def search_cmdline(args): """ Search for instance of a record_type in the allocated memory of a process. """ # get the memory handler adequate for the type requested memory_handler = get_memory_handler(args) # try to load constraints my_constraints = None if args.constraints_file: handler = constraints.ConstraintsConfigHandler() my_constraints = handler.read(args.constraints_file.name) # get the python record type modulename, sep, classname = args.record_type_name.rpartition('.') module = None try: module = memory_handler.get_model().import_module(modulename) except ImportError as e: log.error('sys.path is %s', sys.path) raise e record_type = getattr(module, classname) # do the search results = api.search_record(memory_handler, record_type, my_constraints, extended_search=args.extended) # output handling try: ret = get_output(memory_handler, results, args.output) # print output on stdout print(ret) except Exception as e: log.error(e) finally: if args.interactive: print('results are local variable "results"') import code code.interact(local=locals()) return
def test_search(self): handler = constraints.ConstraintsConfigHandler() my_constraints = handler.read('test/src/ctypes6.constraints') results = api.search_record(self.memory_handler, self.node, my_constraints) # 2 from test1 # 3 from test_pointer_to_list # the rest have bad values in constrainged fields self.assertEqual(len(results), 2 + 3) # FIXME: that is a weird idea, that allocations are ordered that way (node1, offset1), (node2, offset2) = results[:2] self.assertEqual(node1.val1, 0xdeadbeef) self.assertEqual(node1.val2, 0xffffffff) self.assertEqual(node2.val1, 0xdeadbabe) self.assertEqual(node2.val2, 0xffffffff) # FIXME there is a circular reference in json. #with self.assertRaises(ValueError): # api.output_to_json(self.memory_handler, results) #self.assertEqual(node2s['val1'], 0xdeadbabe) #self.assertEqual(node2s['val2'], 0xffffffff) model = self.memory_handler.get_model() #import code #code.interact(local=locals()) x = api.output_to_pickle(self.memory_handler, results) rest = pickle.loads(x) return
def search_cmdline(args): """ Search for instance of a record_type in the allocated memory of a process. """ # get the memory handler adequate for the type requested memory_handler = get_memory_handler(args) # try to load constraints my_constraints = None if args.constraints_file: handler = constraints.ConstraintsConfigHandler() my_constraints = handler.read(args.constraints_file.name) # get the python record type modulename, sep, classname = args.record_type_name.rpartition('.') module = None try: module = memory_handler.get_model().import_module(modulename) except ImportError as e: log.error('sys.path is %s', sys.path) raise e record_type = getattr(module, classname) # do the search results = api.search_record(memory_handler, record_type, my_constraints, extended_search=args.extended) # output handling try: ret = get_output(memory_handler, results, args.output) # print output on stdout print ret except Exception as e: log.error(e) finally: if args.interactive: print 'results are local variable "results"' import code code.interact(local=locals()) return
def test_search(self): results = api.search_record(self.memory_handler, self.ctypes3.struct_test3) # without constraints, struct_test3 could be mapped pretty much anywhere in x64 # all valid record addresses are in self.offsets valid = self.offsets['test1'] + self.offsets['test3'] self.assertEqual(len(results), len(valid)) for record, addr in results: self.assertIn(addr, valid)
def test_search(self): results = api.search_record(self.memory_handler, self.ctypes3.struct_test3) # without constraints, struct_test3 can only be mapped correctly to sutrc_test3. # struct_node is too small in x32 valid = self.offsets['test3'] self.assertEqual(len(results), len(valid)) for record, addr in results: self.assertIn(addr, valid)
