def getDiff(d1, d2):
from haystack import dump_loader
mappings1 = dump_loader.load(d1)
mappings2 = dump_loader.load(d2)
log.debug('Building hashes for %s' % (d1.name))
m1 = dict(buildMappingsHashes(mappings1))
log.debug('Building hashes for %s' % (d2.name))
m2 = dict(buildMappingsHashes(mappings2))
# new mappings in d2
pnames1 = set([m.pathname for m in m1.values()])
pnames2 = set([m.pathname for m in m2.values()])
new2 = pnames2 - pnames1
news = []
for pathname in new2:
news.extend(mappings2.getMmap(pathname))
print 'new mappings in %s:' % (d2.name)
for n in news:
print n
# believe in hash funcs.
diff2 = set(m2.keys()) - set(m1.keys())
diffs = []
revm1 = dict((v, k) for k, v in m1.items())
print 'modified mappings in %s:' % (d2.name)
for h2 in diff2:
m = m2[h2]
if m.pathname in pnames1:
print m
diffs.append(m)
return news, diffs
def getDiff(d1, d2):
from haystack import dump_loader
mappings1 = dump_loader.load(d1)
mappings2 = dump_loader.load(d2)
log.debug('Building hashes for %s' % (d1.name))
m1 = dict(buildMappingsHashes(mappings1))
log.debug('Building hashes for %s' % (d2.name))
m2 = dict(buildMappingsHashes(mappings2))
# new _memory_handler in d2
pnames1 = set([m.pathname for m in m1.values()])
pnames2 = set([m.pathname for m in m2.values()])
new2 = pnames2 - pnames1
news = []
for pathname in new2:
news.extend(mappings2._get_mapping(pathname))
print 'new _memory_handler in %s:' % (d2.name)
for n in news:
print n
# believe in hash funcs.
diff2 = set(m2.keys()) - set(m1.keys())
diffs = []
revm1 = dict((v, k) for k, v in m1.items())
print 'modified _memory_handler in %s:' % (d2.name)
for h2 in diff2:
m = m2[h2]
if m.pathname in pnames1:
print m
diffs.append(m)
return news, diffs
def test_dumptype_dir(self):
'''Checks if dumping to folder works'''
tgt1 = self._make_tgt_dir()
tgt2 = self._make_tgt_dir()
tgt3 = self._make_tgt_dir()
self.devnull = open('/dev/null')
self.process = self.run_app_test('test3', stdout=self.devnull.fileno())
time.sleep(0.1)
out1 = memory_dumper.dump(self.process.pid, tgt1, "dir", True)
self.assertEqual(out1, tgt1) # same name
self._renew_process()
out2 = memory_dumper.dump(self.process.pid, tgt2, "dir", True)
self.assertEqual(out2, tgt2) # same name
self._renew_process()
out3 = memory_dumper.dump(self.process.pid, tgt3, "dir", False)
self.assertEqual(out3, tgt3) # same name
size1 = self.get_folder_size(tgt1)
size2 = self.get_folder_size(tgt2)
size3 = self.get_folder_size(tgt3)
self.assertGreater(size1, 500) # not a null archive
# self.assertGreater(size2, size1) # more _memory_handler
self.assertGreater(size3, size2) # more _memory_handler
# print size1, size2, size3
# print file(out1+'/_memory_handler').read()
# print '-'*80
# print file(out2+'/_memory_handler').read()
# print '-'*80
# print file(out3+'/_memory_handler').read()
# print '-'*80
# test opening by dump_loader
from haystack import dump_loader
from haystack.mappings.base import MemoryHandler
# PYDOC
# NotImplementedError: MACHINE has not been found.
# laoder should habe a cpu, os_name loading
mappings1 = dump_loader.load(out1,
cpu=self.cpu_bits,
os_name=self.os_name)
self.assertIsInstance(mappings1, MemoryHandler)
mappings2 = dump_loader.load(out2,
cpu=self.cpu_bits,
os_name=self.os_name)
mappings3 = dump_loader.load(out3,
cpu=self.cpu_bits,
os_name=self.os_name)
pathnames1 = [m.pathname for m in mappings1]
pathnames2 = [m.pathname for m in mappings2]
pathnames3 = [m.pathname for m in mappings3]
self.assertEqual(pathnames1, pathnames2)
self.assertEqual(pathnames3, pathnames2)
return
def setUp(self):
offset = 0x08f75008
self.mappings = dump_loader.load('test/src/test-ctypes5.dump')
sys.path.append('test/src/')
import ctypes5
self.m = self.mappings.getMmapForAddr(offset)
self.usual = self.m.readStruct(offset, ctypes5.usual)
def find_heap():
argv = sys.argv[1:]
parser = argparse.ArgumentParser(prog='haystack-find-heap',
description="Find heaps in a dumpfile")
parser.add_argument('--osname', '-n', action='store', default=None, choices=['winxp', 'win7'], help='winxp,win7')
parser.add_argument('--bits', '-b', type=int, action='store', default=None, choices=[32, 64], help='32,64')
parser.add_argument('--verbose', '-v', action='store_true', help='Verbose')
parser.add_argument('--quiet', action='store_true', help='Set verbosity to ERROR only')
parser.add_argument('--debug', '-d', action='store_true', help='Set verbosity to DEBUG')
parser.add_argument('--mappings', '-m', action='store_true', help='Show mappings')
parser.add_argument('--heap', '-p', action='store_true', help='Show the heap content')
