Skip to content

feat: process scanning #384

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 40 commits into
base: main
Choose a base branch
from
Open

feat: process scanning #384

wants to merge 40 commits into from
+1,165 −32

Conversation

JonathanAnbary
Copy link
Contributor

Implemented Process scanning in lib (not accessible from cli yet) for linux and windows.
the semantics of the scan are as follows:

  • string are searched in each memory region of the scanned process separately, and results are combined.
  • modules are not ran, and conditions that depend on offsets evaluate to undefined (behaving as though the length of the scanned data is 0).

@JonathanAnbary JonathanAnbary mentioned this pull request Jun 24, 2025
Open
@JonathanAnbary JonathanAnbary changed the title Process scanning feat: process scanning Jun 24, 2025
@JonathanAnbary
Copy link
Contributor Author

I fixed the clippy errors (sorry about that).
In regards to the macos issues I also think I fixed it (by that I mean that it should compile not that I implemented process scanning) but I dont have a way to test it (Im working from linux, and cross compiling to macos seems like a pain) unless some one has a decent flake.nix/shell.nix for cargo with cross compilation to darwin.

@JonathanAnbary
Copy link
Contributor Author

Ok, pretty sure I actually fixed the clippy errors now (switched to using the toolchain thats listed at the top of the clippy job).
in regards to the macos, I also fixed the error that was reported in the job but I dont actually have a way to test it.
Ill be trying to setup cross compilation for macos from my linux machine, and if that works Ill at least be able to ensure that it compiles.

secDre4mer
secDre4mer reviewed Jun 25, 2025
View reviewed changes
Copy link

@secDre4mer secDre4mer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for implementing this (as this was the main thing I was missing from yara-x so far).

Regarding MacOS: If you need something tested on a MacOS, I'd be glad to help out.

lib/src/scanner/mod.rs
.set(self.wasm_store.as_context_mut(), Val::I32(1))
.unwrap();

// Set the global variable `filesize` to the size of the total memroy regions.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Possibly this should be something the caller can choose? YARA uses "memory iterators", which have a similar option.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that sounds good, the only thing Im not sure about is how to set a wasm global to undefined.
adding a method to the DataIter trait is probably the way to do this.

secDre4mer
secDre4mer reviewed Jun 25, 2025
View reviewed changes
@JonathanAnbary
Copy link
Contributor Author

Regarding MacOS: If you need something tested on a MacOS, I'd be glad to help out.

If you could try compiling the branch for macos and inform me if any issues that arise that would be great (macos is not implemented so dont expect to be able to scan processes, I just want to make sure that it compiles).

@secDre4mer
Copy link

It compiles on MacOS. There are some warnings about unused code (warning: method scan_many_impl is never used and similar), but that is expected since without process scanning, these are superfluous for MacOS right now.

@JonathanAnbary
Copy link
Contributor Author

@plusvic would it be possible to run the checks now?
I'm pretty sure it should pass now.

@JonathanAnbary JonathanAnbary mentioned this pull request Jun 25, 2025
Open
@JonathanAnbary
Copy link
Contributor Author

I am happy to report that my hat is delicious.
I fixed the test, and then compiled and tested with windows-msvc (previously was using windows-gnu).
Its a bit of a weird test and it honestly might be better to just remove it but I wanted to make sure that the match content was not being duplicated for overlapping matches and this test (scan_proc_overlapping_matches) was the only way I could think of doing that.
Ill be happy if you can rerun the tests, Hopefully for the last time...

