def resolvePointers(self):
raise NotImplementedError('Please use haystack.reverse.heuristics.dsa.EnrichedPointerFields')
if self.resolvedPointers:
return
structs_addrs, structCache = None, None
self._dirty=True
resolved = 0
pointerFields = self.getPointerFields()
log.debug('got %d pointerfields'%(len(pointerFields)))
known = 0
inHeap = 0
inMappings = 0
undecoded = 0
fromcache = 0
for field in pointerFields:
# shorcut
if hasattr(field, '_ptr_resolved'):
if field._ptr_resolved:
fromcache+=1
continue
# if pointed is not None: # erase previous info
tgt = None
try:
tgt = self._context.getStructureForAddr(field.value)
known+=1
field.target_struct_addr = field.value
field.ctypes = 'ctypes.POINTER(%s)'%(tgt) # change the basic ctypes
if not tgt._resolved: # fields have not been decoded yet
undecoded+=1
log.debug('target %s is undecoded'%(tgt))
continue
field._target_field = tgt[0] #first field of struct
except KeyError, e:
if field.value in self._heap:
# elif target is a STRING in the HEAP
# set pointer type to char_p
inHeap+=1
# TODO use context's helpers
tgt_struct, tgt_field = self._resolvePointerToStructField(field)
field.target_struct_addr = tgt_struct._vaddr
if tgt_field is not None:
### field.ctypes = str(tgt_struct) # no
field.typename = FieldType.makePOINTER(tgt_field.typename)
field._target_field = tgt_field
tgt = '%s_field_%s'%(tgt_field.struct, tgt_field.getName())
else:
undecoded+=1
#log.debug('target %x is unresolvable in a field'%(field.value))
pass
elif field.value in self._mappings: # other mappings
inMappings+=1
tgt = 'ext_lib_%d'%(field.offset)
field._ptr_to_ext_lib = True
field.target_struct_addr = self._mappings.getMmapForAddr(field.value).start
pass
#
if tgt is not None:
resolved+=1
field.setName('%s_%s'%(field.typename.basename, tgt))
field._ptr_resolved = True
def resolvePointers(self, structs_addrs, structCache):
if self._pointerResolved:
return
self._dirty = True
resolved = 0
pointerFields = self.getPointerFields()
log.debug('got %d pointerfields' % (len(pointerFields)))
known = 0
inHeap = 0
inMappings = 0
undecoded = 0
fromcache = 0
for field in pointerFields:
# shorcut
if hasattr(field, '_ptr_resolved'):
if field._ptr_resolved:
fromcache += 1
continue
# if pointed is not None: # erase previous info
tgt = None
if field.value in structs_addrs:
known += 1
tgt = structCache[field.value]
field.target_struct_addr = field.value
field.ctypes = 'ctypes.POINTER(%s)' % (
tgt) # change the basic ctypes
if not tgt.resolved: # fields have not been decoded yet
undecoded += 1
log.debug('target %s is undecoded' % (tgt))
continue
field._target_field = tgt[0] #first field of struct
elif field.value in self._mappings.getHeap():
# elif target is a STRING in the HEAP
# set pointer type to char_p
inHeap += 1
tgt_struct, tgt_field = self._resolvePointerToStructField(
field, structs_addrs, structCache)
field.target_struct_addr = tgt_struct._vaddr
if tgt_field is not None:
### field.ctypes = str(tgt_struct) # no
field.typename = FieldType.makePOINTER(tgt_field.typename)
field._target_field = tgt_field
tgt = '%s_field_%s' % (tgt_field.struct,
tgt_field.getName())
else:
undecoded += 1
#log.debug('target %x is unresolvable in a field'%(field.value))
pass
elif field.value in self._mappings: # other mappings
inMappings += 1
tgt = 'ext_lib_%d' % (field.offset)
field._ptr_to_ext_lib = True
field.target_struct_addr = self._mappings.getMmapForAddr(
