From b2f11cb710fbd6079d5e765f09cf7e4b6d98c661 Mon Sep 17 00:00:00 2001 From: Dorian Eikenberg Date: Wed, 10 Jan 2024 14:22:56 +0100 Subject: [PATCH] special review commit for kevin --- plugins/inmemoryscanner/src/lib/Scanner.cpp | 5 ++-- .../test/YaraInterface_unittest.cpp | 25 +++++++++++-------- vmicore/test/lib/plugins/mock_PluginSystem.h | 5 ---- 3 files changed, 16 insertions(+), 19 deletions(-) diff --git a/plugins/inmemoryscanner/src/lib/Scanner.cpp b/plugins/inmemoryscanner/src/lib/Scanner.cpp index 22e4b9bf..9c11a7a1 100644 --- a/plugins/inmemoryscanner/src/lib/Scanner.cpp +++ b/plugins/inmemoryscanner/src/lib/Scanner.cpp @@ -83,12 +83,11 @@ namespace InMemoryScanner auto frontRegionSpan = regions.front().asSpan(); std::ranges::copy(frontRegionSpan.begin(), frontRegionSpan.end(), std::back_inserter(result)); + // copy the rest of the regions with a padding page in between each chunk for (std::size_t i = 1; i < regions.size(); i++) { - const auto& region = regions[i]; - // padding page result.insert(result.end(), pageSizeInBytes, 0); - auto regionSpan = region.asSpan(); + auto regionSpan = regions[i].asSpan(); std::ranges::copy(regionSpan.begin(), regionSpan.end(), std::back_inserter(result)); } diff --git a/plugins/inmemoryscanner/test/YaraInterface_unittest.cpp b/plugins/inmemoryscanner/test/YaraInterface_unittest.cpp index ce2c3802..f9539eb1 100644 --- a/plugins/inmemoryscanner/test/YaraInterface_unittest.cpp +++ b/plugins/inmemoryscanner/test/YaraInterface_unittest.cpp @@ -9,10 +9,11 @@ using VmiCore::PagingDefinitions::pageSizeInBytes; namespace InMemoryScanner { - std::vector constructPageWithContent(const std::string& string) + std::vector constructPageWithContent(const std::string& string, bool insertAtBack = false) { std::vector result(pageSizeInBytes, 0); - std::copy(string.begin(), string.end(), result.begin()); + auto insertPosition = insertAtBack ? result.end() - string.size() : result.begin(); + std::copy(string.begin(), string.end(), insertPosition); return result; } @@ -84,9 +85,9 @@ namespace InMemoryScanner } )"; auto yaraInterface = YaraInterface(compileYaraRules(rules)); - auto subRegion1 = constructPageWithContent("ABCD"); - auto subRegion2 = constructPageWithContent("DCBA"); - std::vector memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}}; + auto subRegion1 = constructPageWithContent("ABCD", true); + auto subRegion2 = constructPageWithContent("DCBA", false); + std::vector memoryRegions{{0x0, subRegion1}, {pageSizeInBytes, subRegion2}}; auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions); @@ -110,7 +111,7 @@ namespace InMemoryScanner auto subRegion1 = constructPageWithContent("ABCD"); auto subRegion2 = constructPageWithContent("DCBA"); std::vector memoryRegion1{{0x0, subRegion1}}; - std::vector memoryRegion2{{0x40, subRegion2}}; + std::vector memoryRegion2{{4 * pageSizeInBytes, subRegion2}}; auto matches1 = yaraInterface.scanMemory(memoryRegion1.front().guestBaseVA, memoryRegion1); auto matches2 = yaraInterface.scanMemory(memoryRegion2.front().guestBaseVA, memoryRegion2); @@ -135,8 +136,8 @@ namespace InMemoryScanner auto yaraInterface = YaraInterface(compileYaraRules(rules)); auto subRegion1 = constructPageWithContent("ABCD"); auto subRegion2 = constructPageWithContent("DCBA"); - std::vector memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}}; - Rule expectedMatch{"testRule", "default", {{"$test", 0x0}, {"$test2", 0x40}}}; + std::vector memoryRegions{{0x0, subRegion1}, {4 * pageSizeInBytes, subRegion2}}; + Rule expectedMatch{"testRule", "default", {{"$test", 0x0}, {"$test2", 4 * pageSizeInBytes}}}; auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions); @@ -171,9 +172,11 @@ namespace InMemoryScanner auto subRegion1 = constructPageWithContent("ABCD"); auto subRegion2 = constructPageWithContent("DCBA"); auto subRegion3 = constructPageWithContent("EFGH"); - std::vector memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}, {0x80, subRegion3}}; - Rule expectedMatch1{"testRule", "default", {{"$test", 0x0}, {"$test2", 0x40}}}; - Rule expectedMatch2{"testRule2", "default", {{"$test", 0x80}, {"$test2", 0x81}}}; + std::vector memoryRegions{ + {0x0, subRegion1}, {4 * pageSizeInBytes, subRegion2}, {8 * pageSizeInBytes, subRegion3}}; + Rule expectedMatch1{"testRule", "default", {{"$test", 0x0}, {"$test2", 4 * pageSizeInBytes}}}; + Rule expectedMatch2{ + "testRule2", "default", {{"$test", 8 * pageSizeInBytes}, {"$test2", 8 * pageSizeInBytes + 1}}}; auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions); diff --git a/vmicore/test/lib/plugins/mock_PluginSystem.h b/vmicore/test/lib/plugins/mock_PluginSystem.h index f4e489c9..c3f38e00 100644 --- a/vmicore/test/lib/plugins/mock_PluginSystem.h +++ b/vmicore/test/lib/plugins/mock_PluginSystem.h @@ -11,11 +11,6 @@ namespace VmiCore (addr_t, addr_t, std::size_t), (const override)); - MOCK_METHOD(std::unique_ptr>, - readProcessMemoryRegion, - (pid_t, addr_t, size_t), - (const override)); - MOCK_METHOD(std::unique_ptr>, getProcessMemoryRegions, (pid_t), (const override)); MOCK_METHOD(std::unique_ptr>>,