class documentation

class Search(object):

Search which slices of memory match a specified pattern.

This object can either return the search Events found during the search, or a view of the Matches to the pattern.

Warning

This object is not meant to be constructed directly. Instead, use reven2.search.Search.memory.

Examples

Iterating over matches

>>> search = server.trace.search
>>> for match in search.memory(b"Bob", trace.context_before(6000000), trace.context_before(6300000)).matches():
...     print(match)
id: 0 | @lin:0xc7e600 (mapped at Context before #6225933) | [Context before #6000000 - Context before #6299999] | 3 access(es)
id: 1 | @lin:0xc67771 (mapped at Context before #6227260) | [Context before #6227260 - Context before #6299999] | 4 access(es)

Iterating over events

>>> search = server.trace.search
>>> for event in search.memory(b"Bob", trace.context_before(6000000), trace.context_before(6300000)).events():
...     print(event)
First Access match: 0 | #Context before #6225933 (6225933) | @lin:0xc7e600
Access match: 0 | [#6225933 movzx eax, byte ptr [r12 + rdi]]Read access at @1987147264 (virtual address: lin:0xc7e600) of size 1
Access match: 0 | [#6226404 movzx eax, byte ptr [r12 + rdi]]Read access at @1987147265 (virtual address: lin:0xc7e601) of size 1
Access match: 0 | [#6226875 movzx eax, byte ptr [r12 + rdi]]Read access at @1987147266 (virtual address: lin:0xc7e602) of size 1
Created match: 1 | #6227259 | @lin:0xc67771
Access match: 1 | [#6250476 or rsi, qword ptr [rdx + rax]]Read access at @1166944112 (virtual address: lin:0xc67770) of size 8
Access match: 1 | [#6251934 movzx ebp, byte ptr [r13]]Read access at @1166944113 (virtual address: lin:0xc67771) of size 1
Access match: 1 | [#6251953 movzx ebp, byte ptr [r13]]Read access at @1166944114 (virtual address: lin:0xc67772) of size 1
Access match: 1 | [#6251972 movzx ebp, byte ptr [r13]]Read access at @1166944115 (virtual address: lin:0xc67773) of size 1
Method __init__ Undocumented
Method events The events that occur when a slice of memory starts matching the searched pattern, is accessed, or is destroyed during the search.
Method matches The slices that match the search pattern for some part of the trace.
Property pattern Property: The pattern that is searched for.
Method _events Undocumented
Method _handle_event Undocumented
Method _on_access Undocumented
Method _on_del Undocumented
Method _on_first Undocumented
Method _on_new Undocumented
Method _start_address Undocumented
Method _transition Undocumented
Method _virtual_address Undocumented
Instance Variable _filtered Undocumented
Instance Variable _first_context Undocumented
Instance Variable _last_context Undocumented
Instance Variable _pattern Undocumented
Instance Variable _rvn Undocumented
Instance Variable _trace Undocumented
def __init__(self, _rvn, trace, pattern, from_context=None, to_context=None):

Undocumented

def events(self):

The events that occur when a slice of memory starts matching the searched pattern, is accessed, or is destroyed during the search.

See also the Event classes for more information about the possible kinds of events.

Example

Iterating over events, then the final matches in a single search

>>> for event in search.memory(b"\x22\x22\x22").events():
...     print(event)
...
First Access match: 0 | #Context before #7070701 (7070701) | @lin:0x7ffb6f470749
Access match: 0 | [#7070701 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
First Access match: 1 | #Context before #7070701 (7070701) | @lin:0x7ffb6f47074a
Access match: 1 | [#7070701 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 0 | [#8469446 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 1 | [#8469446 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 0 | [#8477072 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 1 | [#8477072 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 0 | [#14304595 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 1 | [#14304595 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 0 | [#16549091 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 1 | [#16549091 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
>>> for match in event.current_matches():
...     print(match)
...
id: 0 | @lin:0x7ffb6f470749 (mapped at Context before #7070701) | [Context before #0 - Context after #16899152] | 5 access(es)
id: 1 | @lin:0x7ffb6f47074a (mapped at Context before #7070701) | [Context before #0 - Context after #16899152] | 5 access(es)

Searching for the existence of a pattern and interrupting the search as soon as it has been found:

>>> for event in search.memory(b"Is_this_pattern_in_trace?").events():
...     print("Found: {} :-)".format(event.match_physical_address))
...     break # Interrupts the search immediately
... else:
...     print("Not found :-(")
Found: phy:0x76717600 :-)

Iterating after a single match is deleted:

>>> for event in search.memory(b"MZ").events():
...     print(event)
...     if isinstance(event, reven2.search_in_memory.DelEvent):
...         break # Interrupt the search
...
First Access match: 0 | #Context before #3406297 (3406297) | @lin:0xffffe0016bf4b1b8
Access match: 0 | [#3406297 lock xadd dword ptr [r10 + 0x18], ecx]Read access at @2002502072 (virtual address: lin:0xffffe0016bf4b1b8) of size 4
Deleted match: 0 | #3406297
>>> for match in event.current_matches():
...     print(match)
...
id: 0 | @lin:0xffffe0016bf4b1b8 (mapped at Context before #3406297) | [Context before #0 - Context before #3406297] | 1 access(es)

Information

Returns
A generator of Events.
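As an added example (not part of the reven2 API or its docs): a parser for the event lines that events() prints, grouping them by match id into a per-match timeline and computing which bytes of the matched slice the traced code actually touched, which is how an analyst can check whether a secret found by search.memory was read in full or only partially. The line formats and the constructed sample are taken from the output shown on this page; the "Deleted" line for match 1 and the acceptance of operation words other than "Read" are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
# Constructed sample in the line format that Search.events() prints (see the docs above).
SAMPLE_EVENTS = """\
First Access match: 0 | #Context before #6225933 (6225933) | @lin:0xc7e600
Access match: 0 | [#6225933 movzx eax, byte ptr [r12 + rdi]]Read access at @1987147264 (virtual address: lin:0xc7e600) of size 1
Access match: 0 | [#6226404 movzx eax, byte ptr [r12 + rdi]]Read access at @1987147265 (virtual address: lin:0xc7e601) of size 1
Created match: 1 | #6227259 | @lin:0xc67771
Access match: 1 | [#6250476 or rsi, qword ptr [rdx + rax]]Read access at @1166944112 (virtual address: lin:0xc67770) of size 8
Deleted match: 1 | #6260000
"""
HEX = r"0x[0-9a-fA-F]+"
FIRST_RE = re.compile(rf"^First Access match: (\d+) \| #Context before #(\d+) \(\d+\) \| @lin:({HEX})$")
CREATED_RE = re.compile(rf"^Created match: (\d+) \| #(\d+) \| @lin:({HEX})$")
DELETED_RE = re.compile(r"^Deleted match: (\d+) \| #(\d+)$")
# The instruction text can itself contain ']' (memory operands), so match lazily up to ']<op> access'.
# Only "Read" appears on this page; any operation word is accepted and kept verbatim (assumption).
ACCESS_RE = re.compile(rf"^Access match: (\d+) \| \[#(\d+) (.*?)\](\w+) access at @\d+ "
                       rf"\(virtual address: lin:({HEX})\) of size (\d+)$")

@dataclass
class MatchTimeline:
    match_id: int
    start_va: int = 0            # linear address where the matching slice starts
    seen_at: int = 0             # transition of the First Access / Created event
    deleted_at: Optional[int] = None
    accesses: List[tuple] = field(default_factory=list)  # (transition, op, va, size, insn)

def parse_events(text: str) -> Dict[int, MatchTimeline]:
    """Group printed event lines by match id into one timeline per match."""
    timelines: Dict[int, MatchTimeline] = {}
    for line in text.splitlines():
        if m := (FIRST_RE.match(line) or CREATED_RE.match(line)):
            t = timelines.setdefault(int(m[1]), MatchTimeline(int(m[1])))
            t.seen_at, t.start_va = int(m[2]), int(m[3], 16)
        elif m := ACCESS_RE.match(line):
            mid, tr, insn, op, va, size = m.groups()
            t = timelines.setdefault(int(mid), MatchTimeline(int(mid)))
            t.accesses.append((int(tr), op, int(va, 16), int(size), insn))
        elif m := DELETED_RE.match(line):
            timelines.setdefault(int(m[1]), MatchTimeline(int(m[1]))).deleted_at = int(m[2])
    return timelines

def covered_offsets(t: MatchTimeline, pattern_len: int) -> Set[int]:
    """Offsets inside the matched slice that at least one access touched (wide reads overlap it)."""
    covered: Set[int] = set()
    for _tr, _op, va, size, _insn in t.accesses:
        lo, hi = max(va, t.start_va), min(va + size, t.start_va + pattern_len)
        covered.update(range(lo - t.start_va, hi - t.start_va))
    return covered
```

For the 3-byte pattern b"Bob" of the sample, match 0 is only read at offsets 0 and 1 while match 1 is fully covered by a single 8-byte read that starts one byte before the slice.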
def matches(self):

The slices that match the search pattern for some part of the trace.

Examples

Iterating over matches

>>> search = server.trace.search
>>> for match in search.memory(b"Bob", trace.context_before(6000000), trace.context_before(6300000)).matches():
...     print(match)
id: 0 | @lin:0xc7e600 (mapped at Context before #6225933) | [Context before #6000000 - Context before #6299999] | 3 access(es)
id: 1 | @lin:0xc67771 (mapped at Context before #6227260) | [Context before #6227260 - Context before #6299999] | 4 access(es)

Information

Returns
A generator of Matches.
@property
pattern =

Property: The pattern that is searched for.

def _events(self, search_state):

Undocumented

def _handle_event(self, raw_event, search_state):

Undocumented

def _on_access(self, access, search_state):

Undocumented

def _on_del(self, access, search_state):

Undocumented

def _on_first(self, access, search_state):

Undocumented

def _on_new(self, access, search_state):

Undocumented

def _start_address(self, event):

Undocumented

def _transition(self, event):

Undocumented

def _virtual_address(self, event):

Undocumented

_filtered =

Undocumented

_first_context =

Undocumented

_last_context =

Undocumented

_pattern =

Undocumented

_rvn =

Undocumented

_trace =

Undocumented