def test_search_with_constraints(self): # now add some constraints to the search for struct_test3 handler = constraints.ConstraintsConfigHandler() my_constraints = handler.read('test/src/ctypes3.constraints') results = api.search_record(self.memory_handler, self.ctypes3.struct_test3, my_constraints) # all valid record addresses are in self.offsets valid = self.offsets['test3'] self.assertEqual(len(results), len(valid)) for record, addr in results: self.assertIn(addr, valid) # search struct_Node with constraints results = api.search_record(self.memory_handler, self.ctypes3.struct_Node, my_constraints) # check the string output out = api.output_to_string(self.memory_handler, results) valid = self.offsets['test1'] self.assertEqual(len(results), len(valid)) for x in valid: self.assertIn(hex(x), out) # all valid record addresses are in self.offsets for record, addr in results: self.assertIn(addr, valid)
def reverse_record(self, _context, record_name): """ _record is actually a record_type_name """ from haystack.search import api modulename, sep, classname = record_name.rpartition('.') module = self._memory_handler.get_model().import_module(modulename) record_type = getattr(module, classname) # now launch the search results = api.search_record(self._memory_handler, record_type, self.__constraints, False) addresses = [addr for _, addr in results] self.__search_results[record_name] = addresses return
def search_cmdline(args): """ Internal cmdline mojo. """ # get the memory handler adequate for the type requested memory_handler = _get_memory_handler(args) # print output on stdout rtype = _get_output_style(args) # try to load constraints # mapper if args.constraints_file: handler = constraints.ConstraintsConfigHandler() my_constraints = handler.read(args.constraints_file.name) else: my_constraints = None # get the structure name modulename, sep, classname = args.struct_name.rpartition('.') module = memory_handler.get_model().import_module(modulename) struct_type = getattr(module, classname) # do the search results = api.search_record(memory_handler, struct_type, my_constraints, extended_search=args.extended_search) if args.interactive: import code code.interact(local=locals()) # output handling ret = None if rtype == 'string': ret = api.output_to_string(memory_handler, results) elif rtype == 'python': ret = api.output_to_python(memory_handler, results) elif rtype == 'json': ret = api.output_to_json(memory_handler, results) elif rtype == 'pickled': ret = api.output_to_pickle(memory_handler, results) else: raise ValueError('unknown output format') print ret return
class FridaLoader(interfaces.IMemoryLoader): desc = 'Load a Minidump memory dump' def __init__(self, opts): self.loader = FridaMapper(opts.target.netloc, bits=opts.bits, os_name=opts.osname) def make_memory_handler(self): return self.loader.make_memory_handler() # haystack-search frida://test-ctypes6.64 ctypes6_gen64.struct_usual # haystack-search frida://1242 ctypes6_gen64.struct_usual if __name__ == '__main__': mapper = FridaMapper('test-ctypes6.64') memory_handler = mapper.make_memory_handler() m = memory_handler.get_mappings()[0] # py3 print(m.read_bytes(m.start, 100).hex()) # py2 #print(m.read_bytes(m.start, 100).encode("hex")) my_model = memory_handler.get_model() import sys sys.path.append('test/src/') test6 = my_model.import_module("ctypes6_gen64") from haystack.search import api api.search_record(memory_handler, test6.struct_usual)
d['session'] = None return d class FridaLoader(interfaces.IMemoryLoader): desc = 'Load a Minidump memory dump' def __init__(self, opts): self.loader = FridaMapper(opts.target.netloc, bits=opts.bits, os_name=opts.osname) def make_memory_handler(self): return self.loader.make_memory_handler() # haystack-search frida://test-ctypes6.64 ctypes6_gen64.struct_usual # haystack-search frida://1242 ctypes6_gen64.struct_usual if __name__ == '__main__': mapper = FridaMapper('test-ctypes6.64') memory_handler = mapper.make_memory_handler() m = memory_handler.get_mappings()[0] # py3 print(m.read_bytes(m.start, 100).hex()) # py2 #print(m.read_bytes(m.start, 100).encode("hex")) my_model = memory_handler.get_model() import sys sys.path.append('test/src/') test6 = my_model.import_module("ctypes6_gen64") from haystack.search import api api.search_record(memory_handler, test6.struct_usual)