def make_search_results(self, memory_handler, struct_type, my_constraints):
addr = int(self.config.ADDRESS, 16)
results = api.load_record(memory_handler,
struct_type,
addr,
load_constraints=my_constraints)
instance = api.output_to_string(memory_handler, [results])
yield (instance, addr)
logging.getLogger("model").setLevel(logging.INFO)
logging.getLogger("python").setLevel(logging.INFO)
fname = sys.argv[1]
mapper = CuckooProcessMapper(fname)
handler = mapper.make_memory_handler()
finder = handler.get_heap_finder()
heaps = finder.list_heap_walkers()
print "heaps", heaps
from haystack import api
from haystack.allocators.win32.winxp_32 import struct__HEAP
heap_constraints = finder._heap_module_constraints
m = handler.get_mapping_for_address(0x00480000)
res = api.load_record(handler, struct__HEAP, m.start, heap_constraints)
logging.getLogger("basicmodel").setLevel(logging.DEBUG)
v = api.validate_record(handler, res[0], heap_constraints)
logging.getLogger("basicmodel").setLevel(logging.INFO)
import code
code.interact(local=locals())
if len(heaps) == 0:
# no heaps ??!!
# it looks like 0x00030000 and other are..
#DEBUG:basicmodel:ptr: Segments[1] <class 'haystack.types.LP_4_struct__HEAP_SEGMENT'> LP_4_struct__HEAP_SEGMENT(26083328) 0x18e0000 INVALID
# explanation, not all mappings are dumped.
# from https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c
# (mbi.State & MEM_COMMIT) == 0 || (mbi.Protect & PAGE_GUARD) != 0 ||
logging.getLogger("model").setLevel(logging.INFO)
logging.getLogger("python").setLevel(logging.INFO)
fname = sys.argv[1]
mapper = CuckooProcessMapper(fname)
handler = mapper.make_memory_handler()
finder = handler.get_heap_finder()
heaps = finder.list_heap_walkers()
print("heaps", heaps)
from haystack import api
from haystack.allocators.win32.winxp_32 import struct__HEAP
heap_constraints = finder._heap_module_constraints
m = handler.get_mapping_for_address(0x00480000)
res = api.load_record(handler, struct__HEAP, m.start, heap_constraints)
logging.getLogger("basicmodel").setLevel(logging.DEBUG)
v = api.validate_record(handler, res[0], heap_constraints)
logging.getLogger("basicmodel").setLevel(logging.INFO)
import code
code.interact(local=locals())
if len(heaps) == 0:
# no heaps ??!!
# it looks like 0x00030000 and other are..
#DEBUG:basicmodel:ptr: Segments[1] <class 'haystack.types.LP_4_struct__HEAP_SEGMENT'> LP_4_struct__HEAP_SEGMENT(26083328) 0x18e0000 INVALID
# explanation, not all mappings are dumped.
# from https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c
# (mbi.State & MEM_COMMIT) == 0 || (mbi.Protect & PAGE_GUARD) != 0 ||
def make_search_results(self, memory_handler, struct_type, my_constraints):
addr = int(self.config.ADDRESS, 16)
results = api.load_record(memory_handler, struct_type, addr, load_constraints=my_constraints)
instance = api.output_to_string(memory_handler, [results])
yield (instance, addr)
