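def test_calc_dmp():
    """Exercise cuckoomem/procmempe on the calc.dmp fixture.

    The dump is read from ``tests/files/calc.dmp`` relative to the current
    working directory; every offset and size asserted below is a property
    of that specific fixture.
    """
    with cuckoomem.from_file("tests/files/calc.dmp") as p:
        ppe = procmempe.from_memory(p, 0xd0000)
        # A procmempe built on top of the dump shares its region list.
        assert p.regions == ppe.regions
        # findmz walks back from an address inside the image to its MZ header.
        assert p.findmz(0x129abc) == 0xd0000

        # Old/regular method: parse the PE header from a raw read of the image.
        assert pe(p.readv(p.imgbase, 0x1000)).dos_header.e_lfanew == 0xd8
        assert p.readv(p.imgbase + 0xd8, 4) == b"PE\x00\x00"

        # Parse directly from the memory object.
        assert pe(p).is32bit is True
        # DATA_DIRECTORY[2] is the PE resource directory. The two fields are
        # asserted separately so a failure names the offending one instead
        # of a combined boolean.
        d = pe(p).optional_header.DATA_DIRECTORY[2]
        assert d.VirtualAddress == 0x59000
        assert d.Size == 0x62798
        data = pe(p).resource(b"WEVT_TEMPLATE")
        assert data.startswith(b"CRIM")
        assert len(data) == 4750
        assert len(ppe.pe.section(".text").get_data()) == 0x52e00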
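def test_cuckoomem_methods():
    """Exercise readv/regexv/disasmv on a synthetic single-region dump.

    The dump is a packed region header (base address 0x401000, size 0x1000,
    two zeroed fields, PAGE_READWRITE protection) followed by 0x1000 bytes
    of null-padded payload. It is written to a temporary file that is
    removed again when the test finishes, even on assertion failure.
    """
    fd, filepath = tempfile.mkstemp()
    try:
        # fdopen takes ownership of fd and closes it with the context; the
        # buffered file object also guarantees the whole payload is written,
        # whereas a single os.write() is allowed to return short.
        with os.fdopen(fd, "wb") as f:
            f.write(b"".join((
                struct.pack("QIIII", 0x401000, 0x1000, 0, 0, PAGE_READWRITE),
                pad.null(b"foo\x00bar thisis0test\n hAAAA\xc3", 0x1000),
            )))
        with cuckoomem.from_file(filepath) as buf:
            # The payload is shorter than the region, so its tail is null padding.
            assert buf.readv(0x401000, 0x1000).endswith(b"\x00"*0x100)
            # regexv yields the virtual address of each match; the optional
            # third argument bounds the searched length.
            assert list(buf.regexv(b"thisis(.*)test", 0x401000)) == [0x401008]
            assert list(buf.regexv(b" ", 0x401000)) == [0x401007, 0x401014]
            assert list(buf.regexv(b" ", 0x401000, 0x10)) == [0x401007]
            assert list(buf.regexv(b"test..h", 0x401000)) == [0x40100f]
            # "h" is 0x68 (push imm32) with "AAAA" as the immediate, and
            # 0xc3 is ret, so the six bytes at 0x401015 disassemble to two
            # instructions.
            assert buf.disasmv(0x401015, 6) == [
                insn("push", 0x41414141, addr=0x401015),
                insn("ret", addr=0x40101a),
            ]
    finally:
        # Do not leave the temporary dump behind.
        os.unlink(filepath)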