Module: rekall.plugins.windows.malware.yarascan

Class ContextBuffer

A class to manage hits and create contiguous context buffers.

Instance Methods
__init__(self, session)

add_hit(self, string_name, hit_offset, value)
get_combined_context_buffers(self)
Yields pseudo_data for each context containing all hits.
process_owners_from_physical_address(self, address)
Get the process owner from the physical address.
get_contexts(self, offset)
Get some context about this offset.

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Properties

Inherited from object: __class__

Method Details

__init__(self, session)
(Constructor)

x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__
(inherited documentation)

process_owners_from_physical_address(self, address)

Get the process owner from the physical address.

We could use the ptov() or rammap() plugins, but this is a much faster implementation that only cares about the identity of the owner.

get_contexts(self, offset)

Get some context about this offset.

We use this context to group similar yara hits into logical groups.

Returns:
  a list of things which can be used as contexts, i.e. values that are
  the same for all pages that belong to this context. Pages will be grouped
  by these contexts and evaluated together.
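The following is an added illustration of the grouping idea the docstrings above describe (get_contexts supplies a key per page, add_hit files each hit under that key, get_combined_context_buffers concatenates the hit pages of one context into a single pseudo buffer). It is example code, not Rekall's implementation: the page size, the owner table, the memory contents and the hit list are all constructed inline, and the choice to key unowned pages by their own page base so they are never merged is an assumption of this example.

```python
from collections import defaultdict

PAGE_SIZE = 0x1000  # assumed page size for the example


def page_base(address, page_size=PAGE_SIZE):
    """Round a physical address down to the base of its page."""
    return address & ~(page_size - 1)


class ContextBuffer:
    """Groups yara hits by the identity of the page owner and builds one
    pseudo buffer per owner so a multi-string rule can be evaluated over all
    of that owner's hit pages at once (added example, not Rekall's code)."""

    def __init__(self, owners, memory, page_size=PAGE_SIZE):
        self.owners = owners        # page base -> owner identity (constructed)
        self.memory = memory        # page base -> page bytes (constructed)
        self.page_size = page_size
        # context -> page base -> [(string_name, hit_offset, value), ...]
        self.hits = defaultdict(lambda: defaultdict(list))

    def process_owners_from_physical_address(self, address):
        """Return the owner identity of the page holding `address`, or None.
        Here a plain table lookup stands in for the address-space walk."""
        return self.owners.get(page_base(address, self.page_size))

    def get_contexts(self, offset):
        """Grouping keys for `offset`: the owner identity when known, else
        the page itself so unowned pages are never merged with anything."""
        owner = self.process_owners_from_physical_address(offset)
        if owner is None:
            return [("page", page_base(offset, self.page_size))]
        return [("owner", owner)]

    def add_hit(self, string_name, hit_offset, value):
        base = page_base(hit_offset, self.page_size)
        for context in self.get_contexts(hit_offset):
            self.hits[context][base].append((string_name, hit_offset, value))

    def get_combined_context_buffers(self):
        """Yield (context, pseudo_data, hits) per context. pseudo_data is the
        pages with hits concatenated in address order; hit offsets are rebased
        into pseudo_data so a scanner can re-run its rules on it directly."""
        for context, pages in self.hits.items():
            bases = sorted(pages)
            position = {b: i * self.page_size for i, b in enumerate(bases)}
            pseudo_data = b"".join(
                self.memory.get(b, b"\x00" * self.page_size) for b in bases)
            rebased = sorted(
                ((name, position[b] + (off - b), value)
                 for b in bases for name, off, value in pages[b]),
                key=lambda hit: hit[1])
            yield context, pseudo_data, rebased


# --- constructed sample data (not a real memory image) ---------------------
def _page_with(offset, value):
    page = bytearray(PAGE_SIZE)
    page[offset:offset + len(value)] = value
    return bytes(page)

OWNERS = {
    0x1000: "System (pid 4)",
    0x2000: "System (pid 4)",
    0x5000: "notepad.exe (pid 1234)",
    0x9000: "notepad.exe (pid 1234)",
}

MEMORY = {
    0x1000: _page_with(0x00, b"MZ"),
    0x2000: _page_with(0x10, b"evil"),
    0x5000: _page_with(0x00, b"MZ"),
    0x9000: _page_with(0x20, b"evil"),
    0xC000: _page_with(0x10, b"evil"),  # page with no known owner
}

SAMPLE_HITS = [
    ("$mz", 0x1000, b"MZ"),
    ("$str", 0x2010, b"evil"),
    ("$mz", 0x5000, b"MZ"),
    ("$str", 0x9020, b"evil"),
    ("$str", 0xC010, b"evil"),
]


def group_sample_hits():
    """Run the constructed hits through the buffer; returns
    {context: (pseudo_data, rebased_hits)}."""
    cb = ContextBuffer(OWNERS, MEMORY)
    for name, off, value in SAMPLE_HITS:
        cb.add_hit(name, off, value)
    return {ctx: (data, hits) for ctx, data, hits in cb.get_combined_context_buffers()}


if __name__ == "__main__":
    for ctx, (data, hits) in group_sample_hits().items():
        print(ctx, hex(len(data)), hits)
```

The two pages owned by notepad.exe are not physically adjacent (0x5000 and 0x9000), yet they land in one pseudo buffer with both strings present, which is what lets a rule requiring both $mz and $str match for that process; the unowned page at 0xC000 stays in a buffer of its own.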