def _load_memory_mappings(self):
""" make the python objects"""
_mappings = []
default_ctypes = types.load_ctypes_default()
for mmap_fname, start, end, permissions, offset, major_device, minor_device, inode, pathname in self.metalines:
log.debug('Loading %s - %s' % (mmap_fname, pathname))
# open the file in the archive
fname = os.path.sep.join([self.dumpname, mmap_fname])
mmap = FilenameBackedMemoryMapping(fname,
start,
end,
permissions,
offset,
major_device,
minor_device,
inode,
pathname=pathname)
mmap.set_ctypes(default_ctypes)
_mappings.append(mmap)
_target_platform = target.TargetPlatform(_mappings,
cpu_bits=self._cpu_bits,
os_name=self._os_name)
self._memory_handler = MemoryHandler(_mappings, _target_platform,
self.dumpname)
self._memory_handler.reset_mappings()
return
def _load_memory_mappings(self):
""" make the python objects"""
_mappings = []
for _start, _end, permissions, offset, devices, inode, mmap_pathname in self.metalines:
start, end = int(_start, 16), int(_end, 16)
offset = int(offset, 16)
inode = int(inode)
# rebuild filename
mmap_fname = "%s-%s" % (_start, _end)
# get devices nums
major_device, minor_device = devices.split(':')
major_device = int(major_device, 16)
minor_device = int(minor_device, 16)
log.debug('Loading %s - %s' % (mmap_fname, mmap_pathname))
# open the file in the archive
fname = os.path.sep.join([self.dumpname, mmap_fname])
mmap = FilenameBackedMemoryMapping(fname,
start,
end,
permissions,
offset,
major_device,
minor_device,
inode,
pathname=mmap_pathname)
_mappings.append(mmap)
_target_platform = TargetPlatform(_mappings,
cpu_bits=self._cpu_bits,
os_name=self._os_name)
self._memory_handler = MemoryHandler(_mappings, _target_platform,
self.dumpname)
self._memory_handler.reset_mappings()
return
class VeryLazyProcessMemoryDumpLoader(LazyProcessMemoryDumpLoader):
"""
Always use a filename backed memory mapping.
"""
def _load_memory_mappings(self):
""" make the python objects"""
_mappings = []
for _start, _end, permissions, offset, devices, inode, mmap_pathname in self.metalines:
start, end = int(_start, 16), int(_end, 16)
offset = int(offset, 16)
inode = int(inode)
# rebuild filename
mmap_fname = "%s-%s" % (_start, _end)
# get devices nums
major_device, minor_device = devices.split(':')
major_device = int(major_device, 16)
minor_device = int(minor_device, 16)
log.debug('Loading %s - %s' % (mmap_fname, mmap_pathname))
# open the file in the archive
fname = os.path.sep.join([self.dumpname, mmap_fname])
mmap = FilenameBackedMemoryMapping(fname, start, end, permissions, offset,
major_device, minor_device, inode, pathname=mmap_pathname)
_mappings.append(mmap)
_target_platform = TargetPlatform(_mappings, cpu_bits=self._cpu_bits, os_name=self._os_name)
self._memory_handler = MemoryHandler(_mappings, _target_platform, self.dumpname)
self._memory_handler.reset_mappings()
return
def _make_mmap_with_values(self, intervals, struct_offset=None):
"""
Make a memory map, with a fake structure of pointer pattern inside.
Return the pattern signature
:param intervals:
:param struct_offset:
:return:
"""
# template of a memory map metadata
self._mstart = 0x0c00000
self._mlength = 4096 # end at (0x0c01000)
# could be 8, it doesn't really matter
self.word_size = self.target.get_word_size()
if struct_offset is not None:
self._struct_offset = struct_offset
else:
self._struct_offset = self.word_size * 12 # 12, or any other aligned
mmap, values = self._make_mmap(0x0c00000, 4096, self._struct_offset,
intervals, self.word_size)
# add a reference to mmap in mmap2
ammap2 = AMemoryMapping(0xff7dc000, 0xff7dc000 + 0x1000, '-rwx', 0, 0,
0, 0, 'test_mmap2')
ammap2.set_ctypes(self.target.get_target_ctypes())
mmap2 = LocalMemoryMapping.fromBytebuffer(ammap2,
mmap.get_byte_buffer())
self._memory_handler = MemoryHandler([mmap, mmap2], self.target,
'test')
self.mmap2 = mmap2
return mmap, values
def make_process_memory_handler(process):
"""
Read all memory mappings of the specified process.
