def test_calc_dmp():
    """Check PE parsing against the ``tests/files/calc.dmp`` memory-dump fixture.

    The dump is opened with ``cuckoomem`` and the image at 0xd0000 is then
    viewed through ``procmempe``. The assertions pin the values expected for
    this fixture: image base discovery, header offsets, bitness, the resource
    data directory, one named resource and the size of ``.text``.
    """
    with cuckoomem.from_file("tests/files/calc.dmp") as dump:
        image = procmempe.from_memory(dump, 0xd0000)

        # The PE view must expose the same region list as the raw dump.
        assert dump.regions == image.regions

        # An address inside the image has to resolve back to the image base
        # (presumably by locating the MZ header -- confirm against findmz).
        assert dump.findmz(0x129abc) == 0xd0000

        # Old/regular method with PE header: parse the first page read
        # straight out of the dump and follow e_lfanew to the signature.
        first_page = dump.readv(dump.imgbase, 0x1000)
        assert pe(first_page).dos_header.e_lfanew == 0xd8
        signature = dump.readv(dump.imgbase + 0xd8, 4)
        assert signature == b"PE\x00\x00"

        assert pe(dump).is32bit is True

        # Data directory index 2 is the resource directory in the PE format.
        resource_dir = pe(dump).optional_header.DATA_DIRECTORY[2]
        assert resource_dir.VirtualAddress == 0x59000
        assert resource_dir.Size == 0x62798

        # The resource is looked up by name from the in-memory image.
        template = pe(dump).resource(b"WEVT_TEMPLATE")
        assert template.startswith(b"CRIM")
        assert len(template) == 4750

        text_bytes = image.pe.section(".text").get_data()
        assert len(text_bytes) == 0x52e00
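def test_cuckoomem_methods():
    """Exercise ``readv``, ``regexv`` and ``disasmv`` on a synthetic dump.

    A one-region dump is written to a temporary file: a packed header for a
    0x1000-byte region at 0x401000 followed by the region contents. The
    temporary file is removed when the test finishes, whether it passes or
    fails, so repeated runs do not leave dump files behind in the temp
    directory.
    """
    fd, filepath = tempfile.mkstemp()
    try:
        try:
            os.write(fd, b"".join((
                # Region header: base address, size, two zeroed fields
                # (presumably state and type -- confirm against the dump
                # format) and the page protection.
                struct.pack("QIIII", 0x401000, 0x1000, 0, 0, PAGE_READWRITE),
                # Region contents; the first assertion below expects the tail
                # of the 0x1000-byte region to be null bytes.
                pad.null(b"foo\x00bar thisis0test\n hAAAA\xc3", 0x1000),
            )))
        finally:
            # Close the descriptor even if the write fails.
            os.close(fd)

        with cuckoomem.from_file(filepath) as buf:
            assert buf.readv(0x401000, 0x1000).endswith(b"\x00"*0x100)

            # regexv yields virtual addresses of matches, not file offsets.
            assert list(buf.regexv(b"thisis(.*)test", 0x401000)) == [0x401008]
            assert list(buf.regexv(b" ", 0x401000)) == [0x401007, 0x401014]
            # With a length of 0x10 only the first space is in range.
            assert list(buf.regexv(b" ", 0x401000, 0x10)) == [0x401007]
            assert list(buf.regexv(b"test..h", 0x401000)) == [0x40100f]

            # "h" (0x68) + "AAAA" is push imm32; 0xc3 is ret.
            assert buf.disasmv(0x401015, 6) == [
                insn("push", 0x41414141, addr=0x401015),
                insn("ret", addr=0x40101a),
            ]
    finally:
        # mkstemp does not delete the file on its own.
        os.remove(filepath)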