def _aggregateFields(self):
#if not self.pointerResolved:
# raise ValueError('I should be resolved')
self._dirty = True
self._fields.sort()
myfields = []
signature = self.getSignature()
pencoder = pattern.PatternEncoder(signature, minGroupSize=3)
patterns = pencoder.makePattern()
#txt = self.getSignature(text=True)
#log.warning('signature of len():%d, %s'%(len(txt),txt))
#p = pattern.findPatternText(txt, 2, 3)
#log.debug(p)
#log.debug('aggregateFields came up with pattern %s'%(patterns))
# pattern is made on FieldType,
#so we need to dequeue self.fields at the same time to enqueue in myfields
for nb, fieldTypesAndSizes in patterns:
#print 'fieldTypesAndSizes:',fieldTypesAndSizes
if nb == 1:
fieldType = fieldTypesAndSizes[0] # its a tuple
field = self._fields.pop(0)
myfields.append(field) # single el
#log.debug('simple field:%s '%(field) )
elif len(fieldTypesAndSizes
) > 1: # array of subtructure DEBUG XXX TODO
log.debug('substructure with sig %s' % (fieldTypesAndSizes))
myelements = []
for i in range(nb):
fields = [
self._fields.pop(0)
for i in range(len(fieldTypesAndSizes))
] # nb-1 left
#otherFields = [ self.fields.pop(0) for i in range((nb-1)*len(fieldTypesAndSizes)) ]
# need global ref to compare substructure signature to other anonstructure
firstField = FieldType.makeStructField(
self, fields[0].offset, fields)
myelements.append(firstField)
array = makeArrayField(self, myelements)
myfields.append(array)
#log.debug('array of structure %s'%(array))
elif len(fieldTypesAndSizes) == 1: #make array of elements or
log.debug('found array of %s' %
(self._fields[0].typename.basename))
fields = [self.fields.pop(0) for i in range(nb)]
array = makeArrayField(self, fields)
myfields.append(array)
#log.debug('array of elements %s'%(array))
else: # TODO DEBUG internal struct
raise ValueError('fields patterns len is incorrect %d' %
(len(fieldTypesAndSizes)))
log.debug('done with aggregateFields')
self._fields = myfields
#print 'final', self.fields
return
def _findSubStructures(self):
if not self._pointerResolved:
raise ValueError('I should be resolved')
self._dirty = True
self._fields.sort()
myfields = []
signature = self.getTypeSignature()
pencoder = pattern.PatternEncoder(signature, minGroupSize=2)
patterns = pencoder.makePattern()
txt = self.getTypeSignature(text=True)
p = pattern.findPatternText(txt, 1, 2)
log.debug('substruct typeSig: %s' % txt)
log.debug('substruct findPatterntext: %s' % p)
log.debug('substruct came up with pattern %s' % (patterns))
# pattern is made on FieldType,
#so we need to dequeue self.fields at the same time to enqueue in myfields
for nb, fieldTypes in patterns:
if nb == 1:
field = self._fields.pop(0)
myfields.append(field) # single el
#log.debug('simple field:%s '%(field) )
elif len(fieldTypes) > 1: # array of subtructure DEBUG XXX TODO
log.debug('fieldTypes:%s' % fieldTypes)
log.debug('substructure with sig %s' %
(''.join([ft.sig[0] for ft in fieldTypes])))
myelements = []
for i in range(nb):
fields = [
self._fields.pop(0) for i in range(len(fieldTypes))
] # nb-1 left
#otherFields = [ self.fields.pop(0) for i in range((nb-1)*len(fieldTypesAndSizes)) ]
# need global ref to compare substructure signature to other anonstructure
firstField = FieldType.makeStructField(
self, fields[0].offset, fields)
myelements.append(firstField)
array = makeArrayField(self, myelements)
myfields.append(array)
#log.debug('array of structure %s'%(array))
elif len(fieldTypes
) == 1: #make array of elements obase on same base type
log.debug('found array of %s' %
(self._fields[0].typename.basename))
fields = [self._fields.pop(0) for i in range(nb)]
