@@ -18,6 +18,22 @@ class IOVec(ctypes.Structure):
1818 ("iov_len" , ctypes .c_size_t )
1919 ]
2020
21+
22+ _process_vm_readv = ctypes .CDLL ("libc.so.6" ).process_vm_readv
23+ _process_vm_readv .args = [ # type: ignore
24+ ctypes .c_int ,
25+ ctypes .POINTER (IOVec ),
26+ ctypes .c_ulong ,
27+ ctypes .POINTER (IOVec ),
28+ ctypes .c_ulong ,
29+ ctypes .c_ulong
30+ ]
31+ _process_vm_readv .restype = ctypes .c_ssize_t
32+
33+
34+ _MAX_VIRTUAL_PAGE_CHUNK = 256 * 1000 ** 2 # max number of megabytes that will be read at a time
35+
36+
2137class LinuxSystem (BaseSystem ):
2238
2339 def __init__ (
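Review bot: `_process_vm_readv.args = [...]` on line 23 sets a plain attribute that ctypes never consults; the attribute that drives argument conversion is `argtypes`, and the `# type: ignore` on that line is silencing exactly that mismatch, so the counts and flags passed from read_bytes are converted as C `int` rather than `c_ulong` and the IOVec pointers are never checked. Change it to `_process_vm_readv.argtypes = [` and drop the ignore. Loading libc at import time (line 22) also means the module now fails to import, rather than LinuxSystem failing to construct, on a system where the C library is not named `libc.so.6` (a musl-based distribution); `ctypes.util.find_library("c")` is the portable lookup if that matters here. The comment on `_MAX_VIRTUAL_PAGE_CHUNK` says "megabytes" but the value is a byte count, so `# maximum number of bytes read from one mapping per process_vm_readv call (256 000 000)` is the accurate wording.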
@@ -29,23 +45,11 @@ def __init__(
2945 ** kwargs : Any
3046 ) -> None :
3147 super ().__init__ (include_memory = include_memory , include_open = include_open , extract_dumps = extract_dumps , yara_file = yara_file , ** kwargs )
32- self .libc = ctypes .CDLL ("libc.so.6" )
33- self .process_vm_readv = self .libc .process_vm_readv
34- self .process_vm_readv .args = [ # type: ignore
35- ctypes .c_int ,
36- ctypes .POINTER (IOVec ),
37- ctypes .c_ulong ,
38- ctypes .POINTER (IOVec ),
39- ctypes .c_ulong ,
40- ctypes .c_ulong
41- ]
42- self .process_vm_readv .restype = ctypes .c_ssize_t
4348 if self .include_memory :
44- self ._MAX_VIRTUAL_PAGE_CHUNK = 256 * 1000 ** 2 # set max number of megabytes that will be read at a time
45- self .own_pid = getpid ()
4649 if self .yara_file :
4750 self .yara_scan ()
4851 self .dump_processes ()
52+
4953 if self .extract_dumps :
5054 from varc_core .utils import dumpfile_extraction
5155 dumpfile_extraction .extract_dumps (Path (self .output_path ))
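Review bot: Removing `self.process_vm_readv`, `self.own_pid` and `self._MAX_VIRTUAL_PAGE_CHUNK` from the instance (lines 32-45) is an interface change for any code outside this class that read those attributes, which would now raise AttributeError; if they were only ever used inside this file a changelog line is enough, otherwise keep thin aliases to the module-level names. `__init__`'s signature starts outside the hunk.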
@@ -90,7 +94,7 @@ def read_bytes(self, pid: int, address: int, byte: int) -> Optional[bytes]:
9094 io_dst = IOVec (ctypes .cast (ctypes .byref (buff ), ctypes .c_void_p ), byte )
9195 io_src = IOVec (ctypes .c_void_p (address ), byte )
9296
93- linux_syscall = self . process_vm_readv (pid , ctypes .byref (io_dst ), 1 , ctypes .byref (io_src ), 1 , 0 )
97+ linux_syscall = _process_vm_readv (pid , ctypes .byref (io_dst ), 1 , ctypes .byref (io_src ), 1 , 0 )
9498
9599 if linux_syscall == - 1 :
96100 return None
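Review bot: The check on line 99 only treats -1 as failure, but process_vm_readv returns the number of bytes actually copied, so a partial read (fewer than `byte`, for example when the requested range runs into an unmapped page) leaves the tail of `buff` as zeros that the remainder of read_bytes presumably returns as if they were process memory. Use `if linux_syscall < 0: return None` and trim the returned data to `linux_syscall` bytes; the return statement is outside this hunk. It is also worth loading libc with `use_errno=True` and logging `ctypes.get_errno()` on failure, since EPERM (ptrace scope or missing CAP_SYS_PTRACE) and EFAULT (unmapped address) tell the operator very different things about why a dump is incomplete.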
@@ -100,12 +104,13 @@ def read_bytes(self, pid: int, address: int, byte: int) -> Optional[bytes]:
100104 def dump_processes (self ) -> None :
101105 """Dumps all processes to temp files, adds temp file to output archive then removes the temp file"""
102106 archive_out = self .output_path
107+ own_pid = getpid ()
103108 with zipfile .ZipFile (archive_out , "a" , compression = zipfile .ZIP_DEFLATED ) as zip_file :
104109 try :
105110 for proc in tqdm (self .process_info , desc = "Process dump progess" , unit = " procs" ):
106111 # If scanning with YARA, only dump processes if they triggered a rule
107112 if self .yara_hit_pids :
108- if proc ["Process ID" ] not in self .yara_hit_pids or proc ["Process ID" ] == self . own_pid :
113+ if proc ["Process ID" ] not in self .yara_hit_pids or proc ["Process ID" ] == own_pid :
109114 continue
110115 pid = proc ["Process ID" ]
111116 p_name = proc ["Name" ]
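Review bot: `own_pid` is only consulted inside the `if self.yara_hit_pids:` branch (line 113), so when no rule fired, or no YARA file was given at all, the collector dumps its own process as well, presumably including the rules and partial archive it holds in memory; if self-exclusion is meant in general, hoist it above the YARA check as `if proc["Process ID"] == own_pid: continue`. Note also that the branch keys on whether there were hits rather than on whether a scan ran, so a scan with zero hits falls through to a full dump of every process; if that is intended, a comment saying so would save the next reader the same question. dump_processes continues outside the hunk.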
@@ -117,14 +122,14 @@ def dump_processes(self) -> None:
117122 for map in maps :
118123 page_start = map [0 ]
119124 page_len = map [1 ] - map [0 ]
120- if page_len > self . _MAX_VIRTUAL_PAGE_CHUNK :
121- sub_chunk_count , final_chunk_size = divmod (page_len , self . _MAX_VIRTUAL_PAGE_CHUNK )
125+ if page_len > _MAX_VIRTUAL_PAGE_CHUNK :
126+ sub_chunk_count , final_chunk_size = divmod (page_len , _MAX_VIRTUAL_PAGE_CHUNK )
122127 page_len = int (page_len / sub_chunk_count )
123128 for sc in range (0 , sub_chunk_count ):
124129 mem_page_content = self .read_bytes (pid , page_start , page_len )
125130 if mem_page_content :
126131 tmpfile .write (mem_page_content )
127- page_start = page_start + self . _MAX_VIRTUAL_PAGE_CHUNK
132+ page_start = page_start + _MAX_VIRTUAL_PAGE_CHUNK
128133 mem_page_content = self .read_bytes (pid , page_start , final_chunk_size )
129134 if mem_page_content :
130135 tmpfile .write (mem_page_content )
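Review bot: The per-chunk read length and the stride disagree: after the `divmod` on line 126, line 127 resets `page_len` to `int(page_len / sub_chunk_count)`, which is `_MAX_VIRTUAL_PAGE_CHUNK` plus the spread remainder, while `page_start` advances by exactly `_MAX_VIRTUAL_PAGE_CHUNK` on line 132, so consecutive reads overlap and the overlapped bytes are written to the dump twice (for a mapping between one and two chunks long the whole region is read in one call and its tail is then read again). That breaks the offset-to-address correspondence an analyst relies on when tracing a hit in the dump back to the live process. Replace line 127 with `page_len = _MAX_VIRTUAL_PAGE_CHUNK` so each iteration reads exactly one stride; the trailing `final_chunk_size` read then covers the remainder once. Smaller style points: `map` shadows the builtin and `sc` is unused (`for _ in range(sub_chunk_count):`). The enclosing loop and dump_processes continue outside the hunk.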