parser.add_argument('--frontend', '-f', action='store_true', help='Show the frontend heap content')
parser.add_argument('dumpname', type=argparse_utils.readable, help='process memory dump name')
parser.add_argument('address', nargs='?', type=argparse_utils.int16, default=None, help='Load Heap from address (hex)')
opts = parser.parse_args(argv)
from haystack import cli
cli.set_logging_level(opts)
#
memory_handler = dump_loader.load(opts.dumpname, os_name=opts.osname, cpu=opts.bits)
finder = memory_handler.get_heap_finder()
# Show Target information
if opts.bits or opts.osname:
print 'Forced target resolution:', memory_handler.get_target_platform()
else:
print 'Automatic target resolution:', memory_handler.get_target_platform()
if opts.mappings:
# show all memory mappings
print 'Process mappings:'
print '@start @stop File Offset M:m '
for m in memory_handler.get_mappings():
print m
if opts.address is not None:
one_heap(opts, finder)
return
print 'Probable Process HEAPS:'
for m in memory_handler.get_mappings():
for addr in range(m.start, m.end, 0x1000):
special = ''
for os, bits, offset in [('winxp', 32, 8), ('winxp', 64, 16),
('win7', 32, 100), ('win7', 64, 160)]:
signature = struct.unpack('I', m.read_bytes(addr+offset, 4))[0]
if signature == 0xeeffeeff:
if addr != m.start:
special = ' (!) '
print '[+] %s %dbits %s 0x%0.8x' % (os, bits, special, addr), m
# Then show heap analysis
print 'Found Heaps:'
for walker in finder.list_heap_walkers():
validator = walker.get_heap_validator()
validator.print_heap_analysis(walker.get_heap(), opts.verbose)
return
def test_chunks_numbers(self):
""" Count all user allocations and free chunks (10 sec)"""
memory_handler = dump_loader.load('test/dumps/ssh/ssh.1')
heap_finder = memory_handler.get_heap_finder()
mappings = heap_finder.get_heap_mappings()
heaps = heap_finder.get_heap_mappings()
self.assertEquals(len(heaps), 1)
heap = heaps[0]
self.assertTrue(heap_finder._is_heap(heap, heap.start))
#
walker = heap_finder.get_heap_walker(heap)
# test the number of allocations
allocs = walker.get_user_allocations()
self.assertEquals(len(allocs), 2568)
# test the size of allocations
size = sum([size for addr, size in allocs])
self.assertEquals(size, 105616)
# test the number of free chunks
free = walker.get_free_chunks()
self.assertEquals(len(free), 7)
# test the size of free chunks
size = sum([size for addr, size in free])
self.assertEquals(size, 19252)
return
def search_heap_direct(self, memdumpname, start_address_mapping):
# we need a memory dump loader
self.memory_handler = dump_loader.load(memdumpname)
my_model = self.memory_handler.get_model()
module_name = self._init_module_name(self.memory_handler)
# import the module with the right arch
heap_module = my_model.import_module(module_name)
log.debug('the heap module loaded is %s', module_name)
# load the constraints
constraint_filename = self._init_constraints_filename(heap_module)
parser = constraints.ConstraintsConfigHandler()
my_constraints = parser.read(constraint_filename)
m = self.memory_handler.get_mapping_for_address(start_address_mapping)
my_searcher = searcher.AnyOffsetRecordSearcher(
self.memory_handler,
my_constraints, [m],
update_cb=partial(self.print_cb, self.memory_handler))
heap_record_name = self._init_heap_record_name()
heap_struct = getattr(heap_module, heap_record_name)
results = my_searcher._load_at(m,
start_address_mapping,
heap_struct,
depth=5)
#print haystack.output_to_python(memory_handler, [results])[0][0].toString()
return results
def setUp(self):
dumpname = 'test/src/test-ctypes6.64.dump'
self.memory_handler = dump_loader.load(dumpname)
self.my_model = self.memory_handler.get_model()
self.ctypes_gen64 = self.my_model.import_module("test.src.ctypes6_gen64")
# load TU values
self._load_offsets_values(self.memory_handler.get_name())
def show_dumpname(structname, dumpname, address, rtype='python'):
""" shows the values for klass at @address in memdump.
:param structname the ctypes structure name (string)
:type structName string
:param dumpname the memdump filename
:param address the address from where to read the structure
:param rtype the return type format ( string, pickle, json )
:type rtype ['string', 'pickle', 'json', 'python']
:returns (instance, validated) instance the loaded ctypes and validated a boolean flag
if validated is True, all constraints were OK in instance.
"""
from haystack import dump_loader
log.debug('haystack show %s %s %x' % (dumpname, structname, address))
structType = getKlass(structname)
mappings = dump_loader.load(dumpname)
finder = StructFinder(mappings)
