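def _init2(self):
    """Populate this heap context from a walk of its heap.

    Makes sure the dump's cache folder exists, then records every pointer
    found in allocated space (``_pointers_offsets`` / ``_pointers_values``)
    and the addresses and sizes of the user allocations
    (``_structures_addresses`` / ``_structures_sizes``) as returned by
    ``utils.cache_get_user_allocations``.
    """
    log.debug('[+] HeapContext on heap 0x%x', self.heap.get_marked_heap_address())
    # Create the cache folder with a plain mkdir and tolerate "already
    # exists", instead of an os.access() check followed by mkdir: the
    # check-then-create pair can race with another process creating the
    # same folder in between, which would make the mkdir fail.
    cache_folder = config.get_cache_folder_name(self.dumpname)
    try:
        os.mkdir(cache_folder)
    except OSError:
        # Only an existing directory is acceptable; permission errors or a
        # missing parent must surface.
        if not os.path.isdir(cache_folder):
            raise
    # we need a heap walker to parse all allocations
    finder = self.memory_handler.get_heap_finder()
    heap_walker = finder.get_heap_walker(self.heap)
    log.debug('[+] Searching pointers in heap')
    # get all pointers found in allocated space.
    all_offsets, all_values = self.get_heap_pointers_from_allocated(heap_walker)
    self._pointers_values = all_values
    self._pointers_offsets = all_offsets
    log.debug('[+] Gathering allocated heap chunks')
    res = utils.cache_get_user_allocations(self, heap_walker)
    self._structures_addresses, self._structures_sizes = res
    # clean a bit the open fd's
    self.memory_handler.reset_mappings()
    # function pointer name reversal is not done here (left to reversers);
    # the attribute is still initialised so later readers find an empty map.
    self._function_names = dict()
    return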
def reverse(self):
    """Run the parent reversal, then write both pointer graphs as GEXF.

    ``_master_graph`` is saved as ``config.CACHE_GRAPH`` and ``_heaps_graph``
    as ``config.CACHE_GRAPH_HEAP``, both inside the dump's cache folder.
    Node and edge counts are logged for each graph before writing.
    """
    super(PointerGraphReverser, self).reverse()
    # networkx is only needed for the export, hence the local import
    import networkx

    cache_folder = config.get_cache_folder_name(self._memory_handler.get_name())
    master_path = os.path.sep.join([cache_folder, config.CACHE_GRAPH])
    heaps_path = os.path.sep.join([cache_folder, config.CACHE_GRAPH_HEAP])

    def export(graph, target, nodes_msg, edges_msg):
        # log the graph size, then serialise it to the cache folder
        log.info(nodes_msg, graph.number_of_nodes())
        log.info(edges_msg, graph.number_of_edges())
        networkx.readwrite.gexf.write_gexf(graph, target)

    export(self._master_graph, master_path,
           '[+] Process Graph == %d Nodes',
           '[+] Process Graph == %d Edges')
    export(self._heaps_graph, heaps_path,
           '[+] Process Heaps Graph == %d Nodes',
           '[+] Process Heaps Graph == %d Edges')
    return
def load_process_graph(self):
    """Read the process pointer graph back from the dump's cache folder.

    Returns the networkx graph stored as ``config.CACHE_GRAPH`` (GEXF).
    """
    import networkx
    cache_folder = config.get_cache_folder_name(self._memory_handler.get_name())
    graph_path = os.path.sep.join([cache_folder, config.CACHE_GRAPH])
    return networkx.readwrite.gexf.read_gexf(graph_path)
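def reverse_instances(memory_handler):
    """Reverse every heap of the process held by *memory_handler*.

    The reversers run in dependency order: field typing, text-field
    correction, doubly-linked-list detection (with list renaming), then
    pointer-field typing. Each heap context and the reversed types are
    saved, the pointer graph is built, and finally strings are extracted.

    :param memory_handler: an ``interfaces.IMemoryHandler`` for the dump
    :return: the process reverse context from
        ``memory_handler.get_reverse_context()``
    :raises AssertionError: if *memory_handler* is not an IMemoryHandler
        (the check is an ``assert`` and so is skipped under ``python -O``)
    """
    assert isinstance(memory_handler, interfaces.IMemoryHandler)
    process_context = memory_handler.get_reverse_context()

    log.info('Reversing Fields')
    dsa.FieldReverser(memory_handler).reverse()

    log.info('Fixing Text Fields')
    dsa.TextFieldCorrection(memory_handler).reverse()

    # try to find some logical constructs.
    log.info('Reversing DoubleLinkedListReverser')
    doublelink = reversers.DoubleLinkedListReverser(memory_handler)
    doublelink.reverse()
    doublelink.rename_all_lists()

    # then and only then can we look at the PointerFields:
    # identify pointer relations between allocators
    log.info('Reversing PointerFields')
    pointertypes.PointerFieldReverser(memory_handler).reverse()

    # persist per-heap records, then the process-wide types
    log.info('Saving reversed records instances')
    for heap_context in process_context.list_contextes():
        heap_context.save_structures()
        # save to file
        save_headers(heap_context)
    log.info('Saving reversed records types')
    process_context.save_reversed_types()

    # graph pointer relations between allocators
    log.info('Reversing PointerGraph')
    reversers.PointerGraphReverser(memory_handler).reverse()

    # extract all strings
    log.info('Reversing strings')
    reversers.StringsReverser(memory_handler).reverse()

    log.info('Analysis results are in %s',
             config.get_cache_folder_name(memory_handler.get_name()))
    return process_context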
def reverse(self):
    """Run the parent reversal, then write both pointer graphs as GEXF.

    ``_master_graph`` is saved as ``config.CACHE_GRAPH`` and ``_heaps_graph``
    as ``config.CACHE_GRAPH_HEAP``, both inside the dump's cache folder.
    Node and edge counts are logged for each graph before writing.
    """
    super(PointerGraphReverser, self).reverse()
    # networkx is only needed for the export, hence the local import
    import networkx

    cache_folder = config.get_cache_folder_name(self._memory_handler.get_name())
    master_path = os.path.sep.join([cache_folder, config.CACHE_GRAPH])
    heaps_path = os.path.sep.join([cache_folder, config.CACHE_GRAPH_HEAP])

    def export(graph, target, nodes_msg, edges_msg):
        # log the graph size, then serialise it to the cache folder
        log.info(nodes_msg, graph.number_of_nodes())
        log.info(edges_msg, graph.number_of_edges())
        networkx.readwrite.gexf.write_gexf(graph, target)

    export(self._master_graph, master_path,
           '[+] Process Graph == %d Nodes',
           '[+] Process Graph == %d Edges')
    export(self._heaps_graph, heaps_path,
           '[+] Process Heaps Graph == %d Nodes',
           '[+] Process Heaps Graph == %d Edges')
    return
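def reverse_instances(memory_handler):
    """Reverse every heap of the process held by *memory_handler*.

    The reversers run in dependency order: field typing, text-field
    correction, doubly-linked-list detection (with list renaming), then
    pointer-field typing. Each heap context and the reversed types are
    saved, and finally the pointer graph is built.

    :param memory_handler: an ``interfaces.IMemoryHandler`` for the dump
    :return: the process reverse context from
        ``memory_handler.get_reverse_context()``
    :raises AssertionError: if *memory_handler* is not an IMemoryHandler
        (the check is an ``assert`` and so is skipped under ``python -O``)
    """
    assert isinstance(memory_handler, interfaces.IMemoryHandler)
    process_context = memory_handler.get_reverse_context()

    log.info('Reversing Fields')
    dsa.FieldReverser(memory_handler).reverse()

    log.info('Fixing Text Fields')
    dsa.TextFieldCorrection(memory_handler).reverse()

    # try to find some logical constructs.
    log.info('Reversing DoubleLinkedListReverser')
    doublelink = reversers.DoubleLinkedListReverser(memory_handler)
    doublelink.reverse()
    doublelink.rename_all_lists()

    # then and only then can we look at the PointerFields:
    # identify pointer relations between allocators
    log.info('Reversing PointerFields')
    pointertypes.PointerFieldReverser(memory_handler).reverse()

    # persist per-heap records, then the process-wide types
    log.info('Saving reversed records instances')
    for heap_context in process_context.list_contextes():
        heap_context.save_structures()
        # save to file
        save_headers(heap_context)
    log.info('Saving reversed records types')
    process_context.save_reversed_types()

    # graph pointer relations between allocators
    log.info('Reversing PointerGraph')
    reversers.PointerGraphReverser(memory_handler).reverse()

    log.info('Analysis results are in %s',
             config.get_cache_folder_name(memory_handler.get_name()))
    return process_context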
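def create_cache_folder(self):
    """Create the dump's cache folder and its record subfolder if missing.

    Nothing is removed: an existing cache folder is kept and reused, and
    only its absence is logged at info level.
    """
    cache_folder = config.get_cache_folder_name(self.memory_handler.get_name())
    # Create first and tolerate "already exists" rather than testing with
    # os.access() and then creating: the check-then-create pair can race
    # with another process creating the same folder in between.
    try:
        os.mkdir(cache_folder)
    except OSError:
        # anything other than an existing directory is a real failure
        if not os.path.isdir(cache_folder):
            raise
        log.debug("[+] Cache exists in %s", cache_folder)
    else:
        log.info("[+] Cache created in %s", cache_folder)
    # and the record subfolder
    self.create_record_cache_folder()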
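def setUp(self):
    """Load the 64-bit ctypes5 test dump and prepare its heap context.

    Resolves the ``struct_d`` offset from the recorded offsets, fetches the
    mapping and the reverse context for it, and makes sure the dump's
    record cache folder exists so the reversers can write into it.
    """
    self.memory_handler = dump_loader.load('test/src/test-ctypes5.64.dump')
    self._load_offsets_values(self.memory_handler.get_name())
    # make the test sources importable
    sys.path.append('test/src/')
    self.offset = self.offsets['struct_d'][0]
    self.m = self.memory_handler.get_mapping_for_address(self.offset)
    self._context = context.get_context_for_address(self.memory_handler, self.offset)
    # Ensure the record cache folder exists. Create-then-tolerate instead
    # of os.access() followed by mkdir: the check-then-create pair can
    # race with a concurrent run creating the same folder.
    record_cache = config.get_record_cache_folder_name(self._context.dumpname)
    try:
        os.mkdir(record_cache)
    except OSError:
        # only an already existing directory is acceptable
        if not os.path.isdir(record_cache):
            raise
    else:
        # report the folder that was actually created
        log.info("[+] Cache created in %s", record_cache)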
def print_graph(G, memory_handler):
    """Render *G* to a PNG and a GEXF file inside the dump's cache folder.

    A fresh ``DiGraph`` is built from the edges of *G*, laid out with
    graphviz and drawn with matplotlib. The dump name and the cache folder
    are printed as a progress trace. Output files are
    ``graph_<basename>.png`` and ``graph_<basename>.gexf``.
    """
    digraph = networkx.DiGraph()
    digraph.add_edges_from(G.edges())
    # graphviz positions the nodes, matplotlib does the drawing
    positions = graphviz_layout(digraph)
    networkx.draw(digraph, positions)

    dump_name = memory_handler.get_name()
    print(dump_name)
    base_name = os.path.basename(dump_name)
    cache_dir = config.get_cache_folder_name(dump_name)
    print(cache_dir)

    png_path = os.path.sep.join([cache_dir, 'graph_%s.png' % base_name])
    plt.savefig(png_path)
    # reset the current figure so the next draw starts clean
    plt.clf()

    gexf_path = os.path.sep.join([cache_dir, 'graph_%s.gexf' % base_name])
    networkx.readwrite.gexf.write_gexf(digraph, gexf_path)
    return
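def setUp(self):
    """Load the 64-bit ctypes5 test dump and prepare its heap context.

    Resolves the ``struct_d`` offset from the recorded offsets, fetches the
    mapping and the reverse context for it, and makes sure the dump's
    record cache folder exists so the reversers can write into it.
    """
    self.memory_handler = folder.load('test/src/test-ctypes5.64.dump')
    self._load_offsets_values(self.memory_handler.get_name())
    # make the test sources importable
    sys.path.append('test/src/')
    self.offset = self.offsets['struct_d'][0]
    self.m = self.memory_handler.get_mapping_for_address(self.offset)
    self._context = context.get_context_for_address(
        self.memory_handler, self.offset)
    # Ensure the record cache folder exists. Create-then-tolerate instead
    # of os.access() followed by mkdir: the check-then-create pair can
    # race with a concurrent run creating the same folder.
    record_cache = config.get_record_cache_folder_name(self._context.dumpname)
    try:
        os.mkdir(record_cache)
    except OSError:
        # only an already existing directory is acceptable
        if not os.path.isdir(record_cache):
            raise
    else:
        # report the folder that was actually created
        log.info("[+] Cache created in %s", record_cache)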
def get_folder_cache(self):
    """Return the cache folder path for this context's dump name."""
    dump_name = self.dumpname
    return config.get_cache_folder_name(dump_name)
def load_process_graph(self):
    """Read the process pointer graph back from the dump's cache folder.

    Returns the networkx graph stored as ``config.CACHE_GRAPH`` (GEXF).
    """
    import networkx
    cache_folder = config.get_cache_folder_name(self._memory_handler.get_name())
    graph_path = os.path.sep.join([cache_folder, config.CACHE_GRAPH])
    return networkx.readwrite.gexf.read_gexf(graph_path)