
Commit e86981c

committed
Various: Update yarascan plugins to output LayerData instead of just bytes
1 parent 6f599fa commit e86981c

3 files changed

+30
-12
lines changed


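--- a/volatility3/framework/plugins/linux/vmayarascan.py
+++ b/volatility3/framework/plugins/linux/vmayarascan.py
@@ -17,8 +17,8 @@
 class VmaYaraScan(interfaces.plugins.PluginInterface):
 """Scans all virtual memory areas for tasks using yara."""
 
-_required_framework_version = (2, 4, 0)
-_version = (1, 0, 3)
+_required_framework_version = (2, 22, 0)
+_version = (1, 0, 4)
 
 @classmethod
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -97,12 +97,18 @@ def _generator(self):
 for offset, rule_name, name, value in scanner(
 proc_layer.read(start, size, pad=True), start
 ):
+layer_data = renderers.LayerData(
+context=self.context,
+offset=offset,
+layer_name=proc_layer.name,
+length=len(value),
+)
 yield 0, (
 format_hints.Hex(offset),
 task.tgid,
 rule_name,
 name,
-value,
+layer_data,
 )
 
 @classmethod
@@ -130,7 +136,7 @@ def run(self):
 ("PID", int),
 ("Rule", str),
 ("Component", str),
-("Value", bytes),
+("Value", renderers.LayerData),
 ],
 self._generator(),
 )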
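Review bot: The matched bytes in `value` are no longer carried in the row; only `len(value)` survives, and the "Value" column now holds a `renderers.LayerData` that a consumer must resolve by re-reading `length` bytes at `offset` from `proc_layer` — the scan itself read with `pad=True`, and whether the later re-read pads the same way is not visible here, so a match that straddles an unmapped page could render differently from what the rule actually matched; a short comment on the `layer_data = ...` line stating that the column is a reference into the layer rather than a copy of the match would make this contract explicit. The same six-line construction is repeated verbatim in `_generator` of `vadyarascan.py` and `yarascan.py`; a small shared helper taking `(context, layer_name, offset, length)` would keep the three in step. Changing the "Value" column type from `bytes` to `renderers.LayerData` is an output-schema change for anything consuming the TreeGrid, which reads as more than the patch-level `_version` bump given in each file. `_generator` starts and ends outside this hunk.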

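--- a/volatility3/framework/plugins/windows/vadyarascan.py
+++ b/volatility3/framework/plugins/windows/vadyarascan.py
@@ -17,8 +17,8 @@
 class VadYaraScan(interfaces.plugins.PluginInterface):
 """Scans all the Virtual Address Descriptor memory maps using yara."""
 
-_required_framework_version = (2, 4, 0)
-_version = (1, 1, 2)
+_required_framework_version = (2, 22, 0)
+_version = (1, 1, 3)
 
 @classmethod
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -93,12 +93,18 @@ def _generator(self):
 for offset, rule_name, name, value in scanner(
 layer.read(start, size, pad=True), start
 ):
+layer_data = renderers.LayerData(
+context=self.context,
+offset=offset,
+layer_name=layer.name,
+length=len(value),
+)
 yield 0, (
 format_hints.Hex(offset),
 task.UniqueProcessId,
 rule_name,
 name,
-value,
+layer_data,
 )
 
 @classmethod
@@ -126,7 +132,7 @@ def run(self):
 ("PID", int),
 ("Rule", str),
 ("Component", str),
-("Value", bytes),
+("Value", renderers.LayerData),
 ],
 self._generator(),
 )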

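--- a/volatility3/framework/plugins/yarascan.py
+++ b/volatility3/framework/plugins/yarascan.py
@@ -105,8 +105,8 @@ def from_file(cls, filepath):
 class YaraScan(plugins.PluginInterface):
 """Scans kernel memory using yara rules (string or file)."""
 
-_required_framework_version = (2, 0, 0)
-_version = (2, 0, 0)
+_required_framework_version = (2, 22, 0)
+_version = (2, 0, 1)
 _yara_x = USE_YARA_X
 
 @classmethod
@@ -201,15 +201,21 @@ def _generator(self):
 for offset, rule_name, name, value in layer.scan(
 context=self.context, scanner=YaraScanner(rules=rules)
 ):
-yield 0, (format_hints.Hex(offset), rule_name, name, value)
+layer_data = renderers.LayerData(
+context=self.context,
+offset=offset,
+layer_name=layer.name,
+length=len(value),
+)
+yield 0, (format_hints.Hex(offset), rule_name, name, layer_data)
 
 def run(self):
 return renderers.TreeGrid(
 [
 ("Offset", format_hints.Hex),
 ("Rule", str),
 ("Component", str),
-("Value", bytes),
+("Value", renderers.LayerData),
 ],
 self._generator(),
 )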
