def getDiff(d1, d2): mappings1 = folder.load(d1) mappings2 = folder.load(d2) log.debug('Building hashes for %s' % d1.name) m1 = dict(buildMappingsHashes(mappings1)) log.debug('Building hashes for %s' % d2.name) m2 = dict(buildMappingsHashes(mappings2)) # new _memory_handler in d2 pnames1 = set([m.pathname for m in m1.values()]) pnames2 = set([m.pathname for m in m2.values()]) new2 = pnames2 - pnames1 news = [] for pathname in new2: news.extend(mappings2._get_mapping(pathname)) print('new _memory_handler in %s:' % d2.name) for n in news: print(n) # believe in hash funcs. diff2 = set(m2.keys()) - set(m1.keys()) diffs = [] revm1 = dict((v, k) for k, v in m1.items()) print('modified _memory_handler in %s:' % d2.name) for h2 in diff2: m = m2[h2] if m.pathname in pnames1: print(m) diffs.append(m) return news, diffs
def test_dumptype_dir(self): '''Checks if dumping to folder works''' tgt1 = self._make_tgt_dir() tgt2 = self._make_tgt_dir() tgt3 = self._make_tgt_dir() self.devnull = open('/dev/null') self.process = self.run_app_test('test3', stdout=self.devnull.fileno()) time.sleep(0.1) out1 = memory_dumper.dump(self.process.pid, tgt1, "dir", True) self.assertEqual(out1, tgt1) # same name self._renew_process() out2 = memory_dumper.dump(self.process.pid, tgt2, "dir", True) self.assertEqual(out2, tgt2) # same name self._renew_process() out3 = memory_dumper.dump(self.process.pid, tgt3, "dir", False) self.assertEqual(out3, tgt3) # same name size1 = self.get_folder_size(tgt1) size2 = self.get_folder_size(tgt2) size3 = self.get_folder_size(tgt3) self.assertGreater(size1, 500) # not a null archive # self.assertGreater(size2, size1) # more _memory_handler self.assertGreater(size3, size2) # more _memory_handler # print size1, size2, size3 # print file(out1+'/_memory_handler').read() # print '-'*80 # print file(out2+'/_memory_handler').read() # print '-'*80 # print file(out3+'/_memory_handler').read() # print '-'*80 # test opening by dump_loader from haystack.mappings import folder from haystack.mappings.base import MemoryHandler # PYDOC # NotImplementedError: MACHINE has not been found. # laoder should habe a cpu, os_name loading mappings1 = folder.load(out1, cpu=self.cpu_bits, os_name=self.os_name) self.assertIsInstance(mappings1, MemoryHandler) mappings2 = folder.load(out2, cpu=self.cpu_bits, os_name=self.os_name) mappings3 = folder.load(out3, cpu=self.cpu_bits, os_name=self.os_name) pathnames1 = [m.pathname for m in mappings1] pathnames2 = [m.pathname for m in mappings2] pathnames3 = [m.pathname for m in mappings3] self.assertEqual(pathnames1, pathnames2) self.assertEqual(pathnames3, pathnames2) return
def setUp(self): dumpname = 'test/src/test-ctypes6.64.dump' self.memory_handler = folder.load(dumpname) self.my_model = self.memory_handler.get_model() self.ctypes_gen64 = self.my_model.import_module("test.src.ctypes6_gen64") # load TU values self._load_offsets_values(self.memory_handler.get_name())
def setUp(self): dumpname = 'test/src/test-ctypes6.64.dump' self.memory_handler = folder.load(dumpname) process_context = self.memory_handler.get_reverse_context() process_context.create_record_cache_folder() # load TU values self._load_offsets_values(self.memory_handler.get_name())
def setUpClass(cls): cls.dumpname = 'test/src/test-ctypes6.32.dump' config.remove_cache_folder(cls.dumpname) cls.memory_handler = folder.load(cls.dumpname) cls.my_target = cls.memory_handler.get_target_platform() cls.my_ctypes = cls.my_target.get_target_ctypes() cls.my_utils = cls.my_target.get_target_ctypes_utils()
def setUp(self): self.memory_handler = folder.load('test/src/test-ctypes5.32.dump') self._load_offsets_values('test/src/test-ctypes5.32.dump') sys.path.append('test/src/') my_model = self.memory_handler.get_model() self.ctypes5_gen32 = my_model.import_module("ctypes5_gen32") my_model.build_python_class_clones(self.ctypes5_gen32)
