[Vol-dev] Patch: strings command optimization

Tim tim-volatility at sentinelchicken.org
Tue Aug 25 11:59:14 CDT 2009


Hello,

Please find attached a patch to speed up the Volatility strings
command.  On my slow laptop, a particular search for a single string
required around 2 hours and 25 minutes.  After these changes, the same
search requires 35 minutes.  (Measured in wall clock time.)
Notable changes include:

- Switched from guess-and-check style address probing (during the
  reverse map construction) to using get_available_pages().  On my
  test image, this cuts the number of vtop() calls down from 1M to
  something on the order of 55K for each process.  This more than made
  up for the additional overhead of calling get_available_pages().

- The above change also eliminates a 32-bit address space assumption
  appearing in top-level code, which I assume is a good thing.

- Reduced the number of reverse_map lookups.

- Moved parsing of the strings input file to an earlier point in
  processing so users don't have to wait until the end of the job to
  discover they didn't specify things correctly.


I can think of several other ways to make this faster and/or more
memory efficient, but most require changes to the address interface
(ever thought of providing a page iterator?).

Also, I added a few comments for future improvements to the user
interface and output.  I think currently there are problems with the
way that addresses appearing in large pages are reported, but I'm not
100% sure what the output is intended to mean, so I just kept it the
same for now.

DISCLAIMER: This is the first time I've seriously looked at the
Volatility code.  Please review/test it carefully before committing
the changes.

thanks!
tim
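The two reverse-map strategies the mail contrasts, plus the early parse of the strings input, as an added illustration (not the attached patch and not Volatility's own code). The address space, its mapping table, and every function name here are constructed stand-ins; `vtop()` and `get_available_pages()` only mimic the shape of the Volatility calls named above.

```python
PAGE = 0x1000
MASK = PAGE - 1
class ToyAddressSpace:
    """Constructed stand-in for a Volatility process address space (hypothetical)."""
    def __init__(self, pid, mapping):
        self.pid, self.mapping, self.vtop_calls = pid, mapping, 0  # mapping: vpage -> ppage

    def vtop(self, vaddr):
        self.vtop_calls += 1
        ppage = self.mapping.get(vaddr & ~MASK)
        return None if ppage is None else ppage | (vaddr & MASK)

    def get_available_pages(self):
        for vpage in sorted(self.mapping):
            yield vpage, PAGE

def reverse_map_probe(space, max_vaddr):
    """Old approach: guess-and-check every page below a fixed (32-bit) limit."""
    rmap = {}
    for vpage in range(0, max_vaddr, PAGE):
        ppage = space.vtop(vpage)
        if ppage is not None:
            rmap.setdefault(ppage, []).append((space.pid, vpage))
    return rmap

def reverse_map_available(spaces):
    """New approach: only call vtop() on pages the space reports as mapped."""
    rmap = {}
    for space in spaces:
        for vpage, _size in space.get_available_pages():
            ppage = space.vtop(vpage)
            if ppage is not None:
                rmap.setdefault(ppage, []).append((space.pid, vpage))
    return rmap

def parse_strings_file(text):
    """Parse 'offset string' lines up front so bad input fails before the scan."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip(): continue
        off, _, s = line.strip().partition(" ")
        if not off.isdigit():
            raise ValueError("line %d: offset %r is not decimal" % (n, off))
        hits.append((int(off), s))
    return hits

def resolve(hits, rmap):
    """Map each physical string offset to the (pid, vaddr) pairs that own its page."""
    return [(off, s, [(pid, vp | (off & MASK)) for pid, vp in rmap.get(off & ~MASK, [])])
            for off, s in hits]
```

With two toy processes sharing one physical page, the probe version issues one `vtop()` call per page of the probed range while the available-pages version issues one per mapped page, which is the reduction the mail reports.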
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vmodules.py.diff
Type: text/x-diff
Size: 5276 bytes
Desc: not available
Url : https://lists.volatilesystems.com/pipermail/vol-dev/attachments/20090825/4cb4f2e1/vmodules.py.bin


More information about the Vol-dev mailing list