# validate the input address.
memoryMap = utils.is_valid_address_value(address, finder.mappings)
if not memoryMap:
log.error("the address is not accessible in the memoryMap")
raise ValueError("the address is not accessible in the memoryMap")
instance, validated = finder.loadAt(memoryMap, address, structType)
out = _show_output(instance, validated, rtype)
return out
def setUpClass(cls):
cls.dumpname = 'test/src/test-ctypes6.32.dump'
config.remove_cache_folder(cls.dumpname)
cls.memory_handler = dump_loader.load(cls.dumpname)
cls.my_target = cls.memory_handler.get_target_platform()
cls.my_ctypes = cls.my_target.get_target_ctypes()
cls.my_utils = cls.my_target.get_target_ctypes_utils()
def search_heap(self, memdumpname):
# we need a memory dump loader
self.memory_handler = dump_loader.load(memdumpname)
my_model = self.memory_handler.get_model()
module_name = self._init_module_name(self.memory_handler)
# import the module with the right arch
heap_module = my_model.import_module(module_name)
log.debug('the heap module loaded is %s', module_name)
# load the constraints
constraint_filename = self._init_constraints_filename(heap_module)
parser = constraints.ConstraintsConfigHandler()
my_constraints = parser.read(constraint_filename)
my_searcher = searcher.AnyOffsetRecordSearcher(self.memory_handler,
my_constraints,
update_cb=partial(self.print_cb, self.memory_handler))
## DEBUG
# DEBUG PEB search
#peb = my_model.import_module('haystack.allocators.win32.winxp_32_peb')
##DEBUG
heap_record_name = self._init_heap_record_name()
heap_struct = getattr(heap_module, heap_record_name)
# on ly return first results in each mapping
results = []
for mapping in self.memory_handler.get_mappings():
log.debug("looking at %s", mapping)
res = my_searcher._search_in(mapping, heap_struct, nb=1, align=0x1000)
# DEBUG PEB search
#res = my_searcher._search_in(mapping, peb.struct__PEB, nb=1, align=0x1000)
if res:
# FIXME output_to are stupid
#print haystack.output_to_string(memory_handler, res)
results.append(res)
return results
def setUp(self):
dumpname = 'test/src/test-ctypes6.64.dump'
self.memory_handler = dump_loader.load(dumpname)
process_context = self.memory_handler.get_reverse_context()
process_context.create_record_cache_folder()
# load TU values
self._load_offsets_values(self.memory_handler.get_name())
def setUp(self):
self.memory_handler = dump_loader.load('test/src/test-ctypes5.32.dump')
self._load_offsets_values('test/src/test-ctypes5.32.dump')
sys.path.append('test/src/')
my_model = self.memory_handler.get_model()
self.ctypes5_gen32 = my_model.import_module("ctypes5_gen32")
my_model.build_python_class_clones(self.ctypes5_gen32)
def setUpClass(cls):
# context.get_context('test/src/test-ctypes3.dump')
cls.context = None
cls.memory_handler = dump_loader.load(putty_7124_win7.dumpname)
cls.putty7124 = context.get_context_for_address(cls.memory_handler, putty_7124_win7.known_heaps[0][0])
cls.dsa = dsa.FieldReverser(cls.putty7124.memory_handler)
cls.memory_handler = cls.putty7124.memory_handler
def getContext(fname):
from haystack.reverse.reversers import ReverserContext
mappings = dump_loader.load( fname)
try:
context = ReverserContext.cacheLoad(mappings)
except IOError,e:
context = ReverserContext(mappings, mappings.getHeap())
def setUpClass(cls):
cls.dumpname = 'test/src/test-ctypes6.32.dump'
config.remove_cache_folder(cls.dumpname)
cls.memory_handler = dump_loader.load(cls.dumpname)
cls.my_target = cls.memory_handler.get_target_platform()
cls.my_ctypes = cls.my_target.get_target_ctypes()
cls.my_utils = cls.my_target.get_target_ctypes_utils()
def show_dumpname(structname, dumpname, address, rtype='python'):
""" shows the values for klass at @address in memdump.
:param structname the ctypes structure name (string)
:type structName string
:param dumpname the memdump filename
:param address the address from where to read the structure
:param rtype the return type format ( string, pickle, json )
:type rtype ['string', 'pickle', 'json', 'python']
:returns (instance, validated) instance the loaded ctypes and validated a boolean flag
if validated is True, all constraints were OK in instance.
"""
from haystack import dump_loader
log.debug('haystack show %s %s %x'%(dumpname, structname, address ))
structType = getKlass(structname)
mappings = dump_loader.load(dumpname)
finder = StructFinder(mappings)
# validate the input address.
memoryMap = utils.is_valid_address_value(address, finder.mappings)
if not memoryMap:
log.error("the address is not accessible in the memoryMap")
raise ValueError("the address is not accessible in the memoryMap")
instance,validated = finder.loadAt( memoryMap, address, structType)
out = _show_output(instance, validated, rtype)
return out
def setUp(self):
self.memory_handler = dump_loader.load('test/src/test-ctypes5.32.dump')
self._load_offsets_values('test/src/test-ctypes5.32.dump')
sys.path.append('test/src/')
my_model = self.memory_handler.get_model()
self.ctypes5_gen32 = my_model.import_module("ctypes5_gen32")
my_model.build_python_class_clones(self.ctypes5_gen32)
def setUp(self):
self.memory_handler = dump_loader.load('test/src/test-ctypes6.32.dump')
self.memdumpname = 'test/src/test-ctypes6.32.dump'
self._load_offsets_values(self.memdumpname)
sys.path.append('test/src/')
my_model = self.memory_handler.get_model()
self.ctypes6_gen32 = my_model.import_module("ctypes6_gen32")
handler = constraints.ConstraintsConfigHandler()
my_constraints = handler.read('test/src/ctypes6.constraints')
