Skip to content

Commit

Permalink
special review commit for kevin
Browse files Browse the repository at this point in the history
  • Loading branch information
Dorian Eikenberg committed Jan 10, 2024
1 parent 2298e29 commit 4dea8e4
Show file tree
Hide file tree
Showing 7 changed files with 20 additions and 25 deletions.
5 changes: 2 additions & 3 deletions plugins/inmemoryscanner/src/lib/Scanner.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -83,12 +83,11 @@ namespace InMemoryScanner
auto frontRegionSpan = regions.front().asSpan();
std::ranges::copy(frontRegionSpan.begin(), frontRegionSpan.end(), std::back_inserter(result));

// copy the rest of the regions with a padding page in between each chunk
for (std::size_t i = 1; i < regions.size(); i++)
{
const auto& region = regions[i];
// padding page
result.insert(result.end(), pageSizeInBytes, 0);
auto regionSpan = region.asSpan();
auto regionSpan = regions[i].asSpan();
std::ranges::copy(regionSpan.begin(), regionSpan.end(), std::back_inserter(result));
}

Expand Down
25 changes: 14 additions & 11 deletions plugins/inmemoryscanner/test/YaraInterface_unittest.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,11 @@ using VmiCore::PagingDefinitions::pageSizeInBytes;

namespace InMemoryScanner
{
std::vector<uint8_t> constructPageWithContent(const std::string& string)
std::vector<uint8_t> constructPageWithContent(const std::string& string, bool insertAtBack = false)
{
std::vector<uint8_t> result(pageSizeInBytes, 0);
std::copy(string.begin(), string.end(), result.begin());
auto insertPosition = insertAtBack ? result.end() - string.size() : result.begin();
std::copy(string.begin(), string.end(), insertPosition);
return result;
}

Expand Down Expand Up @@ -84,9 +85,9 @@ namespace InMemoryScanner
}
)";
auto yaraInterface = YaraInterface(compileYaraRules(rules));
auto subRegion1 = constructPageWithContent("ABCD");
auto subRegion2 = constructPageWithContent("DCBA");
std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}};
auto subRegion1 = constructPageWithContent("ABCD", true);
auto subRegion2 = constructPageWithContent("DCBA", false);
std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {pageSizeInBytes, subRegion2}};

auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);

Expand All @@ -110,7 +111,7 @@ namespace InMemoryScanner
auto subRegion1 = constructPageWithContent("ABCD");
auto subRegion2 = constructPageWithContent("DCBA");
std::vector<VmiCore::MappedRegion> memoryRegion1{{0x0, subRegion1}};
std::vector<VmiCore::MappedRegion> memoryRegion2{{0x40, subRegion2}};
std::vector<VmiCore::MappedRegion> memoryRegion2{{4 * pageSizeInBytes, subRegion2}};

auto matches1 = yaraInterface.scanMemory(memoryRegion1.front().guestBaseVA, memoryRegion1);
auto matches2 = yaraInterface.scanMemory(memoryRegion2.front().guestBaseVA, memoryRegion2);
Expand All @@ -135,8 +136,8 @@ namespace InMemoryScanner
auto yaraInterface = YaraInterface(compileYaraRules(rules));
auto subRegion1 = constructPageWithContent("ABCD");
auto subRegion2 = constructPageWithContent("DCBA");
std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}};
Rule expectedMatch{"testRule", "default", {{"$test", 0x0}, {"$test2", 0x40}}};
std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {4 * pageSizeInBytes, subRegion2}};
Rule expectedMatch{"testRule", "default", {{"$test", 0x0}, {"$test2", 4 * pageSizeInBytes}}};

auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);

Expand Down Expand Up @@ -171,9 +172,11 @@ namespace InMemoryScanner
auto subRegion1 = constructPageWithContent("ABCD");
auto subRegion2 = constructPageWithContent("DCBA");
auto subRegion3 = constructPageWithContent("EFGH");
std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}, {0x80, subRegion3}};
Rule expectedMatch1{"testRule", "default", {{"$test", 0x0}, {"$test2", 0x40}}};
Rule expectedMatch2{"testRule2", "default", {{"$test", 0x80}, {"$test2", 0x81}}};
std::vector<VmiCore::MappedRegion> memoryRegions{
{0x0, subRegion1}, {4 * pageSizeInBytes, subRegion2}, {8 * pageSizeInBytes, subRegion3}};
Rule expectedMatch1{"testRule", "default", {{"$test", 0x0}, {"$test2", 4 * pageSizeInBytes}}};
Rule expectedMatch2{
"testRule2", "default", {{"$test", 8 * pageSizeInBytes}, {"$test2", 8 * pageSizeInBytes + 1}}};

auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);

Expand Down
4 changes: 2 additions & 2 deletions vmicore/src/include/vmicore/vmi/IMemoryMapping.h
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,8 @@ namespace VmiCore
virtual ~IMemoryMapping() = default;

/**
* Retrieves a set memory mapping descriptors. See MappedRegion.h for details. Elements are ordered from lowest
* to highest guest VA.
* Retrieves a set of memory mapping descriptors. See MappedRegion.h for details. Elements are ordered from
* lowest to highest guest VA.
*
* @throws MemoryMappingError Will occur if unmap has already been called.
*/
Expand Down
1 change: 1 addition & 0 deletions vmicore/src/lib/plugins/PluginSystem.cpp
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
#include "PluginSystem.h"
#include "../vmi/MemoryMapping.h"
#include "PluginException.h"
#include <bit>
#include <cstdint>
#include <dlfcn.h>
Expand Down
1 change: 0 additions & 1 deletion vmicore/src/lib/plugins/PluginSystem.h
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@
#include "../os/IActiveProcessesSupervisor.h"
#include "../vmi/InterruptEventSupervisor.h"
#include "../vmi/LibvmiInterface.h"
#include "PluginException.h"
#include <cstdint>
#include <functional>
#include <map>
Expand Down
2 changes: 1 addition & 1 deletion vmicore/src/lib/vmi/MemoryMapping.h
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,6 @@ namespace VmiCore
mapped_regions_t libvmiMappings;
bool isMapped = true;
};
} // VmiCore
}

#endif // VMICORE_MEMORYMAPPING_H
7 changes: 0 additions & 7 deletions vmicore/test/lib/plugins/mock_PluginSystem.h
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,6 @@ namespace VmiCore
(addr_t, addr_t, std::size_t),
(const override));

MOCK_METHOD(std::unique_ptr<std::vector<uint8_t>>,
readProcessMemoryRegion,
(pid_t, addr_t, size_t),
(const override));

MOCK_METHOD(std::unique_ptr<std::vector<MemoryRegion>>, getProcessMemoryRegions, (pid_t), (const override));

MOCK_METHOD(std::unique_ptr<std::vector<std::shared_ptr<const ActiveProcessInformation>>>,
getRunningProcesses,
(),
Expand Down

0 comments on commit 4dea8e4

Please sign in to comment.