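def find_heap():
    """Command-line entry point: locate heaps in a memory dump.

    Reads the command line from ``sys.argv``, prints the resolved target
    platform and (with ``--mappings``) the process mappings.  When a hex
    ``address`` is given the work is delegated to ``one_heap``; otherwise
    every mapping is scanned for candidate heap signatures and the heap
    analysis of each walker returned by the heap finder is printed.

    Returns:
        None. All results are written to stdout.
    """
    argv = sys.argv[1:]
    parser = cli.base_argparser('haystack-find-heap', "Find heaps in a dumpfile")
    parser.add_argument('--verbose', '-v', action='store_true', help='Verbose')
    parser.add_argument('--mappings', '-m', action='store_true', help='Show mappings')
    # These options are only meaningful when a specific address is present.
    group = parser.add_argument_group('For a specific HEAP')
    group.add_argument('address', nargs='?', type=argparse_utils.int16, default=None, help='Load Heap from address (hex)')
    group.add_argument('--heap', '-p', action='store_true', help='Show the heap content')
    group.add_argument('--frontend', '-f', action='store_true', help='Show the frontend heap content')

    opts = parser.parse_args(argv)
    cli.set_logging_level(opts)

    memory_handler = cli.make_memory_handler(opts)
    finder = memory_handler.get_heap_finder()

    # Show how the target platform was chosen (forced by --bits/--osname from
    # the base parser, or resolved automatically from the dump).
    if opts.bits or opts.osname:
        print('Forced target resolution:', memory_handler.get_target_platform())
    else:
        print('Automatic target resolution:', memory_handler.get_target_platform())

    if opts.mappings:
        # show all memory mappings
        print('Process mappings:')
        print('@start     @stop       File Offset M:m   ')
        for m in memory_handler.get_mappings():
            print(m)

    if opts.address is not None:
        # A single heap was requested: inspect it and stop.
        one_heap(opts, finder)
        return

    print('Probable Process HEAPS:')
    _scan_heap_signatures(memory_handler)

    # Then show heap analysis
    print('Found Heaps:')

    for walker in finder.list_heap_walkers():
        validator = walker.get_heap_validator()
        validator.print_heap_analysis(walker.get_heap(), opts.verbose)

    return


def _scan_heap_signatures(memory_handler):
    """Print every page-aligned address whose signature field reads 0xeeffeeff.

    Each mapping is walked in 0x1000 steps; for each candidate page and each
    (osname, bits, offset) probe, the 32-bit value at ``addr + offset`` is
    compared with the heap signature ``0xeeffeeff``.  A hit that is not at
    the start of its mapping is flagged with ``(!)``.

    Args:
        memory_handler: object whose ``get_mappings()`` yields mappings with
            ``start``, ``end`` and ``read_bytes(addr, size)``.
    """
    # (os name, pointer width, byte offset of the 32-bit signature field)
    probes = [('winxp', 32, 8), ('winxp', 64, 16),
              ('win7', 32, 100), ('win7', 64, 160)]
    for m in memory_handler.get_mappings():
        for addr in range(m.start, m.end, 0x1000):
            # Only a signature at the very start of a mapping is the usual case.
            special = ' (!) ' if addr != m.start else ''
            # NOTE: 'osname' rather than 'os' so the os module is not shadowed.
            for osname, bits, offset in probes:
                raw = m.read_bytes(addr + offset, 4)
                if len(raw) != 4:
                    # A short read (probe past the end of a mapping whose end
                    # is not page aligned) cannot hold a signature; skip it
                    # instead of letting struct.unpack raise on the dump data.
                    continue
                # The probe table only lists Windows targets, which store this
                # field little-endian; an explicit format keeps the comparison
                # independent of the host's native byte order.
                signature = struct.unpack('<I', raw)[0]
                if signature == 0xeeffeeff:
                    print('[+] %s %dbits  %s 0x%0.8x' % (osname, bits, special, addr), m)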
def reverse():
    """Command-line entry point for the reverse tool.

    Reads the arguments from ``sys.argv``, builds the shared base parser
    described by ``REVERSE_DESC``, applies the verbosity setting and then
    dispatches to ``reverse_cmdline`` with the parsed options.
    """
    program = os.path.basename(sys.argv[0])
    parser = cli.base_argparser(program_name=program, description=REVERSE_DESC)
    parser.set_defaults(func=reverse_cmdline)
    options = parser.parse_args(sys.argv[1:])
    # Logging level is applied before dispatch so the command sees it.
    cli.set_logging_level(options)
    options.func(options)
def reverse_show():
    """Command-line entry point that shows one reversed record.

    Extends the base parser (``REVERSE_SHOW_DESC``) with a required hex
    ``address`` positional parsed by ``argparse_utils.int16``, applies the
    verbosity setting and dispatches to ``reverse_show_cmdline``.
    """
    program = os.path.basename(sys.argv[0])
    parser = cli.base_argparser(program_name=program, description=REVERSE_SHOW_DESC)
    parser.add_argument('address', type=argparse_utils.int16, help='Record memory address in hex')
    parser.set_defaults(func=reverse_show_cmdline)
    options = parser.parse_args(sys.argv[1:])
    # Logging level is applied before dispatch so the command sees it.
    cli.set_logging_level(options)
    options.func(options)
def reverse_hex():
    """Command-line entry point that hex-dumps a reversed record.

    Extends the base parser (``REVERSE_HEX_DESC``) with a hex ``address``
    positional parsed by ``argparse_utils.int16``, applies the verbosity
    setting and dispatches to ``show_hex``.
    """
    program = os.path.basename(sys.argv[0])
    parser = cli.base_argparser(program_name=program, description=REVERSE_HEX_DESC)
    parser.add_argument(
        'address',
        type=argparse_utils.int16,
        action='store',
        default=None,
        help='Specify the address of the record, or encompassed by the record',
    )
    parser.set_defaults(func=show_hex)
    options = parser.parse_args(sys.argv[1:])
    # Logging level is applied before dispatch so the command sees it.
    cli.set_logging_level(options)
    options.func(options)
def reverse_parents():
    """Command-line entry point that lists the predecessors of a record.

    Extends the base parser (``REVERSE_PARENT_DESC``) with a hex ``address``
    positional parsed by ``argparse_utils.int16``, applies the verbosity
    setting and dispatches to ``show_predecessors_cmdline``.
    """
    program = os.path.basename(sys.argv[0])
    parser = cli.base_argparser(program_name=program, description=REVERSE_PARENT_DESC)
    parser.add_argument(
        'address',
        type=argparse_utils.int16,
        action='store',
        default=None,
        help='Hex address of the child structure',
    )
    parser.set_defaults(func=show_predecessors_cmdline)
    options = parser.parse_args(sys.argv[1:])
    # Logging level is applied before dispatch so the command sees it.
    cli.set_logging_level(options)
    options.func(options)
def minidump_reverse_hex():
    """Command-line entry point: hex-dump a reversed record from a minidump.

    Adds a ``dump_filename`` positional (validated by
    ``argparse_utils.readable``) to the base parser, lets
    ``reverse_hex_argparser`` register the remaining arguments, forces
    ``opts.dumptype`` to ``cli.DUMPTYPE_MINIDUMP`` after parsing, applies the
    verbosity setting and dispatches to ``opts.func``.
    """
    program = os.path.basename(sys.argv[0])
    description = REVERSE_HEX_DESC + cli.DUMPTYPE_MINIDUMP_DESC
    parser = cli.base_argparser(program_name=program, description=description)
    parser.add_argument(
        'dump_filename',
        type=argparse_utils.readable,
        help='Use this memory dump file',
    )
    reverse_hex_argparser(parser)
    options = parser.parse_args(sys.argv[1:])
    # The dump type is fixed by this entry point, not chosen on the command line.
    options.dumptype = cli.DUMPTYPE_MINIDUMP
    cli.set_logging_level(options)
    options.func(options)
def main_reverse_parents():
    """Command-line entry point: list record predecessors from a dump folder.

    Adds a ``dump_folder_name`` positional (validated by
    ``argparse_utils.readable``) to the base parser, lets
    ``reverse_parents_argparser`` register the remaining arguments, forces
    ``opts.dumptype`` to ``cli.DUMPTYPE_BASE`` after parsing, applies the
    verbosity setting and dispatches to ``opts.func``.
    """
    program = os.path.basename(sys.argv[0])
    description = REVERSE_PARENT_DESC + cli.DUMPTYPE_BASE_DESC
    parser = cli.base_argparser(program_name=program, description=description)
    parser.add_argument(
        'dump_folder_name',
        type=argparse_utils.readable,
        help='Use this memory dump folder',
    )
    reverse_parents_argparser(parser)
    options = parser.parse_args(sys.argv[1:])
    # The dump type is fixed by this entry point, not chosen on the command line.
    options.dumptype = cli.DUMPTYPE_BASE
    cli.set_logging_level(options)
    options.func(options)
def main(argv):
    """Command-line entry point for the pointer-graph tool.

    Builds the base parser with a required ``gexf`` positional opened in
    binary mode by ``argparse.FileType('rb')``, applies the verbosity
    setting and dispatches to ``make`` with the parsed options.

    Args:
        argv: ignored; the command line is always taken from ``sys.argv[1:]``.
            NOTE(review): callers may already pass the full ``sys.argv`` here,
            so honouring the parameter would change what the parser sees --
            confirm the call sites before changing this.
    """
    program = os.path.basename(sys.argv[0])
    parser = cli.base_argparser(
        program_name=program,
        description='Play with graph repr of pointers relationships.',
    )
    parser.add_argument(
        'gexf',
        type=argparse.FileType('rb'),
        action='store',
        help='Source gexf.',
    )
    parser.set_defaults(func=make)
    options = parser.parse_args(sys.argv[1:])
    # Logging level is applied before dispatch so the command sees it.
    cli.set_logging_level(options)
    options.func(options)