self.x32_validator = ctypes6.CTypes6Validator(self.memory_handler,
my_constraints,
self.ctypes6_gen32)
self.offset = self.offsets['test1'][0]
self.m = self.memory_handler.get_mapping_for_address(self.offset)
self.usual = self.m.read_struct(self.offset,
self.ctypes6_gen32.struct_usual)
# complex
self.o_rootA = self.offsets['rootA'][0]
self.rootA = self.m.read_struct(self.o_rootA,
self.ctypes6_gen32.struct_Node)
self.o_rootB = self.offsets['rootB'][0]
self.rootB = self.m.read_struct(self.o_rootB,
self.ctypes6_gen32.struct_Node)
self.o_rootC = self.offsets['rootC'][0]
self.rootC = self.m.read_struct(self.o_rootC,
self.ctypes6_gen32.struct_Node)
def test_chunks_numbers(self):
""" Count all user allocations and free chunks (10 sec)"""
memory_handler = dump_loader.load('test/dumps/ssh/ssh.1')
heap_finder = memory_handler.get_heap_finder()
mappings = heap_finder.get_heap_mappings()
heaps = heap_finder.get_heap_mappings()
self.assertEquals(len(heaps), 1)
heap = heaps[0]
self.assertTrue(heap_finder._is_heap(heap, heap.start))
#
walker = heap_finder.get_heap_walker(heap)
# test the number of allocations
allocs = walker.get_user_allocations()
self.assertEquals(len(allocs), 2568)
# test the size of allocations
size = sum([size for addr, size in allocs])
self.assertEquals(size, 105616)
# test the number of free chunks
free = walker.get_free_chunks()
self.assertEquals(len(free), 7)
# test the size of free chunks
size = sum([size for addr, size in free])
self.assertEquals(size, 19252)
return
def setUp(self):
dumpname = 'test/src/test-ctypes6.64.dump'
self.memory_handler = dump_loader.load(dumpname)
process_context = self.memory_handler.get_reverse_context()
process_context.create_record_cache_folder()
# load TU values
self._load_offsets_values(self.memory_handler.get_name())
def setUp(self):
dumpname = 'test/src/test-ctypes6.64.dump'
self.memory_handler = dump_loader.load(dumpname)
self.my_model = self.memory_handler.get_model()
self.ctypes_gen64 = self.my_model.import_module(
"test.src.ctypes6_gen64")
# load TU values
self._load_offsets_values(self.memory_handler.get_name())
def setUpClass(cls):
cls.memory_handler = dump_loader.load(cls.memdumpname)
cls.my_target = cls.memory_handler.get_target_platform()
cls.my_ctypes = cls.my_target.get_target_ctypes()
cls.my_utils = cls.my_target.get_target_ctypes_utils()
cls.my_model = cls.memory_handler.get_model()
# load offsets
cls._load_offsets_values(cls.memdumpname)
def setUpClass(cls):
cls.dumpname = zeus_856_svchost_exe.dumpname
#config.remove_cache_folder(cls.dumpname)
cls.memory_handler = dump_loader.load(zeus_856_svchost_exe.dumpname)
##
cls.offset = zeus_856_svchost_exe.known_records[0][0]
cls._context = context.get_context_for_address(cls.memory_handler, cls.offset)
return
def setUp(self):
offset = 0x08F75008
self.mappings = dump_loader.load("test/src/test-ctypes5.dump")
sys.path.append("test/src/")
import ctypes5
self.m = self.mappings.getMmapForAddr(offset)
self.usual = self.m.readStruct(offset, ctypes5.usual)
def setUpClass(cls):
cls.memory_handler = dump_loader.load('test/src/test-ctypes5.32.dump')
cls.my_target = cls.memory_handler.get_target_platform()
cls.my_ctypes = cls.my_target.get_target_ctypes()
cls.my_utils = cls.my_target.get_target_ctypes_utils()
cls.my_model = cls.memory_handler.get_model()
cls.ctypes5_gen32 = cls.my_model.import_module("test.src.ctypes5_gen32")
cls.validator = listmodel.ListModel(cls.memory_handler, None)
def setUpClass(cls):
cls.memory_handler = dump_loader.load(cls.memdumpname)
cls.my_target = cls.memory_handler.get_target_platform()
cls.my_ctypes = cls.my_target.get_target_ctypes()
cls.my_utils = cls.my_target.get_target_ctypes_utils()
cls.my_model = cls.memory_handler.get_model()
# load offsets
cls._load_offsets_values(cls.memdumpname)
def _openDumpfile(self, dumpfile):
# load memorymapping
mappings = dump_loader.load(dumpfile)
# TODO : make a mapping chooser
if len(mappings) > 1:
heap = [m for m in mappings if m.pathname == '[heap]'][0]
else:
heap = mappings[0]
return self.make_memory_tab( os.path.sep.join( [os.path.basename(dumpfile.name),heap.pathname]), heap, mappings)
def setUp(self):
# os.chdir()
self.memory_handler = dump_loader.load('test/src/test-ctypes3.32.dump')
self._load_offsets_values(self.memory_handler.get_name())
finder = self.memory_handler.get_heap_finder()
walkers = finder.list_heap_walkers()
self.context = context.get_context_for_address(self.memory_handler, walkers[0])
##
self.dsa = dsa.FieldReverser(self.memory_handler)
def setUpClass(cls):
cls.dumpname = zeus_856_svchost_exe.dumpname
#config.remove_cache_folder(cls.dumpname)
cls.memory_handler = dump_loader.load(zeus_856_svchost_exe.dumpname)
##
cls.offset = zeus_856_svchost_exe.known_records[0][0]
cls._context = context.get_context_for_address(cls.memory_handler,
cls.offset)
return
def make(opts):
log.info('[+] Extracting structures from pointer values and offsets.')
## get the list of pointers values pointing to heap
## need cache
mappings = dump_loader.load(opts.dumpfile, lazy=True)
values, heap_addrs, aligned, not_aligned = utils.getHeapPointers(
opts.dumpfile.name, mappings)
dumpname = opts.dumpfile.name
# we
if not os.access(Config.structsCacheDir, os.F_OK):
os.mkdir(Config.structsCacheDir)
heap = mappings.getHeap()
log.info('[+] Reversing %s' % (heap))
# creates
t0 = time.time()
structCache = {}
signatures = {}
lastNb = 0
for anon_struct, structs_addrs in buildAnonymousStructs(
mappings,
heap,
aligned,
not_aligned,
heap_addrs,
structCache,
reverse=False): # reverse is way too slow...