array = makeArrayField(self, fields)
myfields.append(array)
#log.debug('array of elements %s'%(array))
else: # TODO DEBUG internal struct
raise ValueError('fields patterns len is incorrect %d' %
(len(fieldTypes)))
log.debug('done with findSubstructure')
self._fields = myfields
#print 'final', self.fields
return
def _aggregateFields(self):
# if not self.resolvedPointers:
# raise ValueError('I should be resolved')
self._dirty = True
self._fields.sort()
myfields = []
signature = self.getSignature()
pencoder = pattern.PatternEncoder(signature, minGroupSize=3)
patterns = pencoder.makePattern()
# txt = self.getSignature(text=True)
# log.warning('signature of len():%d, %s'%(len(txt),txt))
# p = pattern.findPatternText(txt, 2, 3)
# log.debug(p)
# log.debug('aggregateFields came up with pattern %s'%(patterns))
# pattern is made on FieldType,
# so we need to dequeue self.fields at the same time to enqueue in
# myfields
for nb, fieldTypesAndSizes in patterns:
# print 'fieldTypesAndSizes:',fieldTypesAndSizes
if nb == 1:
fieldType = fieldTypesAndSizes[0] # its a tuple
field = self._fields.pop(0)
myfields.append(field) # single el
# log.debug('simple field:%s '%(field) )
# array of subtructure DEBUG XXX TODO
elif len(fieldTypesAndSizes) > 1:
log.debug("substructure with sig %s" % (fieldTypesAndSizes))
myelements = []
for i in range(nb):
fields = [self._fields.pop(0) for i in range(len(fieldTypesAndSizes))] # nb-1 left
# otherFields = [ self.fields.pop(0) for i in range((nb-1)*len(fieldTypesAndSizes)) ]
# need global ref to compare substructure signature to
# other anonstructure
firstField = FieldType.makeStructField(self, fields[0].offset, fields)
myelements.append(firstField)
array = makeArrayField(self, myelements)
myfields.append(array)
# log.debug('array of structure %s'%(array))
elif len(fieldTypesAndSizes) == 1: # make array of elements or
log.debug("found array of %s" % (self._fields[0].typename.basename))
fields = [self.fields.pop(0) for i in range(nb)]
array = makeArrayField(self, fields)
myfields.append(array)
# log.debug('array of elements %s'%(array))
else: # TODO DEBUG internal struct
raise ValueError("fields patterns len is incorrect %d" % (len(fieldTypesAndSizes)))
log.debug("done with aggregateFields")
self._fields = myfields
# print 'final', self.fields
return
def _findSubStructures(self):
if not self.resolvedPointers:
raise ValueError("I should be resolved")
self._dirty = True
self._fields.sort()
myfields = []
signature = self.getTypeSignature()
pencoder = pattern.PatternEncoder(signature, minGroupSize=2)
patterns = pencoder.makePattern()
txt = self.getTypeSignature(text=True)
p = pattern.findPatternText(txt, 1, 2)
log.debug("substruct typeSig: %s" % txt)
log.debug("substruct findPatterntext: %s" % p)
log.debug("substruct came up with pattern %s" % (patterns))
# pattern is made on FieldType,
# so we need to dequeue self.fields at the same time to enqueue in
# myfields
for nb, fieldTypes in patterns:
if nb == 1:
field = self._fields.pop(0)
myfields.append(field) # single el
# log.debug('simple field:%s '%(field) )
elif len(fieldTypes) > 1: # array of subtructure DEBUG XXX TODO
log.debug("fieldTypes:%s" % fieldTypes)
log.debug("substructure with sig %s" % ("".join([ft.sig[0] for ft in fieldTypes])))
myelements = []
for i in range(nb):
fields = [self._fields.pop(0) for i in range(len(fieldTypes))] # nb-1 left
# otherFields = [ self.fields.pop(0) for i in range((nb-1)*len(fieldTypesAndSizes)) ]
# need global ref to compare substructure signature to
# other anonstructure
firstField = FieldType.makeStructField(self, fields[0].offset, fields)
