special review commit for kevin

plugins/inmemoryscanner/src/lib/Scanner.cpp

@@ -83,12 +83,11 @@ namespace InMemoryScanner
         auto frontRegionSpan = regions.front().asSpan();
         std::ranges::copy(frontRegionSpan.begin(), frontRegionSpan.end(), std::back_inserter(result));
 
+        // copy the rest of the regions with a padding page in between each chunk
         for (std::size_t i = 1; i < regions.size(); i++)
         {
-            const auto& region = regions[i];
-            // padding page
             result.insert(result.end(), pageSizeInBytes, 0);
-            auto regionSpan = region.asSpan();
+            auto regionSpan = regions[i].asSpan();
             std::ranges::copy(regionSpan.begin(), regionSpan.end(), std::back_inserter(result));
         }
 

plugins/inmemoryscanner/test/YaraInterface_unittest.cpp

@@ -9,10 +9,11 @@ using VmiCore::PagingDefinitions::pageSizeInBytes;
 
 namespace InMemoryScanner
 {
-    std::vector<uint8_t> constructPageWithContent(const std::string& string)
+    std::vector<uint8_t> constructPageWithContent(const std::string& string, bool insertAtBack = false)
     {
         std::vector<uint8_t> result(pageSizeInBytes, 0);
-        std::copy(string.begin(), string.end(), result.begin());
+        auto insertPosition = insertAtBack ? result.end() - string.size() : result.begin();
+        std::copy(string.begin(), string.end(), insertPosition);
         return result;
     }
 
@@ -84,9 +85,9 @@ namespace InMemoryScanner
                         }
                     )";
         auto yaraInterface = YaraInterface(compileYaraRules(rules));
-        auto subRegion1 = constructPageWithContent("ABCD");
-        auto subRegion2 = constructPageWithContent("DCBA");
-        std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}};
+        auto subRegion1 = constructPageWithContent("ABCD", true);
+        auto subRegion2 = constructPageWithContent("DCBA", false);
+        std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {pageSizeInBytes, subRegion2}};
 
         auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);
 
@@ -110,7 +111,7 @@ namespace InMemoryScanner
         auto subRegion1 = constructPageWithContent("ABCD");
         auto subRegion2 = constructPageWithContent("DCBA");
         std::vector<VmiCore::MappedRegion> memoryRegion1{{0x0, subRegion1}};
-        std::vector<VmiCore::MappedRegion> memoryRegion2{{0x40, subRegion2}};
+        std::vector<VmiCore::MappedRegion> memoryRegion2{{4 * pageSizeInBytes, subRegion2}};
 
         auto matches1 = yaraInterface.scanMemory(memoryRegion1.front().guestBaseVA, memoryRegion1);
         auto matches2 = yaraInterface.scanMemory(memoryRegion2.front().guestBaseVA, memoryRegion2);
@@ -135,8 +136,8 @@ namespace InMemoryScanner
         auto yaraInterface = YaraInterface(compileYaraRules(rules));
         auto subRegion1 = constructPageWithContent("ABCD");
         auto subRegion2 = constructPageWithContent("DCBA");
-        std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}};
-        Rule expectedMatch{"testRule", "default", {{"$test", 0x0}, {"$test2", 0x40}}};
+        std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {4 * pageSizeInBytes, subRegion2}};
+        Rule expectedMatch{"testRule", "default", {{"$test", 0x0}, {"$test2", 4 * pageSizeInBytes}}};
 
         auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);
 
