def test_walker_after_arch_change(self): x32 = types.reload_ctypes(4, 4, 8) x64 = types.reload_ctypes(8, 8, 16) from haystack.structures.libc import libcheapwalker from haystack.structures.win32 import winheapwalker from haystack.structures.win32 import win7heapwalker if False: # set the arch ctypes = types.set_ctypes(x32) libc_x32 = libcheapwalker.LibcHeapFinder(x32) winxp_x32 = winheapwalker.WinHeapFinder(x32) win7_x32 = win7heapwalker.Win7HeapFinder(x32) from haystack.structures.win32 import win7heap t = win7heap.HEAP_ENTRY for fi, tp in t._fields_: f = getattr(t, fi) print fi, " : ", hex(f.offset), hex(f.size) self.assertEquals(ctypes.sizeof(libc_x32.heap_type), 8) self.assertEquals(ctypes.sizeof(winxp_x32.heap_type), 1430) self.assertEquals(ctypes.sizeof(win7_x32.heap_type), 312) # 0x138 # set the arch model.reset() ctypes = types.set_ctypes(x64) libc_x64 = libcheapwalker.LibcHeapFinder(x64) winxp_x64 = winheapwalker.WinHeapFinder(x64) win7_x64 = win7heapwalker.Win7HeapFinder(x64) # import code # code.interact(local=locals()) self.assertEquals(ctypes.sizeof(libc_x64.heap_type), 16) # who knows... self.assertEquals(ctypes.sizeof(win7_x64.heap_type), 520) # BUG FIXME, what is the size of winxp64 HEAP ? self.assertEquals(ctypes.sizeof(winxp_x64.heap_type), 2792) # 0xae8
def readProcessMappings(process): """ Read all memory mappings of the specified process. Return a list of MemoryMapping objects, or empty list if it's not possible to read the mappings. May raise a ProcessError. """ maps = [] if not HAS_PROC: return maps try: mapsfile = openProc(process.pid) except ProcError as err: raise ProcessError(process, "Unable to read process maps: %s" % err) before = None # save the current ctypes module. mappings = Mappings(None) # FIXME Debug, but probably useless now that ctypes is in config if True: import ctypes before = ctypes try: for line in mapsfile: line = line.rstrip() match = PROC_MAP_REGEX.match(line) if not match: raise ProcessError( process, "Unable to parse memory mapping: %r" % line) log.debug('readProcessMappings %s' % (str(match.groups()))) _map = ProcessMemoryMapping( # cfg, process, int(match.group(1), 16), int(match.group(2), 16), match.group(3), int(match.group(4), 16), int(match.group(5), 16), int(match.group(6), 16), int(match.group(7)), match.group(8)) mappings.append(_map) finally: if isinstance(mapsfile, file): mapsfile.close() # reposition the previous ctypes module. if True: ctypes = types.set_ctypes(before) return mappings