Use process memory scan flag

GDATASoftwareAG · Feb 28, 2024 · 529f9d3 · 529f9d3
1 parent 9e56c52
commit 529f9d3
Show file tree

Hide file tree

Showing 9 changed files with 23 additions and 24 deletions.
diff --git a/plugins/inmemoryscanner/src/lib/IYaraInterface.h b/plugins/inmemoryscanner/src/lib/IYaraInterface.h
@@ -19,8 +19,7 @@ namespace InMemoryScanner
       public:
         virtual ~IYaraInterface() = default;
 
-        virtual std::vector<Rule> scanMemory(VmiCore::addr_t regionBase,
-                                             std::span<const VmiCore::MappedRegion> mappedRegions) = 0;
+        virtual std::vector<Rule> scanMemory(std::span<const VmiCore::MappedRegion> mappedRegions) = 0;
 
       protected:
         IYaraInterface() = default;

diff --git a/plugins/inmemoryscanner/src/lib/Scanner.cpp b/plugins/inmemoryscanner/src/lib/Scanner.cpp
@@ -133,7 +133,7 @@ namespace InMemoryScanner
         // The semaphore protects the yara rules from being accessed more than YR_MAX_THREADS (32 atm.) times in
         // parallel.
         semaphore.acquire();
-        auto results = yaraInterface->scanMemory(memoryRegionDescriptor.base, mappedRegions);
+        auto results = yaraInterface->scanMemory(mappedRegions);
         semaphore.release();
 
         logger->debug("End scanMemory");

diff --git a/plugins/inmemoryscanner/src/lib/YaraInterface.cpp b/plugins/inmemoryscanner/src/lib/YaraInterface.cpp
@@ -64,7 +64,7 @@ namespace InMemoryScanner
         }
     }
 
-    std::vector<Rule> YaraInterface::scanMemory(addr_t regionBase, std::span<const MappedRegion> mappedRegions)
+    std::vector<Rule> YaraInterface::scanMemory(std::span<const MappedRegion> mappedRegions)
     {
         std::vector<Rule> results;
 
@@ -73,7 +73,7 @@ namespace InMemoryScanner
         for (const auto& mappedRegion : mappedRegions)
         {
             iteratorContext.blocks.emplace_back(mappedRegion.num_pages * pageSizeInBytes,
-                                                mappedRegion.guestBaseVA - regionBase,
+                                                mappedRegion.guestBaseVA,
                                                 mappedRegion.mappingBase,
                                                 &fetch_block_data);
         }
@@ -88,7 +88,13 @@ namespace InMemoryScanner
             .context = &iteratorContext, .first = &get_first_block, .next = &get_next_block};
 #endif
 
-        if (auto err = yr_rules_scan_mem_blocks(rules, &iterator, 0, yaraCallback, &results, 0); err != ERROR_SUCCESS)
+        if (auto err = yr_rules_scan_mem_blocks(rules,
+                                                &iterator,
+                                                SCAN_FLAGS_PROCESS_MEMORY | SCAN_FLAGS_REPORT_RULES_MATCHING,
+                                                yaraCallback,
+                                                &results,
+                                                0);
+            err != ERROR_SUCCESS)
         {
             throw YaraException(fmt::format("Error scanning memory. Error code: {}", err));
         }

diff --git a/plugins/inmemoryscanner/src/lib/YaraInterface.h b/plugins/inmemoryscanner/src/lib/YaraInterface.h
@@ -36,8 +36,7 @@ namespace InMemoryScanner
 
         ~YaraInterface() override;
 
-        std::vector<Rule> scanMemory(VmiCore::addr_t regionBase,
-                                     std::span<const VmiCore::MappedRegion> mappedRegions) override;
+        std::vector<Rule> scanMemory(std::span<const VmiCore::MappedRegion> mappedRegions) override;
 
       private:
         YR_RULES* rules = nullptr;

diff --git a/plugins/inmemoryscanner/test/FakeYaraInterface.cpp b/plugins/inmemoryscanner/test/FakeYaraInterface.cpp
@@ -5,8 +5,7 @@
 namespace InMemoryScanner
 {
     std::vector<Rule>
-    FakeYaraInterface::scanMemory([[maybe_unused]] VmiCore::addr_t regionBase,
-                                  [[maybe_unused]] std::span<const VmiCore::MappedRegion> mappedRegions)
+    FakeYaraInterface::scanMemory([[maybe_unused]] std::span<const VmiCore::MappedRegion> mappedRegions)
     {
         concurrentThreads++;
         if (concurrentThreads > YR_MAX_THREADS)

diff --git a/plugins/inmemoryscanner/test/FakeYaraInterface.h b/plugins/inmemoryscanner/test/FakeYaraInterface.h
@@ -7,8 +7,7 @@ namespace InMemoryScanner
     class FakeYaraInterface : public IYaraInterface
     {
       public:
-        std::vector<Rule> scanMemory(VmiCore::addr_t regionBase,
-                                     std::span<const VmiCore::MappedRegion> mappedRegions) override;
+        std::vector<Rule> scanMemory(std::span<const VmiCore::MappedRegion> mappedRegions) override;
 