def setUpClass(cls): cls.memory_handler = folder.load(cls.memdumpname) cls.my_target = cls.memory_handler.get_target_platform() cls.my_ctypes = cls.my_target.get_target_ctypes() cls.my_utils = cls.my_target.get_target_ctypes_utils() cls.my_model = cls.memory_handler.get_model() # load offsets cls._load_offsets_values(cls.memdumpname)
def setUp(self): dumpname = 'test/src/test-ctypes6.64.dump' self.memory_handler = folder.load(dumpname) self.my_model = self.memory_handler.get_model() self.ctypes_gen64 = self.my_model.import_module( "test.src.ctypes6_gen64") # load TU values self._load_offsets_values(self.memory_handler.get_name())
def setUpClass(cls): cls.memory_handler = folder.load('test/src/test-ctypes5.32.dump') cls.my_target = cls.memory_handler.get_target_platform() cls.my_ctypes = cls.my_target.get_target_ctypes() cls.my_utils = cls.my_target.get_target_ctypes_utils() cls.my_model = cls.memory_handler.get_model() cls.ctypes5_gen32 = cls.my_model.import_module("test.src.ctypes5_gen32") cls.validator = listmodel.ListModel(cls.memory_handler, None)
def setUpClass(cls): cls.memory_handler = folder.load('test/src/test-ctypes5.32.dump') cls.my_target = cls.memory_handler.get_target_platform() cls.my_ctypes = cls.my_target.get_target_ctypes() cls.my_utils = cls.my_target.get_target_ctypes_utils() cls.my_model = cls.memory_handler.get_model() cls.ctypes5_gen32 = cls.my_model.import_module( "test.src.ctypes5_gen32") cls.validator = listmodel.ListModel(cls.memory_handler, None)
def setUpClass(cls): cls.dumpname = zeus_856_svchost_exe.dumpname #config.remove_cache_folder(cls.dumpname) cls.memory_handler = folder.load(zeus_856_svchost_exe.dumpname) ## cls.offset = zeus_856_svchost_exe.known_records[0][0] cls._context = context.get_context_for_address(cls.memory_handler, cls.offset) return
def setUp(self): # os.chdir() self.memory_handler = folder.load('test/src/test-ctypes3.32.dump') self._load_offsets_values(self.memory_handler.get_name()) finder = self.memory_handler.get_heap_finder() walkers = finder.list_heap_walkers() self.context = context.get_context_for_address(self.memory_handler, walkers[0]) ## self.dsa = dsa.FieldReverser(self.memory_handler)
def setUp(self): self.memory_handler = folder.load('test/src/test-ctypes5.32.dump') self._load_offsets_values('test/src/test-ctypes5.32.dump') self.my_target = target.TargetPlatform.make_target_linux_32() self.my_ctypes = self.my_target.get_target_ctypes() self.my_utils = self.my_target.get_target_ctypes_utils() self.my_model = self.memory_handler.get_model() _constraints = constraints.ModuleConstraints() # empty self.validator = basicmodel.CTypesRecordConstraintValidator(self.memory_handler, _constraints) self.ctypes_gen32 = self.my_model.import_module("test.src.ctypes5_gen32")
def setUpClass(cls): cls.dumpname = zeus_856_svchost_exe.dumpname cls.memory_handler = folder.load(zeus_856_svchost_exe.dumpname) cls.process_context = cls.memory_handler.get_reverse_context() cls.process_context.create_record_cache_folder() ## cls.offset = zeus_856_svchost_exe.known_records[0][0] cls._context = context.get_context_for_address(cls.memory_handler, cls.offset) api.reverse_instances(cls.memory_handler) return
def test_list_heap_walkers(self): memory_handler = folder.load('test/src/test-ctypes1.64.dump') heap_finder = memory_handler.get_heap_finder() walkers = heap_finder.list_heap_walkers() self.assertEqual(len(walkers), 1) self.assertEqual(walkers[0].get_heap_mapping().pathname, '[heap]') memory_handler.reset_mappings() memory_handler = folder.load('test/src/test-ctypes3.64.dump') heap_finder = memory_handler.get_heap_finder() walkers = heap_finder.list_heap_walkers() self.assertEqual(len(walkers), 1) self.assertEqual(walkers[0].get_heap_mapping().pathname, '[heap]') memory_handler.reset_mappings() memory_handler = folder.load('test/src/test-ctypes3.32.dump') heap_finder = memory_handler.get_heap_finder() walkers = heap_finder.list_heap_walkers() self.assertEqual(len(walkers), 1) self.assertEqual(walkers[0].get_heap_mapping().pathname, '[heap]') memory_handler.reset_mappings()
