def reverseLookup(opt):
from haystack.reverse import reversers
log.info("[+] Load context")
context = reversers.getContext(opt.dumpname)
addr = opt.struct_addr
while True:
log.info("[+] find offsets of struct_addr:%x" % (addr))
i = -1
structs = set()
try:
structs = context.listStructuresForPointerValue(addr)
except ValueError, e:
log.info("[+] Found no structures.")
return
log.info("[+] Found %d structures." % (len(structs)))
for st in structs:
st.decodeFields()
print st.toString()
# wait for input
import code
code.interact(local=locals())
sys.stdin.read(1)
addr = st._vaddr
def make(opts):
log.info('[+] Loading context of %s'%(opts.dump1))
context = reversers.getContext(opts.dump1) #'../../outputs/skype.1.a') # TODO
# refresh
if len(context.structures) != len(context.structures_addresses):
log.info('[+] Refreshing from %d structures cached'%( len(context.structures) ))
mallocRev = MallocReverser()
context = mallocRev.reverse(context)
mallocRev.check_inuse(context)
log.info('[+] Final %d structures from malloc blocs'%( len(context.structures) ))
heap1 = context.mappings.getHeap()
log.info('[+] Loading mappings of %s'%(opts.dump2))
newmappings = dump_loader.load( opts.dump2)
heap2 = newmappings.getHeap()
log.info('[+] finding diff values with %s'%(opts.dump2))
addrs = cmd_cmp(heap1, heap2, heap1.start)
# now compare with structures addresses
structures = []
realloc=0
log.info('[+] Looking at %d differences'%( len(addrs) ))
st = []
# joined iteration, found structure affected
# use info from malloc : structures.start + .size
addr_iter = iter(addrs)
structs_addr_iter = iter(context.malloc_addresses)
structs_size_iter = iter(context.malloc_sizes)
try:
addr = addr_iter.next()
st_addr = structs_addr_iter.next()
st_size = structs_size_iter.next()
cnt=1
while True:
while (addr - st_addr) >= st_size : # find st containing offset
st_addr = structs_addr_iter.next()
st_size = structs_size_iter.next()
# check for gaps
if (addr - st_addr) < 0: # went to far - no struct overlapping
while (addr - st_addr) < 0: # addr is in between two struct - dump all addr stuck out of malloc_chunks
addr = addr_iter.next()
pass
continue
#
if 0 <= (addr - st_addr) < st_size: # check if offset is really in st ( should be always if your not dumb/there no holes )
structures.append( context.structures[ st_addr ]) # tag the structure as different
cnt+=1
else:
## (addr - st_addr) < 0 # impossible by previous while
## (addr - st_addr) >= st_size # then continur
continue
while (addr - st_addr) < st_size : # enumerate offsets in st range
addr = addr_iter.next()
cnt+=1
except StopIteration,e:
pass
def makeSignatures(dumpname):
from haystack.reverse import reversers
log.debug('\t[-] Loading the context for a dumpname.')
context = reversers.getContext(dumpname)
heap = context.heap
log.info('[+] Make the signatures.')
sigMaker = SignatureMaker(heap)
sig = sigMaker.search()
return context, sig
def makeSizeCaches(dumpname):
''' gets all structures instances from the dump, order them by size.'''
from haystack.reverse import reversers
log.debug('\t[-] Loading the context for a dumpname.')
context = reversers.getContext(dumpname)
log.debug('\t[-] Make the size dictionnaries.')
