From 099226536fb08528ecffc0611360b9ffc74ce8ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Praszmo?=
Date: Thu, 17 Sep 2020 22:50:59 +0200
Subject: [PATCH] Add small docs for idamem (#43)

---
 docs/extractor.rst | 4 ----
 malduck/extractor/extract_manager.py | 6 +++---
 malduck/extractor/extractor.py | 2 +-
 malduck/procmem/idamem.py | 15 ++++++++++++++-
 4 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/docs/extractor.rst b/docs/extractor.rst
index 2861eb8..9c2c3aa 100644
--- a/docs/extractor.rst
+++ b/docs/extractor.rst
@@ -19,7 +19,3 @@ Internally used classes and routines
 .. autoclass:: malduck.extractor.extract_manager.ProcmemExtractManager :members:
-.. autoclass:: malduck.extractor.extractor.ExtractorBase :members:
-.. autoclass:: malduck.extractor.extractor.MetaExtractor :members:
diff --git a/malduck/extractor/extract_manager.py b/malduck/extractor/extract_manager.py
index e77bb54..70ae46f 100644
--- a/malduck/extractor/extract_manager.py
+++ b/malduck/extractor/extract_manager.py
@@ -184,7 +184,7 @@ def push_file(self, filepath: str, base: int = 0) -> Optional[str]:
 :param base: Memory dump base address
 :type base: int
 :return: Family name if ripped successfully and provided better configuration than previous files.
- Returns None otherwise.
+ Returns None otherwise.
 """
 log.debug("Started extraction of file %s:%x", filepath, base)
 with ProcessMemory.from_file(filepath, base=base) as p:
@@ -214,10 +214,10 @@ def push_procmem(
 :param p: ProcessMemory object
 :type p: :class:`malduck.procmem.ProcessMemory`
 :param rip_binaries: Look for binaries (PE, ELF) in provided ProcessMemory and try to perform extraction using
- specialized variants (ProcessMemoryPE, ProcessMemoryELF)
+ specialized variants (ProcessMemoryPE, ProcessMemoryELF)
 :type rip_binaries: bool (default: False)
 :return: Family name if ripped successfully and provided better configuration than previous procmems.
- Returns None otherwise.
+ Returns None otherwise.
 """
 from ..procmem import ProcessMemoryPE, ProcessMemoryELF
 from ..procmem.binmem import ProcessMemoryBinary
diff --git a/malduck/extractor/extractor.py b/malduck/extractor/extractor.py
index 64b7654..7ece63a 100644
--- a/malduck/extractor/extractor.py
+++ b/malduck/extractor/extractor.py
@@ -160,7 +160,7 @@ def xxx_call(self, p: ProcessMemory, addr: int, match: YaraStringMatch) -> Confi
 :param strings_or_method: If method name doesn't match the string identifier, pass yara string identifier as decorator argument. Multiple strings are accepted
-:type strings_or_method: *str, optional
+:type strings_or_method: str, optional
 .. py:decoratormethod:: Extractor.extractor
diff --git a/malduck/procmem/idamem.py b/malduck/procmem/idamem.py
index 3e5d716..57fff88 100644
--- a/malduck/procmem/idamem.py
+++ b/malduck/procmem/idamem.py
@@ -51,7 +51,20 @@ def __len__(self):
 class IDAProcessMemory(ProcessMemory):
 """
- ProcessMemory representation operating in IDAPython context [BETA]
+ ProcessMemory representation operating in IDAPython context
+
+ Short name: `idamem`
+
+ Initialize by creating the object within IDAPython context and then use like a
+ normal procmem object:
+
+ .. code-block:: python
+
+ from malduck import idamem, xor
+
+ ida = idamem()
+ decrypted_data = xor(b"KEYZ", ida.readv(0x0040D320, 128))
+ some_wide_string = ida.asciiz(0x402010).decode("utf-16")
 """
 def __init__(self):
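Review bot: The last line of the new docstring example in the idamem.py hunk, `some_wide_string = ida.asciiz(0x402010).decode("utf-16")`, combines a NUL-terminated ASCII reader with a UTF-16 decode; a UTF-16 string has a NUL byte after nearly every character, so asciiz stops at the first one and the decode cannot yield the intended wide string. Since this is the example analysts will copy, it should use the wide-string reader the procmem API exposes, e.g. `some_wide_string = ida.utf16z(0x402010).decode("utf-16")`, or the wide-string line should be dropped rather than documenting a truncating pattern. The rendered indentation of the `.. code-block::` body cannot be verified from this collapsed diff, so please confirm the example lines sit indented under the directive or Sphinx will emit them as plain text. The IDAProcessMemory class body continues outside the hunk.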