def setUp(self): self.classname = 'haystack.allocators.win32.win7heap.HEAP' self.known_heaps = [(0x00390000, 8956), (0x00540000, 868), (0x00580000, 111933), (0x005c0000, 1704080), (0x01ef0000, 604), (0x02010000, 61348), (0x02080000, 474949), (0x021f0000, 18762), (0x03360000, 604), (0x04030000, 632), (0x04110000, 1334), (0x041c0000, 644), # from free stuf (0x0061a000, 1200), ] self.memory_handler = folder.load(self.memdumpname)
def setUp(self): self.memory_handler = folder.load('test/src/test-ctypes5.32.dump') self._load_offsets_values('test/src/test-ctypes5.32.dump') self.my_target = target.TargetPlatform.make_target_linux_32() self.my_ctypes = self.my_target.get_target_ctypes() self.my_utils = self.my_target.get_target_ctypes_utils() self.my_model = self.memory_handler.get_model() _constraints = constraints.ModuleConstraints() # empty self.validator = basicmodel.CTypesRecordConstraintValidator( self.memory_handler, _constraints) self.ctypes_gen32 = self.my_model.import_module( "test.src.ctypes5_gen32")
def setUpClass(cls): cls.dumpname = 'test/src/test-ctypes3.32.dump' config.remove_cache_folder(cls.dumpname) cls.memory_handler = folder.load(cls.dumpname) finder = cls.memory_handler.get_heap_finder() heap_walker = finder.list_heap_walkers()[0] heap_addr = heap_walker.get_heap_address() cls.context = context.get_context_for_address(cls.memory_handler, heap_addr) cls.target = cls.context.memory_handler.get_target_platform() cls.dsa = dsa.FieldReverser(cls.context.memory_handler) cls.pta = pointertypes.PointerFieldReverser(cls.context.memory_handler) return
def test_closestFloorValue(self): lst = numpy.asarray(range(0, 100, 10)) self.assertEqual(utils.closestFloorValue(41, lst), (40, 4)) self.assertEqual(utils.closestFloorValue(40, lst), (40, 4)) with self.assertRaises(ValueError): utils.closestFloorValue(-1, lst) memory_handler = folder.load('test/src/test-ctypes3.32.dump') finder = memory_handler.get_heap_finder() walker = finder.list_heap_walkers()[0] heap_addr = walker.get_heap_address() ctx = context.get_context_for_address(memory_handler, heap_addr) lst = ctx._structures_addresses
def setUpClass(cls): cls.libc_mh_64 = folder.load('test/src/test-ctypes3.64.dump') cls.libc_mh_32 = folder.load('test/src/test-ctypes3.32.dump') cls.winxp_mh_32 = folder.load('test/dumps/minidump/cmd.dmp') cls.winxp_mh_64 = folder.load('test/dumps/minidump/alg.dmp') cls.win7_mh_32 = folder.load(putty_1_win7.dumpname) # FIXME, its loaded as a winxp cls.win7_mh_64 = folder.load('test/dumps/keepass.test')
def setUpClass(cls): cls.memory_handler = folder.load(zeus_856_svchost_exe.dumpname) cls._context = context.get_context_for_address(cls.memory_handler, 0x90000) cls.process_context = cls.memory_handler.get_reverse_context() fr = dsa.FieldReverser(cls.memory_handler) fr.reverse() tfc = dsa.TextFieldCorrection(cls.memory_handler) tfc.reverse() doublelink = reversers.DoubleLinkedListReverser(cls.memory_handler) doublelink.reverse() doublelink.rename_all_lists() pfr = pointertypes.PointerFieldReverser(cls.memory_handler) pfr.reverse()
def setUp(self): self.memory_handler = folder.load('test/dumps/ssh/ssh.1/') self.my_target = self.memory_handler.get_target_platform() self.my_ctypes = self.my_target.get_target_ctypes() self.my_utils = self.my_target.get_target_ctypes_utils() self.my_model = self.memory_handler.get_model() _constraints = constraints.ModuleConstraints() # empty self.validator = basicmodel.CTypesRecordConstraintValidator(self.memory_handler, _constraints) try: self.sslsnoop = self.my_model.import_module("sslsnoop") except ImportError: self.skipTest('sslsnoop not present') self.classname = 'sslsnoop.ctypes_openssh.session_state' self.known_offset = 0xb84ee318
