@@ -33,9 +33,6 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
3333 requirements .PluginRequirement (
3434 name = "yarascan" , plugin = yarascan .YaraScan , version = (2 , 0 , 0 )
3535 ),
36- requirements .VersionRequirement (
37- name = "yarascanner" , component = yarascan .YaraScanner , version = (2 , 1 , 0 )
38- ),
3936 requirements .ModuleRequirement (
4037 name = "kernel" ,
4138 description = "Linux kernel" ,
@@ -69,19 +66,29 @@ def _generator(self):
6966 # get the proc_layer object from the context
7067 proc_layer = self .context .layers [proc_layer_name ]
7168
72- # scan the process layer with the yarascanner
73- for offset , rule_name , name , value in proc_layer .scan (
74- context = self .context ,
75- scanner = yarascan .YaraScanner (rules = rules ),
76- sections = self .get_vma_maps (task ),
77- ):
78- yield 0 , (
79- format_hints .Hex (offset ),
80- task .tgid ,
81- rule_name ,
82- name ,
83- value ,
84- )
69+ for start , end in self .get_vma_maps (task ):
70+ for match in rules .match (
71+ data = proc_layer .read (start , end - start , True )
72+ ):
73+ if yarascan .YaraScan .yara_returns_instances ():
74+ for match_string in match .strings :
75+ for instance in match_string .instances :
76+ yield 0 , (
77+ format_hints .Hex (instance .offset + start ),
78+ task .UniqueProcessId ,
79+ match .rule ,
80+ match_string .identifier ,
81+ instance .matched_data ,
82+ )
83+ else :
84+ for offset , name , value in match .strings :
85+ yield 0 , (
86+ format_hints .Hex (offset + start ),
87+ task .tgid ,
88+ match .rule ,
89+ name ,
90+ value ,
91+ )
8592
8693 @staticmethod
8794 def get_vma_maps (
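Review bot: The instances branch yields `task.UniqueProcessId` (new line 78) while the fallback branch on new line 87 and the removed scanner-based loop both use `task.tgid`; this plugin declares a "Linux kernel" module requirement, and a Linux task_struct has no UniqueProcessId member (that is a Windows EPROCESS field), so on yara versions where `yara_returns_instances()` is true the first match would raise AttributeError instead of producing rows. Change new line 78 to `task.tgid,` so both branches report the same process id. Separately, `proc_layer.read(start, end - start, True)` reads each whole VMA into memory before matching, whereas the removed `proc_layer.scan(...)` path presumably chunked the region; it would be worth confirming that very large mappings are acceptable here or capping the read size. _generator begins before the hunk.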