Return a list of MemoryMapping objects, or empty list if it's not possible
to read the memory mappings.
May raise a ProcessError.
"""
if not isinstance(process, dbg.IProcess):
raise TypeError('dbg.IProcess expected')
mapsfile = process.get_mappings_line()
mappings = []
is_64 = False
# read the mappings
for line in mapsfile:
line = line.rstrip()
match = PROC_MAP_REGEX.match(line)
if not match:
raise IOError(process, "Unable to parse memory mapping: %r" % line)
if not is_64 and len(match.group(1)) > 8:
is_64 = True
#
log.debug('readProcessMappings %s' % (str(match.groups())))
_map = ProcessMemoryMapping(process, int(match.group(1), 16),
int(match.group(2), 16), match.group(3),
int(match.group(4), 16),
int(match.group(5), 16),
int(match.group(6), 16),
int(match.group(7)), match.group(8))
mappings.append(_map)
# create the memory_handler for self
import sys
if 'linux' in sys.platform:
os_name = target.TargetPlatform.LINUX
else: # sys.platform.startswith('win'):
os_name = target.TargetPlatform.WIN7
_target_platform = None
if is_64:
if os_name in [
target.TargetPlatform.WINXP, target.TargetPlatform.WIN7
]:
_target_platform = target.TargetPlatform.make_target_win_64(
os_name)
elif os_name == target.TargetPlatform.LINUX:
_target_platform = target.TargetPlatform.make_target_linux_64()
else:
if os_name in [
target.TargetPlatform.WINXP, target.TargetPlatform.WIN7
]:
_target_platform = target.TargetPlatform.make_target_win_32(
os_name)
elif os_name == target.TargetPlatform.LINUX:
_target_platform = target.TargetPlatform.make_target_linux_32()
_memory_handler = MemoryHandler(mappings, _target_platform,
'localhost-%d' % process.get_pid())
return _memory_handler
class VeryLazyProcessMemoryDumpLoader(LazyProcessMemoryDumpLoader):
"""
Always use a filename backed memory mapping.
"""
def _load_memory_mappings(self):
""" make the python objects"""
_mappings = []
default_ctypes = types.load_ctypes_default()
for mmap_fname, start, end, permissions, offset, major_device, minor_device, inode, pathname in self.metalines:
log.debug('Loading %s - %s' % (mmap_fname, pathname))
# open the file in the archive
fname = os.path.sep.join([self.dumpname, mmap_fname])
mmap = FilenameBackedMemoryMapping(fname, start, end, permissions, offset, major_device, minor_device, inode, pathname=pathname)
mmap.set_ctypes(default_ctypes)
_mappings.append(mmap)
_target_platform = target.TargetPlatform(_mappings, cpu_bits=self._cpu_bits, os_name=self._os_name)
self._memory_handler = MemoryHandler(_mappings, _target_platform, self.dumpname)
self._memory_handler.reset_mappings()
return
def my_render_text(mapper, cmd, outfd, data):
maps = []
for task in data:
# print type(task)
address_space = task.get_process_address_space()
for vad in task.VadRoot.traverse():
# print type(vad)
if vad is None:
continue
offset = vad.obj_offset
start = vad.Start
end = vad.End
tag = vad.Tag
flags = str(vad.u.VadFlags)
perms = PERMS_PROTECTION[vad.u.VadFlags.Protection.v() & 7]
pathname = ''
if vad.u.VadFlags.PrivateMemory == 1 or not vad.ControlArea:
pathname = ''
else:
