Merge pull request volatilityfoundation#1347 from eve-mem/regex_scan

Volshell: add regex_scan
eve-mem · Nov 13, 2024 · fe91fea · fe91fea
2 parents d2ae43c + af7a420
commit fe91fea
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/volatility3/cli/volshell/generic.py b/volatility3/cli/volshell/generic.py
@@ -14,7 +14,7 @@
 from volatility3.cli import text_renderer, volshell
 from volatility3.framework import exceptions, interfaces, objects, plugins, renderers
 from volatility3.framework.configuration import requirements
-from volatility3.framework.layers import intel, physical, resources
+from volatility3.framework.layers import intel, physical, resources, scanners
 
 try:
     import capstone
@@ -149,6 +149,7 @@ def construct_locals(self) -> List[Tuple[List[str], Any]]:
             (["cc", "create_configurable"], self.create_configurable),
             (["lf", "load_file"], self.load_file),
             (["rs", "run_script"], self.run_script),
+            (["rx", "regex_scan"], self.regex_scan),
         ]
 
     def _construct_locals_dict(self) -> Dict[str, Any]:
@@ -288,6 +289,21 @@ def display_words(self, offset, count=128, layer_name=None):
         remaining_data = self._read_data(offset, count=count, layer_name=layer_name)
         self._display_data(offset, remaining_data, format_string="H")
 
+    def regex_scan(self, pattern, count=128, layer_name=None):
+        """Scans for regex pattern in layer using RegExScanner."""
+        if not isinstance(pattern, bytes):
+            raise TypeError("pattern must be bytes, e.g. rx(b'pattern')")
+        layer_name_to_scan = layer_name or self.current_layer
+        for offset in self.context.layers[layer_name_to_scan].scan(
+            scanner=scanners.RegExScanner(pattern),
+            context=self.context,
+        ):
+            remaining_data = self._read_data(
+                offset, count=count, layer_name=layer_name_to_scan
+            )
+            self._display_data(offset, remaining_data)
+            print("")
+
     def disassemble(self, offset, count=128, layer_name=None, architecture=None):
         """Disassembles a number of instructions from the code at offset"""
         remaining_data = self._read_data(offset, count=count, layer_name=layer_name)