def setUp(self): self.memory_handler = folder.load('test/dumps/ssh/ssh.1/') self.my_target = self.memory_handler.get_target_platform() self.my_ctypes = self.my_target.get_target_ctypes() self.my_utils = self.my_target.get_target_ctypes_utils() self.my_model = self.memory_handler.get_model() _constraints = constraints.ModuleConstraints() # empty self.validator = basicmodel.CTypesRecordConstraintValidator( self.memory_handler, _constraints) try: self.sslsnoop = self.my_model.import_module("sslsnoop") except ImportError: self.skipTest('sslsnoop not present') self.classname = 'sslsnoop.ctypes_openssh.session_state' self.known_offset = 0xb84ee318
def setUp(self): dumpname = 'test/src/test-ctypes6.64.dump' # arh ... py2/py3 pickled cache config.remove_cache_folder(dumpname) self.memory_handler = folder.load(dumpname) process_context = self.memory_handler.get_reverse_context() process_context.create_record_cache_folder() # load TU values self._load_offsets_values(self.memory_handler.get_name()) ## self.dllr = reversers.DoubleLinkedListReverser(self.memory_handler) log.debug('Reversing Fields') fr = dsa.FieldReverser(self.memory_handler) fr.reverse()
def setUpClass(cls): #self.context3 = context.get_context('test/src/test-ctypes3.dump') cls.dumpname = 'test/src/test-ctypes6.32.dump' config.remove_cache_folder(cls.dumpname) cls.memory_handler = folder.load(cls.dumpname) cls._target = cls.memory_handler.get_target_platform() finder = cls.memory_handler.get_heap_finder() heap_walker = finder.list_heap_walkers()[0] heap_addr = heap_walker.get_heap_address() cls._load_offsets_values(cls.memory_handler.get_name()) cls.context6 = context.get_context_for_address(cls.memory_handler, heap_addr) cls.dsa = dsa.FieldReverser(cls.context6.memory_handler) cls.st = cls.context6.listStructures()[0]
def setUp(self): self.classname = 'haystack.allocators.win32.win7heap.HEAP' self.known_heaps = [ (0x00390000, 8956), (0x00540000, 868), (0x00580000, 111933), (0x005c0000, 1704080), (0x01ef0000, 604), (0x02010000, 61348), (0x02080000, 474949), (0x021f0000, 18762), (0x03360000, 604), (0x04030000, 632), (0x04110000, 1334), (0x041c0000, 644), # from free stuf (0x0061a000, 1200), ] self.memory_handler = folder.load(self.memdumpname)
def setUp(self): self.memory_handler = folder.load('test/src/test-ctypes5.64.dump') self._load_offsets_values(self.memory_handler.get_name()) sys.path.append('test/src/') self.offset = self.offsets['struct_d'][0] self.m = self.memory_handler.get_mapping_for_address(self.offset) self._context = context.get_context_for_address( self.memory_handler, self.offset) # reverse the heap if not os.access( config.get_record_cache_folder_name(self._context.dumpname), os.F_OK): os.mkdir( config.get_record_cache_folder_name(self._context.dumpname)) log.info("[+] Cache created in %s", config.get_cache_folder_name(self._context.dumpname))
def setUp(self): self.memory_handler = folder.load('test/src/test-ctypes6.32.dump') self.memdumpname = 'test/src/test-ctypes6.32.dump' self._load_offsets_values(self.memdumpname) sys.path.append('test/src/') my_model = self.memory_handler.get_model() self.ctypes6_gen32 = my_model.import_module("ctypes6_gen32") handler = constraints.ConstraintsConfigHandler() my_constraints = handler.read('test/src/ctypes6.constraints') self.x32_validator = ctypes6.CTypes6Validator(self.memory_handler, my_constraints, self.ctypes6_gen32) self.offset = self.offsets['test1'][0] self.m = self.memory_handler.get_mapping_for_address(self.offset) self.usual = self.m.read_struct(self.offset, self.ctypes6_gen32.struct_usual) # complex self.o_rootA = self.offsets['rootA'][0] self.rootA = self.m.read_struct(self.o_rootA, self.ctypes6_gen32.struct_Node) self.o_rootB = self.offsets['rootB'][0] self.rootB = self.m.read_struct(self.o_rootB, self.ctypes6_gen32.struct_Node) self.o_rootC = self.offsets['rootC'][0] self.rootC = self.m.read_struct(self.o_rootC, self.ctypes6_gen32.struct_Node)
