special review commit for kevin

GDATASoftwareAG · Jan 10, 2024 · b5f683b · b5f683b
1 parent 2298e29
commit b5f683b
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 14 deletions.
diff --git a/plugins/inmemoryscanner/src/lib/Scanner.cpp b/plugins/inmemoryscanner/src/lib/Scanner.cpp
@@ -83,12 +83,11 @@ namespace InMemoryScanner
         auto frontRegionSpan = regions.front().asSpan();
         std::ranges::copy(frontRegionSpan.begin(), frontRegionSpan.end(), std::back_inserter(result));
 
+        // copy the rest of the regions with a padding page in between each chunk
         for (std::size_t i = 1; i < regions.size(); i++)
         {
-            const auto& region = regions[i];
-            // padding page
             result.insert(result.end(), pageSizeInBytes, 0);
-            auto regionSpan = region.asSpan();
+            auto regionSpan = regions[i].asSpan();
             std::ranges::copy(regionSpan.begin(), regionSpan.end(), std::back_inserter(result));
         }
 

diff --git a/plugins/inmemoryscanner/test/YaraInterface_unittest.cpp b/plugins/inmemoryscanner/test/YaraInterface_unittest.cpp
@@ -9,10 +9,11 @@ using VmiCore::PagingDefinitions::pageSizeInBytes;
 
 namespace InMemoryScanner
 {
-    std::vector<uint8_t> constructPageWithContent(const std::string& string)
+    std::vector<uint8_t> constructPageWithContent(const std::string& string, bool insertAtBack = false)
     {
         std::vector<uint8_t> result(pageSizeInBytes, 0);
-        std::copy(string.begin(), string.end(), result.begin());
+        auto insertPosition = insertAtBack ? result.end() - string.size() : result.begin();
+        std::copy(string.begin(), string.end(), insertPosition);
         return result;
     }
 
@@ -84,9 +85,9 @@ namespace InMemoryScanner
                         }
                     )";
         auto yaraInterface = YaraInterface(compileYaraRules(rules));
-        auto subRegion1 = constructPageWithContent("ABCD");
-        auto subRegion2 = constructPageWithContent("DCBA");
-        std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}};
+        auto subRegion1 = constructPageWithContent("ABCD", true);
+        auto subRegion2 = constructPageWithContent("DCBA", false);
+        std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {pageSizeInBytes, subRegion2}};
 
         auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);
 
@@ -110,7 +111,7 @@ namespace InMemoryScanner
         auto subRegion1 = constructPageWithContent("ABCD");
         auto subRegion2 = constructPageWithContent("DCBA");
         std::vector<VmiCore::MappedRegion> memoryRegion1{{0x0, subRegion1}};
-        std::vector<VmiCore::MappedRegion> memoryRegion2{{0x40, subRegion2}};
+        std::vector<VmiCore::MappedRegion> memoryRegion2{{4 * pageSizeInBytes, subRegion2}};
 
         auto matches1 = yaraInterface.scanMemory(memoryRegion1.front().guestBaseVA, memoryRegion1);
         auto matches2 = yaraInterface.scanMemory(memoryRegion2.front().guestBaseVA, memoryRegion2);
@@ -135,8 +136,8 @@ namespace InMemoryScanner
         auto yaraInterface = YaraInterface(compileYaraRules(rules));
         auto subRegion1 = constructPageWithContent("ABCD");
         auto subRegion2 = constructPageWithContent("DCBA");
-        std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}};
-        Rule expectedMatch{"testRule", "default", {{"$test", 0x0}, {"$test2", 0x40}}};
+        std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {4 * pageSizeInBytes, subRegion2}};
+        Rule expectedMatch{"testRule", "default", {{"$test", 0x0}, {"$test2", 4 * pageSizeInBytes}}};
 
         auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);
 
@@ -171,9 +172,11 @@ namespace InMemoryScanner
         auto subRegion1 = constructPageWithContent("ABCD");
         auto subRegion2 = constructPageWithContent("DCBA");
         auto subRegion3 = constructPageWithContent("EFGH");
-        std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}, {0x80, subRegion3}};
-        Rule expectedMatch1{"testRule", "default", {{"$test", 0x0}, {"$test2", 0x40}}};
-        Rule expectedMatch2{"testRule2", "default", {{"$test", 0x80}, {"$test2", 0x81}}};
+        std::vector<VmiCore::MappedRegion> memoryRegions{
+            {0x0, subRegion1}, {4 * pageSizeInBytes, subRegion2}, {8 * pageSizeInBytes, subRegion3}};
+        Rule expectedMatch1{"testRule", "default", {{"$test", 0x0}, {"$test2", 4 * pageSizeInBytes}}};
+        Rule expectedMatch2{
+            "testRule2", "default", {{"$test", 8 * pageSizeInBytes}, {"$test2", 8 * pageSizeInBytes + 1}}};
 
         auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);