myelements.append(firstField)
array = makeArrayField(self, myelements)
myfields.append(array)
# log.debug('array of structure %s'%(array))
# make array of elements obase on same base type
elif len(fieldTypes) == 1:
log.debug("found array of %s" % (self._fields[0].typename.basename))
fields = [self._fields.pop(0) for i in range(nb)]
array = makeArrayField(self, fields)
myfields.append(array)
# log.debug('array of elements %s'%(array))
else: # TODO DEBUG internal struct
raise ValueError("fields patterns len is incorrect %d" % (len(fieldTypes)))
log.debug("done with findSubstructure")
self._fields = myfields
# print 'final', self.fields
return
def resolvePointers(self):
raise NotImplementedError('Please use haystack.reverse.heuristics.dsa.EnrichedPointerFields')
if self.resolvedPointers:
return
structs_addrs, structCache = None, None
self._dirty=True
resolved = 0
pointerFields = self.getPointerFields()
log.debug('got %d pointerfields'%(len(pointerFields)))
known = 0
inHeap = 0
inMappings = 0
undecoded = 0
fromcache = 0
for field in pointerFields:
# shorcut
if hasattr(field, '_ptr_resolved'):
if field._ptr_resolved:
fromcache+=1
continue
# if pointed is not None: # erase previous info
tgt = None
try:
tgt = self._context.getStructureForAddr(field.value)
known+=1
field.target_struct_addr = field.value
field.ctypes = 'ctypes.POINTER(%s)'%(tgt) # change the basic ctypes
if not tgt._resolved: # fields have not been decoded yet
undecoded+=1
log.debug('target %s is undecoded'%(tgt))
continue
field._target_field = tgt[0] #first field of struct
except KeyError, e:
if field.value in self._heap:
# elif target is a STRING in the HEAP
# set pointer type to char_p
inHeap+=1
# TODO use context's helpers
tgt_struct, tgt_field = self._resolvePointerToStructField(field)
field.target_struct_addr = tgt_struct._vaddr
if tgt_field is not None:
### field.ctypes = str(tgt_struct) # no
field.typename = FieldType.makePOINTER(tgt_field.typename)
field._target_field = tgt_field
tgt = '%s_field_%s'%(tgt_field.struct, tgt_field.getName())
else:
undecoded+=1
#log.debug('target %x is unresolvable in a field'%(field.value))
pass
elif field.value in self._mappings: # other mappings
inMappings+=1
tgt = 'ext_lib_%d'%(field.offset)
field._ptr_to_ext_lib = True
field.target_struct_addr = self._mappings.getMmapForAddr(field.value).start
pass
#
if tgt is not None:
resolved+=1
field.setName('%s_%s'%(field.typename.basename, tgt))
field._ptr_resolved = True
def resolvePointers(self, structs_addrs, structCache):
if self._pointerResolved:
return
self._dirty = True
resolved = 0
pointerFields = self.getPointerFields()
log.debug('got %d pointerfields' % (len(pointerFields)))
known = 0
inHeap = 0
inMappings = 0
undecoded = 0
fromcache = 0
for field in pointerFields:
# shorcut
if hasattr(field, '_ptr_resolved'):
if field._ptr_resolved:
fromcache += 1
continue
# if pointed is not None: # erase previous info
tgt = None
if field.value in structs_addrs:
known += 1
tgt = structCache[field.value]
field.target_struct_addr = field.value
field.ctypes = 'ctypes.POINTER(%s)' % (
tgt) # change the basic ctypes
if not tgt.resolved: # fields have not been decoded yet
undecoded += 1
log.debug('target %s is undecoded' % (tgt))
continue
field._target_field = tgt[0] #first field of struct
elif field.value in self._mappings.getHeap():
# elif target is a STRING in the HEAP
# set pointer type to char_p
inHeap += 1
tgt_struct, tgt_field = self._resolvePointerToStructField(
field, structs_addrs, structCache)
field.target_struct_addr = tgt_struct._vaddr
if tgt_field is not None:
