Add small docs for idamem (#43)

CERT-Polska · Sep 17, 2020 · 0992265 · 0992265
1 parent c4b39b9
commit 0992265
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 9 deletions.
diff --git a/docs/extractor.rst b/docs/extractor.rst
@@ -19,7 +19,3 @@ Internally used classes and routines
 
 .. autoclass:: malduck.extractor.extract_manager.ProcmemExtractManager
     :members:
-.. autoclass:: malduck.extractor.extractor.ExtractorBase
-    :members:
-.. autoclass:: malduck.extractor.extractor.MetaExtractor
-    :members:
diff --git a/malduck/extractor/extract_manager.py b/malduck/extractor/extract_manager.py
@@ -184,7 +184,7 @@ def push_file(self, filepath: str, base: int = 0) -> Optional[str]:
         :param base: Memory dump base address
         :type base: int
         :return: Family name if ripped successfully and provided better configuration than previous files.
-                 Returns None otherwise.
+            Returns None otherwise.
         """
         log.debug("Started extraction of file %s:%x", filepath, base)
         with ProcessMemory.from_file(filepath, base=base) as p:
@@ -214,10 +214,10 @@ def push_procmem(
         :param p: ProcessMemory object
         :type p: :class:`malduck.procmem.ProcessMemory`
         :param rip_binaries: Look for binaries (PE, ELF) in provided ProcessMemory and try to perform extraction using
-        specialized variants (ProcessMemoryPE, ProcessMemoryELF)
+            specialized variants (ProcessMemoryPE, ProcessMemoryELF)
         :type rip_binaries: bool (default: False)
         :return: Family name if ripped successfully and provided better configuration than previous procmems.
-                 Returns None otherwise.
+            Returns None otherwise.
         """
         from ..procmem import ProcessMemoryPE, ProcessMemoryELF
         from ..procmem.binmem import ProcessMemoryBinary

diff --git a/malduck/extractor/extractor.py b/malduck/extractor/extractor.py
@@ -160,7 +160,7 @@ def xxx_call(self, p: ProcessMemory, addr: int, match: YaraStringMatch) -> Confi
         :param strings_or_method:
             If method name doesn't match the string identifier, pass yara string identifier as decorator argument.
             Multiple strings are accepted
-        :type strings_or_method: *str, optional
+        :type strings_or_method: str, optional
 
     .. py:decoratormethod:: Extractor.extractor
 

diff --git a/malduck/procmem/idamem.py b/malduck/procmem/idamem.py
@@ -51,7 +51,20 @@ def __len__(self):
 
 class IDAProcessMemory(ProcessMemory):
     """
-    ProcessMemory representation operating in IDAPython context [BETA]
+    ProcessMemory representation operating in IDAPython context
+
+    Short name: `idamem`
+
+    Initialize by creating the object within IDAPython context and then use like a
+    normal procmem object:
+
+    .. code-block:: python
+
+        from malduck import idamem, xor
+
+        ida = idamem()
+        decrypted_data = xor(b"KEYZ", ida.readv(0x0040D320, 128))
+        some_wide_string = ida.asciiz(0x402010).decode("utf-16")
     """
 
     def __init__(self):