reven2.search_in_memory.Search(object)
Class documentation (module reven2.search_in_memory)
Search which slices of memory match a specified pattern.
This object can either return the search Events found during the search, or a view of the Matches to the pattern.
This object is not meant to be constructed directly. Instead, use reven2.search.Search.memory.
Iterating over matches
>>> search = server.trace.search
>>> for match in search.memory(b"Bob", trace.context_before(6000000), trace.context_before(6300000)).matches():
...     print(match)
id: 0 | @lin:0xc7e600 (mapped at Context before #6225933) | [Context before #6000000 - Context before #6299999] | 3 access(es)
id: 1 | @lin:0xc67771 (mapped at Context before #6227260) | [Context before #6227260 - Context before #6299999] | 4 access(es)
Iterating over events
>>> search = server.trace.search
>>> for event in search.memory(b"Bob", trace.context_before(6000000), trace.context_before(6300000)).events():
...     print(event)
First Access match: 0 | #Context before #6225933 (6225933) | @lin:0xc7e600
Access match: 0 | [#6225933 movzx eax, byte ptr [r12 + rdi]]Read access at @1987147264 (virtual address: lin:0xc7e600) of size 1
Access match: 0 | [#6226404 movzx eax, byte ptr [r12 + rdi]]Read access at @1987147265 (virtual address: lin:0xc7e601) of size 1
Access match: 0 | [#6226875 movzx eax, byte ptr [r12 + rdi]]Read access at @1987147266 (virtual address: lin:0xc7e602) of size 1
Created match: 1 | #6227259 | @lin:0xc67771
Access match: 1 | [#6250476 or rsi, qword ptr [rdx + rax]]Read access at @1166944112 (virtual address: lin:0xc67770) of size 8
Access match: 1 | [#6251934 movzx ebp, byte ptr [r13]]Read access at @1166944113 (virtual address: lin:0xc67771) of size 1
Access match: 1 | [#6251953 movzx ebp, byte ptr [r13]]Read access at @1166944114 (virtual address: lin:0xc67772) of size 1
Access match: 1 | [#6251972 movzx ebp, byte ptr [r13]]Read access at @1166944115 (virtual address: lin:0xc67773) of size 1
Method | __init__ | Undocumented |
Method | events | The events that occur when a slice of memory starts matching the searched pattern, is accessed, or is destroyed during the search. |
Method | matches | The slices that match the search pattern for some part of the trace. |
Method | pattern | Property: The pattern that is searched for. |
Method | _events | Undocumented |
Method | _handle_event | Undocumented |
Method | _on_new | Undocumented |
Method | _on_first | Undocumented |
Method | _on_access | Undocumented |
Method | _on_del | Undocumented |
Method | _transition | Undocumented |
Method | _virtual_address | Undocumented |
Method | _start_address | Undocumented |
The events that occur when a slice of memory starts matching the searched pattern, is accessed, or is destroyed during the search.
See also the Event classes for more information about the possible kinds of events.
Iterating over events, then the final matches in a single search
>>> for event in search.memory(b"\x22\x22\x22").events():
...     print(event)
First Access match: 0 | #Context before #7070701 (7070701) | @lin:0x7ffb6f470749
Access match: 0 | [#7070701 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
First Access match: 1 | #Context before #7070701 (7070701) | @lin:0x7ffb6f47074a
Access match: 1 | [#7070701 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 0 | [#8469446 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 1 | [#8469446 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 0 | [#8477072 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 1 | [#8477072 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 0 | [#14304595 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 1 | [#14304595 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 0 | [#16549091 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
Access match: 1 | [#16549091 movzx r10d, byte ptr [rax + rsi + 0x110710]]Read access at @2095937355 (virtual address: lin:0x7ffb6f47074b) of size 1
>>> for match in event.current_matches():
...     print(match)
id: 0 | @lin:0x7ffb6f470749 (mapped at Context before #7070701) | [Context before #0 - Context after #16899152] | 5 access(es)
id: 1 | @lin:0x7ffb6f47074a (mapped at Context before #7070701) | [Context before #0 - Context after #16899152] | 5 access(es)
Searching for the existence of a pattern and interrupting the search as soon as it has been found:
>>> for event in search.memory(b"Is_this_pattern_in_trace?").events():
...     print("Found: {} :-)".format(event.match_physical_address))
...     break  # Interrupts the search immediately
... else:
...     print("Not found :-(")
Found: phy:0x76717600 :-)
Iterating after a single match is deleted:
>>> for event in search.memory(b"MZ").events():
...     print(event)
...     if isinstance(event, reven2.search_in_memory.DelEvent):
...         break  # Interrupt the search
First Access match: 0 | #Context before #3406297 (3406297) | @lin:0xffffe0016bf4b1b8
Access match: 0 | [#3406297 lock xadd dword ptr [r10 + 0x18], ecx]Read access at @2002502072 (virtual address: lin:0xffffe0016bf4b1b8) of size 4
Deleted match: 0 | #3406297
>>> for match in event.current_matches():
...     print(match)
id: 0 | @lin:0xffffe0016bf4b1b8 (mapped at Context before #3406297) | [Context before #0 - Context before #3406297] | 1 access(es)
Returns | A generator of Events. |
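An added example, not part of the REVEN documentation: when printed events have been saved to a text log, this parser groups them by match id so that the instructions touching each matching buffer can be reviewed offline. It assumes the textual layout shown in the outputs above; the names `summarize` and `readers`, the transition number on the sample `Deleted` line, and the handling of access kinds other than `Read` are assumptions.

```python
import re
from collections import defaultdict

# Sample input: lines taken from the b"Bob" output above, plus one constructed
# "Deleted" line (transition number made up) in the layout of the b"MZ" output.
SAMPLE = """\
First Access match: 0 | #Context before #6225933 (6225933) | @lin:0xc7e600
Access match: 0 | [#6225933 movzx eax, byte ptr [r12 + rdi]]Read access at @1987147264 (virtual address: lin:0xc7e600) of size 1
Access match: 0 | [#6226404 movzx eax, byte ptr [r12 + rdi]]Read access at @1987147265 (virtual address: lin:0xc7e601) of size 1
Created match: 1 | #6227259 | @lin:0xc67771
Access match: 1 | [#6250476 or rsi, qword ptr [rdx + rax]]Read access at @1166944112 (virtual address: lin:0xc67770) of size 8
Access match: 1 | [#6251934 movzx ebp, byte ptr [r13]]Read access at @1166944113 (virtual address: lin:0xc67771) of size 1
Deleted match: 1 | #6260000
"""

# Assumption: access kinds other than "Read" print in the same shape.
START = re.compile(r"^(First Access|Created) match: (\d+) \| "
                   r"#(?:Context before #)?(\d+)(?: \(\d+\))? \| @lin:(0x[0-9a-f]+)$")
ACCESS = re.compile(r"^Access match: (\d+) \| \[#(\d+) (.+)\](\w+) access at @(\d+) "
                    r"\(virtual address: lin:(0x[0-9a-f]+)\) of size (\d+)$")
DELETED = re.compile(r"^Deleted match: (\d+) \| #(\d+)$")

def summarize(text):
    """Group printed search events by match id."""
    matches = defaultdict(
        lambda: dict(address=None, start=None, accesses=[], deleted=None))
    for line in text.splitlines():
        line = line.strip()
        if m := START.match(line):
            rec = matches[int(m[2])]
            rec["address"], rec["start"] = int(m[4], 16), (m[1], int(m[3]))
        elif m := ACCESS.match(line):
            matches[int(m[1])]["accesses"].append(
                # "at" is the number printed after '@' in the access line
                {"transition": int(m[2]), "instruction": m[3], "op": m[4],
                 "at": int(m[5]), "virtual": int(m[6], 16), "size": int(m[7])})
        elif m := DELETED.match(line):
            matches[int(m[1])]["deleted"] = int(m[2])
        elif line:
            raise ValueError(f"unrecognized event line: {line!r}")
    return dict(matches)

def readers(summary, match_id):
    """Distinct instructions that accessed a match, in first-seen order."""
    seen = dict.fromkeys(a["instruction"] for a in summary[match_id]["accesses"])
    return list(seen)
```

Unrecognized lines raise instead of being skipped, so a change in the printed layout shows up as an error and not as a silently incomplete summary.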
The slices that match the search pattern for some part of the trace.
Iterating over matches
>>> search = server.trace.search
>>> for match in search.memory(b"Bob", trace.context_before(6000000), trace.context_before(6300000)).matches():
...     print(match)
id: 0 | @lin:0xc7e600 (mapped at Context before #6225933) | [Context before #6000000 - Context before #6299999] | 3 access(es)
id: 1 | @lin:0xc67771 (mapped at Context before #6227260) | [Context before #6227260 - Context before #6299999] | 4 access(es)
Returns | A generator of Matches. |