def search_heap_direct(self, memdumpname, start_address_mapping): # we need a memory dump loader self.memory_handler = dump_loader.load(memdumpname) my_model = self.memory_handler.get_model() module_name = self._init_module_name(self.memory_handler) # import the module with the right arch heap_module = my_model.import_module(module_name) log.debug('the heap module loaded is %s', module_name) # load the constraints constraint_filename = self._init_constraints_filename(heap_module) parser = constraints.ConstraintsConfigHandler() my_constraints = parser.read(constraint_filename) m = self.memory_handler.get_mapping_for_address(start_address_mapping) my_searcher = searcher.AnyOffsetRecordSearcher( self.memory_handler, my_constraints, [m], update_cb=partial(self.print_cb, self.memory_handler)) heap_record_name = self._init_heap_record_name() heap_struct = getattr(heap_module, heap_record_name) results = my_searcher._load_at(m, start_address_mapping, heap_struct, depth=5) #print haystack.output_to_python(memory_handler, [results])[0][0].toString() return results
def make_search_results(self, memory_handler, struct_type, my_constraints): ## DEBUG - use optimised search space for HEAP my_searcher = searcher.AnyOffsetRecordSearcher(memory_handler, my_constraints) for mapping in memory_handler.get_mappings(): res = my_searcher._search_in(mapping, struct_type, nb=1, align=0x1000) if res: instance, addr = api.output_to_python(memory_handler, res)[0] yield addr
def _search_heap(self, mapping): """ return a ctypes heap struct mapped at address on the mapping""" my_searcher = searcher.AnyOffsetRecordSearcher( self._memory_handler, self._heap_module_constraints) # on ly return first results in each mapping log.debug("_search_heap in %s", mapping) res = my_searcher._search_in(mapping, self._heap_type, nb=1, align=0x1000) if len(res) > 0: instance, address = res[0] mapping.mark_as_heap(address) return instance, address return None
def search_heap_direct(self, start_address_mapping): """ return a ctypes heap struct mapped at address on the mapping Will use the memory handler """ heap = self._memory_handler.get_mapping_for_address(start_address_mapping) bits = self._memory_handler.get_target_platform().get_cpu_bits() heap_module = self._cpu[bits]['module'] constraints = self._cpu[bits]['constraints'] my_searcher = searcher.AnyOffsetRecordSearcher(self._memory_handler, constraints, [heap]) # on ly return first results in each mapping log.debug("_search_heap_direct in %s", start_address_mapping) results = my_searcher._load_at(heap, start_address_mapping, heap_module.HEAP, depth=5) return results
def search_heap_direct(self, start_address_mapping): """ return a ctypes heap struct mapped at address on the mapping Will use the memory handler """ heap = self._memory_handler.get_mapping_for_address( start_address_mapping) my_searcher = searcher.AnyOffsetRecordSearcher(self._memory_handler, self._constraints, [heap]) # on ly return first results in each mapping log.debug("_search_heap_direct in %s", start_address_mapping) results = my_searcher._load_at(heap, start_address_mapping, self._heap_record, depth=20) return results
def search_record(memory_handler, record_type, search_constraints=None, extended_search=False): """ Search a record in the memory dump of a process represented by memory_handler. The record type must have been imported using haystack functions. If constraints exists, they will be considered during the search. :param memory_handler: IMemoryHandler :param record_type: a ctypes.Structure or ctypes.Union from a module imported by haystack :param search_constraints: IModuleConstraints to be considered during the search :param extended_search: boolean, use allocated chunks only per default (False) :rtype a list of (ctypes records, memory offset) """ if extended_search: my_searcher = searcher.AnyOffsetRecordSearcher(memory_handler, search_constraints) return my_searcher.search(record_type) my_searcher = searcher.RecordSearcher(memory_handler, search_constraints) return my_searcher.search(record_type)
def search_heap(self, memdumpname): # we need a memory dump loader self.memory_handler = dump_loader.load(memdumpname) my_model = self.memory_handler.get_model() module_name = self._init_module_name(self.memory_handler) # import the module with the right arch heap_module = my_model.import_module(module_name) log.debug('the heap module loaded is %s', module_name) # load the constraints constraint_filename = self._init_constraints_filename(heap_module) parser = constraints.ConstraintsConfigHandler() my_constraints = parser.read(constraint_filename) my_searcher = searcher.AnyOffsetRecordSearcher( self.memory_handler, my_constraints, update_cb=partial(self.print_cb, self.memory_handler)) ## DEBUG # DEBUG PEB search #peb = my_model.import_module('haystack.allocators.win32.winxp_32_peb') ##DEBUG heap_record_name = self._init_heap_record_name() heap_struct = getattr(heap_module, heap_record_name) # on ly return first results in each mapping results = [] for mapping in self.memory_handler.get_mappings(): log.debug("looking at %s", mapping) res = my_searcher._search_in(mapping, heap_struct, nb=1, align=0x1000) # DEBUG PEB search #res = my_searcher._search_in(mapping, peb.struct__PEB, nb=1, align=0x1000) if res: # FIXME output_to are stupid #print haystack.output_to_string(memory_handler, res) results.append(res) return results
def search_record_hint(memory_handler, record_type, hint, search_constraints=None, extended_search=False): """ Search a record in the memory dump of a process, but only on the memory page containing the hinted address. The record type must have been imported using haystack functions. If constraints exists, they will be considered during the search. :param memory_handler: IMemoryHandler :param record_type: a ctypes.Structure or ctypes.Union from a module imported by haystack :param search_constraints: IModuleConstraints to be considered during the search :param extended_search: boolean, use allocated chunks only per default (False) :rtype a list of (ctypes records, memory offset) """ hint_mapping = memory_handler.get_mapping_for_address(hint) if extended_search: my_searcher = searcher.AnyOffsetRecordSearcher(memory_handler, my_constraints=search_constraints, target_mappings=[hint_mapping]) return my_searcher.search(record_type) my_searcher = searcher.RecordSearcher(memory_handler, my_constraints=search_constraints, target_mappings=[hint_mapping]) return my_searcher.search(record_type)