sizeCache = StructureSizeCache(context)
sizeCache.cacheSizes()
return context, sizeCache
def make(opts):
fname = opts.gexf
#if __name__ == '__main__':
#if False:
#context = reversers.getContext('../../outputs/skype.1.a')
context = reversers.getContext(opts.dumpname)
#digraph=networkx.readwrite.gexf.read_gexf( '../../outputs/skype.1.a.gexf')
digraph=networkx.readwrite.gexf.read_gexf( opts.gexf.name)
heap = context.mappings.getHeap()
# only add heap structure with links
edges = [(x,y) for x,y in digraph.edges() if int(x,16) in heap and int(y,16) in heap]
graph = networkx.DiGraph()
graph.add_edges_from( edges )
printGraph(graph, os.path.basename(opts.dumpname) )
def make(opts):
fname = opts.gexf
#if __name__ == '__main__':
#if False:
#context = reversers.getContext('../../outputs/skype.1.a')
context = reversers.getContext(opts.dumpname)
#digraph=networkx.readwrite.gexf.read_gexf( '../../outputs/skype.1.a.gexf')
digraph = networkx.readwrite.gexf.read_gexf(opts.gexf.name)
heap = context.mappings.getHeap()
# only add heap structure with links
edges = [(x, y) for x, y in digraph.edges()
if int(x, 16) in heap and int(y, 16) in heap]
graph = networkx.DiGraph()
graph.add_edges_from(edges)
printGraph(graph, os.path.basename(opts.dumpname))
def reverseLookup(opt):
from haystack.reverse import reversers
log.info('[+] Load context')
context = reversers.getContext(opt.dumpname)
addr = opt.struct_addr
while True:
log.info('[+] find offsets of struct_addr:%x'%(addr))
i = -1
structs = set()
try:
structs = context.listStructuresForPointerValue(addr)
except ValueError,e:
log.info('[+] Found no structures.')
return
log.info('[+] Found %d structures.'%( len(structs) ))
for st in structs:
st.decodeFields()
print st.toString()
# wait for input
import code
code.interact(local=locals())
sys.stdin.read(1)
addr = st._vaddr
def make(opts):
log.info('[+] Loading context of %s' % (opts.dump1))
context = reversers.getContext(
opts.dump1) #'../../outputs/skype.1.a') # TODO
# refresh
if len(context.structures) != len(context.structures_addresses):
log.info('[+] Refreshing from %d structures cached' %
(len(context.structures)))
mallocRev = MallocReverser()
context = mallocRev.reverse(context)
mallocRev.check_inuse(context)
log.info('[+] Final %d structures from malloc blocs' %
(len(context.structures)))
heap1 = context.mappings.getHeap()
log.info('[+] Loading mappings of %s' % (opts.dump2))
newmappings = dump_loader.load(opts.dump2)
heap2 = newmappings.getHeap()
log.info('[+] finding diff values with %s' % (opts.dump2))
addrs = cmd_cmp(heap1, heap2, heap1.start)
# now compare with structures addresses
structures = []
realloc = 0
log.info('[+] Looking at %d differences' % (len(addrs)))
st = []
# joined iteration, found structure affected
# use info from malloc : structures.start + .size
addr_iter = iter(addrs)
structs_addr_iter = iter(context.malloc_addresses)
structs_size_iter = iter(context.malloc_sizes)
try:
addr = addr_iter.next()
st_addr = structs_addr_iter.next()
st_size = structs_size_iter.next()
cnt = 1
while True:
while (addr - st_addr) >= st_size: # find st containing offset
st_addr = structs_addr_iter.next()
st_size = structs_size_iter.next()
# check for gaps
if (addr - st_addr) < 0: # went to far - no struct overlapping
while (
addr - st_addr
) < 0: # addr is in between two struct - dump all addr stuck out of malloc_chunks
addr = addr_iter.next()
pass
continue
#
if 0 <= (
addr - st_addr
) < st_size: # check if offset is really in st ( should be always if your not dumb/there no holes )
structures.append(context.structures[st_addr]
) # tag the structure as different
cnt += 1
else:
## (addr - st_addr) < 0 # impossible by previous while
## (addr - st_addr) >= st_size # then continur
continue
while (addr - st_addr) < st_size: # enumerate offsets in st range
addr = addr_iter.next()
cnt += 1
except StopIteration, e:
pass
