
Windows YARA scan across page boundaries

Open meck-gd opened this issue 1 year ago • 0 comments

Is your feature request related to a problem? Please describe.

I have a use case where I need to apply a YARA rule that in many cases spans multiple memory pages. I thought that windows.vadyarascan was made for this purpose - i.e., that it passes contiguous virtual memory areas belonging to a task to the scanner. However, that's not the case - chunks of 4K are scanned individually. To me this means I might as well have gone and executed YARA manually against the entire dump file (except that it won't tell me what PID it found a match in).

This makes me question the usefulness of YARA scanning in Volatility in general, as it may give you a false sense of security. If you have a YARA rule that generically matches a certain malware family, and you don't know beforehand if any of the strings happen to cross a page boundary (which can always happen by chance), you can never be sure if Volatility just didn't find it or if it's indeed not present.

Describe the solution you'd like

I'd like a plugin or option that scans processes with the same semantics as if the scan were executed on a live system, meaning contiguous virtual memory is scanned in one piece (or at least in bigger chunk sizes with a slight overlap for each chunk).

Describe alternatives you've considered

-

Additional information

My input file is an ELF produced by applying VirtualBox's debugvm command to a Windows VM.

meck-gd · May 28 '24 15:05
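The page-boundary problem described in the issue, as an added illustration that is not volatility3 code: a plain substring search stands in for the YARA engine, the two-page region and the marker string are constructed, and the overlap of `len(pattern) - 1` bytes is an assumption (for a real rule the overlap would have to cover the longest span the rule can match).

```python
# Added example, not part of volatility3. Shows why scanning each 4 KiB page in
# isolation misses a match that straddles a page boundary, and how scanning a
# contiguous region in overlapping chunks avoids it. All data is constructed.
PAGE_SIZE = 4096


def _find_all(buf: bytes, pattern: bytes) -> list[int]:
    """Offsets of every (possibly overlapping) occurrence of pattern in buf."""
    hits, off = [], buf.find(pattern)
    while off != -1:
        hits.append(off)
        off = buf.find(pattern, off + 1)
    return hits


def scan_per_page(region: bytes, pattern: bytes) -> list[int]:
    """Scan every page on its own (the behaviour the issue reports).
    A match whose bytes are split across two pages is never seen whole."""
    hits = []
    for base in range(0, len(region), PAGE_SIZE):
        page = region[base:base + PAGE_SIZE]
        hits.extend(base + off for off in _find_all(page, pattern))
    return hits


def scan_overlapping(region: bytes, pattern: bytes, chunk_size: int = PAGE_SIZE) -> list[int]:
    """Scan the contiguous region in chunks that each extend len(pattern)-1
    bytes into the next chunk (assumed overlap), so a match crossing a chunk
    edge is still seen. Hits are keyed by absolute offset to drop duplicates
    that the overlap window would otherwise report twice."""
    overlap = len(pattern) - 1
    hits = set()
    for base in range(0, len(region), chunk_size):
        chunk = region[base:base + chunk_size + overlap]
        hits.update(base + off for off in _find_all(chunk, pattern))
    return sorted(hits)


def build_region() -> tuple[bytes, bytes, int, int]:
    """Constructed two-page region: one marker fully inside page 0 and one
    starting 5 bytes before the page boundary, so it spans pages 0 and 1."""
    pattern = b"EVIL_MARKER_STRING"
    region = bytearray(2 * PAGE_SIZE)
    inside, straddling = 100, PAGE_SIZE - 5
    for start in (inside, straddling):
        region[start:start + len(pattern)] = pattern
    return bytes(region), pattern, inside, straddling
```

Running both scanners over the constructed region shows the per-page scan reporting only the marker that sits inside a page, while the overlapping scan reports both without duplicates.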