### field.ctypes = str(tgt_struct) # no
field.typename = FieldType.makePOINTER(tgt_field.typename)
field._target_field = tgt_field
tgt = '%s_field_%s' % (tgt_field.struct,
tgt_field.getName())
else:
undecoded += 1
#log.debug('target %x is unresolvable in a field'%(field.value))
pass
elif field.value in self._mappings: # other mappings
inMappings += 1
tgt = 'ext_lib_%d' % (field.offset)
field._ptr_to_ext_lib = True
field.target_struct_addr = self._mappings.getMmapForAddr(
field.value).start
pass
#
if tgt is not None:
resolved += 1
field.setName('%s_%s' % (field.typename.basename, tgt))
field._ptr_resolved = True
#log.debug('resolved %s %s (%d)'%(field.getName(), field, resolved))
log.debug('resolvePointers on t:%d,c:%d,r:%d, k:%d,h:%d,m:%d,u:%d' %
(len(pointerFields), fromcache, resolved, known, inHeap,
inMappings, undecoded))
#
if len(pointerFields) == (resolved + fromcache):
if resolved != 0:
log.debug('%s pointers are fully resolved' % (self))
self._pointerResolved = True
else:
self._pointerResolved = False
return
def resolvePointers(self, structs_addrs, structCache):
if self._pointerResolved:
return
self._dirty=True
resolved = 0
pointerFields = self.getPointerFields()
log.debug('got %d pointerfields'%(len(pointerFields)))
known = 0
inHeap = 0
inMappings = 0
undecoded = 0
fromcache = 0
for field in pointerFields:
# shorcut
if hasattr(field, '_ptr_resolved'):
if field._ptr_resolved:
fromcache+=1
continue
# if pointed is not None: # erase previous info
tgt = None
if field.value in structs_addrs:
known+=1
tgt = structCache[field.value]
field.target_struct_addr = field.value
field.ctypes = 'ctypes.POINTER(%s)'%(tgt) # change the basic ctypes
if not tgt.resolved: # fields have not been decoded yet
undecoded+=1
log.debug('target %s is undecoded'%(tgt))
continue
field._target_field = tgt[0] #first field of struct
elif field.value in self._mappings.getHeap():
# elif target is a STRING in the HEAP
# set pointer type to char_p
inHeap+=1
tgt_struct, tgt_field = self._resolvePointerToStructField(field, structs_addrs, structCache)
field.target_struct_addr = tgt_struct._vaddr
if tgt_field is not None:
### field.ctypes = str(tgt_struct) # no
field.typename = FieldType.makePOINTER(tgt_field.typename)
field._target_field = tgt_field
tgt = '%s_field_%s'%(tgt_field.struct, tgt_field.getName())
else:
undecoded+=1
#log.debug('target %x is unresolvable in a field'%(field.value))
pass
elif field.value in self._mappings: # other mappings
inMappings+=1
tgt = 'ext_lib_%d'%(field.offset)
field._ptr_to_ext_lib = True
field.target_struct_addr = self._mappings.getMmapForAddr(field.value).start
pass
#
if tgt is not None:
resolved+=1
field.setName('%s_%s'%(field.typename.basename, tgt))
field._ptr_resolved = True
#log.debug('resolved %s %s (%d)'%(field.getName(), field, resolved))
log.debug('resolvePointers on t:%d,c:%d,r:%d, k:%d,h:%d,m:%d,u:%d'%(len(pointerFields),
fromcache, resolved, known, inHeap, inMappings, undecoded))
#
if len(pointerFields) == (resolved+fromcache):
if resolved != 0 :
log.debug('%s pointers are fully resolved'%(self))
self._pointerResolved = True
else:
self._pointerResolved = False
return
def resolvePointers(self):
raise NotImplementedError(
'Please use haystack.reverse.heuristics.dsa.EnrichedPointerFields')
if self.resolvedPointers:
return
structs_addrs, structCache = None, None
self._dirty = True
resolved = 0
pointerFields = self.getPointerFields()
log.debug('got %d pointerfields' % (len(pointerFields)))
known = 0
inHeap = 0
inMappings = 0
undecoded = 0
fromcache = 0
for field in pointerFields:
# shorcut
if hasattr(field, '_ptr_resolved'):
if field._ptr_resolved:
fromcache += 1
