Fixed procmem lifecycle within extractor

CERT-Polska · May 13, 2024 · 1b031b6 · 1b031b6
1 parent e82b581
commit 1b031b6
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/malduck/procmem/binmem.py b/malduck/procmem/binmem.py
@@ -82,9 +82,11 @@ def load_binaries_from_memory(cls: Type[T], procmem: ProcessMemory) -> Iterator[
             raise NotImplementedError()
         for binary_va in procmem.findv(cls.__magic__):
             binary_procmem_dmp = cls.from_memory_slice(procmem, binary_va)
+            binary_procmem_img = binary_procmem_dmp.image
+            # Binaries must be yielded at the end as they may be
+            # released by caller after that
             if binary_procmem_dmp.is_valid():
                 yield binary_procmem_dmp
-            binary_procmem_img = binary_procmem_dmp.image
             if binary_procmem_img and binary_procmem_img.is_valid():
                 yield binary_procmem_img
 

diff --git a/malduck/procmem/membuf.py b/malduck/procmem/membuf.py
@@ -32,6 +32,7 @@ def __init__(
         self,
         buf: Union[bytes, bytearray, memoryview],
     ) -> None:
+        print("created ", self, id(self))
         if type(buf) is memoryview:
             self.buf = buf
         elif type(buf) in (bytearray, bytes):
@@ -68,6 +69,7 @@ def slice(
         return PlainMemoryBuffer(self.buf[from_offset:to_offset].toreadonly())
 
     def release(self) -> None:
+        print("released ", self, id(self))
         self.buf.release()
 
 

diff --git a/malduck/procmem/procmem.pyi b/malduck/procmem/procmem.pyi
@@ -68,6 +68,10 @@ class ProcessMemory:
     def from_memory(
         cls: Type[T], memory: "ProcessMemory", base: int = None, **kwargs
     ) -> T: ...
+    @classmethod
+    def from_memory_slice(
+        cls: Type[T], memory: "ProcessMemory", addr: int, length: Optional[int] = None
+    ) -> T: ...
     @property
     def length(self) -> int: ...
     def iter_regions(