[Forensics-changes] [yara] 285/415: Improvements and bug fixes in yr_process_get_memory contributed by Robin Keir
Hilko Bengen
bengen at moszumanska.debian.org
Thu Apr 3 05:43:15 UTC 2014
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to branch debian
in repository yara.
commit 54d1025f8aba5c3df34b7f0abaff3cdafb6b7c11
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date: Tue Dec 3 23:58:28 2013 +0100
Improvements and bug fixes in yr_process_get_memory contributed by Robin Keir
---
libyara/proc.c | 64 ++++++++++++++++++++++++++++++----------------------------
1 file changed, 33 insertions(+), 31 deletions(-)
diff --git a/libyara/proc.c b/libyara/proc.c
index 9925622..527dfd1 100644
--- a/libyara/proc.c
+++ b/libyara/proc.c
@@ -74,48 +74,50 @@ int yr_process_get_memory(
address = si.lpMinimumApplicationAddress;
- while (address < si.lpMaximumApplicationAddress)
+ while (VirtualQueryEx(hProcess, address, &mbi, sizeof(mbi)) != 0)
{
- if (VirtualQueryEx(hProcess, address, &mbi, sizeof(mbi)) != 0)
+ if (mbi.State == MEM_COMMIT && ((mbi.Protect & PAGE_NOACCESS) == 0))
{
- if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS)
- {
- data = (unsigned char*) yr_malloc(mbi.RegionSize);
+ data = (unsigned char*) yr_malloc(mbi.RegionSize);
- if (data == NULL)
- return ERROR_INSUFICIENT_MEMORY;
+ if (data == NULL)
+ return ERROR_INSUFICIENT_MEMORY;
- if (ReadProcessMemory(hProcess, address, data, mbi.RegionSize, &read))
- {
- new_block = (YR_MEMORY_BLOCK*) yr_malloc(sizeof(YR_MEMORY_BLOCK));
+ if (ReadProcessMemory(
+ hProcess,
+ mbi.BaseAddress,
+ data,
+ mbi.RegionSize,
+ &read))
+ {
+ new_block = (YR_MEMORY_BLOCK*) yr_malloc(sizeof(YR_MEMORY_BLOCK));
- if (new_block == NULL)
- {
- yr_free(data);
- return ERROR_INSUFICIENT_MEMORY;
- }
+ if (new_block == NULL)
+ {
+ yr_free(data);
+ return ERROR_INSUFICIENT_MEMORY;
+ }
- if (*first_block == NULL)
- *first_block = new_block;
+ if (*first_block == NULL)
+ *first_block = new_block;
- new_block->base = (size_t) mbi.BaseAddress;
- new_block->size = mbi.RegionSize;
- new_block->data = data;
- new_block->next = NULL;
+ new_block->base = (size_t) mbi.BaseAddress;
+ new_block->size = mbi.RegionSize;
+ new_block->data = data;
+ new_block->next = NULL;
- if (current_block != NULL)
- current_block->next = new_block;
+ if (current_block != NULL)
+ current_block->next = new_block;
- current_block = new_block;
- }
- else
- {
- yr_free(data);
- }
+ current_block = new_block;
+ }
+ else
+ {
+ yr_free(data);
}
-
- address = (PVOID)((DWORD) mbi.BaseAddress + mbi.RegionSize);
}
+
+ address = (PVOID)((ULONG_PTR) mbi.BaseAddress + mbi.RegionSize);
}
return ERROR_SUCCESS;
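Review bot: The new region filter at `if (mbi.State == MEM_COMMIT && ((mbi.Protect & PAGE_NOACCESS) == 0))` still lets PAGE_GUARD regions (typically the guard page at the end of each target thread's stack) reach ReadProcessMemory; a read there fails and, as far as I recall, can clear the guard status in the target, which is unwelcome for a tool that is meant to observe a process without disturbing it, so I would extend the mask to `(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)) == 0`. The loop has also lost the `address < si.lpMaximumApplicationAddress` bound, so termination now rests entirely on VirtualQueryEx failing past the last user-mode region (and on `(ULONG_PTR) mbi.BaseAddress + mbi.RegionSize` not wrapping); keeping the bound is cheap, e.g. `while (address < si.lpMaximumApplicationAddress && VirtualQueryEx(hProcess, address, &mbi, sizeof(mbi)) != 0)`. `read` is still written by ReadProcessMemory but never compared with mbi.RegionSize before `new_block->size = mbi.RegionSize` is recorded; if a partial read is possible on the success path, the block would claim more bytes than were filled — worth a comment stating the assumption either way. yr_process_get_memory begins before this hunk and its closing brace lies after it.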
--