        return as_scanner.scan()
文件: yarascan.py 项目: silky/rekall
    def collect_task_scan(self, task):
        """Scan a task's address space one VAD region at a time.

        In Windows pagetable entries outside the VAD might be uninitialized and
        this will lead to scanning massive regions of mostly unmapped memory.

        When asked to scan process memory we only scan memory inside the VAD.

        Yields (task, rule, address, hexdump, symbol) tuples, where hexdump is
        a HexDumpedString of the 0x40 bytes read at the hit address from the
        task's address space. Iteration stops once more than self.hits hits
        have been yielded for this task.
        """
        # The process context is expected to already be switched to *task* so
        # that the address resolver and this default address space line up.
        task_as = self.session.default_address_space
        as_scanner = yarascanner.BaseYaraASScanner(
            profile=self.profile, session=self.session,
            address_space=task_as, rules=self.rules)

        vads_by_start = sorted(task.RealVadRoot.traverse(),
                               key=lambda v: v.Start)
        seen = 0
        for vad in vads_by_start:
            self.session.report_progress(
                "Scanning VAD %s from %#0x (%#0x)",
                task.name, vad.Start, vad.Length)

            # Restrict the scan to this VAD region only.
            for hit in as_scanner.scan(vad.Start, vad.Length):
                seen += 1
                rule, address = hit[0], hit[1]
                symbol = self.session.address_resolver.format_address(address)
                preview = utils.HexDumpedString(task_as.read(address, 0x40))
                yield (task, rule, address, preview, symbol)

                # NOTE(review): this check runs after the yield, so up to
                # self.hits + 1 results are produced before stopping —
                # confirm whether self.hits is meant as an inclusive cap.
                if seen > self.hits:
                    return