package rrg.action.scan_memory_yara

Get desktop application:
View/edit binary Protocol Buffers messages

• repeated uint32 pids = 1

  PIDs of the processes whose memory we are interested in.

• oneof signature_oneof

  YARA signature source to use for scanning.

  • string signature_inline = 2

    Signature passed inline with the request as a UTF-8 string.

  • bytes signature_file_sha256 = 10

    SHA-256 checksum of the signature, which must have been previously stored in the filestore.

• optional google.protobuf.Duration timeout = 3

  Maximum time spent scanning a single process.

• optional uint32 max_matches_per_pattern = 11

  Maximum number of matches returned for each pattern in the given YARA signature. Scanning for a particular pattern will stop once this number of matches has been found in memory. No error will be emitted in that case.

• bool skip_mapped_files = 4

  Set this flag to avoid scanning mapped files.

• bool skip_shared_regions = 5

  Set this flag to avoid scanning shared memory regions. Applies to Linux only.

• bool skip_executable_regions = 6

  Set this flag to avoid scanning regions marked as executable.

• bool skip_readonly_regions = 7

  Set this flag to avoid scanning regions marked as readable and not writable or executable.

• optional uint64 chunk_size = 8

  Length of the chunks used to read large memory regions, in bytes. Will use a reasonable default value if unset.

• optional uint64 chunk_overlap = 9

  Overlap across chunks, in bytes. A larger overlap decreases the chance of missing a string that would otherwise match, but is located across chunk boundaries. Will use a reasonable default value if unset.

Used in: Pattern

• uint64 offset = 2

  Offset of the matching string into the process' address space.

• bytes data_sha256 = 4

  A SHA-256 hash of the blob of matching data, which was sent to the blob sink.

Used in: Rule

• string identifier = 1

  The name of this pattern.

• repeated Match matches = 2

  Matching occurrences of this pattern.

Result of scanning memory for one single process.

• uint32 pid = 1

  PID of the process this result refers to.

• repeated Rule matching_rules = 2

  Yara rules which matched when scanning this process, if any. Only set if `error` is unset.

• string error = 9

  Error message set if something went wrong when scanning this process' memory.

Used in: Result

• string identifier = 1

  The name of this rule.

• repeated Pattern patterns = 2

  Patterns which this rule searches for.