@@ -171,9 +172,11 @@ namespace InMemoryScanner
         auto subRegion1 = constructPageWithContent("ABCD");
         auto subRegion2 = constructPageWithContent("DCBA");
         auto subRegion3 = constructPageWithContent("EFGH");
-        std::vector<VmiCore::MappedRegion> memoryRegions{{0x0, subRegion1}, {0x40, subRegion2}, {0x80, subRegion3}};
-        Rule expectedMatch1{"testRule", "default", {{"$test", 0x0}, {"$test2", 0x40}}};
-        Rule expectedMatch2{"testRule2", "default", {{"$test", 0x80}, {"$test2", 0x81}}};
+        std::vector<VmiCore::MappedRegion> memoryRegions{
+            {0x0, subRegion1}, {4 * pageSizeInBytes, subRegion2}, {8 * pageSizeInBytes, subRegion3}};
+        Rule expectedMatch1{"testRule", "default", {{"$test", 0x0}, {"$test2", 4 * pageSizeInBytes}}};
+        Rule expectedMatch2{
+            "testRule2", "default", {{"$test", 8 * pageSizeInBytes}, {"$test2", 8 * pageSizeInBytes + 1}}};
 
         auto matches = yaraInterface.scanMemory(memoryRegions.front().guestBaseVA, memoryRegions);
 

vmicore/src/include/vmicore/vmi/IMemoryMapping.h

@@ -20,8 +20,8 @@ namespace VmiCore
         virtual ~IMemoryMapping() = default;
 
         /**
-         * Retrieves a set memory mapping descriptors. See MappedRegion.h for details. Elements are ordered from lowest
-         * to highest guest VA.
+         * Retrieves a set of memory mapping descriptors. See MappedRegion.h for details. Elements are ordered from
+         * lowest to highest guest VA.
          *
          * @throws MemoryMappingError Will occur if unmap has already been called.
          */

vmicore/src/lib/plugins/PluginSystem.cpp

@@ -1,5 +1,6 @@
 #include "PluginSystem.h"
 #include "../vmi/MemoryMapping.h"
+#include "PluginException.h"
 #include <bit>
 #include <cstdint>
 #include <dlfcn.h>

vmicore/src/lib/plugins/PluginSystem.h

@@ -8,7 +8,6 @@
 #include "../os/IActiveProcessesSupervisor.h"
 #include "../vmi/InterruptEventSupervisor.h"
 #include "../vmi/LibvmiInterface.h"
-#include "PluginException.h"
 #include <cstdint>
 #include <functional>
 #include <map>

vmicore/src/lib/vmi/MemoryMapping.h

@@ -34,6 +34,6 @@ namespace VmiCore
         mapped_regions_t libvmiMappings;
         bool isMapped = true;
     };
-} // VmiCore
+}
 
 #endif // VMICORE_MEMORYMAPPING_H

vmicore/test/lib/plugins/mock_PluginSystem.h

@@ -11,13 +11,6 @@ namespace VmiCore
                     (addr_t, addr_t, std::size_t),
                     (const override));
 
-        MOCK_METHOD(std::unique_ptr<std::vector<uint8_t>>,
-                    readProcessMemoryRegion,
-                    (pid_t, addr_t, size_t),
-                    (const override));
-
-        MOCK_METHOD(std::unique_ptr<std::vector<MemoryRegion>>, getProcessMemoryRegions, (pid_t), (const override));
-
         MOCK_METHOD(std::unique_ptr<std::vector<std::shared_ptr<const ActiveProcessInformation>>>,
                     getRunningProcesses,
                     (),

vmicore/test/lib/vmi/MemoryMapping_UnitTest.cpp

@@ -1,124 +1,29 @@
 #include "../io/mock_Logging.h"
+#include "mock_LibvmiInterface.h"
 #include <gtest/gtest.h>
 #include <vmi/MemoryMapping.h>
-#include <vmicore/os/PagingDefinitions.h>
 
