Class MemoryBytePatternSearcher

java.lang.Object
ghidra.util.bytesearch.MemoryBytePatternSearcher

public class MemoryBytePatternSearcher extends Object
Multi pattern/mask/action memory searcher. This is the legacy memory searcher that specifically uses Pattern objects and relies on patterns having actions that get invoked as the pattern is found in memory. If you want a simpler, more generic way to search for bulk patterns in memory, you can use the ProgramMemorySearcher. If you want an even more generic searcher that isn't restricted to just searching program memory, you can directly use a BulkPatternSearcher.

In this class, patterns can be given at construction time or added one at a time. Optionally, this class can be called with a pre-built BulkPatternSearcher, which is a bit awkward since it is not compatible with adding patterns later. In that case, a new BulkPatternSearcher will be created with only the patterns that were added after construction.

Once patterns have been added, simply call the search or searchAll methods to perform a search.

  • Constructor Details

    • MemoryBytePatternSearcher

      public MemoryBytePatternSearcher(String searchName, List<Pattern> patternList)
      Create with pre-created patternList
      Parameters:
      searchName - name of search
      patternList - list of patterns (bytes/mask/action)
    • MemoryBytePatternSearcher

      public MemoryBytePatternSearcher(String searchName, BulkPatternSearcher<Pattern> searcher)
      Create with an initialized BulkPatternSearcher
      Parameters:
      searchName - name of search
      searcher - search state pre-initialized
    • MemoryBytePatternSearcher

      public MemoryBytePatternSearcher(String searchName)
      Create with no patternList; patterns must be added before searching
      Parameters:
      searchName - name of search
  • Method Details

    • addPattern

      public void addPattern(Pattern pattern)
      Add a search pattern
      Parameters:
      pattern - pattern (bytes/mask/action)
    • setSearchExecutableOnly

      public void setSearchExecutableOnly(boolean doExecutableBlocksOnly)
    • searchAll NEW

      public void searchAll(Program program, TaskMonitor monitor) throws CancelledException
      Search all initialized memory blocks and call the associated actions on matches
      Parameters:
      program - to be searched
      monitor - allow canceling and reporting of progress
      Throws:
      CancelledException - if canceled
    • search

      public void search(Program program, AddressSetView searchSet, TaskMonitor monitor) throws CancelledException
      Search initialized memory blocks for all patterns (bytes/mask/action). Call associated action for each pattern matched.
      Parameters:
      program - to be searched
      searchSet - set of bytes to restrict search; if null or empty, then search all memory blocks
      monitor - allow canceling and reporting of progress
      Throws:
      CancelledException - if canceled
    • preMatchApply MODIFIED

      public void preMatchApply(MatchAction[] actions, Address address)
      param 1 renamed: matchactions → actions; param 2 renamed: addr → address
      -void preMatchApply(ghidra.util.bytesearch.MatchAction[] matchactions, ghidra.program.model.address.Address addr)
      +void preMatchApply(ghidra.util.bytesearch.MatchAction[] actions, ghidra.program.model.address.Address address)
      Called just before any match rules are applied.
      Parameters:
      actions (was: matchactions) - the actions from the pattern that matched
      address (was: addr) - address of match
    • postMatchApply MODIFIED

      public void postMatchApply(MatchAction[] actions, Address address)
      param 1 renamed: matchactions → actions; param 2 renamed: addr → address
      -void postMatchApply(ghidra.util.bytesearch.MatchAction[] matchactions, ghidra.program.model.address.Address addr)
      +void postMatchApply(ghidra.util.bytesearch.MatchAction[] actions, ghidra.program.model.address.Address address)
      Called just after any match rules are applied. Can be used for cross post rule matching state application and cleanup.
      Parameters:
      actions (was: matchactions) - the actions from the pattern that matched
      address (was: addr) - the address of match
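
The following is an added example, not code from the Ghidra project: a subclass that uses the postMatchApply hook to keep an auditable list of every address where a pattern fired, restricted to executable blocks. The names RecordingPatternSearcher, getHits and findInExecutableMemory are hypothetical, and the caller is assumed to already hold a List<Pattern> whose patterns carry their actions.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Program;
import ghidra.util.bytesearch.MatchAction;
import ghidra.util.bytesearch.MemoryBytePatternSearcher;
import ghidra.util.bytesearch.Pattern;
import ghidra.util.exception.CancelledException;
import ghidra.util.task.TaskMonitor;

/** Hypothetical helper (not part of Ghidra): records where patterns matched. */
public class RecordingPatternSearcher extends MemoryBytePatternSearcher {

    private final List<Address> hits = new ArrayList<>();

    public RecordingPatternSearcher(String searchName, List<Pattern> patterns) {
        super(searchName, patterns);
    }

    @Override
    public void postMatchApply(MatchAction[] actions, Address address) {
        // Called after the matched pattern's actions have been applied at this
        // address, so the recorded list reflects matches that were acted on.
        hits.add(address);
        super.postMatchApply(actions, address);
    }

    /** Read-only view of the match addresses, in the order they were reported. */
    public List<Address> getHits() {
        return Collections.unmodifiableList(hits);
    }

    /** Runs one search over the whole program and returns the recorded matches. */
    public static List<Address> findInExecutableMemory(Program program,
            List<Pattern> patterns, TaskMonitor monitor) throws CancelledException {
        RecordingPatternSearcher searcher =
            new RecordingPatternSearcher("Signature sweep", patterns);
        // Assumption from the parameter name doExecutableBlocksOnly:
        // true limits the search to executable memory blocks.
        searcher.setSearchExecutableOnly(true);
        searcher.searchAll(program, monitor); // throws CancelledException if canceled
        return searcher.getHits();
    }
}
```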