field.value).start
pass
#
if tgt is not None:
resolved += 1
field.setName('%s_%s' % (field.typename.basename, tgt))
field._ptr_resolved = True
#log.debug('resolved %s %s (%d)'%(field.getName(), field, resolved))
log.debug('resolvePointers on t:%d,c:%d,r:%d, k:%d,h:%d,m:%d,u:%d' %
(len(pointerFields), fromcache, resolved, known, inHeap,
inMappings, undecoded))
#
if len(pointerFields) == (resolved + fromcache):
if resolved != 0:
log.debug('%s pointers are fully resolved' % (self))
self._pointerResolved = True
else:
self._pointerResolved = False
return
def resolvePointers(self):
raise NotImplementedError(
'Please use haystack.reverse.heuristics.dsa.EnrichedPointerFields')
if self.resolvedPointers:
return
structs_addrs, structCache = None, None
self._dirty = True
resolved = 0
pointerFields = self.getPointerFields()
log.debug('got %d pointerfields' % (len(pointerFields)))
known = 0
inHeap = 0
inMappings = 0
undecoded = 0
fromcache = 0
for field in pointerFields:
# shorcut
if hasattr(field, '_ptr_resolved'):
if field._ptr_resolved:
fromcache += 1
continue
# if pointed is not None: # erase previous info
tgt = None
try:
tgt = self._context.getStructureForAddr(field.value)
known += 1
field.target_struct_addr = field.value
field.ctypes = 'ctypes.POINTER(%s)' % (
tgt) # change the basic ctypes
if not tgt._resolved: # fields have not been decoded yet
undecoded += 1
log.debug('target %s is undecoded' % (tgt))
continue
field._target_field = tgt[0] #first field of struct
except KeyError, e:
if field.value in self._heap:
# elif target is a STRING in the HEAP
# set pointer type to char_p
inHeap += 1
# TODO use context's helpers
tgt_struct, tgt_field = self._resolvePointerToStructField(
field)
field.target_struct_addr = tgt_struct._vaddr
if tgt_field is not None:
### field.ctypes = str(tgt_struct) # no
field.typename = FieldType.makePOINTER(
tgt_field.typename)
field._target_field = tgt_field
tgt = '%s_field_%s' % (tgt_field.struct,
tgt_field.getName())
else:
undecoded += 1
#log.debug('target %x is unresolvable in a field'%(field.value))
pass
elif field.value in self._mappings: # other mappings
inMappings += 1
tgt = 'ext_lib_%d' % (field.offset)
field._ptr_to_ext_lib = True
field.target_struct_addr = self._mappings.getMmapForAddr(
field.value).start
pass
#
if tgt is not None:
resolved += 1
field.setName('%s_%s' % (field.typename.basename, tgt))
field._ptr_resolved = True
def resolvePointers(self, structs_addrs, structCache):
if self._pointerResolved:
return
self._dirty=True
resolved = 0
pointerFields = self.getPointerFields()
log.debug('got %d pointerfields'%(len(pointerFields)))
known = 0
inHeap = 0
inMappings = 0
undecoded = 0
fromcache = 0
for field in pointerFields:
# shorcut
if hasattr(field, '_ptr_resolved'):
if field._ptr_resolved:
fromcache+=1
continue
# if pointed is not None: # erase previous info
tgt = None
if field.value in structs_addrs:
known+=1
tgt = structCache[field.value]
field.target_struct_addr = field.value
field.ctypes = 'ctypes.POINTER(%s)'%(tgt) # change the basic ctypes
if not tgt.resolved: # fields have not been decoded yet
undecoded+=1
log.debug('target %s is undecoded'%(tgt))
continue
field._target_field = tgt[0] #first field of struct
elif field.value in self._mappings.getHeap():
# elif target is a STRING in the HEAP
# set pointer type to char_p
inHeap+=1
tgt_struct, tgt_field = self._resolvePointerToStructField(field, structs_addrs, structCache)
