Example #1
0
def search_cmdline(args):
    """ Search for instance of a record_type in the allocated memory of a process. """
    # get the memory handler adequate for the type requested
    memory_handler = get_memory_handler(args)
    # try to load constraints
    my_constraints = None
    if args.constraints_file:
        handler = constraints.ConstraintsConfigHandler()
        my_constraints = handler.read(args.constraints_file.name)
    # get the python record type
    modulename, sep, classname = args.record_type_name.rpartition('.')
    module = None
    try:
        module = memory_handler.get_model().import_module(modulename)
    except ImportError as e:
        log.error('sys.path is %s', sys.path)
        raise e
    record_type = getattr(module, classname)
    # do the search
    results = api.search_record(memory_handler, record_type, my_constraints, extended_search=args.extended)
    # output handling
    try:
        ret = get_output(memory_handler, results, args.output)
        # print output on stdout
        print(ret)
    except Exception as e:
        log.error(e)
    finally:
        if args.interactive:
            print('results are local variable "results"')
            import code
            code.interact(local=locals())
    return
Example #2
0
    def test_search(self):
        handler = constraints.ConstraintsConfigHandler()
        my_constraints = handler.read('test/src/ctypes6.constraints')
        results = api.search_record(self.memory_handler, self.node, my_constraints)
        # 2 from test1
        # 3 from test_pointer_to_list
        # the rest have bad values in constrainged fields
        self.assertEqual(len(results), 2 + 3)
        # FIXME: that is a weird idea, that allocations are ordered that way
        (node1, offset1), (node2, offset2) = results[:2]
        self.assertEqual(node1.val1, 0xdeadbeef)
        self.assertEqual(node1.val2, 0xffffffff)
        self.assertEqual(node2.val1, 0xdeadbabe)
        self.assertEqual(node2.val2, 0xffffffff)

        # FIXME there is a circular reference in json.
        #with self.assertRaises(ValueError):
        #    api.output_to_json(self.memory_handler, results)
        #self.assertEqual(node2s['val1'], 0xdeadbabe)
        #self.assertEqual(node2s['val2'], 0xffffffff)
        model = self.memory_handler.get_model()
        #import code
        #code.interact(local=locals())
        x = api.output_to_pickle(self.memory_handler, results)
        rest = pickle.loads(x)
        return
Example #3
0
    def test_search(self):
        handler = constraints.ConstraintsConfigHandler()
        my_constraints = handler.read('test/src/ctypes6.constraints')
        results = api.search_record(self.memory_handler, self.node,
                                    my_constraints)
        # 2 from test1
        # 3 from test_pointer_to_list
        # the rest have bad values in constrainged fields
        self.assertEqual(len(results), 2 + 3)
        # FIXME: that is a weird idea, that allocations are ordered that way
        (node1, offset1), (node2, offset2) = results[:2]
        self.assertEqual(node1.val1, 0xdeadbeef)
        self.assertEqual(node1.val2, 0xffffffff)
        self.assertEqual(node2.val1, 0xdeadbabe)
        self.assertEqual(node2.val2, 0xffffffff)

