def search_heap_direct(self, memdumpname, start_address_mapping):
# we need a memory dump loader
self.memory_handler = dump_loader.load(memdumpname)
my_model = self.memory_handler.get_model()
module_name = self._init_module_name(self.memory_handler)
# import the module with the right arch
heap_module = my_model.import_module(module_name)
log.debug('the heap module loaded is %s', module_name)
# load the constraints
constraint_filename = self._init_constraints_filename(heap_module)
parser = constraints.ConstraintsConfigHandler()
my_constraints = parser.read(constraint_filename)
m = self.memory_handler.get_mapping_for_address(start_address_mapping)
my_searcher = searcher.AnyOffsetRecordSearcher(
self.memory_handler,
my_constraints, [m],
update_cb=partial(self.print_cb, self.memory_handler))
heap_record_name = self._init_heap_record_name()
heap_struct = getattr(heap_module, heap_record_name)
results = my_searcher._load_at(m,
start_address_mapping,
heap_struct,
depth=5)
#print haystack.output_to_python(memory_handler, [results])[0][0].toString()
return results
def make_search_results(self, memory_handler, struct_type, my_constraints):
## DEBUG - use optimised search space for HEAP
my_searcher = searcher.AnyOffsetRecordSearcher(memory_handler,
my_constraints)
for mapping in memory_handler.get_mappings():
res = my_searcher._search_in(mapping,
struct_type,
nb=1,
align=0x1000)
if res:
instance, addr = api.output_to_python(memory_handler, res)[0]
yield addr
def _search_heap(self, mapping):
""" return a ctypes heap struct mapped at address on the mapping"""
my_searcher = searcher.AnyOffsetRecordSearcher(
self._memory_handler, self._heap_module_constraints)
# on ly return first results in each mapping
log.debug("_search_heap in %s", mapping)
res = my_searcher._search_in(mapping,
self._heap_type,
nb=1,
align=0x1000)
if len(res) > 0:
instance, address = res[0]
mapping.mark_as_heap(address)
return instance, address
return None
def search_heap_direct(self, start_address_mapping):
"""
return a ctypes heap struct mapped at address on the mapping
Will use the memory handler
"""
heap = self._memory_handler.get_mapping_for_address(start_address_mapping)
bits = self._memory_handler.get_target_platform().get_cpu_bits()
heap_module = self._cpu[bits]['module']
constraints = self._cpu[bits]['constraints']
my_searcher = searcher.AnyOffsetRecordSearcher(self._memory_handler,
constraints,
[heap])
# on ly return first results in each mapping
log.debug("_search_heap_direct in %s", start_address_mapping)
results = my_searcher._load_at(heap, start_address_mapping, heap_module.HEAP, depth=5)
return results
def search_heap_direct(self, start_address_mapping):
"""
return a ctypes heap struct mapped at address on the mapping
Will use the memory handler
"""
heap = self._memory_handler.get_mapping_for_address(
start_address_mapping)
my_searcher = searcher.AnyOffsetRecordSearcher(self._memory_handler,
self._constraints,
[heap])
# on ly return first results in each mapping
log.debug("_search_heap_direct in %s", start_address_mapping)
results = my_searcher._load_at(heap,
start_address_mapping,
self._heap_record,
depth=20)
return results
def search_record(memory_handler, record_type, search_constraints=None, extended_search=False):
"""
Search a record in the memory dump of a process represented
by memory_handler.
The record type must have been imported using haystack functions.
If constraints exists, they will be considered during the search.
:param memory_handler: IMemoryHandler
:param record_type: a ctypes.Structure or ctypes.Union from a module imported by haystack
:param search_constraints: IModuleConstraints to be considered during the search
:param extended_search: boolean, use allocated chunks only per default (False)
:rtype a list of (ctypes records, memory offset)
"""
if extended_search:
my_searcher = searcher.AnyOffsetRecordSearcher(memory_handler, search_constraints)
return my_searcher.search(record_type)
my_searcher = searcher.RecordSearcher(memory_handler, search_constraints)
return my_searcher.search(record_type)
def search_heap(self, memdumpname):
# we need a memory dump loader
self.memory_handler = dump_loader.load(memdumpname)
my_model = self.memory_handler.get_model()
module_name = self._init_module_name(self.memory_handler)
# import the module with the right arch
heap_module = my_model.import_module(module_name)
log.debug('the heap module loaded is %s', module_name)
# load the constraints
constraint_filename = self._init_constraints_filename(heap_module)
parser = constraints.ConstraintsConfigHandler()
my_constraints = parser.read(constraint_filename)
my_searcher = searcher.AnyOffsetRecordSearcher(
self.memory_handler,
my_constraints,
update_cb=partial(self.print_cb, self.memory_handler))
## DEBUG
# DEBUG PEB search
#peb = my_model.import_module('haystack.allocators.win32.winxp_32_peb')
##DEBUG
heap_record_name = self._init_heap_record_name()
heap_struct = getattr(heap_module, heap_record_name)
# on ly return first results in each mapping
results = []
for mapping in self.memory_handler.get_mappings():
log.debug("looking at %s", mapping)
res = my_searcher._search_in(mapping,
heap_struct,
nb=1,
align=0x1000)
# DEBUG PEB search
#res = my_searcher._search_in(mapping, peb.struct__PEB, nb=1, align=0x1000)
if res:
# FIXME output_to are stupid
#print haystack.output_to_string(memory_handler, res)
results.append(res)
return results
def search_record_hint(memory_handler, record_type, hint, search_constraints=None, extended_search=False):
"""
Search a record in the memory dump of a process, but only on the memory page containing the hinted address.
The record type must have been imported using haystack functions.
If constraints exists, they will be considered during the search.
:param memory_handler: IMemoryHandler
:param record_type: a ctypes.Structure or ctypes.Union from a module imported by haystack
:param search_constraints: IModuleConstraints to be considered during the search
:param extended_search: boolean, use allocated chunks only per default (False)
:rtype a list of (ctypes records, memory offset)
"""
hint_mapping = memory_handler.get_mapping_for_address(hint)
if extended_search:
my_searcher = searcher.AnyOffsetRecordSearcher(memory_handler,
my_constraints=search_constraints,
target_mappings=[hint_mapping])
return my_searcher.search(record_type)
my_searcher = searcher.RecordSearcher(memory_handler,
my_constraints=search_constraints,
target_mappings=[hint_mapping])
return my_searcher.search(record_type)