field.target_struct_addr = tgt_struct._vaddr
if tgt_field is not None:
### field.ctypes = str(tgt_struct) # no
field.typename = FieldType.makePOINTER(tgt_field.typename)
field._target_field = tgt_field
tgt = '%s_field_%s'%(tgt_field.struct, tgt_field.getName())
else:
undecoded+=1
#log.debug('target %x is unresolvable in a field'%(field.value))
pass
elif field.value in self._mappings: # other mappings
inMappings+=1
tgt = 'ext_lib_%d'%(field.offset)
field._ptr_to_ext_lib = True
field.target_struct_addr = self._mappings.getMmapForAddr(field.value).start
pass
#
if tgt is not None:
resolved+=1
field.setName('%s_%s'%(field.typename.basename, tgt))
field._ptr_resolved = True
#log.debug('resolved %s %s (%d)'%(field.getName(), field, resolved))
log.debug('resolvePointers on t:%d,c:%d,r:%d, k:%d,h:%d,m:%d,u:%d'%(len(pointerFields),
fromcache, resolved, known, inHeap, inMappings, undecoded))
#
if len(pointerFields) == (resolved+fromcache):
if resolved != 0 :
log.debug('%s pointers are fully resolved'%(self))
self._pointerResolved = True
else:
self._pointerResolved = False
return
def resolvePointers(self):
raise NotImplementedError("Please use haystack.reverse.heuristics.dsa.EnrichedPointerFields")
if self.resolvedPointers:
return
structs_addrs, structCache = None, None
self._dirty = True
resolved = 0
pointerFields = self.getPointerFields()
log.debug("got %d pointerfields" % (len(pointerFields)))
known = 0
inHeap = 0
inMappings = 0
undecoded = 0
fromcache = 0
for field in pointerFields:
# shorcut
if hasattr(field, "_ptr_resolved"):
if field._ptr_resolved:
fromcache += 1
continue
# if pointed is not None: # erase previous info
tgt = None
try:
tgt = self._context.getStructureForAddr(field.value)
known += 1
field.target_struct_addr = field.value
# change the basic ctypes
field.ctypes = "ctypes.POINTER(%s)" % (tgt)
if not tgt._resolved: # fields have not been decoded yet
undecoded += 1
log.debug("target %s is undecoded" % (tgt))
continue
field._target_field = tgt[0] # first field of struct
except KeyError as e:
if field.value in self._heap:
# elif target is a STRING in the HEAP
# set pointer type to char_p
inHeap += 1
# TODO use context's helpers
tgt_struct, tgt_field = self._resolvePointerToStructField(field)
field.target_struct_addr = tgt_struct._vaddr
if tgt_field is not None:
# field.ctypes = str(tgt_struct) # no
field.typename = FieldType.makePOINTER(tgt_field.typename)
field._target_field = tgt_field
tgt = "%s_field_%s" % (tgt_field.struct, tgt_field.getName())
else:
undecoded += 1
# log.debug('target %x is unresolvable in a field'%(field.value))
pass
elif field.value in self._mappings: # other mappings
inMappings += 1
tgt = "ext_lib_%d" % (field.offset)
field._ptr_to_ext_lib = True
field.target_struct_addr = self._mappings.get_mapping_for_address(field.value).start
pass
#
if tgt is not None:
resolved += 1
field.setName("%s_%s" % (field.typename.basename, tgt))
field._ptr_resolved = True
# log.debug('resolved %s %s (%d)'%(field.getName(), field, resolved))
log.debug(
"resolvePointers on t:%d,c:%d,r:%d, k:%d,h:%d,m:%d,u:%d"
% (len(pointerFields), fromcache, resolved, known, inHeap, inMappings, undecoded)
)
#
if len(pointerFields) == (resolved + fromcache):
if resolved != 0:
log.debug("%s pointers are fully resolved" % (self))
self._resolvedPointers = True
else:
self._resolvedPointers = False
return