        # FIXME there is a circular reference in json.
        #with self.assertRaises(ValueError):
        #    api.output_to_json(self.memory_handler, results)
        #self.assertEqual(node2s['val1'], 0xdeadbabe)
        #self.assertEqual(node2s['val2'], 0xffffffff)
        model = self.memory_handler.get_model()
        #import code
        #code.interact(local=locals())
        x = api.output_to_pickle(self.memory_handler, results)
        rest = pickle.loads(x)
        return
Example #4
0
def search_cmdline(args):
    """ Search for instance of a record_type in the allocated memory of a process. """
    # get the memory handler adequate for the type requested
    memory_handler = get_memory_handler(args)
    # try to load constraints
    my_constraints = None
    if args.constraints_file:
        handler = constraints.ConstraintsConfigHandler()
        my_constraints = handler.read(args.constraints_file.name)
    # get the python record type
    modulename, sep, classname = args.record_type_name.rpartition('.')
    module = None
    try:
        module = memory_handler.get_model().import_module(modulename)
    except ImportError as e:
        log.error('sys.path is %s', sys.path)
        raise e
    record_type = getattr(module, classname)
    # do the search
    results = api.search_record(memory_handler, record_type, my_constraints, extended_search=args.extended)
    # output handling
    try:
        ret = get_output(memory_handler, results, args.output)
        # print output on stdout
        print ret
    except Exception as e:
        log.error(e)
    finally:
        if args.interactive:
            print 'results are local variable "results"'
            import code
            code.interact(local=locals())
    return
Example #5
0
 def test_search(self):
     results = api.search_record(self.memory_handler, self.ctypes3.struct_test3)
     # without constraints, struct_test3 could be mapped pretty much anywhere in x64
     # all valid record addresses are in self.offsets
     valid = self.offsets['test1'] + self.offsets['test3']
     self.assertEqual(len(results), len(valid))
     for record, addr in results:
         self.assertIn(addr, valid)
Example #6
0
 def test_search(self):
     results = api.search_record(self.memory_handler, self.ctypes3.struct_test3)
     # without constraints, struct_test3 can only be mapped correctly to sutrc_test3.
     # struct_node is too small in x32
     valid = self.offsets['test3']
     self.assertEqual(len(results), len(valid))
     for record, addr in results:
         self.assertIn(addr, valid)
Example #7
0
 def test_search(self):
     results = api.search_record(self.memory_handler,
                                 self.ctypes3.struct_test3)
     # without constraints, struct_test3 could be mapped pretty much anywhere in x64
     # all valid record addresses are in self.offsets
     valid = self.offsets['test1'] + self.offsets['test3']
     self.assertEqual(len(results), len(valid))
     for record, addr in results:
         self.assertIn(addr, valid)
Example #8
0
 def test_search(self):
     results = api.search_record(self.memory_handler,
                                 self.ctypes3.struct_test3)
     # without constraints, struct_test3 can only be mapped correctly to sutrc_test3.
     # struct_node is too small in x32
     valid = self.offsets['test3']
     self.assertEqual(len(results), len(valid))
     for record, addr in results:
         self.assertIn(addr, valid)
Example #9
0
    def test_search_with_constraints(self):
        # now add some constraints to the search for struct_test3
        handler = constraints.ConstraintsConfigHandler()
        my_constraints = handler.read('test/src/ctypes3.constraints')
        results = api.search_record(self.memory_handler, self.ctypes3.struct_test3, my_constraints)
        # all valid record addresses are in self.offsets
        valid = self.offsets['test3']
        self.assertEqual(len(results), len(valid))
        for record, addr in results:
            self.assertIn(addr, valid)

        # search struct_Node with constraints
        results = api.search_record(self.memory_handler, self.ctypes3.struct_Node, my_constraints)
        # check the string output
        out = api.output_to_string(self.memory_handler, results)
        valid = self.offsets['test1']
        self.assertEqual(len(results), len(valid))
        for x in valid:
            self.assertIn(hex(x), out)
        # all valid record addresses are in self.offsets
        for record, addr in results:
            self.assertIn(addr, valid)
Example #10
0
    def reverse_record(self, _context, record_name):
        """
        _record is actually a record_type_name
        """
        from haystack.search import api
        modulename, sep, classname = record_name.rpartition('.')
        module = self._memory_handler.get_model().import_module(modulename)
        record_type = getattr(module, classname)
        # now launch the search
        results = api.search_record(self._memory_handler, record_type, self.__constraints, False)

        addresses = [addr for _, addr in results]
        self.__search_results[record_name] = addresses
        return
Example #11
0
    def reverse_record(self, _context, record_name):
        """
        _record is actually a record_type_name
        """
        from haystack.search import api
        modulename, sep, classname = record_name.rpartition('.')
        module = self._memory_handler.get_model().import_module(modulename)
        record_type = getattr(module, classname)
        # now launch the search
        results = api.search_record(self._memory_handler, record_type,
                                    self.__constraints, False)

        addresses = [addr for _, addr in results]
        self.__search_results[record_name] = addresses
        return
Example #12
0
    def test_search_with_constraints(self):
        # now add some constraints to the search for struct_test3
        handler = constraints.ConstraintsConfigHandler()
        my_constraints = handler.read('test/src/ctypes3.constraints')
        results = api.search_record(self.memory_handler,
                                    self.ctypes3.struct_test3, my_constraints)
        # all valid record addresses are in self.offsets
        valid = self.offsets['test3']
        self.assertEqual(len(results), len(valid))
        for record, addr in results:
            self.assertIn(addr, valid)