#
# regexp could be better if crossed against another dump.
anon_struct.save()
# save signature
cacheSignature(signatures, anon_struct)
#
nb = len(structs_addrs)
if nb >= lastNb + 1000: #time.time() - t0 > 30 :
td = time.time()
log.info(
'\t[-] extracted @%lx, %lx left - %d structs extracted (%d)' %
(anon_struct.vaddr, heap.end - anon_struct.vaddr,
len(structCache), td - t0))
rewrite(structs_addrs, structCache, dumpname)
saveSignatures(signatures, structCache, dumpname)
log.info('\t\t[.] %2.2f secs to rewrite %d structs' %
(time.time() - td, len(structs_addrs)))
t0 = time.time()
lastNb = nb
Config.nbAnonymousStruct = nb
pass
# final pass
rewrite(structs_addrs, structCache, dumpname)
saveSignatures(signatures, structCache)
## we have :
## resolved PinnedPointers on all sigs in ppMapper.resolved
## unresolved PP in ppMapper.unresolved
## next step
log.info('Pin resolved PinnedPointers to their respective heap.')
def setUp(self):
self.memory_handler = dump_loader.load('test/src/test-ctypes5.32.dump')
self._load_offsets_values('test/src/test-ctypes5.32.dump')
self.my_target = target.TargetPlatform.make_target_linux_32()
self.my_ctypes = self.my_target.get_target_ctypes()
self.my_utils = self.my_target.get_target_ctypes_utils()
self.my_model = self.memory_handler.get_model()
_constraints = constraints.ModuleConstraints() # empty
self.validator = basicmodel.CTypesRecordConstraintValidator(self.memory_handler, _constraints)
self.ctypes_gen32 = self.my_model.import_module("test.src.ctypes5_gen32")
def _openDump(self, dumpname): # load memorymapping mappings = dump_loader.load(dumpname) # TODO : make a mapping chooser heap = mappings.getHeap() #if len(mappings) > 1: # heap = [m for m in mappings if m.pathname == '[heap]'][0] #else: # heap = mappings[0] return self.make_memory_tab( os.path.sep.join( [os.path.basename(dumpname),heap.pathname]), heap, mappings)
def setUpClass(cls):
cls.dumpname = zeus_856_svchost_exe.dumpname
cls.memory_handler = dump_loader.load(zeus_856_svchost_exe.dumpname)
cls.process_context = cls.memory_handler.get_reverse_context()
cls.process_context.create_record_cache_folder()
##
cls.offset = zeus_856_svchost_exe.known_records[0][0]
cls._context = context.get_context_for_address(cls.memory_handler, cls.offset)
api.reverse_instances(cls.memory_handler)
return
def get_context(fname):
''' Load a dump file, and create a reverser context object.
@return context: a ReverserContext
'''
from haystack import dump_loader
mappings = dump_loader.load( fname)
try:
context = ReverserContext.cacheLoad(mappings)
except IOError,e:
context = ReverserContext(mappings, mappings.getHeap())
def setUp(self):
# os.chdir()
self.memory_handler = dump_loader.load('test/src/test-ctypes3.32.dump')
self._load_offsets_values(self.memory_handler.get_name())
finder = self.memory_handler.get_heap_finder()
walkers = finder.list_heap_walkers()
self.context = context.get_context_for_address(self.memory_handler,
walkers[0])
##
self.dsa = dsa.FieldReverser(self.memory_handler)
def setUp(self):
model.reset()
self._mappings = dump_loader.load('test/dumps/putty/putty.1.dump')
self._known_heaps = [(0x390000, 0x3000), (0x540000, 0x1000),
(0x580000, 0x9000), (0x5c0000, 0x59000),
(0x1ef0000, 0x1000), (0x2010000, 0x21000),
(0x2080000, 0x10000), (0x21f0000, 0x6000),
(0x3360000, 0x1000), (0x4030000, 0x1000),
(0x4110000, 0x1000), (0x41c0000, 0x1000),
]
return
def _openDump(self, dumpname):
# load memorymapping
memory_handler = dump_loader.load(dumpname)
# TODO : make a mapping chooser
finder = memory_handler.get_heap_finder()
heap = memory_handler.get_heap_mappings()[0]
# if len(_memory_handler) > 1:
# heap = [m for m in _memory_handler if m.pathname == '[heap]'][0]
# else:
# heap = _memory_handler[0]
return self.make_memory_tab(os.path.sep.join([os.path.basename(dumpname), heap.pathname]), heap, memory_handler)
def setUpClass(cls):
cls.dumpname = zeus_856_svchost_exe.dumpname
cls.memory_handler = dump_loader.load(zeus_856_svchost_exe.dumpname)
cls.process_context = cls.memory_handler.get_reverse_context()
cls.process_context.create_record_cache_folder()
##
cls.offset = zeus_856_svchost_exe.known_records[0][0]
cls._context = context.get_context_for_address(cls.memory_handler,
cls.offset)
api.reverse_instances(cls.memory_handler)
return
def test_get_heap_mappings(self):
memory_handler = dump_loader.load('test/src/test-ctypes1.64.dump')
