def make_search_results(self, memory_handler, struct_type, my_constraints):
    """Yield the address of at most one ``struct_type`` hit per memory mapping.

    DEBUG variant: it drives ``searcher.AnyOffsetRecordSearcher`` directly and
    reaches into its private ``_search_in`` helper, asking for a single hit
    (``nb=1``) at ``align=0x1000`` offsets inside every mapping returned by
    ``memory_handler.get_mappings()``.  Because ``_search_in`` is non-public,
    this path is coupled to the searcher's internals and should not be
    preferred over the API-based variant.

    Args:
        memory_handler: haystack memory handler whose mappings are scanned.
        struct_type: record type to look for.
        my_constraints: constraints handed to the searcher.

    Yields:
        The address of the first decoded hit of each mapping, as produced by
        ``api.output_to_python``; mappings without a hit are skipped.
    """
    record_searcher = searcher.AnyOffsetRecordSearcher(memory_handler, my_constraints)
    for mapping in memory_handler.get_mappings():
        hits = record_searcher._search_in(mapping, struct_type, nb=1, align=0x1000)
        if not hits:
            continue
        # only the address of the first decoded hit is of interest here; the
        # decoded instance itself is discarded
        _record, address = api.output_to_python(memory_handler, hits)[0]
        yield address
def make_search_results(self, memory_handler, struct_type, my_constraints):
    """Yield the address of every ``struct_type`` record found through the API.

    PROD variant: the scan is delegated to ``api.search_record`` (with
    ``extended_search=False``, i.e. the haystack HEAP parsing path) and the
    raw results are decoded with ``api.output_to_python``.  Only the addresses
    are yielded; the decoded instances are dropped.

    Args:
        memory_handler: haystack memory handler to search.
        struct_type: record type to look for.
        my_constraints: constraints passed on to ``api.search_record``.

    Yields:
        The address of each decoded result, in the order the API returned them.
    """
    found = api.search_record(
        memory_handler, struct_type, my_constraints, extended_search=False
    )
    decoded = api.output_to_python(memory_handler, found)
    # each decoded entry is an (instance, address) pair; keep the address only
    for _instance, address in decoded:
        yield address
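# Debug script: locate the mappings that look like a Windows _HEAP by loading
# a struct__HEAP record at the start of every mapping and checking its
# Signature field, then drop into an interactive shell to inspect them.
#
# Requires `handler`, `api`, `struct__HEAP` and `heap_constraints` to be bound
# by the surrounding session/file; `logging` is the stdlib module.
#
# we are still missing the CriticalSection pointer mappings, which is probably a guard or something.
# TODO -> change dump format to list all mappings, then data, with 0 data bytes if necessary.
# TODO -> find why last mapping is truncated. Check WriteFile return value/written_bytes ?
# maybe add debug statement to cuckoo/analyzer/windows/lib/common/results.py upload_to_host ?
# check bytes counts ?
#m = handler.get_mappings()[0]
#heap_constraints = finder._heap_module_constraints
#logging.getLogger("basicmodel").setLevel(logging.DEBUG)
#f._search_heap(h)

# mappings whose decoded Signature matches the expected _HEAP marker
possibles = []
for m in handler.get_mappings():
    # load a struct__HEAP at the very start of the mapping
    res = api.load_record(handler, struct__HEAP, m.start, heap_constraints)
    p, valid = api.output_to_python(handler, [res])[0]
    offset = m.offset
    # Python 3 print function (the sibling script in this file already uses
    # it); end=" " reproduces the old trailing-comma behaviour of joining
    # this line with the following "validate" output.
    # NOTE(review): bytes 8..12 presumably hold the Signature field - confirm
    # against the struct__HEAP layout.
    print(
        m,
        "p.Signature",
        valid,
        hex(p.Signature),
        repr(m._backend[8 + offset:12 + offset]),
        end=" ",
    )
    v = api.validate_record(handler, res[0], heap_constraints)
    print("validate", v)
    if p.Signature == 0xeeffeeff:
        possibles.append(m)

# Interactive shell over the full local namespace (handler, mappings, records).
# Development aid only: it hands complete control of the process to whoever is
# at the terminal, so it must not be left in any non-interactive code path.
import code

code.interact(local=locals())

# Reload each candidate with "basicmodel" logging lowered to INFO for the load,
# then restore DEBUG so later work keeps the verbose output.
for m in possibles:
    print("trying m", m)
    logging.getLogger("basicmodel").setLevel(logging.INFO)
    res = api.load_record(handler, struct__HEAP, m.start, heap_constraints)
    logging.getLogger("basicmodel").setLevel(logging.DEBUG)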
# Debug script: find the mappings whose first bytes decode to a Windows _HEAP
# with the expected Signature, then open an interactive shell on the result.
#
# Expects `handler`, `api`, `struct__HEAP` and `heap_constraints` to be bound
# by the surrounding session/file.
#
# we are still missing the CriticalSection pointer mappings, which is probably a guard or something.
# TODO -> change dump format to list all mappings, then data, with 0 data bytes if necessary.
# TODO -> find why last mapping is truncated. Check WriteFile return value/written_bytes ?
# maybe add debug statement to cuckoo/analyzer/windows/lib/common/results.py upload_to_host ?
# check bytes counts ?
#m = handler.get_mappings()[0]
#heap_constraints = finder._heap_module_constraints
#logging.getLogger("basicmodel").setLevel(logging.DEBUG)
#f._search_heap(h)

possibles = []  # mappings whose decoded Signature is the _HEAP marker
for m in handler.get_mappings():
    # decode a struct__HEAP placed at the start of this mapping
    res = api.load_record(handler, struct__HEAP, m.start, heap_constraints)
    p, valid = api.output_to_python(handler, [res])[0]
    offset = m.offset
    # NOTE(review): bytes 8..12 presumably cover the Signature field - confirm
    # against the struct__HEAP layout.
    sig_bytes = m._backend[8 + offset:12 + offset]
    print(m, "p.Signature", valid, hex(p.Signature), repr(sig_bytes))
    v = api.validate_record(handler, res[0], heap_constraints)
    print("validate", v)
    if p.Signature == 0xeeffeeff:
        possibles.append(m)

# Interactive shell over the local namespace. Development aid only: it gives
# full control of the process to the terminal user and must not remain in a
# non-interactive code path.
import code

code.interact(local=locals())