def test_chunks_numbers(self): """ Count all user allocations and free chunks (10 sec)""" memory_handler = folder.load('test/dumps/ssh/ssh.1') heap_finder = memory_handler.get_heap_finder() # walkers = heap_finder.list_heap_walkers() self.assertEqual(len(walkers), 1) heap = walkers[0].get_heap_mapping() walker = heap_finder.get_heap_walker(heap) # test the number of allocations allocs = walker.get_user_allocations() self.assertEqual(len(allocs), 2568) # test the size of allocations size = sum([size for addr, size in allocs]) self.assertEqual(size, 105616) # test the number of free chunks free = walker.get_free_chunks() self.assertEqual(len(free), 7) # test the size of free chunks size = sum([size for addr, size in free]) self.assertEqual(size, 19252) return
def test_dumptype_dir(self): '''Checks if dumping to folder works''' tgt1 = self._make_tgt_dir() tgt2 = self._make_tgt_dir() tgt3 = self._make_tgt_dir() self.devnull = open('/dev/null') self.process = self.run_app_test('test3', stdout=self.devnull.fileno()) time.sleep(0.1) out1 = memory_dumper.dump(self.process.pid, tgt1, "dir", True) self.assertEqual(out1, tgt1) # same name self._renew_process() out2 = memory_dumper.dump(self.process.pid, tgt2, "dir", True) self.assertEqual(out2, tgt2) # same name self._renew_process() out3 = memory_dumper.dump(self.process.pid, tgt3, "dir", False) self.assertEqual(out3, tgt3) # same name size1 = self.get_folder_size(tgt1) size2 = self.get_folder_size(tgt2) size3 = self.get_folder_size(tgt3) self.assertGreater(size1, 500) # not a null archive # self.assertGreater(size2, size1) # more _memory_handler self.assertGreater(size3, size2) # more _memory_handler # print size1, size2, size3 # print file(out1+'/_memory_handler').read() # print '-'*80 # print file(out2+'/_memory_handler').read() # print '-'*80 # print file(out3+'/_memory_handler').read() # print '-'*80 # test opening by dump_loader from haystack.mappings import folder from haystack.mappings.base import MemoryHandler # PYDOC # NotImplementedError: MACHINE has not been found. # laoder should habe a cpu, os_name loading mappings1 = folder.load( out1, cpu=self.cpu_bits, os_name=self.os_name) self.assertIsInstance(mappings1, MemoryHandler) mappings2 = folder.load( out2, cpu=self.cpu_bits, os_name=self.os_name) mappings3 = folder.load( out3, cpu=self.cpu_bits, os_name=self.os_name) pathnames1 = [m.pathname for m in mappings1] pathnames2 = [m.pathname for m in mappings2] pathnames3 = [m.pathname for m in mappings3] self.assertEqual(pathnames1, pathnames2) self.assertEqual(pathnames3, pathnames2) return
def setUpClass(cls): cls.memory_handler = folder.load('test/dumps/putty/putty.1.dump') cls.my_target = cls.memory_handler.get_target_platform() cls.my_ctypes = cls.my_target.get_target_ctypes() cls.my_utils = cls.my_target.get_target_ctypes_utils()
def setUpClass(cls): cls._memory_handler = folder.load(zeus_1668_vmtoolsd_exe.dumpname) return
def setUpClass(cls): # putty 1 was done under win7 32 bits ? cls._memory_handler = folder.load(putty_1_win7.dumpname) return
def setUp(self): self.memory_handler = folder.load('test/src/test-ctypes6.32.dump')
def setUp(self): self.memory_handler = folder.load('test/src/test-ctypes6.64.dump') self.heap_finder = self.memory_handler.get_heap_finder() self.walkers = self.heap_finder.list_heap_walkers() self.walker = self.walkers[0]
def setUpClass(cls): cls.memory_handler = folder.load('test/dumps/ssh/ssh.1')
def setUpClass(cls): cls.memory_handler = folder.load('test/dumps/ssh/ssh.1') cls.finder = cls.memory_handler.get_heap_finder()
def setUp(self): dumpname = zeus_856_svchost_exe.dumpname # config.remove_cache_folder(dumpname) self.memory_handler = folder.load(dumpname) process_context = self.memory_handler.get_reverse_context()
def setUpClass(cls): cls._memory_handler = folder.load(zeus_1668_vmtoolsd_exe.dumpname) cls._utils = cls._memory_handler.get_target_platform().get_target_ctypes_utils() return
def setUpClass(cls): cls.memory_handler = folder.load(putty_1_win7.dumpname) return
def setUpClass(cls): cls.memory_handler = folder.load(putty_1_win7.dumpname) cls.finder = cls.memory_handler.get_heap_finder()