# FIXME, push that to volatility plugin too.
try:
file_obj = vad.ControlArea.FilePointer
if file_obj:
pathname = file_obj.FileName or "Pagefile-backed section"
except AttributeError:
pass
#elif vad.FileObject:
# pathname = str(vad.FileObject.FileName or '')
pmap = VolatilityProcessMappingA(
address_space,
start,
end,
permissions=perms,
pathname=pathname)
# print pmap
#import code
# code.interact(local=locals())
maps.append(pmap)
# get the platform
## FIXME, use imageinfo, or find the automation in vol.py
#import code
#code.interact(local=locals())
if mapper.config.PROFILE == "WinXPSP2x86":
mapper._target = target.TargetPlatform.make_target_win_32('winxp')
memory_handler = MemoryHandler(maps, mapper._target, mapper.imgname)
# print _memory_handler
#mappings.init_config()
mapper._memory_handler = memory_handler
def readProcessMappings(process):
"""
Read all memory mappings of the specified process.
Return a list of MemoryMapping objects, or empty list if it's not possible
to read the memory mappings.
May raise a ProcessError.
"""
maps = []
if not dbg.HAS_PROC:
return maps
try:
mapsfile = dbg.openProc(process.pid)
except dbg.ProcError as err:
raise dbg.ProcessError(process,
"Unable to read process maps: %s" % err)
mappings = []
try:
# read the mappings
for line in mapsfile:
line = line.rstrip()
match = PROC_MAP_REGEX.match(line)
if not match:
raise dbg.ProcessError(
process, "Unable to parse memory mapping: %r" % line)
log.debug('readProcessMappings %s' % (str(match.groups())))
_map = ProcessMemoryMapping(
# cfg,
process,
int(match.group(1), 16),
int(match.group(2), 16),
match.group(3),
int(match.group(4), 16),
int(match.group(5), 16),
int(match.group(6), 16),
int(match.group(7)),
match.group(8))
mappings.append(_map)
finally:
if isinstance(mapsfile, file):
mapsfile.close()
# create the memory_handler for self
_target_platform = target.TargetPlatform.make_target_platform_local()
_memory_handler = MemoryHandler(mappings, _target_platform,
'localhost-%d' % process.pid)
return _memory_handler
def _init_mappings(self):
mappings = []
#
is_64 = False
for _range in self.session.enumerate_ranges('r'):
log.debug("Mapping Frida %s", _range)
start = _range.base_address
end = _range.base_address + _range.size
perms = _range.protection
mappings.append(
FridaMemoryMapping(self.session, start, end, perms, None))
if not is_64 and len(hex(start)) > 8:
is_64 = True
#
self.mappings = mappings
log.debug("nb maps: %d", len(self.mappings))
# Use a folder name for its cache later on
h_name = self.name + ".d"
self._target = None
# create the memory_handler for self
# FIXME cpu, os_name from init param
if 'linux' in sys.platform:
os_name = target.TargetPlatform.LINUX
else: # sys.platform.startswith('win'):
os_name = target.TargetPlatform.WIN7
_target_platform = None
if is_64:
if os_name in [
target.TargetPlatform.WINXP, target.TargetPlatform.WIN7
]:
_target_platform = target.TargetPlatform.make_target_win_64(
os_name)
elif os_name == target.TargetPlatform.LINUX:
_target_platform = target.TargetPlatform.make_target_linux_64()
else:
if os_name in [
target.TargetPlatform.WINXP, target.TargetPlatform.WIN7
]:
_target_platform = target.TargetPlatform.make_target_win_32(
os_name)
elif os_name == target.TargetPlatform.LINUX:
_target_platform = target.TargetPlatform.make_target_linux_32()
memory_handler = MemoryHandler(mappings, _target_platform, self.name)
self._memory_handler = memory_handler
return
def my_render_text(mapper, cmd, outfd, data):
maps = []
for task in data:
# print type(task)
address_space = task.get_process_address_space()
for vad in task.VadRoot.traverse():
# print type(vad)
if vad is None:
