diff --git a/malduck/extractor/extract_manager.py b/malduck/extractor/extract_manager.py
index af3f77a..3d0fcd1 100644
--- a/malduck/extractor/extract_manager.py
+++ b/malduck/extractor/extract_manager.py
@@ -214,9 +214,6 @@ def push_procmem(
             family = self._extract_procmem(p, matches)
         for binary in binaries:
             family = self._extract_procmem(binary, matches) or family
-            binary_image = binary.image
-            if binary_image:
-                family = self._extract_procmem(binary_image, matches) or family
         return family
 
     @property
diff --git a/malduck/procmem/binmem.py b/malduck/procmem/binmem.py
index 668fb47..0be7daa 100644
--- a/malduck/procmem/binmem.py
+++ b/malduck/procmem/binmem.py
@@ -71,13 +71,22 @@ def load_binaries_from_memory(cls: Type[T], procmem: ProcessMemory) -> Iterator[
         """
         Looks for binaries in ProcessMemory object and yields specialized ProcessMemoryBinary objects
         :param procmem: ProcessMemory object to search
+
+        .. versionchanged:: 4.4.0
+
+            In addition to image=False binaries, it also returns image=True versions.
+            In previous versions it was done by extractor, so it was working only
+            if memory-aligned version was also "valid".
         """
         if cls.__magic__ is None:
             raise NotImplementedError()
         for binary_va in procmem.findv(cls.__magic__):
-            binary_procmem = cls.from_memory(procmem, base=binary_va)
-            if binary_procmem.is_valid():
-                yield binary_procmem
+            binary_procmem_dmp = cls.from_memory(procmem, base=binary_va)
+            if binary_procmem_dmp.is_valid():
+                yield binary_procmem_dmp
+            binary_procmem_img = binary_procmem_dmp.image
+            if binary_procmem_img and binary_procmem_img.is_valid():
+                yield binary_procmem_img
 
     @abstractmethod
     def is_image_loaded_as_memdump(self) -> bool:
diff --git a/setup.cfg b/setup.cfg
index 29ffb55..a567b61 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -23,3 +23,6 @@ ignore_missing_imports = True
 
 [mypy-ida_bytes.*]
 ignore_missing_imports = True
+
+[mypy-dnfile.*]
+ignore_missing_imports = True
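Review bot: In the binmem.py hunk, `binary_procmem_img = binary_procmem_dmp.image` now runs on every magic hit, including candidates that just failed `is_valid()`, so header parsing of unvalidated, attacker-controlled memory happens outside the guard that used to precede it in the extractor. If the `.image` property can raise on a malformed header (a stray `MZ` with a garbage section table is routine in a dumped malware process; I cannot see the property's body here) that exception escapes the generator and aborts the whole scan, hiding every binary located after the bad candidate — either confirm `.image` already returns None for unparsable input, or catch its parse errors at this line and `continue` to the next `binary_va`, logging the skipped offset. The docstring should also state the new shape of the output, e.g. `Each candidate at binary_va may be yielded twice: the memory-aligned (image=False) view first, then the file-aligned (image=True) view; the image view is attempted even when the dump view fails validation.` The function's `def` line is above the hunk; its body ends inside it.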