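def reverseLookup(opt):
    """Interactively follow pointers back from an address to its referrers.

    Starting from ``opt.struct_addr`` in the dump ``opt.dumpname``, each round
    asks the context for the structures listed for that pointer value, decodes
    and prints them, opens an interactive console, waits for one byte on
    stdin, and then continues from ``_vaddr`` of the last structure iterated.

    Args:
        opt: parsed options; ``opt.dumpname`` and ``opt.struct_addr`` are read.

    Returns:
        None. The loop stops when the lookup raises ValueError or yields
        nothing.
    """
    # NOTE(review): nesting was reconstructed from a flattened listing; the
    # console/stdin step is placed after the print loop - confirm.
    from haystack.reverse import reversers
    import code

    log.info("[+] Load context")
    context = reversers.getContext(opt.dumpname)
    addr = opt.struct_addr
    while True:
        log.info("[+] find offsets of struct_addr:%x" % (addr))
        try:
            structs = context.listStructuresForPointerValue(addr)
        except ValueError:
            log.info("[+] Found no structures.")
            return
        if len(structs) == 0:
            # Without this guard `st` is unbound on the first round
            # (NameError) or stale on later rounds, which would repeat the
            # same address forever.
            log.info("[+] Found no structures.")
            return
        log.info("[+] Found %d structures." % (len(structs)))
        for st in structs:
            st.decodeFields()
            print(st.toString())
        # Debugging hook: a full Python console with this function's locals,
        # followed by a blocking one-byte read. Both need an interactive
        # stdin; a non-interactive run stalls here.
        code.interact(local=locals())
        sys.stdin.read(1)
        # The next round starts from the last structure iterated; if
        # `structs` is unordered (a set, as the original default suggests),
        # which one that is is arbitrary.
        addr = st._vaddr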
def make(opts):
    """Collect the structures of one dump that overlap heap differences with a second dump.

    Loads the reversing context of ``opts.dump1`` and the memory mappings of
    ``opts.dump2``, compares both heaps with ``cmd_cmp`` and then walks the
    returned addresses in step with ``context.malloc_addresses`` and
    ``context.malloc_sizes``. Every allocation that contains at least one
    returned address has its entry from ``context.structures`` appended to
    the local ``structures`` list.

    NOTE(review): the nesting below was reconstructed from a flattened
    listing - confirm it against the repository. In the visible lines the
    function returns nothing and never reads ``structures``, ``cnt``,
    ``realloc`` or ``st`` afterwards; the listing may be truncated.
    """
    log.info('[+] Loading context of %s'%(opts.dump1))
    context = reversers.getContext(opts.dump1) # TODO (left by the author next to a commented-out sample path)
    # Refresh: when the number of cached structures differs from the number
    # of structure addresses, re-run the malloc reverser on the context.
    if len(context.structures) != len(context.structures_addresses):
        log.info('[+] Refreshing from %d structures cached'%( len(context.structures) ))
        mallocRev = MallocReverser()
        context = mallocRev.reverse(context)
        mallocRev.check_inuse(context)
        log.info('[+] Final %d structures from malloc blocs'%( len(context.structures) ))
    heap1 = context.mappings.getHeap()
    log.info('[+] Loading mappings of %s'%(opts.dump2))
    newmappings = dump_loader.load( opts.dump2)
    heap2 = newmappings.getHeap()
    log.info('[+] finding diff values with %s'%(opts.dump2))
    # presumably the addresses at which heap1 and heap2 differ, relative to
    # heap1.start - verify against cmd_cmp
    addrs = cmd_cmp(heap1, heap2, heap1.start)
    # now compare with structures addresses
    structures = []
    realloc=0
    log.info('[+] Looking at %d differences'%( len(addrs) ))
    st = []
    # Joined iteration over differences and allocations to find the
    # structures affected, using malloc info: start address + size.
    # assumes addrs and context.malloc_addresses are both sorted ascending
    # and malloc_sizes is parallel to malloc_addresses - TODO confirm
    addr_iter = iter(addrs)
    structs_addr_iter = iter(context.malloc_addresses)
    structs_size_iter = iter(context.malloc_sizes)
    try:
        addr = addr_iter.next()
        st_addr = structs_addr_iter.next()
        st_size = structs_size_iter.next()
        cnt=1
        while True:
            while (addr - st_addr) >= st_size : # advance to the first allocation that does not end before addr
                st_addr = structs_addr_iter.next()
                st_size = structs_size_iter.next()
            # check for gaps
            if (addr - st_addr) < 0: # went too far - no allocation overlaps addr
                while (addr - st_addr) < 0: # addr lies between two allocations - drop every address outside the malloc chunks
                    addr = addr_iter.next()
                    pass
                continue
            if 0 <= (addr - st_addr) < st_size: # addr falls inside the current allocation (expected after the two steps above)
                structures.append( context.structures[ st_addr ]) # tag the structure as different
                cnt+=1
            else:
                ## (addr - st_addr) < 0 is excluded by the previous while
                ## (addr - st_addr) >= st_size: go round again
                continue
            while (addr - st_addr) < st_size : # consume the remaining addresses inside this allocation
                addr = addr_iter.next()
                cnt+=1
    except StopIteration,e:
        # Either iterator running dry ends the joined walk.
        pass
def makeSignatures(dumpname):
    """Load the context of *dumpname* and run a signature search over its heap.

    Returns:
        A ``(context, sig)`` tuple: the context from
        ``reversers.getContext(dumpname)`` and whatever
        ``SignatureMaker(context.heap).search()`` returns.
    """
    from haystack.reverse import reversers

    log.debug('\t[-] Loading the context for a dumpname.')
    ctx = reversers.getContext(dumpname)
    # Read the heap before logging so attribute access happens in the same
    # order as before.
    dump_heap = ctx.heap
    log.info('[+] Make the signatures.')
    return ctx, SignatureMaker(dump_heap).search()
def makeSizeCaches(dumpname):
    """Build a size cache over every structure instance found in a dump.

    Loads the context for *dumpname*, wraps it in a ``StructureSizeCache``
    and calls ``cacheSizes()`` on it (the original note says the structures
    are ordered by size).

    Returns:
        A ``(context, sizeCache)`` tuple.
    """
    from haystack.reverse import reversers

    log.debug('\t[-] Loading the context for a dumpname.')
    ctx = reversers.getContext(dumpname)

    log.debug('\t[-] Make the size dictionnaries.')
    size_cache = StructureSizeCache(ctx)
    size_cache.cacheSizes()

    return ctx, size_cache
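def make(opts):
    """Print the part of a GEXF pointer graph whose nodes lie in the heap.

    Args:
        opts: parsed options. ``opts.dumpname`` selects the dump whose
            context is loaded; ``opts.gexf`` must expose ``.name``, the path
            handed to ``read_gexf``.

    Raises:
        ValueError: if a node id in the graph is not a hexadecimal string.
    """
    context = reversers.getContext(opts.dumpname)
    # NOTE(review): the GEXF file is external input parsed by networkx; load
    # only graphs produced by a trusted run of the tool.
    digraph = networkx.readwrite.gexf.read_gexf(opts.gexf.name)
    heap = context.mappings.getHeap()
    # Keep only edges whose two endpoints, read as hexadecimal addresses,
    # are both contained in the heap mapping.
    edges = [
        (src, dst)
        for src, dst in digraph.edges()
        if int(src, 16) in heap and int(dst, 16) in heap
    ]
    graph = networkx.DiGraph()
    graph.add_edges_from(edges)
    printGraph(graph, os.path.basename(opts.dumpname))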
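def make(opts):
    """Render the heap-only sub-graph of a saved GEXF pointer graph.

    Reads the context for ``opts.dumpname`` and the graph file at
    ``opts.gexf.name``, keeps the edges whose source and target node ids
    (hexadecimal strings) both fall inside the heap mapping, and passes the
    resulting directed graph to ``printGraph`` under the dump's base name.

    Args:
        opts: parsed options; ``opts.dumpname`` and ``opts.gexf`` are read.

    Raises:
        ValueError: from ``int(..., 16)`` when a node id is not hexadecimal.
    """
    context = reversers.getContext(opts.dumpname)
    digraph = networkx.readwrite.gexf.read_gexf(opts.gexf.name)
    heap = context.mappings.getHeap()

    # Only heap structures that are linked to another heap structure are
    # kept. All edges are filtered before the output graph is built, so a
    # malformed node id aborts before anything is drawn.
    heap_edges = []
    for src, dst in digraph.edges():
        if int(src, 16) in heap and int(dst, 16) in heap:
            heap_edges.append((src, dst))

    graph = networkx.DiGraph()
    graph.add_edges_from(heap_edges)
    printGraph(graph, os.path.basename(opts.dumpname))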
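def reverseLookup(opt):
    """Walk backwards through the structures that reference an address.

    Loads the context for ``opt.dumpname`` and, beginning at
    ``opt.struct_addr``, repeatedly lists the structures the context reports
    for the current pointer value, decodes and prints each one, then pauses
    in an interactive console and on a one-byte stdin read before moving on
    to ``_vaddr`` of the last structure iterated.

    Args:
        opt: parsed options; ``opt.dumpname`` and ``opt.struct_addr`` are read.

    Returns:
        None, once a lookup raises ValueError or comes back empty.
    """
    # NOTE(review): statement nesting was rebuilt from a flattened listing;
    # the pause is assumed to sit after the print loop - confirm.
    from haystack.reverse import reversers
    import code

    log.info('[+] Load context')
    context = reversers.getContext(opt.dumpname)
    addr = opt.struct_addr
    while True:
        log.info('[+] find offsets of struct_addr:%x'%(addr))
        try:
            structs = context.listStructuresForPointerValue(addr)
        except ValueError:
            structs = ()
        if len(structs) == 0:
            # An empty result is treated like the ValueError case: otherwise
            # `st` below is unbound (first round) or left over from the
            # previous round, which repeats the same lookup endlessly.
            log.info('[+] Found no structures.')
            return
        log.info('[+] Found %d structures.'%( len(structs) ))
        for st in structs:
            st.decodeFields()
            print(st.toString())
        # Wait for input: the console exposes every local of this function
        # and the read blocks until one byte arrives, so stdin has to be
        # interactive.
        code.interact(local=locals())
        sys.stdin.read(1)
        addr = st._vaddr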
def make(opts):
    """Find which structures of ``opts.dump1`` are hit by heap differences against ``opts.dump2``.

    The context of the first dump is loaded (and rebuilt through
    ``MallocReverser`` when its cached structure count does not match its
    address count), the heap of the second dump is loaded through
    ``dump_loader``, and ``cmd_cmp`` is run over both heaps. The addresses it
    returns are then merged against the allocation list
    (``context.malloc_addresses`` with ``context.malloc_sizes``); each
    allocation containing one of those addresses contributes
    ``context.structures[st_addr]`` to the local ``structures`` list.

    NOTE(review): indentation was lost in this listing and has been
    reconstructed - confirm against the repository. Nothing is returned in
    the visible lines, and ``structures``, ``cnt``, ``realloc`` and ``st``
    are not read again; the function may continue beyond this excerpt.
    """
    log.info('[+] Loading context of %s' % (opts.dump1))
    context = reversers.getContext(opts.dump1)  # TODO (author's marker, next to a commented-out sample path)
    # Refresh the context when the cached structures and the structure
    # addresses disagree in number.
    if len(context.structures) != len(context.structures_addresses):
        log.info('[+] Refreshing from %d structures cached' % (len(context.structures)))
        mallocRev = MallocReverser()
        context = mallocRev.reverse(context)
        mallocRev.check_inuse(context)
        log.info('[+] Final %d structures from malloc blocs' % (len(context.structures)))
    heap1 = context.mappings.getHeap()
    log.info('[+] Loading mappings of %s' % (opts.dump2))
    newmappings = dump_loader.load(opts.dump2)
    heap2 = newmappings.getHeap()
    log.info('[+] finding diff values with %s' % (opts.dump2))
    # presumably one address per differing value between the two heaps -
    # verify against cmd_cmp
    addrs = cmd_cmp(heap1, heap2, heap1.start)
    # now compare with structures addresses
    structures = []
    realloc = 0
    log.info('[+] Looking at %d differences' % (len(addrs)))
    st = []
    # Joined iteration: advance through differences and allocations together
    # to find the structures affected. Uses malloc info: start + size.
    # assumes both sequences are in ascending address order - TODO confirm
    addr_iter = iter(addrs)
    structs_addr_iter = iter(context.malloc_addresses)
    structs_size_iter = iter(context.malloc_sizes)
    try:
        addr = addr_iter.next()
        st_addr = structs_addr_iter.next()
        st_size = structs_size_iter.next()
        cnt = 1
        while True:
            while (addr - st_addr) >= st_size:  # skip allocations that end at or before addr
                st_addr = structs_addr_iter.next()
                st_size = structs_size_iter.next()
            # check for gaps
            if (addr - st_addr) < 0:  # went too far - no allocation overlaps addr
                while (addr - st_addr) < 0:  # addr sits between two allocations - discard addresses outside the malloc chunks
                    addr = addr_iter.next()
                    pass
                continue
            if 0 <= (addr - st_addr) < st_size:  # addr is inside the current allocation (expected once the steps above are done)
                structures.append(context.structures[st_addr])  # tag the structure as different
                cnt += 1
            else:
                ## (addr - st_addr) < 0 is ruled out by the previous while
                ## (addr - st_addr) >= st_size: loop again
                continue
            while (addr - st_addr) < st_size:  # drain the other addresses that fall in this allocation
                addr = addr_iter.next()
                cnt += 1
    except StopIteration, e:
        # The walk ends as soon as any of the three iterators is exhausted.
        pass