def reverse_cmdline(args):
    """Run the full reverse pass over the memory handler built from *args*.

    :param args: parsed command-line namespace, passed to cli.make_memory_handler
    :return: None
    """
    from haystack.reverse import api as rapi
    # cli picks the handler implementation (dump, live process, ...) from args.
    handler = cli.make_memory_handler(args)
    # The actual reversing work is delegated to the API layer.
    rapi.reverse_instances(handler)
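# Value of the 32-bit heap signature field that find_heap scans for, and the
# (osname, bits, offset) candidates giving where that field sits relative to a
# page-aligned heap start for each supported target.
_HEAP_SIGNATURE = 0xeeffeeff
_HEAP_SIGNATURE_LAYOUTS = [
    ('winxp', 32, 8), ('winxp', 64, 16),
    ('win7', 32, 100), ('win7', 64, 160),
]


def _build_find_heap_parser():
    """Build the argument parser for the haystack-find-heap command."""
    parser = cli.base_argparser('haystack-find-heap', "Find heaps in a dumpfile")
    parser.add_argument('--verbose', '-v', action='store_true', help='Verbose')
    parser.add_argument('--mappings', '-m', action='store_true', help='Show mappings')
    # only if address is present
    group = parser.add_argument_group('For a specific HEAP')
    group.add_argument('address', nargs='?', type=argparse_utils.int16, default=None, help='Load Heap from address (hex)')
    group.add_argument('--heap', '-p', action='store_true', help='Show the heap content')
    group.add_argument('--frontend', '-f', action='store_true', help='Show the frontend heap content')
    return parser


def _scan_for_heap_signatures(memory_handler):
    """Print every page of every mapping whose signature field matches _HEAP_SIGNATURE.

    Each mapping is walked page by page (0x1000 stride); for each candidate
    layout the 4-byte field at that layout's offset is read and compared.
    A hit on a page that is not the first page of its mapping is marked ' (!) '.

    :param memory_handler: handler whose get_mappings() yields mappings exposing
        start, end and read_bytes(address, size)
    """
    for m in memory_handler.get_mappings():
        for addr in range(m.start, m.end, 0x1000):
            special = ''
            # 'osname' rather than 'os' so the os module is not shadowed.
            for osname, bits, offset in _HEAP_SIGNATURE_LAYOUTS:
                # A mapping that does not end on a page boundary may not hold the
                # full 4-byte field for the last page; skip instead of raising.
                # Assumes m.end is exclusive, like the range() above — TODO confirm.
                if addr + offset + 4 > m.end:
                    continue
                signature = struct.unpack('I', m.read_bytes(addr + offset, 4))[0]
                if signature == _HEAP_SIGNATURE:
                    if addr != m.start:
                        special = ' (!) '
                    print('[+] %s %dbits  %s 0x%0.8x' % (osname, bits, special, addr), m)


def find_heap():
    """Entry point of haystack-find-heap: locate and analyse heaps in a dump.

    Parses sys.argv, builds the memory handler, optionally lists the process
    mappings, then either inspects the single heap at the given address
    (one_heap) or scans every mapping for heap signatures and prints the
    analysis of each heap reported by the heap finder.

    :return: None
    """
    argv = sys.argv[1:]
    parser = _build_find_heap_parser()
    opts = parser.parse_args(argv)
    cli.set_logging_level(opts)

    memory_handler = cli.make_memory_handler(opts)
    finder = memory_handler.get_heap_finder()

    # Show Target information. opts.bits / opts.osname are not declared above;
    # presumably cli.base_argparser adds them — verify against cli.
    if opts.bits or opts.osname:
        print('Forced target resolution:', memory_handler.get_target_platform())
    else:
        print('Automatic target resolution:', memory_handler.get_target_platform())

    if opts.mappings:
        # show all memory mappings
        print('Process mappings:')
        print('@start     @stop       File Offset M:m   ')
        for m in memory_handler.get_mappings():
            print(m)

    # An explicit address selects a single heap and skips the global scan.
    if opts.address is not None:
        one_heap(opts, finder)
        return

    print('Probable Process HEAPS:')
    _scan_for_heap_signatures(memory_handler)

    # Then show heap analysis
    print('Found Heaps:')

    for walker in finder.list_heap_walkers():
        validator = walker.get_heap_validator()
        validator.print_heap_analysis(walker.get_heap(), opts.verbose)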
def reverse_show_cmdline(args):
    """Print the record found at args.address, or None when there is none.

    :param args: parsed command-line namespace; args.address is the address
        handed to the reverse context
    :return: None
    """
    handler = cli.make_memory_handler(args)
    reverse_ctx = handler.get_reverse_context()
    ctx = reverse_ctx.get_context_for_address(args.address)
    try:
        print(ctx.get_record_at_address(args.address).to_string())
    except ValueError:
        # The context raises ValueError when no record is known at that address.
        print(None)
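def show_hex(args):
    """Print the raw bytes (repr) of the record at args.address, or None when there is none.

    :param args: parsed command-line namespace; args.address selects the record
    :return: None
    """
    memory_handler = cli.make_memory_handler(args)
    process_context = memory_handler.get_reverse_context()
    ctx = process_context.get_context_for_address(args.address)
    try:
        st = ctx.get_record_at_address(args.address)
        print(repr(st.bytes))
    except ValueError:
        # No record at that address; the exception object itself is not needed.
        print(None)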
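def make(opts):
    """Load a GEXF graph, keep the edges that stay inside the first heap, and print it.

    :param opts: parsed command-line namespace; opts.gexf is an open file whose
        .name is the GEXF path to read
    :raises IndexError: when the heap finder reports no heap walker
    :return: None
    """
    memory_handler = cli.make_memory_handler(opts)

    digraph = networkx.readwrite.gexf.read_gexf(opts.gexf.name)
    finder = memory_handler.get_heap_finder()
    walkers = finder.list_heap_walkers()
    if not walkers:
        # Fail with a clear message instead of a bare subscript error.
        raise IndexError('no heap walker found: cannot select a heap mapping')
    heap = walkers[0]

    # Node ids are hex address strings; keep only edges with both ends in the
    # heap mapping (membership is tested on the int address).
    heap_mapping = heap.get_heap_mapping()
    edges = [(x, y) for x, y in digraph.edges()
             if int(x, 16) in heap_mapping and int(y, 16) in heap_mapping]
    graph = networkx.DiGraph()
    graph.add_edges_from(edges)

    print_graph(graph, memory_handler)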
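def show_predecessors_cmdline(args):
    """
    Show the predecessors that point to a record at a particular address.

    Prints None when no record exists at args.address or when it has no
    predecessor; otherwise prints each predecessor as '#0x<address>' followed
    by its string form.

    :param args: cmdline args; args.address selects the child record
    :return: None
    """
    memory_handler = cli.make_memory_handler(args)
    process_context = memory_handler.get_reverse_context()
    ctx = process_context.get_context_for_address(args.address)
    try:
        child_record = ctx.get_record_at_address(args.address)
    except ValueError:
        # No record at that address; nothing to look up.
        print(None)
        return

    records = api.get_record_predecessors(memory_handler, child_record)
    if not records:
        print(None)
    else:
        for p_record in records:
            print('#0x%x\n%s\n' % (p_record.address, p_record.to_string()))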