 using testing::NiceMock;
-using VmiCore::PagingDefinitions::numberOfPageIndexBits;
-using VmiCore::PagingDefinitions::pageSizeInBytes;
-/*
+
 namespace VmiCore
 {
-    constexpr uint64_t testBaseVA = 0x123 << numberOfPageIndexBits;
-
-    TEST(MemoryMappingTest, constructor_emptyAccessPointers_emptyMappings)
-    {
-        auto accessPointers = std::vector<void*>{};
-
-        auto memoryMapping = MemoryMapping(testBaseVA, accessPointers, std::make_shared<NiceMock<MockLogging>>());
-
-        EXPECT_EQ(memoryMapping.getSizeInGuest(), 0);
-        EXPECT_TRUE(memoryMapping.getMappedRegions().lock()->empty());
-    }
-
-    TEST(MemoryMappingTest, constructor_AccessPointersWithNullPointersOnly_emptyMappings)
-    {
-        auto accessPointers = std::vector<void*>{nullptr, nullptr};
-
-        auto memoryMapping = MemoryMapping(testBaseVA, accessPointers, std::make_shared<NiceMock<MockLogging>>());
-
-        EXPECT_EQ(memoryMapping.getSizeInGuest(), 2 * pageSizeInBytes);
-        EXPECT_TRUE(memoryMapping.getMappedRegions().lock()->empty());
-    }
-
-    TEST(MemoryMappingTest, constructor_continguousRegion_correctMapping)
-    {
-        auto accessPointers = std::vector<void*>{reinterpret_cast<void*>(0x1 << numberOfPageIndexBits),
-                                                 reinterpret_cast<void*>(0x2 << numberOfPageIndexBits),
-                                                 reinterpret_cast<void*>(0x3 << numberOfPageIndexBits)};
-        auto expectedMappedRegions = std::vector<MappedRegion>{MappedRegion{
-            testBaseVA, std::span(reinterpret_cast<uint8_t*>(0x1 << numberOfPageIndexBits), 3 * pageSizeInBytes)}};
-
-        auto memoryMapping = MemoryMapping(testBaseVA, accessPointers, std::make_shared<NiceMock<MockLogging>>());
-
-        EXPECT_EQ(memoryMapping.getSizeInGuest(), accessPointers.size() * pageSizeInBytes);
-        EXPECT_EQ(*memoryMapping.getMappedRegions().lock(), expectedMappedRegions);
-    }
-
-    TEST(MemoryMappingTest, constructor_twoRegions_correctMapping)
-    {
-        auto accessPointers = std::vector<void*>{reinterpret_cast<void*>(0x1 << numberOfPageIndexBits),
-                                                 nullptr,
-                                                 reinterpret_cast<void*>(0x2 << numberOfPageIndexBits),
-                                                 reinterpret_cast<void*>(0x3 << numberOfPageIndexBits)};
-        auto expectedMappedRegions = std::vector<MappedRegion>{
-            {testBaseVA, {reinterpret_cast<uint8_t*>(0x1 << numberOfPageIndexBits), pageSizeInBytes}},
-            {testBaseVA + 2 * pageSizeInBytes,
-             {reinterpret_cast<uint8_t*>(0x2 << numberOfPageIndexBits), 2 * pageSizeInBytes}}};
-
-        auto memoryMapping = MemoryMapping(testBaseVA, accessPointers, std::make_shared<NiceMock<MockLogging>>());
-
-        EXPECT_EQ(memoryMapping.getSizeInGuest(), accessPointers.size() * pageSizeInBytes);
-        EXPECT_EQ(*memoryMapping.getMappedRegions().lock(), expectedMappedRegions);
-    }
-
-    TEST(MemoryMappingTest, constructor_twoRegionsWithlastPageUnmapped_correctMapping)
+    TEST(MemoryMappingTest, getMappedRegions_validState_mappings)
     {
-        auto accessPointers = std::vector<void*>{reinterpret_cast<void*>(0x1 << numberOfPageIndexBits),
-                                                 nullptr,
-                                                 nullptr,
-                                                 reinterpret_cast<void*>(0x2 << numberOfPageIndexBits),
-                                                 reinterpret_cast<void*>(0x3 << numberOfPageIndexBits),
-                                                 nullptr};
-        auto expectedMappedRegions = std::vector<MappedRegion>{
-            {testBaseVA, {reinterpret_cast<uint8_t*>(0x1 << numberOfPageIndexBits), pageSizeInBytes}},
-            {testBaseVA + 3 * pageSizeInBytes,
-             {reinterpret_cast<uint8_t*>(0x2 << numberOfPageIndexBits), 2 * pageSizeInBytes}}};
-
-        auto memoryMapping = MemoryMapping(testBaseVA, accessPointers, std::make_shared<NiceMock<MockLogging>>());
-
-        EXPECT_EQ(memoryMapping.getSizeInGuest(), accessPointers.size() * pageSizeInBytes);
-        EXPECT_EQ(*memoryMapping.getMappedRegions().lock(), expectedMappedRegions);
-    }
-
-    TEST(MemoryMappingTest, constructor_threeRegions_correctMapping)
-    {
-        auto accessPointers = std::vector<void*>{reinterpret_cast<void*>(0x1 << numberOfPageIndexBits),
-                                                 nullptr,
-                                                 nullptr,
-                                                 reinterpret_cast<void*>(0x2 << numberOfPageIndexBits),
-                                                 reinterpret_cast<void*>(0x3 << numberOfPageIndexBits),
-                                                 nullptr,
-                                                 reinterpret_cast<void*>(0x4 << numberOfPageIndexBits),
-                                                 nullptr};
-        auto expectedMappedRegions = std::vector<MappedRegion>{
-            {testBaseVA, {reinterpret_cast<uint8_t*>(0x1 << numberOfPageIndexBits), pageSizeInBytes}},
-            {testBaseVA + 3 * pageSizeInBytes,
-             {reinterpret_cast<uint8_t*>(0x2 << numberOfPageIndexBits), 2 * pageSizeInBytes}},
-            {testBaseVA + 6 * pageSizeInBytes,
-             {reinterpret_cast<uint8_t*>(0x4 << numberOfPageIndexBits), pageSizeInBytes}}};
-
-        auto memoryMapping = MemoryMapping(testBaseVA, accessPointers, std::make_shared<NiceMock<MockLogging>>());
+        auto memoryMapping = MemoryMapping(std::make_shared<NiceMock<MockLogging>>(),
+                                           std::make_shared<NiceMock<MockLibvmiInterface>>(),
+                                           mapped_regions_t{});
 
