Closed 35mpded closed 6 months ago
Related to #317
Not really. The issue raised by that user is about the hex output not being converted to strings as in volatility2. The issue I raised is that adjacent hex/strings are not displayed. In the old output in vol2 you used to show the next 15 offsets next to the match.
I made a dirty workaround. You have to use a regex to expand the context, then use awk and xxd to re-process the hex dump.
For example, to look for "usermath" in pid 544, with 32 bytes of extra context:
$ vol -f 0zapftis.vmem windows.vadyarascan.VadYaraScan --pid 544 --yara-rules "/usermath.{32}?/" |
awk '
# match rows begin with the hex offset; fields: offset, pid, rule, component, then the bytes
/^0x/{
  S=""
  for(i=5; i<NF; i++) {
    S=S sprintf("%s", $i)
  }
  print "PID:" $2 "\tRule:" $3 "\tComponent:" $4
  # turn the hex back into raw bytes and let xxd lay them out starting at the match offset
  system("echo " S " | xxd -r -ps | xxd -o " $1 " | sed \"s/^/0x/\"")
  print ""
  next
}
# drop the table header, pass every other line (banner etc.) through unchanged
/^Offset/{next}
{print}
'
Volatility 3 Framework 2.4.2 PDB scanning finished
PID:544 Rule:r1 Component:$a
0x4ad1f9ad: 7573 6572 6d61 7468 6572 7200 003b 015f usermatherr..;._
0x4ad1f9bd: 696e 6974 7465 726d 006d 005f 5f67 6574 initterm.m.__get
0x4ad1f9cd: 6d61 696e 6172 67 mainarg
PID:544 Rule:r1 Component:$a
0x77c5b578: 7573 6572 6d61 7468 6572 7200 5f5f 7468 usermatherr.__th
0x77c5b588: 7265 6164 6861 6e64 6c65 005f 5f74 6872 readhandle.__thr
0x77c5b598: 6561 6469 6400 5f eadid._
This issue is stale because it has been open for 200 days with no activity.
This issue was closed because it has been inactive for 60 days since being marked as stale.
The Volatility2 yarascan module used to show adjacent offsets, bytes/strings for a match on a rule. The Volatility3 yarascan module now only shows the bytes of the strings used as a rule. This creates a couple of issues while doing memory analysis:
Example 1 (Volatility2's yarascan output):
Example 2 (volatility3 yarascan output):
Example 3 (volatility2 yarascan output)
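The missing context the issue describes, and the awk/xxd workaround in the comment above, can also be handled with a small post-processor. The following is an added example written for this thread, not code from the Volatility project or from the commenter. It assumes the whitespace-separated row layout that the awk script parses (offset, PID, rule, component, then the matched bytes as hex, optionally followed by an ASCII rendering), and the sample output it parses is constructed, not captured from a real image. It rebuilds the Volatility2-style dump (two-byte groups plus an ASCII column, continuing at the match offset) and also builds the context-expanding regex rule the workaround relies on.

```python
import re

# A token is a byte only if it is exactly two hex digits; anything else (e.g. a trailing
# ASCII column, if the renderer emits one) ends the byte list, mirroring the awk loop.
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

# Constructed sample in the assumed yarascan text layout; not real tool output.
SAMPLE_OUTPUT = """\
Volatility 3 Framework 2.4.2
Offset\tPID\tRule\tComponent\tValue
0x4ad1f9ad\t544\tr1\t$a\t75 73 65 72 6d 61 74 68 65 72 72 00 00 3b 01 5f 69 6e 69 74
0x77c5b578\t544\tr1\t$a\t75 73 65 72 6d 61 74 68 65 72 72 00 5f 5f 74 68\tusermatherr.__th
"""


def context_rule(literal, extra_bytes):
    """Build the regex rule string used with --yara-rules to pull extra bytes after a match.

    Regex metacharacters in the literal are escaped so they match themselves.
    """
    escaped = re.sub(r"([.^$|()\[\]{}*+?\\])", r"\\\1", literal)
    return f"/{escaped}.{{{extra_bytes}}}/"


def parse_rows(text):
    """Return (offset, pid, rule, component, data) for each match row of the table."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # banner, header row, blank lines
        fields = line.split()
        if len(fields) < 5:
            continue  # a row with no bytes is not a match we can dump
        offset, pid, rule, component = int(fields[0], 16), int(fields[1]), fields[2], fields[3]
        hex_tokens = []
        for tok in fields[4:]:
            if not HEX_BYTE.match(tok):
                break  # stop at the first non-hex token (assumed ASCII column)
            hex_tokens.append(tok)
        rows.append((offset, pid, rule, component, bytes.fromhex("".join(hex_tokens))))
    return rows


def hexdump(data, base, width=16):
    """Render data as xxd-style lines: offset, two-byte hex groups, ASCII column."""
    pad = 5 * ((width + 1) // 2) - 1  # width of the hex column for a full line
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hex_part = " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2))
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"0x{base + i:08x}: {hex_part:<{pad}} {ascii_part}")
    return lines


def render(text, width=16):
    """Turn yarascan table text into per-match hex dumps with an identifying header."""
    out = []
    for offset, pid, rule, component, data in parse_rows(text):
        out.append(f"PID:{pid}\tRule:{rule}\tComponent:{component}")
        out.extend(hexdump(data, offset, width))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print("rule:", context_rule("usermath", 32))
    print(render(SAMPLE_OUTPUT))
```

Pipe the real plugin output into `render` (for example `render(sys.stdin.read())`) to get the same layout the awk pipeline produces, without spawning xxd per match; the `width` parameter controls how many bytes sit on one line.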