continue
# if pointed is not None: # erase previous info
tgt = None
try:
tgt = self._context.getStructureForAddr(field.value)
known += 1
field.target_struct_addr = field.value
field.ctypes = 'ctypes.POINTER(%s)' % (
tgt) # change the basic ctypes
if not tgt._resolved: # fields have not been decoded yet
undecoded += 1
log.debug('target %s is undecoded' % (tgt))
continue
field._target_field = tgt[0] #first field of struct
except KeyError, e:
if field.value in self._heap:
# elif target is a STRING in the HEAP
# set pointer type to char_p
inHeap += 1
# TODO use context's helpers
tgt_struct, tgt_field = self._resolvePointerToStructField(
field)
field.target_struct_addr = tgt_struct._vaddr
if tgt_field is not None:
### field.ctypes = str(tgt_struct) # no
field.typename = FieldType.makePOINTER(
tgt_field.typename)
field._target_field = tgt_field
tgt = '%s_field_%s' % (tgt_field.struct,
tgt_field.getName())
else:
undecoded += 1
#log.debug('target %x is unresolvable in a field'%(field.value))
pass
elif field.value in self._mappings: # other mappings
inMappings += 1
tgt = 'ext_lib_%d' % (field.offset)
field._ptr_to_ext_lib = True
field.target_struct_addr = self._mappings.getMmapForAddr(
field.value).start
pass
#
if tgt is not None:
resolved += 1
field.setName('%s_%s' % (field.typename.basename, tgt))
field._ptr_resolved = True
def resolvePointers(self):
raise NotImplementedError("Please use haystack.reverse.heuristics.dsa.EnrichedPointerFields")
if self.resolvedPointers:
return
structs_addrs, structCache = None, None
self._dirty = True
resolved = 0
pointerFields = self.getPointerFields()
log.debug("got %d pointerfields" % (len(pointerFields)))
known = 0
inHeap = 0
inMappings = 0
undecoded = 0
fromcache = 0
for field in pointerFields:
# shorcut
if hasattr(field, "_ptr_resolved"):
if field._ptr_resolved:
fromcache += 1
continue
# if pointed is not None: # erase previous info
tgt = None
try:
tgt = self._context.getStructureForAddr(field.value)
known += 1
field.target_struct_addr = field.value
# change the basic ctypes
field.ctypes = "ctypes.POINTER(%s)" % (tgt)
if not tgt._resolved: # fields have not been decoded yet
undecoded += 1
log.debug("target %s is undecoded" % (tgt))
continue
field._target_field = tgt[0] # first field of struct
except KeyError as e:
if field.value in self._heap:
# elif target is a STRING in the HEAP
# set pointer type to char_p
inHeap += 1
# TODO use context's helpers
tgt_struct, tgt_field = self._resolvePointerToStructField(field)
field.target_struct_addr = tgt_struct._vaddr
if tgt_field is not None:
# field.ctypes = str(tgt_struct) # no
field.typename = FieldType.makePOINTER(tgt_field.typename)
field._target_field = tgt_field
tgt = "%s_field_%s" % (tgt_field.struct, tgt_field.getName())
else:
undecoded += 1
# log.debug('target %x is unresolvable in a field'%(field.value))
pass
elif field.value in self._mappings: # other mappings
inMappings += 1
tgt = "ext_lib_%d" % (field.offset)
field._ptr_to_ext_lib = True
field.target_struct_addr = self._mappings.get_mapping_for_address(field.value).start
pass
#
if tgt is not None:
resolved += 1
field.setName("%s_%s" % (field.typename.basename, tgt))
field._ptr_resolved = True
# log.debug('resolved %s %s (%d)'%(field.getName(), field, resolved))
log.debug(
"resolvePointers on t:%d,c:%d,r:%d, k:%d,h:%d,m:%d,u:%d"
% (len(pointerFields), fromcache, resolved, known, inHeap, inMappings, undecoded)
)
#
if len(pointerFields) == (resolved + fromcache):
if resolved != 0:
log.debug("%s pointers are fully resolved" % (self))
self._resolvedPointers = True
else:
self._resolvedPointers = False
return
