memory-scans

Type: object

Memory scan results. For each scanned memory section, where either a match was found or an error was emitted, one JSON object per line is stored.

 No Additional Properties

root match
Type: array

Contains information about matched rules. Is empty-array if no rules matched.

Each item of this array must be:

root match match.schema.json
Type: object

Information about a yara rule match

 No Additional Properties

root match match strings
Type: array

The exact strings of the yara rule, that were found, including their offsets in the memory segment.

Each item of this array must be:

root match match strings strings items
Type: object
No Additional Properties

root match match strings strings items offset
Type: number

The offset, where the string was found, relative to the start of the scanned memory segment or file. Note, this value can get very large. make sure your parser uses an int64.

root match match strings strings items name
Type: string

The name of the matched string as defined in the yara rule

root match match strings strings items base
Type: number

root match match namespace
Type: string

The namespace of the matched yara rule. This depends on how the rules where compiled.

root match match rule
Type: string

The name of the matched yara rule

root pid
Type: integer

PID of the scanned process

root error
Type: string or null

The error message or null if no error happened. Note, there may still be matches if an error happened.

root memorySegment
Type: integer

The base address of the scanned memory segment. This can be used to resolve the memory segment information in the processes.json. Note, this value can get very large. make sure your parser uses an int64.