    def _locate_heap(self, task, vad):
        """Find the DNS cache hash table by scanning for heap references.

        dnsrslvr.dll keeps its cache heap in a global (normally g_CacheHeap),
        so the module's vad is scanned for any pointer to one of the process
        heaps listed in the PEB. Each candidate heap is dereferenced as a
        _HEAP and every entry's allocation is handed to _verify_hash_table;
        the first result that is truthy is returned.

        Args:
          task: the process whose Peb.ProcessHeaps lists the candidate heaps.
          vad: the region (Start/Length) scanned for pointers to those heaps.

        Returns:
          The verified hash table object, or None when no entry of any
          referenced heap passes _verify_hash_table.
        """
        heap_pointers = task.Peb.ProcessHeaps
        address_space = self.session.GetParameter("default_address_space")
        pointer_scanner = scan.PointerScanner(
            pointers=heap_pointers,
            session=self.session,
            address_space=address_space)

        visited_heaps = set()
        hits = pointer_scanner.scan(vad.Start, maxlen=vad.Length)
        for hit_offset in hits:
            candidate = self.heap_profile.Pointer(
                hit_offset, target="_HEAP").deref()

            # Several hits may point at the same heap; walk each heap once.
            if candidate in visited_heaps:
                continue
            visited_heaps.add(candidate)

            for heap_entry in candidate.Entries:
                table = self._verify_hash_table(heap_entry.Allocation, candidate)
                if table:
                    return table

        return None
    def initialize(self, task=None):
        """Bind the plugin to a process and build its export-pointer scanner.

        A second call returns the cached flag without rescanning. The process
        is either *task* or, when it is omitted, the session's current
        "process_context" (the caller is then expected to have switched
        context already). The exported API addresses of every loaded module
        are collected, the 0 address is dropped, and the remaining set is fed
        to a PointerScanner over the process address space.

        Args:
          task: the process to analyse; None selects the session's
            process_context.

        Returns:
          True once the scanner is ready. False when the process yields no
          loaded modules (the PEB may be paged, or no DLL is mapped); the
          plugin then stays uninitialized and a later call retries.
        """
        if self.initialized:
            return self.initialized

        self.task = task if task else self.session.GetParameter("process_context")
        self.task_as = self.task.get_process_address_space()

        self.psize = self.profile.get_obj_size("Pointer")

        loaded_modules = list(self.task.get_load_modules())
        if not loaded_modules:
            # Nothing to enumerate: the PEB is paged or no DLLs are loaded.
            self.session.logging.error(
                "Cannot load DLLs in process AS of process {:d}".format(
                    self.task.pid.v()))
            return False

        self.exported_apis = self._enum_apis(loaded_modules)
        # Address 0 is not a usable export target; keep it out of the scan set.
        func_addresses = {api[1].v() for api in self.exported_apis.values()}
        func_addresses.discard(0)

        self.scanner = scan.PointerScanner(
            profile=self.profile,
            session=self.session,
            address_space=self.task_as,
            pointers=func_addresses)
        self.initialized = True

        return self.initialized