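def makeReversedTypes(context, sizeCache):
    """Build one reversed type per group of similar structures and retype pointers.

    Three passes over ``context``:

    1. Compare signatures within each size group (``buildStructureGroup``),
       chain similar structures together and, where possible, give each chain
       a single type name (``fixType``).
    2. For every instance, re-decode its fields and, for each pointer field
       whose target address lies inside the dump's heap, replace the field's
       ctype with a typed ``ctypes.POINTER`` to the target structure's type.
       A target that has no typed ctype yet (``getCtype`` raises
       ``TypeError``) is given one on the spot via ``fixInstanceType``.
    3. Let every reversed type compute its definitive fields (``makeFields``).

    Args:
        context: the reverse-engineering context; must provide
            ``listStructures``, ``heap``, ``getStructureForOffset`` and
            ``listReversedTypes``.
        sizeCache: size-grouping cache handed through unchanged to
            ``buildStructureGroup``.

    Returns:
        The same ``context`` object, mutated in place.
    """
    log.info(
        '[+] Build groups of similar instances, create a reversed type for each group.')
    for chains in buildStructureGroup(context, sizeCache):
        fixType(context, chains)

    log.info(
        '[+] For each instances, fix pointers fields to newly created types.')
    for s in context.listStructures():
        s.reset()
        s.decodeFields()
        for f in s.getPointerFields():
            addr = f._getValue(0)
            # Only pointers that resolve inside the dumped heap are retyped;
            # anything else (NULL, non-heap or garbage values) is left as-is.
            if addr not in context.heap:
                continue
            # Resolve the target once; the original looked it up twice when
            # the except branch fired.
            target = context.getStructureForOffset(addr)
            try:
                ctypes_type = target.getCtype()
            except TypeError:
                # Escapee: the target was never given a typed ctype.
                # Assign one now rather than aborting the whole pass.
                ctypes_type = fixInstanceType(context, target, getname())
            f.setCtype(ctypes.POINTER(ctypes_type))
            f.setComment('pointer fixed')

    log.info('[+] For new reversed type, fix their definitive fields.')
    for revStructType in context.listReversedTypes():
        revStructType.makeFields(context)

    return context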
  import ctypes
  for s in context.listStructures():
    s.reset()
    s.decodeFields()
    for f in s.getPointerFields():
      addr = f._getValue(0)
      if addr in context.heap:
        try:
          ctypes_type = context.getStructureForOffset(addr).getCtype()
        except TypeError,e: # we have escapees, withouth a typed type... saved them from exception
          ctypes_type = fixInstanceType(context, context.getStructureForOffset(addr), getname())
        f.setCtype( ctypes.POINTER(ctypes_type) )
        f.setComment('pointer fixed')
  
  log.info('[+] For new reversed type, fix their definitive fields.')
  for revStructType in context.listReversedTypes():
    revStructType.makeFields(context)

  # poitners not in the heap
  #for s in context.listStructures():
  #  for f in s.getPointerFields():
  #    if model.isVoidPointerType(f.getCtype()):
  #      print s,'has a c_void_p field', f._getValue(0), 
  #      print context.getStructureForOffset( f._getValue(0) )

    
  return context
  
def makeSignatures(dumpname):
  from haystack.reverse import context
  log.debug('\t[-] Loading the context for a dumpname.')