[Forensics-changes] [yara] 286/415: Improvements and bug fixes in yr_process_get_memory contributed by Robin Keir
Hilko Bengen
bengen at moszumanska.debian.org
Thu Apr 3 05:43:15 UTC 2014
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to branch debian
in repository yara.
commit 39eee48ebfc7f3b9e01241893999e5c14336c528
Author: Victor Manuel Alvarez <plusvic at gmail.com>
Date: Wed Dec 4 00:01:59 2013 +0100
Improvements and bug fixes in yr_process_get_memory contributed by Robin Keir
---
libyara/proc.c | 78 ++++++++++++++++++++++++++++------------------------------
1 file changed, 38 insertions(+), 40 deletions(-)
diff --git a/libyara/proc.c b/libyara/proc.c
index 86402dd..b8b2000 100644
--- a/libyara/proc.c
+++ b/libyara/proc.c
@@ -40,14 +40,14 @@ int get_process_memory(int pid, MEMORY_BLOCK** first_block)
HANDLE hProcess;
HANDLE hToken;
- if( OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) &&
+ if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) &&
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidDebug))
{
- tokenPriv.PrivilegeCount = 1;
- tokenPriv.Privileges[0].Luid = luidDebug;
- tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+ tokenPriv.PrivilegeCount = 1;
+ tokenPriv.Privileges[0].Luid = luidDebug;
+ tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
- AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(tokenPriv), NULL, NULL);
+ AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(tokenPriv), NULL, NULL);
}
hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
@@ -59,55 +59,53 @@ int get_process_memory(int pid, MEMORY_BLOCK** first_block)
return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
}
+
GetSystemInfo(&si);
address = si.lpMinimumApplicationAddress;
- while (address < si.lpMaximumApplicationAddress)
+ while (VirtualQueryEx(hProcess, address, &mbi, sizeof(mbi)) != 0)
{
- if (VirtualQueryEx(hProcess, address, &mbi, sizeof(mbi)) != 0)
- {
- if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS)
- {
- data = (unsigned char*) yr_malloc(mbi.RegionSize);
+ if (mbi.State == MEM_COMMIT && ((mbi.Protect & PAGE_NOACCESS) == 0))
+ {
+ data = (unsigned char*) yr_malloc(mbi.RegionSize);
- if (data == NULL)
- return ERROR_INSUFICIENT_MEMORY;
+ if (data == NULL)
+ return ERROR_INSUFICIENT_MEMORY;
- if (ReadProcessMemory(hProcess, address, data, mbi.RegionSize, &read))
- {
- new_block = (MEMORY_BLOCK*) yr_malloc(sizeof(MEMORY_BLOCK));
+ if (ReadProcessMemory(hProcess, mbi.BaseAddress, data, mbi.RegionSize, &read))
+ {
+ new_block = (MEMORY_BLOCK*) yr_malloc(sizeof(MEMORY_BLOCK));
- if (new_block == NULL)
- {
- yr_free(data);
- return ERROR_INSUFICIENT_MEMORY;
- }
+ if (new_block == NULL)
+ {
+ yr_free(data);
+ return ERROR_INSUFICIENT_MEMORY;
+ }
- if (*first_block == NULL)
- *first_block = new_block;
+ if (*first_block == NULL)
+ *first_block = new_block;
- new_block->base = (size_t) mbi.BaseAddress;
- new_block->size = mbi.RegionSize;
- new_block->data = data;
- new_block->next = NULL;
+ new_block->base = (size_t) mbi.BaseAddress;
+ new_block->size = mbi.RegionSize;
+ new_block->data = data;
+ new_block->next = NULL;
- if (current_block != NULL)
- current_block->next = new_block;
+ if (current_block != NULL)
+ current_block->next = new_block;
- current_block = new_block;
- }
- else
- {
- yr_free(data);
- }
- }
+ current_block = new_block;
+ }
+ else
+ {
+ yr_free(data);
+ }
+ }
- address = (PVOID)((DWORD) mbi.BaseAddress + mbi.RegionSize);
- }
- }
+ address = (PVOID)((ULONG_PTR) mbi.BaseAddress + mbi.RegionSize);
+ }
- return ERROR_SUCCESS;
+ return ERROR_SUCCESS;
}
#else
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git
More information about the forensics-changes
mailing list