         bool max_threads_exceeded = false;
 

diff --git a/plugins/inmemoryscanner/test/Scanner_unittest.cpp b/plugins/inmemoryscanner/test/Scanner_unittest.cpp
@@ -134,7 +134,7 @@ namespace InMemoryScanner
             auto dumping = std::make_unique<NiceMock<MockDumping>>();
             dumpingRawPointer = dumping.get();
             auto yara = std::make_unique<NiceMock<MockYaraInterface>>();
-            ON_CALL(*yara, scanMemory(_, _)).WillByDefault(Return(std::vector<Rule>{}));
+            ON_CALL(*yara, scanMemory(_)).WillByDefault(Return(std::vector<Rule>{}));
             scanner.emplace(pluginInterface.get(), configuration, std::move(yara), std::move(dumping));
         };
     };
@@ -173,7 +173,7 @@ namespace InMemoryScanner
                     });
             auto dumping = std::make_unique<Dumping>(pluginInterface.get(), configuration);
             auto yara = std::make_unique<NiceMock<MockYaraInterface>>();
-            ON_CALL(*yara, scanMemory(_, _)).WillByDefault(Return(std::vector<Rule>{}));
+            ON_CALL(*yara, scanMemory(_)).WillByDefault(Return(std::vector<Rule>{}));
             scanner.emplace(pluginInterface.get(), configuration, std::move(yara), std::move(dumping));
         };
 

diff --git a/plugins/inmemoryscanner/test/YaraInterface_unittest.cpp b/plugins/inmemoryscanner/test/YaraInterface_unittest.cpp
@@ -67,7 +67,7 @@ namespace InMemoryScanner
         auto subRegion1 = constructPageWithContent("ABCD");
         std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}};
 
-        auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);
+        auto matches = yaraInterface.scanMemory(memoryRegions);
 
         EXPECT_EQ(matches.size(), 0);
     }
@@ -89,7 +89,7 @@ namespace InMemoryScanner
         auto subRegion2 = constructPageWithContent("DCBA", false);
         std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {pageSizeInBytes, subRegion2}};
 
-        auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);
+        auto matches = yaraInterface.scanMemory(memoryRegions);
 
         EXPECT_EQ(matches.size(), 0);
     }
@@ -113,8 +113,8 @@ namespace InMemoryScanner
         std::vector<VmiCore::MappedRegion> memoryRegion1{{0x0, subRegion1}};
         std::vector<VmiCore::MappedRegion> memoryRegion2{{4 * pageSizeInBytes, subRegion2}};
 
-        auto matches1 = yaraInterface.scanMemory(memoryRegion1.front().guestBaseVA, memoryRegion1);
-        auto matches2 = yaraInterface.scanMemory(memoryRegion2.front().guestBaseVA, memoryRegion2);
+        auto matches1 = yaraInterface.scanMemory(memoryRegion1);
+        auto matches2 = yaraInterface.scanMemory(memoryRegion2);
 
         EXPECT_EQ(matches1.size(), 0);
         EXPECT_EQ(matches2.size(), 0);
@@ -139,7 +139,7 @@ namespace InMemoryScanner
         std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {4 * pageSizeInBytes, subRegion2}};
         Rule expectedMatch{"testRule", "default", {{"$test", 0x0}, {"$test2", 4 * pageSizeInBytes}}};
 
-        auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);
+        auto matches = yaraInterface.scanMemory(memoryRegions);
 
         ASSERT_EQ(matches.size(), 1);
         EXPECT_THAT(matches, UnorderedElementsAre(expectedMatch));
@@ -178,7 +178,7 @@ namespace InMemoryScanner
         Rule expectedMatch2{
             "testRule2", "default", {{"$test", 8 * pageSizeInBytes}, {"$test2", 8 * pageSizeInBytes + 1}}};
 
-        auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);
+        auto matches = yaraInterface.scanMemory(memoryRegions);
 
         ASSERT_EQ(matches.size(), 2);
         EXPECT_THAT(matches, UnorderedElementsAre(expectedMatch1, expectedMatch2));

diff --git a/plugins/inmemoryscanner/test/mock_YaraInterface.h b/plugins/inmemoryscanner/test/mock_YaraInterface.h
@@ -8,9 +8,6 @@ namespace InMemoryScanner
     class MockYaraInterface : public IYaraInterface
     {
       public:
-        MOCK_METHOD(std::vector<Rule>,
-                    scanMemory,
-                    (VmiCore::addr_t, std::span<const VmiCore::MappedRegion>),
-                    (override));
+        MOCK_METHOD(std::vector<Rule>, scanMemory, (std::span<const VmiCore::MappedRegion>), (override));
     };
 }