From 4dea8e45f2b0076cd598696515b0ea4a656d5e93 Mon Sep 17 00:00:00 2001
From: Dorian Eikenberg
Date: Wed, 10 Jan 2024 14:22:56 +0100
Subject: [PATCH] special review commit for kevin
---
plugins/inmemoryscanner/src/lib/Scanner.cpp | 5 ++--
.../test/YaraInterface_unittest.cpp | 25 +++++++++++--------
.../src/include/vmicore/vmi/IMemoryMapping.h | 4 +--
vmicore/src/lib/plugins/PluginSystem.cpp | 1 +
vmicore/src/lib/plugins/PluginSystem.h | 1 -
vmicore/src/lib/vmi/MemoryMapping.h | 2 +-
vmicore/test/lib/plugins/mock_PluginSystem.h | 7 ------
7 files changed, 20 insertions(+), 25 deletions(-)
diff --git a/plugins/inmemoryscanner/src/lib/Scanner.cpp b/plugins/inmemoryscanner/src/lib/Scanner.cpp
index 22e4b9bf..9c11a7a1 100644
--- a/plugins/inmemoryscanner/src/lib/Scanner.cpp
+++ b/plugins/inmemoryscanner/src/lib/Scanner.cpp
@@ -83,12 +83,11 @@ namespace InMemoryScanner auto frontRegionSpan = regions.front().asSpan(); std::ranges::copy(frontRegionSpan.begin(), frontRegionSpan.end(), std::back_inserter(result)); + // copy the rest of the regions with a padding page in between each chunk for (std::size_t i = 1; i < regions.size(); i++) { - const auto& region = regions[i]; - // padding page result.insert(result.end(), pageSizeInBytes, 0); - auto regionSpan = region.asSpan(); + auto regionSpan = regions[i].asSpan(); std::ranges::copy(regionSpan.begin(), regionSpan.end(), std::back_inserter(result)); }
diff --git a/plugins/inmemoryscanner/test/YaraInterface_unittest.cpp b/plugins/inmemoryscanner/test/YaraInterface_unittest.cpp
index ce2c3802..f9539eb1 100644
--- a/plugins/inmemoryscanner/test/YaraInterface_unittest.cpp
+++ b/plugins/inmemoryscanner/test/YaraInterface_unittest.cpp
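Review bot: The new comment above the loop in Scanner.cpp says that a padding page goes between chunks but not why, and with the `// padding page` marker removed the line `result.insert(result.end(), pageSizeInBytes, 0);` is no longer explained where it stands. Presumably the zeroed page is there so that a YARA pattern cannot match across two regions that are not adjacent in guest memory; if that is the intent, state it, e.g. `// a zeroed padding page between regions keeps patterns from matching across region boundaries`. The enclosing function starts and ends outside the hunk.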
@@ -9,10 +9,11 @@ using VmiCore::PagingDefinitions::pageSizeInBytes; namespace InMemoryScanner { - std::vector constructPageWithContent(const std::string& string) + std::vector constructPageWithContent(const std::string& string, bool insertAtBack = false) { std::vector result(pageSizeInBytes, 0); - std::copy(string.begin(), string.end(), result.begin()); + auto insertPosition = insertAtBack ? result.end() - string.size() : result.begin(); + std::copy(string.begin(), string.end(), insertPosition); return result; }
@@ -84,9 +85,9 @@ namespace InMemoryScanner } )"; auto yaraInterface = YaraInterface(compileYaraRules(rules)); - auto subRegion1 = constructPageWithContent("ABCD"); - auto subRegion2 = constructPageWithContent("DCBA"); - std::vector memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}}; + auto subRegion1 = constructPageWithContent("ABCD", true); + auto subRegion2 = constructPageWithContent("DCBA", false); + std::vector memoryRegions{{0x0, subRegion1}, {pageSizeInBytes, subRegion2}}; auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);
@@ -110,7 +111,7 @@ namespace InMemoryScanner auto subRegion1 = constructPageWithContent("ABCD"); auto subRegion2 = constructPageWithContent("DCBA"); std::vector memoryRegion1{{0x0, subRegion1}}; - std::vector memoryRegion2{{0x40, subRegion2}}; + std::vector memoryRegion2{{4 * pageSizeInBytes, subRegion2}}; auto matches1 = yaraInterface.scanMemory(memoryRegion1.front().guestBaseVA, memoryRegion1); auto matches2 = yaraInterface.scanMemory(memoryRegion2.front().guestBaseVA, memoryRegion2);
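Review bot: `result.end() - string.size()` in constructPageWithContent moves the iterator before `result.begin()` when the string is longer than `pageSizeInBytes`, and the front-insert path writes past the end of the page in the same case; both are undefined behaviour rather than a clean test failure. A guard at the top of the helper makes a bad fixture fail loudly: `if (string.size() > pageSizeInBytes) { throw std::invalid_argument("content exceeds page size"); }`. Converting the size explicitly, `result.end() - static_cast<std::ptrdiff_t>(string.size())`, also avoids the implicit unsigned-to-signed conversion in the iterator arithmetic.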
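Review bot: The bare `true` and `false` in `constructPageWithContent("ABCD", true)` and `constructPageWithContent("DCBA", false)` do not tell the reader that the first string now sits at the end of its page and the second at the start of the next one, which, with the bases `0x0` and `pageSizeInBytes`, makes the two strings adjacent in guest memory. A short comment would document that this placement is the point of the fixture, e.g. `// "ABCD" ends page 0 and "DCBA" starts page 1, so both strings touch the page boundary`. The test's name and its assertions lie outside the hunk.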
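Review bot: `4 * pageSizeInBytes` in this hunk, and again in the hunks at new lines 136 and 172 together with `8 * pageSizeInBytes`, is a repeated bare expression standing for a region base address. Named constants in the test file, e.g. `constexpr auto secondRegionBase = 4 * pageSizeInBytes;`, would keep the region lists and the expected match offsets in step when one of them changes. This is a style point only; the new bases are page multiples, which fits the page-sized buffers the helper returns.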
@@ -135,8 +136,8 @@ namespace InMemoryScanner auto yaraInterface = YaraInterface(compileYaraRules(rules)); auto subRegion1 = constructPageWithContent("ABCD"); auto subRegion2 = constructPageWithContent("DCBA"); - std::vector memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}}; - Rule expectedMatch{"testRule", "default", {{"$test", 0x0}, {"$test2", 0x40}}}; + std::vector memoryRegions{{0x0, subRegion1}, {4 * pageSizeInBytes, subRegion2}}; + Rule expectedMatch{"testRule", "default", {{"$test", 0x0}, {"$test2", 4 * pageSizeInBytes}}}; auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);
@@ -171,9 +172,11 @@ namespace InMemoryScanner auto subRegion1 = constructPageWithContent("ABCD"); auto subRegion2 = constructPageWithContent("DCBA"); auto subRegion3 = constructPageWithContent("EFGH"); - std::vector memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}, {0x80, subRegion3}}; - Rule expectedMatch1{"testRule", "default", {{"$test", 0x0}, {"$test2", 0x40}}}; - Rule expectedMatch2{"testRule2", "default", {{"$test", 0x80}, {"$test2", 0x81}}}; + std::vector memoryRegions{ + {0x0, subRegion1}, {4 * pageSizeInBytes, subRegion2}, {8 * pageSizeInBytes, subRegion3}}; + Rule expectedMatch1{"testRule", "default", {{"$test", 0x0}, {"$test2", 4 * pageSizeInBytes}}}; + Rule expectedMatch2{ + "testRule2", "default", {{"$test", 8 * pageSizeInBytes}, {"$test2", 8 * pageSizeInBytes + 1}}}; auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);
diff --git a/vmicore/src/include/vmicore/vmi/IMemoryMapping.h b/vmicore/src/include/vmicore/vmi/IMemoryMapping.h
index b6c7054d..a2e7cd6e 100644
--- a/vmicore/src/include/vmicore/vmi/IMemoryMapping.h
+++ b/vmicore/src/include/vmicore/vmi/IMemoryMapping.h
@@ -20,8 +20,8 @@ namespace VmiCore virtual ~IMemoryMapping() = default; /** - * Retrieves a set memory mapping descriptors. See MappedRegion.h for details. Elements are ordered from lowest - * to highest guest VA. + * Retrieves a set of memory mapping descriptors. See MappedRegion.h for details. Elements are ordered from + * lowest to highest guest VA. * * @throws MemoryMappingError Will occur if unmap has already been called. */
diff --git a/vmicore/src/lib/plugins/PluginSystem.cpp b/vmicore/src/lib/plugins/PluginSystem.cpp
index 27eaa9b9..cba1bed3 100644
--- a/vmicore/src/lib/plugins/PluginSystem.cpp
+++ b/vmicore/src/lib/plugins/PluginSystem.cpp
@@ -1,5 +1,6 @@ #include "PluginSystem.h" #include "../vmi/MemoryMapping.h" +#include "PluginException.h" #include #include #include
diff --git a/vmicore/src/lib/plugins/PluginSystem.h b/vmicore/src/lib/plugins/PluginSystem.h
index 93417f70..c8be60c0 100644
--- a/vmicore/src/lib/plugins/PluginSystem.h
+++ b/vmicore/src/lib/plugins/PluginSystem.h
@@ -8,7 +8,6 @@ #include "../os/IActiveProcessesSupervisor.h" #include "../vmi/InterruptEventSupervisor.h" #include "../vmi/LibvmiInterface.h" -#include "PluginException.h" #include #include #include
diff --git a/vmicore/src/lib/vmi/MemoryMapping.h b/vmicore/src/lib/vmi/MemoryMapping.h
index 68aabd7e..4714ce80 100644
--- a/vmicore/src/lib/vmi/MemoryMapping.h
+++ b/vmicore/src/lib/vmi/MemoryMapping.h
@@ -34,6 +34,6 @@ namespace VmiCore mapped_regions_t libvmiMappings; bool isMapped = true; }; -} // VmiCore +} #endif // VMICORE_MEMORYMAPPING_H
diff --git a/vmicore/test/lib/plugins/mock_PluginSystem.h b/vmicore/test/lib/plugins/mock_PluginSystem.h
index f4e489c9..0fcfeaeb 100644
--- a/vmicore/test/lib/plugins/mock_PluginSystem.h
+++ b/vmicore/test/lib/plugins/mock_PluginSystem.h
@@ -11,13 +11,6 @@ namespace VmiCore (addr_t, addr_t, std::size_t), (const override)); - MOCK_METHOD(std::unique_ptr>, - readProcessMemoryRegion, - (pid_t, addr_t, size_t), - (const override)); - - MOCK_METHOD(std::unique_ptr>, getProcessMemoryRegions, (pid_t), (const override)); - MOCK_METHOD(std::unique_ptr>>, getRunningProcesses, (),