heap_finder = memory_handler.get_heap_finder()
mappings = heap_finder.get_heap_mappings()
self.assertEqual(len(mappings), 1)
self.assertEqual(mappings[0].pathname, '[heap]')
memory_handler.reset_mappings()
memory_handler = dump_loader.load('test/src/test-ctypes3.64.dump')
heap_finder = memory_handler.get_heap_finder()
mappings = heap_finder.get_heap_mappings()
self.assertEqual(len(mappings), 1)
self.assertEqual(mappings[0].pathname, '[heap]')
memory_handler.reset_mappings()
memory_handler = dump_loader.load('test/src/test-ctypes3.32.dump')
heap_finder = memory_handler.get_heap_finder()
mappings = heap_finder.get_heap_mappings()
self.assertEqual(len(mappings), 1)
self.assertEqual(mappings[0].pathname, '[heap]')
memory_handler.reset_mappings()
def setUpClass(cls):
cls.dumpname = 'test/src/test-ctypes3.32.dump'
config.remove_cache_folder(cls.dumpname)
cls.memory_handler = dump_loader.load(cls.dumpname)
finder = cls.memory_handler.get_heap_finder()
heap_walker = finder.list_heap_walkers()[0]
heap_addr = heap_walker.get_heap_address()
cls.context = context.get_context_for_address(cls.memory_handler, heap_addr)
cls.target = cls.context.memory_handler.get_target_platform()
cls.dsa = dsa.FieldReverser(cls.context.memory_handler)
cls.pta = pointertypes.PointerFieldReverser(cls.context.memory_handler)
return
def setUp(self):
self.classname = 'haystack.allocators.win32.win7heap.HEAP'
self.known_heaps = [(0x00390000, 8956), (0x00540000, 868),
(0x00580000, 111933), (0x005c0000, 1704080),
(0x01ef0000, 604), (0x02010000, 61348),
(0x02080000, 474949), (0x021f0000, 18762),
(0x03360000, 604), (0x04030000, 632),
(0x04110000, 1334), (0x041c0000, 644),
# from free stuf
(0x0061a000, 1200),
]
self.memory_handler = dump_loader.load(self.memdumpname)
def test_list_heap_walkers(self):
memory_handler = dump_loader.load('test/src/test-ctypes1.64.dump')
heap_finder = memory_handler.get_heap_finder()
walkers = heap_finder.list_heap_walkers()
self.assertEqual(len(walkers), 1)
self.assertEqual(walkers[0].get_heap_mapping().pathname, '[heap]')
memory_handler.reset_mappings()
memory_handler = dump_loader.load('test/src/test-ctypes3.64.dump')
heap_finder = memory_handler.get_heap_finder()
walkers = heap_finder.list_heap_walkers()
self.assertEqual(len(walkers), 1)
self.assertEqual(walkers[0].get_heap_mapping().pathname, '[heap]')
memory_handler.reset_mappings()
memory_handler = dump_loader.load('test/src/test-ctypes3.32.dump')
heap_finder = memory_handler.get_heap_finder()
walkers = heap_finder.list_heap_walkers()
self.assertEqual(len(walkers), 1)
self.assertEqual(walkers[0].get_heap_mapping().pathname, '[heap]')
memory_handler.reset_mappings()
def setUp(self):
self._mappings = dump_loader.load('test/dumps/putty/putty.1.dump')
self._known_heaps = [ (0x00390000, 8956), (0x00540000, 868),
( 0x00580000, 111933), (0x005c0000, 1704080) ,
( 0x01ef0000, 604), (0x02010000, 61348),
( 0x02080000, 474949), (0x021f0000 , 18762),
( 0x03360000, 604), (0x04030000 , 632),
( 0x04110000, 1334), (0x041c0000 , 644),
# from free stuf - erroneous
#( 0x0061a000, 1200),
]
return
def setUp(self):
self.memory_handler = dump_loader.load('test/src/test-ctypes5.32.dump')
self._load_offsets_values('test/src/test-ctypes5.32.dump')
self.my_target = target.TargetPlatform.make_target_linux_32()
self.my_ctypes = self.my_target.get_target_ctypes()
self.my_utils = self.my_target.get_target_ctypes_utils()
self.my_model = self.memory_handler.get_model()
_constraints = constraints.ModuleConstraints() # empty
self.validator = basicmodel.CTypesRecordConstraintValidator(
self.memory_handler, _constraints)
self.ctypes_gen32 = self.my_model.import_module(
"test.src.ctypes5_gen32")
def _openDump(self, dumpname):
# load memorymapping
memory_handler = dump_loader.load(dumpname)
# TODO : make a mapping chooser
finder = memory_handler.get_heap_finder()
heap = memory_handler.list_heap_walkers()[0]
# if len(_memory_handler) > 1:
# heap = [m for m in _memory_handler if m.pathname == '[heap]'][0]
# else:
# heap = _memory_handler[0]
return self.make_memory_tab(
os.path.sep.join([os.path.basename(dumpname), heap.pathname]), heap, memory_handler)
def test_dumptype_dir(self):
tgt1 = self._make_tgt_dir()
tgt2 = self._make_tgt_dir()
tgt3 = self._make_tgt_dir()
out1 = memory_dumper.dump(self.process.pid, tgt1, "dir", False, True)
