Esempio n. 1
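def find_heap():
    """Command-line entry point that lists the probable heaps of a memory dump.

    Parses ``sys.argv[1:]``, loads the dump with ``dump_loader.load``
    (optionally forcing the OS name and bitness), prints the resolved target
    platform and, on request, the memory mappings. When an ``address`` is
    given the work is delegated to ``one_heap``; otherwise every mapping is
    scanned page by page for the HEAP signature value and the finder's heap
    walkers are analysed.

    Returns:
        None. Everything is reported on stdout.
    """
    argv = sys.argv[1:]
    parser = argparse.ArgumentParser(prog='haystack-find-heap',
                                     description="Find heaps in a dumpfile")
    parser.add_argument('--osname', '-n', action='store', default=None, choices=['winxp', 'win7'], help='winxp,win7')
    parser.add_argument('--bits', '-b', type=int, action='store', default=None, choices=[32, 64], help='32,64')
    parser.add_argument('--verbose', '-v', action='store_true', help='Verbose')
    parser.add_argument('--quiet', action='store_true', help='Set verbosity to ERROR only')
    parser.add_argument('--debug', '-d', action='store_true', help='Set verbosity to DEBUG')
    parser.add_argument('--mappings', '-m', action='store_true', help='Show mappings')
    parser.add_argument('--heap', '-p', action='store_true', help='Show the heap content')
    parser.add_argument('--frontend', '-f', action='store_true', help='Show the frontend heap content')
    parser.add_argument('dumpname', type=argparse_utils.readable, help='process memory dump name')
    parser.add_argument('address', nargs='?', type=argparse_utils.int16, default=None, help='Load Heap from address (hex)')

    opts = parser.parse_args(argv)
    # NOTE(review): kept as a function-local import, as the original had it.
    from haystack import cli
    cli.set_logging_level(opts)

    memory_handler = dump_loader.load(opts.dumpname, os_name=opts.osname, cpu=opts.bits)
    finder = memory_handler.get_heap_finder()

    # Show target information: forced by --osname/--bits, or resolved by the loader.
    # Single-argument print() keeps the output identical under Python 2 and 3.
    target = memory_handler.get_target_platform()
    if opts.bits or opts.osname:
        print('Forced target resolution: %s' % (target,))
    else:
        print('Automatic target resolution: %s' % (target,))

    if opts.mappings:
        # show all memory mappings
        print('Process mappings:')
        print('@start     @stop       File Offset M:m   ')
        for mapping in memory_handler.get_mappings():
            print(str(mapping))

    if opts.address is not None:
        one_heap(opts, finder)
        return

    # Offset of the HEAP signature field for each (os name, bitness) pair.
    signature_offsets = [('winxp', 32, 8), ('winxp', 64, 16),
                         ('win7', 32, 100), ('win7', 64, 160)]
    heap_signature = 0xeeffeeff

    print('Probable Process HEAPS:')
    for mapping in memory_handler.get_mappings():
        for addr in range(mapping.start, mapping.end, 0x1000):
            # A candidate that does not sit at the mapping start is flagged.
            special = ' (!) ' if addr != mapping.start else ''
            # The loop variable is not named `os`, so the os module is not shadowed.
            for os_name, bits, offset in signature_offsets:
                # Never read past the end of the mapping.
                if addr + offset + 4 > mapping.end:
                    continue
                # The dump comes from a Windows (x86/x64) target: decode the
                # field little-endian explicitly instead of relying on the
                # host's native byte order.
                signature = struct.unpack('<I', mapping.read_bytes(addr + offset, 4))[0]
                if signature == heap_signature:
                    print('[+] %s %dbits  %s 0x%0.8x %s' % (os_name, bits, special, addr, mapping))

    # Then show heap analysis
    print('Found Heaps:')

    for walker in finder.list_heap_walkers():
        validator = walker.get_heap_validator()
        validator.print_heap_analysis(walker.get_heap(), opts.verbose)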
Esempio n. 2
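def find_heap():
    """Command-line entry point that lists the probable heaps of a memory dump.

    Builds the common haystack parser, parses ``sys.argv[1:]``, loads the
    dump through ``cli.make_memory_handler``, prints the resolved target
    platform and, on request, the memory mappings. When an ``address`` is
    given the work is delegated to ``one_heap``; otherwise every mapping is
    scanned page by page for the HEAP signature value and the finder's heap
    walkers are analysed.

    Returns:
        None. Everything is reported on stdout.
    """
    argv = sys.argv[1:]
    parser = cli.base_argparser('haystack-find-heap', "Find heaps in a dumpfile")
    parser.add_argument('--verbose', '-v', action='store_true', help='Verbose')
    parser.add_argument('--mappings', '-m', action='store_true', help='Show mappings')
    # only if address is present
    group = parser.add_argument_group('For a specific HEAP')
    group.add_argument('address', nargs='?', type=argparse_utils.int16, default=None, help='Load Heap from address (hex)')
    group.add_argument('--heap', '-p', action='store_true', help='Show the heap content')
    group.add_argument('--frontend', '-f', action='store_true', help='Show the frontend heap content')

    opts = parser.parse_args(argv)
    cli.set_logging_level(opts)

    memory_handler = cli.make_memory_handler(opts)
    finder = memory_handler.get_heap_finder()

    # Show target information: forced by --osname/--bits, or resolved by the loader.
    target = memory_handler.get_target_platform()
    if opts.bits or opts.osname:
        print('Forced target resolution:', target)
    else:
        print('Automatic target resolution:', target)

    if opts.mappings:
        # show all memory mappings
        print('Process mappings:')
        print('@start     @stop       File Offset M:m   ')
        for mapping in memory_handler.get_mappings():
            print(mapping)

    if opts.address is not None:
        one_heap(opts, finder)
        return

    # Offset of the HEAP signature field for each (os name, bitness) pair.
    signature_offsets = [('winxp', 32, 8), ('winxp', 64, 16),
                         ('win7', 32, 100), ('win7', 64, 160)]
    heap_signature = 0xeeffeeff

    print('Probable Process HEAPS:')
    for mapping in memory_handler.get_mappings():
        for addr in range(mapping.start, mapping.end, 0x1000):
            # A candidate that does not sit at the mapping start is flagged.
            special = ' (!) ' if addr != mapping.start else ''
            # The loop variable is not named `os`, so the os module is not shadowed.
            for os_name, bits, offset in signature_offsets:
                # Never read past the end of the mapping.
                if addr + offset + 4 > mapping.end:
                    continue
                # The dump comes from a Windows (x86/x64) target: decode the
                # field little-endian explicitly instead of relying on the
                # host's native byte order.
                signature = struct.unpack('<I', mapping.read_bytes(addr + offset, 4))[0]
                if signature == heap_signature:
                    print('[+] %s %dbits  %s 0x%0.8x' % (os_name, bits, special, addr), mapping)

    # Then show heap analysis
    print('Found Heaps:')

    for walker in finder.list_heap_walkers():
        validator = walker.get_heap_validator()
        validator.print_heap_analysis(walker.get_heap(), opts.verbose)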
Esempio n. 3
def reverse():
    """Entry point of the ``reverse`` command.

    Builds the common haystack argument parser described by ``REVERSE_DESC``,
    registers ``reverse_cmdline`` as its handler, parses ``sys.argv[1:]``,
    applies the requested logging level and runs the handler with the parsed
    options.
    """
    prog_name = os.path.basename(sys.argv[0])
    rootparser = cli.base_argparser(program_name=prog_name, description=REVERSE_DESC)
    rootparser.set_defaults(func=reverse_cmdline)
    opts = rootparser.parse_args(sys.argv[1:])
    # verbosity first, then dispatch to the handler registered above
    cli.set_logging_level(opts)
    opts.func(opts)
Esempio n. 4
def reverse_show():
    """Entry point of the ``reverse show`` command.

    Adds a mandatory hexadecimal ``address`` positional to the common haystack
    parser (description ``REVERSE_SHOW_DESC``), registers
    ``reverse_show_cmdline`` as the handler, parses ``sys.argv[1:]``, applies
    the logging level and runs the handler.
    """
    rootparser = cli.base_argparser(
        program_name=os.path.basename(sys.argv[0]),
        description=REVERSE_SHOW_DESC,
    )
    rootparser.add_argument('address', type=argparse_utils.int16, help='Record memory address in hex')
    rootparser.set_defaults(func=reverse_show_cmdline)
    opts = rootparser.parse_args(sys.argv[1:])
    # verbosity first, then dispatch to the handler registered above
    cli.set_logging_level(opts)
    opts.func(opts)
Esempio n. 5
def reverse_hex():
    """Entry point of the ``reverse hex`` command.

    Adds a hexadecimal ``address`` positional to the common haystack parser
    (description ``REVERSE_HEX_DESC``), registers ``show_hex`` as the handler,
    parses ``sys.argv[1:]``, applies the logging level and runs the handler.
    """
    prog_name = os.path.basename(sys.argv[0])
    rootparser = cli.base_argparser(program_name=prog_name, description=REVERSE_HEX_DESC)
    rootparser.add_argument(
        'address',
        type=argparse_utils.int16,
        action='store',
        default=None,
        help='Specify the address of the record, or encompassed by the record',
    )
    rootparser.set_defaults(func=show_hex)
    opts = rootparser.parse_args(sys.argv[1:])
    # verbosity first, then dispatch to the handler registered above
    cli.set_logging_level(opts)
    opts.func(opts)
Esempio n. 6
def reverse_parents():
    """Entry point of the ``reverse parents`` command.

    Adds a hexadecimal ``address`` positional (the child structure) to the
    common haystack parser (description ``REVERSE_PARENT_DESC``), registers
    ``show_predecessors_cmdline`` as the handler, parses ``sys.argv[1:]``,
    applies the logging level and runs the handler.
    """
    rootparser = cli.base_argparser(
        program_name=os.path.basename(sys.argv[0]),
        description=REVERSE_PARENT_DESC,
    )
    rootparser.add_argument(
        'address',
        type=argparse_utils.int16,
        action='store',
        default=None,
        help='Hex address of the child structure',
    )
    rootparser.set_defaults(func=show_predecessors_cmdline)
    opts = rootparser.parse_args(sys.argv[1:])
    # verbosity first, then dispatch to the handler registered above
    cli.set_logging_level(opts)
    opts.func(opts)
Esempio n. 7
def minidump_reverse_hex():
    """Entry point of the minidump variant of ``reverse hex``.

    Builds the common haystack parser (``REVERSE_HEX_DESC`` followed by
    ``cli.DUMPTYPE_MINIDUMP_DESC``), adds the ``dump_filename`` positional,
    lets ``reverse_hex_argparser`` add the command's own arguments, parses
    ``sys.argv[1:]``, forces ``opts.dumptype`` to ``cli.DUMPTYPE_MINIDUMP``,
    applies the logging level and runs the handler stored in ``opts.func``.
    """
    prog_name = os.path.basename(sys.argv[0])
    rootparser = cli.base_argparser(
        program_name=prog_name,
        description=REVERSE_HEX_DESC + cli.DUMPTYPE_MINIDUMP_DESC,
    )
    rootparser.add_argument('dump_filename',
                            type=argparse_utils.readable,
                            help='Use this memory dump file')
    reverse_hex_argparser(rootparser)
    opts = rootparser.parse_args(sys.argv[1:])
    # this entry point only handles minidumps, whatever the parser defaults say
    opts.dumptype = cli.DUMPTYPE_MINIDUMP
    # verbosity first, then dispatch to the handler
    cli.set_logging_level(opts)
    opts.func(opts)
Esempio n. 8
def main_reverse_parents():
    """Entry point of the folder-dump variant of ``reverse parents``.

    Builds the common haystack parser (``REVERSE_PARENT_DESC`` followed by
    ``cli.DUMPTYPE_BASE_DESC``), adds the ``dump_folder_name`` positional,
    lets ``reverse_parents_argparser`` add the command's own arguments,
    parses ``sys.argv[1:]``, forces ``opts.dumptype`` to ``cli.DUMPTYPE_BASE``,
    applies the logging level and runs the handler stored in ``opts.func``.
    """
    rootparser = cli.base_argparser(
        program_name=os.path.basename(sys.argv[0]),
        description=REVERSE_PARENT_DESC + cli.DUMPTYPE_BASE_DESC,
    )
    rootparser.add_argument('dump_folder_name',
                            type=argparse_utils.readable,
                            help='Use this memory dump folder')
    reverse_parents_argparser(rootparser)
    opts = rootparser.parse_args(sys.argv[1:])
    # this entry point only handles folder dumps, whatever the parser defaults say
    opts.dumptype = cli.DUMPTYPE_BASE
    # verbosity first, then dispatch to the handler
    cli.set_logging_level(opts)
    opts.func(opts)
Esempio n. 9
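def main(argv=None):
    """Entry point of the pointer-graph tool.

    Builds the common haystack parser, adds the mandatory ``gexf`` positional
    (opened read-only in binary mode by argparse), registers ``make`` as the
    handler, applies the logging level and runs the handler.

    Args:
        argv: command-line arguments without the program name. ``None`` (the
            default) means ``sys.argv[1:]``. The original always read
            ``sys.argv`` and silently ignored this parameter; the caller's
            list is now honoured.
    """
    if argv is None:
        argv = sys.argv[1:]
    desc = 'Play with graph repr of pointers relationships.'
    rootparser = cli.base_argparser(program_name=os.path.basename(sys.argv[0]),
                                    description=desc)
    rootparser.add_argument('gexf',
                            type=argparse.FileType('rb'),
                            action='store',
                            help='Source gexf.')
    rootparser.set_defaults(func=make)
    opts = rootparser.parse_args(argv)
    # apply verbosity
    cli.set_logging_level(opts)
    # execute function
    opts.func(opts)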
Esempio n. 10
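def find_heap():
    """Command-line entry point that lists the probable heaps of a memory dump.

    Parses ``sys.argv[1:]``, loads the dump with ``dump_loader.load``
    (optionally forcing the OS name and bitness), prints the resolved target
    platform and, on request, the memory mappings. When an ``address`` is
    given the work is delegated to ``one_heap``; otherwise every mapping is
    scanned page by page for the HEAP signature value and the finder's heap
    walkers are analysed.

    Returns:
        None. Everything is reported on stdout.
    """
    argv = sys.argv[1:]
    parser = argparse.ArgumentParser(prog='haystack-find-heap',
                                     description="Find heaps in a dumpfile")
    parser.add_argument('--osname', '-n', action='store', default=None,
                        choices=['winxp', 'win7'], help='winxp,win7')
    parser.add_argument('--bits', '-b', type=int, action='store', default=None,
                        choices=[32, 64], help='32,64')
    parser.add_argument('--verbose', '-v', action='store_true', help='Verbose')
    parser.add_argument('--quiet', action='store_true',
                        help='Set verbosity to ERROR only')
    parser.add_argument('--debug', '-d', action='store_true',
                        help='Set verbosity to DEBUG')
    parser.add_argument('--mappings', '-m', action='store_true',
                        help='Show mappings')
    parser.add_argument('--heap', '-p', action='store_true',
                        help='Show the heap content')
    parser.add_argument('--frontend', '-f', action='store_true',
                        help='Show the frontend heap content')
    parser.add_argument('dumpname', type=argparse_utils.readable,
                        help='process memory dump name')
    parser.add_argument('address', nargs='?', type=argparse_utils.int16,
                        default=None, help='Load Heap from address (hex)')

    opts = parser.parse_args(argv)
    # NOTE(review): kept as a function-local import, as the original had it.
    from haystack import cli
    cli.set_logging_level(opts)

    memory_handler = dump_loader.load(opts.dumpname,
                                      os_name=opts.osname,
                                      cpu=opts.bits)
    finder = memory_handler.get_heap_finder()

    # Show target information: forced by --osname/--bits, or resolved by the loader.
    # Single-argument print() keeps the output identical under Python 2 and 3.
    target = memory_handler.get_target_platform()
    if opts.bits or opts.osname:
        print('Forced target resolution: %s' % (target,))
    else:
        print('Automatic target resolution: %s' % (target,))

    if opts.mappings:
        # show all memory mappings
        print('Process mappings:')
        print('@start     @stop       File Offset M:m   ')
        for mapping in memory_handler.get_mappings():
            print(str(mapping))

    if opts.address is not None:
        one_heap(opts, finder)
        return

    # Offset of the HEAP signature field for each (os name, bitness) pair.
    signature_offsets = [('winxp', 32, 8), ('winxp', 64, 16),
                         ('win7', 32, 100), ('win7', 64, 160)]
    heap_signature = 0xeeffeeff

    print('Probable Process HEAPS:')
    for mapping in memory_handler.get_mappings():
        for addr in range(mapping.start, mapping.end, 0x1000):
            # A candidate that does not sit at the mapping start is flagged.
            special = ' (!) ' if addr != mapping.start else ''
            # The loop variable is not named `os`, so the os module is not shadowed.
            for os_name, bits, offset in signature_offsets:
                # Never read past the end of the mapping.
                if addr + offset + 4 > mapping.end:
                    continue
                # The dump comes from a Windows (x86/x64) target: decode the
                # field little-endian explicitly instead of relying on the
                # host's native byte order.
                signature = struct.unpack('<I', mapping.read_bytes(addr + offset, 4))[0]
                if signature == heap_signature:
                    print('[+] %s %dbits  %s 0x%0.8x %s' % (os_name, bits, special, addr, mapping))

    # Then show heap analysis
    print('Found Heaps:')

    for walker in finder.list_heap_walkers():
        validator = walker.get_heap_validator()
        validator.print_heap_analysis(walker.get_heap(), opts.verbose)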