continue
offset = vad.obj_offset
start = vad.Start
end = vad.End
tag = vad.Tag
flags = str(vad.u.VadFlags)
perms = PERMS_PROTECTION[vad.u.VadFlags.Protection.v() & 7]
pathname = ''
if vad.u.VadFlags.PrivateMemory == 1 or not vad.ControlArea:
pathname = ''
elif vad.FileObject:
pathname = str(vad.FileObject.FileName or '')
pmap = VolatilityProcessMappingA(address_space,
start,
end,
permissions=perms,
pathname=pathname)
# print pmap
#import code
# code.interact(local=locals())
maps.append(pmap)
# get the platform
if mapper.config.PROFILE == "WinXPSP2x86":
mapper._target = target.TargetPlatform.make_target_win_32('winxp')
memory_handler = MemoryHandler(maps, mapper._target, mapper.imgname)
# print _memory_handler
#mappings.init_config()
mapper._memory_handler = memory_handler
def _load_memory_mappings(self):
""" make the python objects"""
_mappings = []
for mmap_fname, start, end, permissions, offset, major_device, minor_device, inode, pathname in self.metalines:
log.debug('Loading %s - %s' % (mmap_fname, pathname))
# open the file in the archive
try:
mmap_content_file = self._protected_open_file(mmap_fname, pathname)
except (IOError, KeyError) as e:
log.debug('Ignore absent file : %s' % (e))
mmap = AMemoryMapping(start, end, permissions, offset, major_device, minor_device, inode, pathname=pathname)
_mappings.append(mmap)
continue
except LazyLoadingException as e:
mmap = FilenameBackedMemoryMapping(e._filename, start, end, permissions, offset, major_device, minor_device, inode, pathname=pathname)
_mappings.append(mmap)
continue
if isinstance(self.archive, zipfile.ZipFile): # ZipExtFile is lame
log.warning(
'Using a local memory mapping . Zipfile sux. thx ruby.')
mmap = AMemoryMapping(start, end, permissions, offset, major_device, minor_device, inode, pathname=pathname)
mmap = LocalMemoryMapping.fromBytebuffer(
mmap,
mmap_content_file.read())
# use file mmap when file is too big
elif end - start > haystack.MAX_MAPPING_SIZE_FOR_MMAP:
log.warning('Using a file backed memory mapping. no mmap in memory for this memorymap (%s).' % (pathname) +
' Search will fail. Buffer is needed.')
mmap = FileBackedMemoryMapping(mmap_content_file.name, start, end, permissions, offset, major_device, minor_device, inode, pathname=pathname)
else:
# log.debug('Using a MemoryDumpMemoryMapping. small size')
# mmap = MemoryDumpMemoryMapping(mmap_content_file, start, end, permissions, offset,
log.debug('Always use FilenameBackedMemoryMapping. small size')
mmap = FilenameBackedMemoryMapping(mmap_content_file.name, start, end, permissions, offset, major_device, minor_device, inode, pathname=pathname)
_mappings.append(mmap)
_target_platform = target.TargetPlatform(_mappings, cpu_bits=self._cpu_bits, os_name=self._os_name)
self._memory_handler = MemoryHandler(_mappings, _target_platform, self.dumpname)
return
def _make_signature(self, intervals, struct_offset=None):
"""
Make a memory map, with a fake structure of pointer pattern inside.
Return the pattern signature
:param intervals:
:param struct_offset:
:return:
"""
# template of a memory map metadata
self._mstart = 0x0c00000
self._mlength = 4096 # end at (0x0c01000)
# could be 8, it doesn't really matter
self.word_size = self.target.get_word_size()
if struct_offset is not None:
self._struct_offset = struct_offset
else:
self._struct_offset = self.word_size*12 # 12, or any other aligned
mmap, values = self._make_mmap(self._mstart, self._mlength, self._struct_offset,
intervals, self.word_size)
mappings = MemoryHandler([mmap], self.target, 'test/reverse/fakedump')
sig = pattern.PointerIntervalSignature(mappings, 'test_mmap')
return sig