self.assertEquals(out1, tgt1) # same name
self._renew_process()
out2 = memory_dumper.dump(self.process.pid, tgt2, "dir", True, True)
self.assertEquals(out2, tgt2) # same name
self._renew_process()
out3 = memory_dumper.dump(self.process.pid, tgt3, "dir", False, False)
self.assertEquals(out3, tgt3) # same name
size1 = get_folder_size(tgt1)
size2 = get_folder_size(tgt2)
size3 = get_folder_size(tgt3)
self.assertGreater(size1, 500) # not a null archive
self.assertGreater(size2, size1) # more mappings
self.assertGreater(size3, size2) # more mappings
# test opening by dump_loader
from haystack import dump_loader
from haystack import memory_mapping
mappings1 = dump_loader.load(out1)
self.assertIsInstance( mappings1, memory_mapping.Mappings)
mappings2 = dump_loader.load(out2)
mappings3 = dump_loader.load(out3)
pathnames1 = [m.pathname for m in mappings1]
pathnames2 = [m.pathname for m in mappings2]
pathnames3 = [m.pathname for m in mappings3]
self.assertEquals(pathnames1, pathnames2)
self.assertEquals(pathnames3, pathnames2)
return
def test_closestFloorValue(self):
lst = numpy.asarray(range(0, 100, 10))
self.assertEquals(utils.closestFloorValue(41, lst), (40, 4))
self.assertEquals(utils.closestFloorValue(40, lst), (40, 4))
with self.assertRaises(ValueError):
utils.closestFloorValue(-1, lst)
memory_handler = dump_loader.load('test/src/test-ctypes3.32.dump')
finder = memory_handler.get_heap_finder()
heap = finder.get_heap_mappings()[0]
heap_addr = heap.get_marked_heap_address()
ctx = context.get_context_for_address(memory_handler, heap_addr)
lst = ctx._structures_addresses
def setUp(self):
dumpname = 'test/src/test-ctypes6.64.dump'
self.memory_handler = dump_loader.load(dumpname)
process_context = self.memory_handler.get_reverse_context()
process_context.create_record_cache_folder()
# load TU values
self._load_offsets_values(self.memory_handler.get_name())
##
self.dllr = reversers.DoubleLinkedListReverser(self.memory_handler)
log.debug('Reversing Fields')
fr = dsa.FieldReverser(self.memory_handler)
fr.reverse()
def setUp(self):
dumpname = 'test/src/test-ctypes6.64.dump'
self.memory_handler = dump_loader.load(dumpname)
process_context = self.memory_handler.get_reverse_context()
process_context.create_record_cache_folder()
# load TU values
self._load_offsets_values(self.memory_handler.get_name())
##
self.dllr = reversers.DoubleLinkedListReverser(self.memory_handler)
log.debug('Reversing Fields')
fr = dsa.FieldReverser(self.memory_handler)
fr.reverse()
def test_closestFloorValue(self):
lst = numpy.asarray(range(0, 100, 10))
self.assertEquals(utils.closestFloorValue(41, lst), (40, 4))
self.assertEquals(utils.closestFloorValue(40, lst), (40, 4))
with self.assertRaises(ValueError):
utils.closestFloorValue(-1, lst)
memory_handler = dump_loader.load('test/src/test-ctypes3.32.dump')
finder = memory_handler.get_heap_finder()
heap = finder.get_heap_mappings()[0]
heap_addr = heap.get_marked_heap_address()
ctx = context.get_context_for_address(memory_handler, heap_addr)
lst = ctx._structures_addresses
def setUpClass(cls):
cls.libc_mh_64 = dump_loader.load('test/src/test-ctypes3.64.dump')
cls.libc_mh_32 = dump_loader.load('test/src/test-ctypes3.32.dump')
cls.winxp_mh_32 = dump_loader.load('test/dumps/minidump/cmd.dmp')
cls.winxp_mh_64 = dump_loader.load('test/dumps/minidump/alg.dmp')
cls.win7_mh_32 = dump_loader.load(putty_1_win7.dumpname)
# FIXME, its loaded as a winxp
cls.win7_mh_64 = dump_loader.load('test/dumps/keepass.test')
def setUpClass(cls):
cls.libc_mh_64 = dump_loader.load('test/src/test-ctypes3.64.dump')
cls.libc_mh_32 = dump_loader.load('test/src/test-ctypes3.32.dump')
cls.winxp_mh_32 = dump_loader.load('test/dumps/minidump/cmd.dmp')
cls.winxp_mh_64 = dump_loader.load('test/dumps/minidump/alg.dmp')
cls.win7_mh_32 = dump_loader.load(putty_1_win7.dumpname)
# FIXME, its loaded as a winxp
cls.win7_mh_64 = dump_loader.load('test/dumps/keepass.test')
def setUp(self):
self.memory_handler = dump_loader.load('test/dumps/ssh/ssh.1/')
self.my_target = self.memory_handler.get_target_platform()
self.my_ctypes = self.my_target.get_target_ctypes()
self.my_utils = self.my_target.get_target_ctypes_utils()
self.my_model = self.memory_handler.get_model()
_constraints = constraints.ModuleConstraints() # empty
self.validator = basicmodel.CTypesRecordConstraintValidator(
self.memory_handler, _constraints)
