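def makeReversedTypes(context, sizeCache):
    '''Compare signatures for each size group and build reversed types.

    Chains similar structures together, renames each group to a single
    typename where possible, then retypes every pointer field of every
    structure so that it points at the ctypes type of its target.
    Only pointers whose value lands inside ``context.heap`` are retyped;
    the pointer values themselves are read from the dumped memory and
    are therefore untrusted until that check passes.

    Args:
        context: analysis context; must provide ``listStructures()``,
            ``heap``, ``getStructureForOffset()`` and ``listReversedTypes()``
            and is forwarded to buildStructureGroup()/fixType()/
            fixInstanceType().
        sizeCache: passed straight through to buildStructureGroup(); not
            inspected here.

    Returns:
        The same ``context``, mutated in place.
    '''
    # Local import, as the sibling version of this function does.
    import ctypes

    log.info(
        '[+] Build groups of similar instances, create a reversed type for each group.')
    for chains in buildStructureGroup(context, sizeCache):
        fixType(context, chains)

    log.info(
        '[+] For each instances, fix pointers fields to newly created types.')
    for s in context.listStructures():
        s.reset()
        s.decodeFields()
        for f in s.getPointerFields():
            # Raw pointer value from the dump: only follow it into the heap.
            addr = f._getValue(0)
            if addr not in context.heap:
                continue
            # Resolve the target once; both the happy path and the fallback
            # need the same structure (a TypeError raised by the lookup itself
            # would have been re-raised by the fallback's second lookup anyway).
            target = context.getStructureForOffset(addr)
            try:
                ctypes_type = target.getCtype()
            except TypeError:
                # Escapee without a typed type yet: give it one on the fly so
                # the pointer can still be typed.
                ctypes_type = fixInstanceType(context, target, getname())
            f.setCtype(ctypes.POINTER(ctypes_type))
            f.setComment('pointer fixed')

    log.info('[+] For new reversed type, fix their definitive fields.')
    for revStructType in context.listReversedTypes():
        revStructType.makeFields(context)

    # TODO: pointer fields whose target lies outside the heap are left as
    # void pointers and are not reported anywhere.
    return context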
def makeReversedTypes(context, sizeCache):
  ''' Compare signatures for each size groups.
  Build chains of similar structures, rename each group to a single typename
  where possible, then retype every pointer field of every structure so that
  it points at the ctypes type of its target.
  Only pointers whose value (read from the dump) lands inside context.heap
  are retyped.'''

  log.info('[+] Build groups of similar instances, create a reversed type for each group.')
  for group in buildStructureGroup(context, sizeCache):
    fixType(context, group)

  log.info('[+] For each instances, fix pointers fields to newly created types.')
  import ctypes
  for struct in context.listStructures():
    struct.reset()
    struct.decodeFields()
    for field in struct.getPointerFields():
      target_addr = field._getValue(0)
      if target_addr not in context.heap:
        continue  # pointer outside the dumped heap: leave it untyped
      try:
        target_ctype = context.getStructureForOffset(target_addr).getCtype()
      except TypeError:
        # escapee without a typed type yet: type it on the fly
        target_ctype = fixInstanceType(context, context.getStructureForOffset(target_addr), getname())
      field.setCtype(ctypes.POINTER(target_ctype))
      field.setComment('pointer fixed')
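def graphStructureGroups(context, chains, originAddr=None):
  '''Write a GEXF graph of the pointer links between the structures in chains.

  Each structure address in each chain becomes a node; every pointer field
  whose value lands inside the heap becomes an edge to the structure it
  points at. When originAddr is given, only chains containing it are graphed.

  Args:
    context: analysis context (getStructureForAddr, getStructureForOffset,
      heap, dumpname).
    chains: list of address lists; sorted in place.
    originAddr: optional address used to filter chains.

  Side effects: sorts chains in place, prints every graphed structure, and
  writes the graph to Config.getCacheFilename(Config.CACHE_GRAPH, context.dumpname).
  '''
  # TODO change generic fn
  chains.sort()
  import networkx
  graph = networkx.DiGraph()
  for chain in chains:
    log.debug('\t[-] chain len:%d' % len(chain))
    if originAddr is not None and originAddr not in chain:
      continue  # ignore chain if originAddr is not in it
    for addr in map(long, chain):
      struct = context.getStructureForAddr(addr)
      struct.decodeFields()  # can be long
      print(struct.toString())
      targets = set()
      for f in struct.getPointerFields():
        addr_child = f._getValue(0)
        # The pointed-to address is read from the dump; only resolve it when
        # it is inside the heap, as makeReversedTypes does.
        if addr_child not in context.heap:
          continue
        # Resolve the pointer *target*; the previous code looked up addr
        # itself, so every edge was a self-loop.
        child = context.getStructureForOffset(addr_child)
        targets.add(('%x' % addr, '%x' % child._vaddr))
      graph.add_edges_from(targets)
    print('# ' + '-' * 78)
  networkx.readwrite.gexf.write_gexf(graph, Config.getCacheFilename(Config.CACHE_GRAPH, context.dumpname))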