-        EXPECT_EQ(memoryMapping.getSizeInGuest(), accessPointers.size() * pageSizeInBytes);
-        EXPECT_EQ(*memoryMapping.getMappedRegions().lock(), expectedMappedRegions);
+        EXPECT_NO_THROW(auto _mappings = memoryMapping.getMappedRegions());
     }
 
-    TEST(MemoryMappingTest, constructor_firstTwoPagesUnmapped_correctMapping)
+    TEST(MemoryMappingTest, getMappedRegions_alreadyUnmapped_throws)
     {
-        auto accessPointers = std::vector<void*>{nullptr,
-                                                 nullptr,
-                                                 reinterpret_cast<void*>(0x1 << numberOfPageIndexBits),
-                                                 reinterpret_cast<void*>(0x2 << numberOfPageIndexBits),
-                                                 reinterpret_cast<void*>(0x3 << numberOfPageIndexBits)};
-        auto expectedMappedRegions = std::vector<MappedRegion>{
-            {testBaseVA + 2 * pageSizeInBytes,
-             {reinterpret_cast<uint8_t*>(0x1 << numberOfPageIndexBits), 3 * pageSizeInBytes}}};
+        auto memoryMapping = MemoryMapping(std::make_shared<NiceMock<MockLogging>>(),
+                                           std::make_shared<NiceMock<MockLibvmiInterface>>(),
+                                           mapped_regions_t{});
 
-        auto memoryMapping = MemoryMapping(testBaseVA, accessPointers, std::make_shared<NiceMock<MockLogging>>());
+        memoryMapping.unmap();
 
-        EXPECT_EQ(memoryMapping.getSizeInGuest(), accessPointers.size() * pageSizeInBytes);
-        EXPECT_EQ(*memoryMapping.getMappedRegions().lock(), expectedMappedRegions);
+        EXPECT_ANY_THROW(auto _mappings = memoryMapping.getMappedRegions());
     }
 }
-*/