try:
self.sslsnoop = self.my_model.import_module("sslsnoop")
except ImportError:
self.skipTest('sslsnoop not present')
self.classname = 'sslsnoop.ctypes_openssh.session_state'
self.known_offset = 0xb84ee318
def _openDumpfile(dumpfile):
# load memorymapping
mappings = dump_loader.load(dumpfile)
# TODO : make a mapping chooser
stack, heap = None, None
if len(mappings) > 1:
for m in mappings:
if m.pathname == '[heap]':
heap = m
if m.pathname == '[stack]':
stack = m
if heap is None or stack is None:
log.info('Heap or stack has not been found( head:%s stack:%s'%(heap, stack))
return None
return heap,stack,mappings
def setUpClass(cls):
from haystack import dump_loader
cls.memory_handler = dump_loader.load(zeus_856_svchost_exe.dumpname)
cls.context = context.get_context_for_address(cls.memory_handler, 0x90000)
cls.target = cls.memory_handler.get_target_platform()
cls.zeroes = dsa.ZeroFields(cls.memory_handler)
cls.utf16 = dsa.UTF16Fields(cls.memory_handler)
cls.ascii = dsa.PrintableAsciiFields(cls.memory_handler)
cls.ints = dsa.IntegerFields(cls.memory_handler)
# new test from real case zeus.856 @0xb2e38
cls.real = '\xc81\x0b\x00\xa8*\x0b\x00\x01\x00\x00\x00\x00\x00\x00\x00f \x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\xe0\xa9`\x9dz3\xd0\x11\xbd\x88\x00\x00\xc0\x82\xe6\x9a\xed\x03\x00\x00\x01\x00\x00\x00\xc8\xfc\xbe\x02p\x0c\x00\x00\x08\x00\x00\x00\x1d\x00\x02\x00L\xfd\xbe\x02\xd8\x91\x1b\x01\x00\x00\x00\x00\x06\x00\x00\x00\x02\x00\x00\x00\x10\x00\x00\x00\x10\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00R\x00S\x00V\x00P\x00 \x00T\x00C\x00P\x00 \x00S\x00e\x00r\x00v\x00i\x00c\x00e\x00 \x00P\x00r\x00o\x00v\x00i\x00d\x00e\x00r\x00\x00\x00f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xab\xe9\x90|\xf2\x94\x80|\x00P\xfd\x7f\x00\x00\x1c\x00\x08\x00\x00\x00\x00\x00\x00\x00t\xfc\xbe\x02\\\r\x91|\x00\x00\x1c\x00\x00\x00\xc3\x00\x00\x00\x00\x00\x88\xb0\xd2\x01\\\r\x91|\x00\x00\x1c\x00\x91\x0e\x91|\x08\x06\x1c\x00m\x05\x91|h^\xd0\x01\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\xc3\x00\x01\x00\x00\x000\x02\x1c\x00\x02\x00\x00\x00\x90\xb0\xd2\x01\x03\x00\x00\x00\x02\x00\x00\x00h^\xd0\x010\x02\x1c\x00\xd8>\xd4\x010\xf0\xfc\x00\xb8\x02\x1c\x00\xe8?\xd4\x01\xd8\x01\x1c\x00\x00\x00\x00\x00\x10\x00\x00\x00\xe8?\xd4\x01\x0c\x00\x00\x00\x05\x00\x00\x00\xf0\x06\x91|\xe0\x01\x1c\x00\x18\x00\x00\x00\xe0>\xd4\x01\x00\x00\x1c\x00\x01\x00\x00\x00\x08\x00\x00\x00\xe0\x01\x1c\x00@\x00\x00\x00\xf0?\xd4\x01\xa8\x04\x1c\x00\x00\x00\x1c\x00Om\x01\x01\x84^\xd0\x01`\x00\x00\x00\xb8\x02\x1c\x00\x00\x00\x00\x00\xd8>\xd4\x01\x88\xfc\xbe\x02F\x0f\x91|\r\x00\x00\x00\xd8>\xd4\x01\x00\x00\x1c\x00\x10<\xd4\x01\x00\x00\x00\x00\\\xfd\xbe\x02\\\r\x91|\x00\x00\x1c\x00\x91\x0e\x91|\x08\x06\x1c\x00m\x05\x91|`\xab\xf0\x00\x00\x00\x00\x00\xec<\xca\x02\x00\x00\xc3\x00\x0c\x00\x00\x00\x10<\xd4\x01\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x0c\x00\x00\x00\x00\x00\x00\x18<\xd4\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x0c\x00\x00(\xfd\xbe\x02\xa8\x04\x1c\x00\xd0\x0c\x00\x00@\x00\x00\x00\x03\x00\x00\x00\x18<\xd4\x01\xa8\x04\x1c\x00`\xab\xf0\x00\xc8\x02\x00\x00\xec<\xca\x02\x0c\x00\x0e\x00<V_u\x00\x00\x00\x00\xf8\xfc\xbe\x02\xec<\xca\x02\x00\x00\x00\x00`\xab\xf0\x00P\xfd\xbe\x02l\xfb\x90|q\xfb\x90|`\xab\xf0\x00\x00\x00\x00\x00\xec<\xca\x02,\xfd\xbe\x02%SystemRoot%\\system32\\rsvpsp.dll\x00\x003\x00B\x006\x004\x00B\x007\x00}\x00\x00\x00\xbe\x02\x05\x00\x00\x00\xe6-\xfd\x7f\x96\x15\x91|\xeb\x06\x91|\xa4\xfd\xbe\x02 8\xd4\x01\x10\x00\x00\x00\t\x04\x00\x00\x00\x01\x00\x00\xdc\xfa\xbe\x02\x00\x00\x00\x00\x96\x15\x91|\xeb\x06\x91|\x01\x00\x00\x00\xa4\xfd\xbe\x02\x04\x00\x00\x00\xaf\x9f\xd4w\xdc\xfa\xbe\x02\x05\x00\x00\x00\x96\x15\x91|\xeb\x06\x91|\x01\x00\x00\x00\xa4\xfd\xbe\x02\x96\x15\x91|\xeb\x06\x91|\x00\x00\x00\x00\x00\x00\x00\x00X\x00\x00\x00\xeb\x06\x91|\x01\x00\x00\x00\xa4\xfd\xbe\x02\x01\x00\x00\x00\xff\xff\xff\xff\xd8\xa2\x92w\x08\xa3\x92w\xdc\xfa\xbe\x02\xd8\xfa\xbe\x02\x02\x00\x00\x80\x9c\xfa\xbe\x02\x90\x01\x1c\x00\xb0\x01\x00\x00\xe4\xfa\xbe\x02\xff\xff\xff\xff\xe0\xfc\xbe\x02\xab\xa5\x92wh^\xd0\x01\xdc\xfa\xbe\x02\x88\x01\x1c\x00\x00\x00\xc3\x00\x01\x00\x00\x00\x96\x15\x91|\x00\x00\x00\x00'
cls.test1 = structure.AnonymousRecord(cls.memory_handler, 0xb2e38, 904, prefix=None)
cls.test2 = structure.AnonymousRecord(cls.memory_handler, 0xb2e38 + 636, 100, prefix=None)
pass