Fix dump memory (#2771)

nalves599 · web-flow · commit a187ad6768b8 · 2025-12-09T12:15:13.000+01:00
* analyzer/linux: improve memory map parse and fix error

* lib/cuckoo: fix unknown memory protection flags

This is a temporary fix because when processing the Linux memory
dumps it fails with an undefined value. Current it is incorrectly
parsing the dump, but this is useful to visualize the dumps.
diff --git a/analyzer/linux/analyzer.py b/analyzer/linux/analyzer.py
@@ -105,10 +105,15 @@ def dump_memory(pid):
         output_file = open(f"{MEM_PATH}/{pid}.dmp", "wb")
 
         for line in maps_file.readlines():
-            m = re.match(r"([0-9A-Fa-f]+)-([0-9A-Fa-f]+) ([-r])(\S+)\s+\d+\s+\S+\s+\d+\s*(.*)?", line)
-            if m and m.group(3) == "r":
+            # Reference: https://man7.org/linux/man-pages/man5/proc_pid_maps.5.html
+            m = re.match(r"^([0-9a-f]+)-([0-9a-f]+) ([-rwxsp]{4}) ([0-9a-f]+) (\d\d:\d\d) (\d+) *(.*)$", line)
+            if not m:
+                log.error("Could not parse memory map line for pid %s: %s", pid, line)
+                continue
+            perms = m.group(3)
+            pathname = m.group(7)
+            if "r" in perms:
                 # Testing: Uncomment to skip memory regions associated with dynamic libraries
-                # pathname = m.group(5)
                 # if pathname and (pathname.endswith('.so') or 'lib' in pathname or '[' in pathname):
                 # continue
                 start = int(m.group(1), 16)
@@ -118,7 +123,7 @@ def dump_memory(pid):
                     chunk = mem_file.read(end - start)
                     output_file.write(chunk)
                 except (OSError, ValueError) as e:
-                    log.error("Could not read memory range %s: {e}", f"{start:x}-{end:x}", str(e))
+                    log.error("Could not read memory range %x-%x (%s) (%s): %s", start, end, perms, pathname, e)
         maps_file.close()
         mem_file.close()
         output_file.close()
diff --git a/lib/cuckoo/common/objects.py b/lib/cuckoo/common/objects.py
@@ -796,7 +796,7 @@ def _prot_to_str(self, prot):
         if prot & PAGE_GUARD:
             return "G"
         prot &= 0xFF
-        return self.protmap[prot]
+        return self.protmap.get(prot, "UNKNOWN")
 
     def pretty_print(self):
         new_addr_space = copy.deepcopy(self.address_space)
