示例#1
 def make_search_results(self, memory_handler, struct_type, my_constraints):
     """Yield the address of at most one matching record per mapping.

     Debug variant: drives ``searcher.AnyOffsetRecordSearcher`` directly over
     every mapping returned by ``memory_handler.get_mappings()`` instead of
     going through ``api.search_record``. Each mapping is queried with
     ``nb=1`` and ``align=0x1000`` (presumably: first hit only, candidates on
     a page boundary — confirm against the searcher); mappings with no hit
     are skipped.

     NOTE(review): a hit is only as trustworthy as ``my_constraints`` — the
     dump is untrusted input, so bytes crafted to satisfy the constraints
     will surface here as a "found" record. ``_search_in`` is a private
     searcher method; this path is for debugging, not production.
     """
     ## DEBUG - use optimised search space for HEAP
     record_searcher = searcher.AnyOffsetRecordSearcher(memory_handler, my_constraints)
     for mapping in memory_handler.get_mappings():
         hits = record_searcher._search_in(mapping, struct_type, nb=1, align=0x1000)
         if not hits:
             continue
         # only the first converted hit is reported for this mapping
         _instance, addr = api.output_to_python(memory_handler, hits)[0]
         yield addr
示例#2
 def make_search_results(self, memory_handler, struct_type, my_constraints):
     """Yield the address of every record matching ``my_constraints``.

     Production variant: delegates the search to ``api.search_record`` with
     ``extended_search=False`` and converts the raw results with
     ``api.output_to_python``, keeping only the address of each
     ``(instance, addr)`` pair.

     NOTE(review): the dump handled by ``memory_handler`` is untrusted input;
     every yielded address is a candidate that satisfied ``my_constraints``,
     not a verified record — callers should validate before dereferencing.
     """
     # USE the haystack HEAP parsing capabilities
     ## PROD - use API
     raw_results = api.search_record(memory_handler, struct_type,
                                     my_constraints, extended_search=False)
     # output handling: drop the python instance, keep the address
     for _instance, addr in api.output_to_python(memory_handler, raw_results):
         yield addr
示例#3
 def make_search_results(self, memory_handler, struct_type, my_constraints):
     """Yield the addresses of all ``struct_type`` records found in the dump.

     Runs ``api.search_record`` (non-extended search) over ``memory_handler``
     and maps the results through ``api.output_to_python``; only the second
     element (the address) of each result pair is yielded.

     NOTE(review): results are constraint matches over untrusted memory, so a
     crafted dump can produce false positives — validate before trusting.
     """
     # USE the haystack HEAP parsing capabilities
     ## PROD - use API
     found = api.search_record(
         memory_handler, struct_type, my_constraints, extended_search=False)
     # output handling
     converted = api.output_to_python(memory_handler, found)
     for pair in converted:
         yield pair[1]
示例#4
 def make_search_results(self, memory_handler, struct_type, my_constraints):
     """Yield one address per mapping in which a record hit was found.

     Debug variant that bypasses ``api.search_record``: an
     ``AnyOffsetRecordSearcher`` is run on each mapping with ``nb=1`` and
     ``align=0x1000`` (presumably one hit, page-aligned — confirm against the
     searcher), and the address of the first converted hit is yielded.
     Mappings with no hit contribute nothing.

     NOTE(review): uses the private ``_search_in`` method and treats a
     constraint match on untrusted dump bytes as a record; debugging only.
     """
     ## DEBUG - use optimised search space for HEAP
     finder = searcher.AnyOffsetRecordSearcher(memory_handler,
                                               my_constraints)
     for region in memory_handler.get_mappings():
         found = finder._search_in(region,
                                   struct_type,
                                   nb=1,
                                   align=0x1000)
         if found:
             converted = api.output_to_python(memory_handler, found)
             # (instance, addr) — report the address of the first hit only
             yield converted[0][1]
示例#5
        # we are still missing the CriticalSection pointer mappings, which is probably a guard or something.
        # TODO -> change dump format to list all mappings, then data, with 0 data bytes if necessary.
        # TODO -> find why last mapping is truncated. Check WriteFile return value/written_bytes ?
        # maybe add debug statement to  cuckoo/analyzer/windows/lib/common/results.py upload_to_host ?
        # check bytes counts ?


        #m = handler.get_mappings()[0]
        #heap_constraints = finder._heap_module_constraints
        #logging.getLogger("basicmodel").setLevel(logging.DEBUG)
        #f._search_heap(h)

        possibles = []
        for m in handler.get_mappings():
            res = api.load_record(handler, struct__HEAP, m.start, heap_constraints)
            p, valid = api.output_to_python(handler, [res])[0]
            offset = m.offset
            print m, "p.Signature", valid, hex(p.Signature), repr(m._backend[8+offset:12+offset]),
            v = api.validate_record(handler, res[0], heap_constraints)
            print "validate", v
            if p.Signature == 0xeeffeeff:
                possibles.append(m)

        import code
        code.interact(local=locals())

        for m in possibles:
            print "trying m", m
            logging.getLogger("basicmodel").setLevel(logging.INFO)
            res = api.load_record(handler, struct__HEAP, m.start, heap_constraints)
            logging.getLogger("basicmodel").setLevel(logging.DEBUG)
示例#6
        # we are still missing the CriticalSection pointer mappings, which is probably a guard or something.
        # TODO -> change dump format to list all mappings, then data, with 0 data bytes if necessary.
        # TODO -> find why last mapping is truncated. Check WriteFile return value/written_bytes ?
        # maybe add debug statement to  cuckoo/analyzer/windows/lib/common/results.py upload_to_host ?
        # check bytes counts ?

        #m = handler.get_mappings()[0]
        #heap_constraints = finder._heap_module_constraints
        #logging.getLogger("basicmodel").setLevel(logging.DEBUG)
        #f._search_heap(h)

        possibles = []
        for m in handler.get_mappings():
            res = api.load_record(handler, struct__HEAP, m.start,
                                  heap_constraints)
            p, valid = api.output_to_python(handler, [res])[0]
            offset = m.offset
            print(
                m,
                "p.Signature",
                valid,
                hex(p.Signature),
                repr(m._backend[8 + offset:12 + offset]),
            )
            v = api.validate_record(handler, res[0], heap_constraints)
            print("validate", v)
            if p.Signature == 0xeeffeeff:
                possibles.append(m)

        import code
        code.interact(local=locals())