Dedup yara logic between windows/linux

Author: john-cado

varc_core/systems/base_system.py

@@ -12,6 +12,7 @@
 import logging
 import os
 import os.path
+from pathlib import Path
 import socket
 import tarfile
 import time
@@ -113,6 +114,15 @@ def __init__(
         if self.yara_file and not self.include_memory and _YARA_AVAILABLE:
             logging.info("YARA hits will be recorded only since include_memory is not selected.")
 
+        if self.include_memory:
+            if self.yara_file:
+                self.yara_scan()
+            self.dump_processes()
+
+            if self.extract_dumps:
+                from varc_core.utils import dumpfile_extraction
+                dumpfile_extraction.extract_dumps(Path(self.output_path))
+
     def get_network(self) -> List[str]:
         """Get active network connections
             
@@ -381,3 +391,5 @@ def yara_hit_callback(hit: dict) -> Any:
         else:
             logging.info("No YARA rules were triggered. Nothing will be written to the output archive.")
 
+    def dump_processes(self) -> None:
+        raise NotImplementedError()

varc_core/systems/linux.py

@@ -35,24 +35,6 @@ class IOVec(ctypes.Structure):
 
 
 class LinuxSystem(BaseSystem):
-    
-    def __init__(
-        self,
-        include_memory: bool,
-        include_open: bool,
-        extract_dumps: bool,
-        yara_file: Optional[str],
-        **kwargs: Any
-    ) -> None:
-        super().__init__(include_memory=include_memory, include_open=include_open, extract_dumps=extract_dumps, yara_file=yara_file, **kwargs)
-        if self.include_memory:
-            if self.yara_file:
-                self.yara_scan()
-            self.dump_processes()
-
-            if self.extract_dumps:
-                from varc_core.utils import dumpfile_extraction
-                dumpfile_extraction.extract_dumps(Path(self.output_path))
 
     def parse_mem_map(self, pid: int, p_name: str) -> List[Tuple[int, int]]:
         """Returns a list of (start address, end address) tuples of the regions of process memory that are mapped

varc_core/systems/windows.py

@@ -15,27 +15,8 @@
 
    import pymem
 
-class WindowsSystem(BaseSystem):
-    """
-    """
-
-    def __init__(
-        self,
-        include_memory: bool,
-        include_open: bool,
-        extract_dumps: bool,
-        yara_file: Optional[str],
-        **kwargs: Any
-    ) -> None:
-        super().__init__(include_memory=include_memory, include_open=include_open, extract_dumps=extract_dumps, yara_file=yara_file, **kwargs)
-        if self.include_memory:
-            if self.yara_file:
-                self.yara_scan()
-            self.dump_processes()
 
-            if self.extract_dumps:
-                from varc_core.utils import dumpfile_extraction
-                dumpfile_extraction.extract_dumps(Path(self.output_path))
+class WindowsSystem(BaseSystem):
 
     def read_process(self, handle: int, address: int) -> Tuple[Optional[bytes], int]:
         """ Read a process. Based on pymems pattern module