        # search struct_Node with constraints
        results = api.search_record(self.memory_handler,
                                    self.ctypes3.struct_Node, my_constraints)
        # check the string output
        out = api.output_to_string(self.memory_handler, results)
        valid = self.offsets['test1']
        self.assertEqual(len(results), len(valid))
        for x in valid:
            self.assertIn(hex(x), out)
        # all valid record addresses are in self.offsets
        for record, addr in results:
            self.assertIn(addr, valid)
Example #13
0
def search_cmdline(args):
    """ Internal cmdline mojo. """
    # get the memory handler adequate for the type requested
    memory_handler = _get_memory_handler(args)
    # print output on stdout
    rtype = _get_output_style(args)
    # try to load constraints
    # mapper
    if args.constraints_file:
        handler = constraints.ConstraintsConfigHandler()
        my_constraints = handler.read(args.constraints_file.name)
    else:
        my_constraints = None
    # get the structure name
    modulename, sep, classname = args.struct_name.rpartition('.')
    module = memory_handler.get_model().import_module(modulename)
    struct_type = getattr(module, classname)
    # do the search
    results = api.search_record(memory_handler,
                                struct_type,
                                my_constraints,
                                extended_search=args.extended_search)
    if args.interactive:
        import code
        code.interact(local=locals())
    # output handling
    ret = None
    if rtype == 'string':
        ret = api.output_to_string(memory_handler, results)
    elif rtype == 'python':
        ret = api.output_to_python(memory_handler, results)
    elif rtype == 'json':
        ret = api.output_to_json(memory_handler, results)
    elif rtype == 'pickled':
        ret = api.output_to_pickle(memory_handler, results)
    else:
        raise ValueError('unknown output format')
    print ret
    return
Example #14
0
def search_cmdline(args):
    """ Internal cmdline mojo. """
    # get the memory handler adequate for the type requested
    memory_handler = _get_memory_handler(args)
    # print output on stdout
    rtype = _get_output_style(args)
    # try to load constraints
    # mapper
    if args.constraints_file:
        handler = constraints.ConstraintsConfigHandler()
        my_constraints = handler.read(args.constraints_file.name)
    else:
        my_constraints = None
    # get the structure name
    modulename, sep, classname = args.struct_name.rpartition('.')
    module = memory_handler.get_model().import_module(modulename)
    struct_type = getattr(module, classname)
    # do the search
    results = api.search_record(memory_handler, struct_type, my_constraints, extended_search=args.extended_search)
    if args.interactive:
        import code
        code.interact(local=locals())
    # output handling
    ret = None
    if rtype == 'string':
        ret = api.output_to_string(memory_handler, results)
    elif rtype == 'python':
        ret = api.output_to_python(memory_handler, results)
    elif rtype == 'json':
        ret = api.output_to_json(memory_handler, results)
    elif rtype == 'pickled':
        ret = api.output_to_pickle(memory_handler, results)
    else:
        raise ValueError('unknown output format')
    print ret
    return
Example #15
0

class FridaLoader(interfaces.IMemoryLoader):
    desc = 'Load a Minidump memory dump'

    def __init__(self, opts):
        self.loader = FridaMapper(opts.target.netloc,
                                  bits=opts.bits,
                                  os_name=opts.osname)

    def make_memory_handler(self):
        return self.loader.make_memory_handler()


# haystack-search frida://test-ctypes6.64 ctypes6_gen64.struct_usual
# haystack-search frida://1242 ctypes6_gen64.struct_usual
if __name__ == '__main__':
    mapper = FridaMapper('test-ctypes6.64')
    memory_handler = mapper.make_memory_handler()
    m = memory_handler.get_mappings()[0]
    # py3
    print(m.read_bytes(m.start, 100).hex())
    # py2
    #print(m.read_bytes(m.start, 100).encode("hex"))
    my_model = memory_handler.get_model()
    import sys
    sys.path.append('test/src/')
    test6 = my_model.import_module("ctypes6_gen64")
    from haystack.search import api
    api.search_record(memory_handler, test6.struct_usual)
        d['session'] = None
        return d


class FridaLoader(interfaces.IMemoryLoader):
    desc = 'Load a Minidump memory dump'

    def __init__(self, opts):
        self.loader = FridaMapper(opts.target.netloc, bits=opts.bits, os_name=opts.osname)

    def make_memory_handler(self):
        return self.loader.make_memory_handler()


# haystack-search frida://test-ctypes6.64 ctypes6_gen64.struct_usual
# haystack-search frida://1242 ctypes6_gen64.struct_usual
if __name__ == '__main__':
    mapper = FridaMapper('test-ctypes6.64')
    memory_handler = mapper.make_memory_handler()
    m = memory_handler.get_mappings()[0]
    # py3
    print(m.read_bytes(m.start, 100).hex())
    # py2
    #print(m.read_bytes(m.start, 100).encode("hex"))
    my_model = memory_handler.get_model()
    import sys
    sys.path.append('test/src/')
    test6 = my_model.import_module("ctypes6_gen64")
    from haystack.search import api
    api.search_record(memory_handler, test6.struct_usual)