@JonathanAnbary
working on porting a poc of the scan_proc on linux
74bfd11
@JonathanAnbary
poc for linux process scanning
8f58abb
@JonathanAnbary
added comment in regards to weird failure when trying to read vvars o…
edf3a40 
…f another process in order to scan it
@JonathanAnbary
moved the process memory loading into separate module
f8cf45e
@JonathanAnbary
wip, added winapi dependency to facilitate windows process scanning
28a7fb9
@JonathanAnbary
wip, implementing the windows process scanning
d9b1955
@JonathanAnbary
wip, windows process scanning
ca822aa
@JonathanAnbary
wip, code for windows process scanning
2524e9f
@JonathanAnbary
cross compiles to windows
f420270
@JonathanAnbary
working linux, still not tested windows
a135dbf
@JonathanAnbary
working windows process reading, oom if actually trying to use single…
cb3d427 
… vector
@JonathanAnbary
working on windows (dont like the solution, this should be done with …
3ab5ea4 
…iterators)
@JonathanAnbary
fixed linux process scanning regressions
e8a766e
@JonathanAnbary
seperated the linux and windows process scanning into different files
e4c7916
@JonathanAnbary
changed to using a streaming-iterator internally in the linux proc me…
d7a13fb 
…mory scanner
@JonathanAnbary
cleaned up linux proc scanner
43801a1
@JonathanAnbary
cleaned up the windows implementation
0198d94
@JonathanAnbary
using the windows crate and not the winapi crate
6745e03
@JonathanAnbary
fixed compilation on linux
1a028b3
@JonathanAnbary
fixed test for linux
eaf00a7
@JonathanAnbary
windows proc scanning compiles successfully
bb403d8
@JonathanAnbary
working process scanning on linux without copying the entire targeted…
f7ff9ae 
… processes memory into our own memory at once
@JonathanAnbary
mapping mapped files instead of reading from the processes memory
18cbaf5
@JonathanAnbary
wip, process scanning on linux has issue with reading from non mapped…
ce5dd80 
… file
@JonathanAnbary
working linux scanning, need to consider reusing the vector
a61c345
@JonathanAnbary
got the windows proc scanning working
c74851e
@JonathanAnbary
not ending iteration over process memory when failing to fetch, inste…
e60393d 
…ad moving on to next region
@JonathanAnbary
reusing existing vector and limiting max vector size
d685c47
@JonathanAnbary
poc for saving match content in the case of fragmented scanning (not …
1ad93f3 
…efficient)
@JonathanAnbary
wip, working process scanning with saving match results
820837b
@JonathanAnbary
wip, working sparse scanned data saving for match content
777127a
@JonathanAnbary
not doing anchored patterns when scanning processes
b1cbafa
@JonathanAnbary
added cfg to ensure compilation will still succedd on non windows/lin…
3ce7416 
…ux (although of course, scan_proc wont be available)
@JonathanAnbary
removing flake.nix, before creating PR
283b823
@JonathanAnbary
cleaned up code before submitting PR
1ed23bb
@JonathanAnbary
fixed so that macos will pass + some clippy errors
972ee17
@JonathanAnbary
fixed clippy warnings (for the correct rust version this time)
f0f6772
@JonathanAnbary
excluding process scanning tests when not targeting windows/linux
c678c00
@JonathanAnbary
CR fixes
e2ff4e8
@JonathanAnbary
changed the process scanning deduplicated match content test, the rul…
8760d29 
…e now does not match itself
@JonathanAnbary
Copy link
Contributor Author

Hi @plusvic.
I'd love to know what needs to be done in order to get this merged as soon as possible :)

@plusvic
Copy link
Member

plusvic commented Jul 7, 2025

Hi @JonathanAnbary, it will take me some time before I can look into this thoroughly. As this is a big feature with a lot of implications from the API standpoint, I want to be very careful with it. My preliminary assessment is that this is unlikely to be merged as is. I would like to avoid at all cost to have all the OS-dependent code merged into the yara-x crate. I will probably think about a generic API that allows implementing process scanning on top of it, but leaving the memory reading stuff to the user of the API.

@gustavo-iniguez-goya
Copy link

Aupa @plusvic !

If you eventually add this feature, consider parsing /proc/<pid>/exe and other files (stat, status, ...), in order to scan for red flags on Linux, like processes masquerading as kernel threads, or processes executed from locations like /dev/shm, /tmp, /memfd, /var/tmp, etc.

@plusvic
Copy link
Member

plusvic commented Sep 26, 2025

After merging #459 we already have an API for scanning memory blocks that could support process memory scanning on top of it. For the time being I don't plan to implement the OS-dependent memory reading logic. If that's ever implemented, I envision it as a separate crate that abstracts you from the details of reading the memory of another process given the process ID. I guess some other Rust crates can benefit from having such an API in a stand-alone crate.

With the new block scanning API, and some other crate that reads memory from external processes, implementing process scanning should be fairly trivial.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@secDre4mer secDre4mer secDre4mer left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@JonathanAnbary @secDre4mer @plusvic @gustavo-iniguez-goya