def make_search_results(self, memory_handler, struct_type, my_constraints):
    """Yield a single (rendered_record, address) pair for the configured address.

    The target address is read from ``self.config.ADDRESS`` as a hexadecimal
    string.  One record of ``struct_type`` is loaded at that address through
    ``api.load_record`` under ``my_constraints`` and rendered with
    ``api.output_to_string``.

    Args:
        memory_handler: haystack memory handler the record is read from.
        struct_type: ctypes record type to load at the configured address.
        my_constraints: constraints handed to ``api.load_record`` as
            ``load_constraints``.

    Yields:
        A ``(rendered, address)`` tuple — the string produced by
        ``api.output_to_string`` and the parsed integer address.
    """
    # ADDRESS is a hex string in the config, so base 16 is explicit here.
    target = int(self.config.ADDRESS, 16)
    loaded = api.load_record(
        memory_handler,
        struct_type,
        target,
        load_constraints=my_constraints,
    )
    # output_to_string takes a list of load results; wrap the single one.
    rendered = api.output_to_string(memory_handler, [loaded])
    yield rendered, target
# Debug driver: map a process dump (presumably a Cuckoo sandbox dump, given
# CuckooProcessMapper and the inject.c link below — confirm) and probe one
# candidate _HEAP record by hand.  The dump is external input; nothing below
# validates it before parsing.
# Quiet the noisier haystack loggers before walking the dump.
logging.getLogger("model").setLevel(logging.INFO)
logging.getLogger("python").setLevel(logging.INFO)
# NOTE(review): sys.argv[1] is read unchecked; running with no argument
# raises IndexError rather than a usage message.
fname = sys.argv[1]
mapper = CuckooProcessMapper(fname)
handler = mapper.make_memory_handler()
finder = handler.get_heap_finder()
heaps = finder.list_heap_walkers()
# Python 2 print statement — this line is a syntax error under Python 3.
print "heaps", heaps
from haystack import api
from haystack.allocators.win32.winxp_32 import struct__HEAP
# Reaches into a private attribute of the finder (presumably the constraints
# for the XP 32-bit _HEAP layout — verify against haystack).
heap_constraints = finder._heap_module_constraints
# Hard-coded candidate heap address.  NOTE(review): if no dumped mapping
# covers it, get_mapping_for_address presumably returns None and m.start
# fails — confirm.
m = handler.get_mapping_for_address(0x00480000)
res = api.load_record(handler, struct__HEAP, m.start, heap_constraints)
# Raise basicmodel verbosity only around the validation call so the
# per-pointer trace is emitted for this one record, then drop it again.
logging.getLogger("basicmodel").setLevel(logging.DEBUG)
v = api.validate_record(handler, res[0], heap_constraints)
logging.getLogger("basicmodel").setLevel(logging.INFO)
# Debug hook: opens an interactive shell with every local above in scope and
# blocks until it exits, so this script is unsuitable for unattended runs.
import code
code.interact(local=locals())
if len(heaps) == 0:
    # no heaps ??!!
    # it looks like 0x00030000 and other are..
    #DEBUG:basicmodel:ptr: Segments[1] <class 'haystack.types.LP_4_struct__HEAP_SEGMENT'> LP_4_struct__HEAP_SEGMENT(26083328) 0x18e0000 INVALID
    # explanation, not all mappings are dumped.
    # from https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c
    # (mbi.State & MEM_COMMIT) == 0 || (mbi.Protect & PAGE_GUARD) != 0 ||
# Debug driver: map a process dump (presumably a Cuckoo sandbox dump, given
# CuckooProcessMapper and the inject.c link below — confirm) and probe one
# candidate _HEAP record by hand.  The dump is external input; nothing below
# validates it before parsing.
# Quiet the noisier haystack loggers before walking the dump.
logging.getLogger("model").setLevel(logging.INFO)
logging.getLogger("python").setLevel(logging.INFO)
# NOTE(review): sys.argv[1] is read unchecked; running with no argument
# raises IndexError rather than a usage message.
fname = sys.argv[1]
mapper = CuckooProcessMapper(fname)
handler = mapper.make_memory_handler()
finder = handler.get_heap_finder()
heaps = finder.list_heap_walkers()
print("heaps", heaps)
from haystack import api
from haystack.allocators.win32.winxp_32 import struct__HEAP
# Reaches into a private attribute of the finder (presumably the constraints
# for the XP 32-bit _HEAP layout — verify against haystack).
heap_constraints = finder._heap_module_constraints
# Hard-coded candidate heap address.  NOTE(review): if no dumped mapping
# covers it, get_mapping_for_address presumably returns None and m.start
# fails — confirm.
m = handler.get_mapping_for_address(0x00480000)
res = api.load_record(handler, struct__HEAP, m.start, heap_constraints)
# Raise basicmodel verbosity only around the validation call so the
# per-pointer trace is emitted for this one record, then drop it again.
logging.getLogger("basicmodel").setLevel(logging.DEBUG)
v = api.validate_record(handler, res[0], heap_constraints)
logging.getLogger("basicmodel").setLevel(logging.INFO)
# Debug hook: opens an interactive shell with every local above in scope and
# blocks until it exits, so this script is unsuitable for unattended runs.
import code
code.interact(local=locals())
if len(heaps) == 0:
    # no heaps ??!!
    # it looks like 0x00030000 and other are..
    #DEBUG:basicmodel:ptr: Segments[1] <class 'haystack.types.LP_4_struct__HEAP_SEGMENT'> LP_4_struct__HEAP_SEGMENT(26083328) 0x18e0000 INVALID
    # explanation, not all mappings are dumped.
    # from https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c
    # (mbi.State & MEM_COMMIT) == 0 || (mbi.Protect & PAGE_GUARD) != 0 ||