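def find_heap():
    """Entry point for ``haystack-find-heap``: locate and describe heaps in a dump.

    Arguments come from ``sys.argv``. An optional hex ``address`` selects a
    single heap, which is handed to ``one_heap``. Otherwise every mapping is
    scanned page by page for the ``0xeeffeeff`` HEAP signature at the offsets
    listed below, and the heap finder's walkers are then analysed.
    ``--mappings`` additionally lists the process mappings; ``--verbose`` is
    forwarded to the heap analysis.

    Returns:
        None. All output goes to stdout.
    """
    argv = sys.argv[1:]
    parser = cli.base_argparser('haystack-find-heap', "Find heaps in a dumpfile")
    parser.add_argument('--verbose', '-v', action='store_true', help='Verbose')
    parser.add_argument('--mappings', '-m', action='store_true', help='Show mappings')
    # only if address is present
    group = parser.add_argument_group('For a specific HEAP')
    group.add_argument('address', nargs='?', type=argparse_utils.int16, default=None,
                       help='Load Heap from address (hex)')
    group.add_argument('--heap', '-p', action='store_true', help='Show the heap content')
    group.add_argument('--frontend', '-f', action='store_true',
                       help='Show the frontend heap content')
    opts = parser.parse_args(argv)
    cli.set_logging_level(opts)
    memory_handler = cli.make_memory_handler(opts)
    finder = memory_handler.get_heap_finder()
    # Show Target information (opts.bits / opts.osname presumably come from cli.base_argparser)
    if opts.bits or opts.osname:
        print('Forced target resolution:', memory_handler.get_target_platform())
    else:
        print('Automatic target resolution:', memory_handler.get_target_platform())
    if opts.mappings:
        # show all memory mappings
        print('Process mappings:')
        print('@start @stop File Offset M:m ')
        for m in memory_handler.get_mappings():
            print(m)
    if opts.address is not None:
        one_heap(opts, finder)
        return
    # (os label, pointer width in bits, byte offset of the signature field).
    # NOTE(review): offsets are kept as the original code had them - verify them
    # against the corresponding HEAP record layouts before changing them.
    heap_signatures = [
        ('winxp', 32, 8),
        ('winxp', 64, 16),
        ('win7', 32, 100),
        ('win7', 64, 160),
    ]
    print('Probable Process HEAPS:')
    for m in memory_handler.get_mappings():
        for addr in range(m.start, m.end, 0x1000):
            special = ''
            # named 'osname' so the loop variable does not shadow the os module
            for osname, bits, offset in heap_signatures:
                # never read outside the mapping: a mapping whose end is not
                # page-aligned would otherwise be read past m.end on its last page
                if addr + offset + 4 > m.end:
                    continue
                signature = struct.unpack('I', m.read_bytes(addr + offset, 4))[0]
                if signature == 0xeeffeeff:
                    # flag a signature that is not at the start of its mapping
                    if addr != m.start:
                        special = ' (!) '
                    print('[+] %s %dbits %s 0x%0.8x' % (osname, bits, special, addr), m)
    # Then show heap analysis
    print('Found Heaps:')
    for walker in finder.list_heap_walkers():
        validator = walker.get_heap_validator()
        validator.print_heap_analysis(walker.get_heap(), opts.verbose)
    return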
def reverse():
    """Entry point for the reverse command.

    Builds the base argument parser (``REVERSE_DESC`` as description), parses
    ``sys.argv`` without the program name, applies the logging level and
    dispatches to ``reverse_cmdline`` via the parser's ``func`` default.
    """
    program = os.path.basename(sys.argv[0])
    parser = cli.base_argparser(program_name=program, description=REVERSE_DESC)
    # the handler is bound as a parser default so opts.func carries it
    parser.set_defaults(func=reverse_cmdline)
    options = parser.parse_args(sys.argv[1:])
    # apply verbosity
    cli.set_logging_level(options)
    # execute function
    options.func(options)
def reverse_show():
    """Entry point for the reverse-show command.

    Takes one positional ``address`` (hex, parsed by ``argparse_utils.int16``)
    from ``sys.argv``, applies the logging level and runs
    ``reverse_show_cmdline`` with the parsed options.
    """
    program = os.path.basename(sys.argv[0])
    parser = cli.base_argparser(program_name=program, description=REVERSE_SHOW_DESC)
    parser.add_argument('address', type=argparse_utils.int16,
                        help='Record memory address in hex')
    # the handler is bound as a parser default so opts.func carries it
    parser.set_defaults(func=reverse_show_cmdline)
    options = parser.parse_args(sys.argv[1:])
    # apply verbosity
    cli.set_logging_level(options)
    # execute function
    options.func(options)
def reverse_hex():
    """Entry point for the reverse-hex command.

    Takes one positional ``address`` (hex, parsed by ``argparse_utils.int16``)
    from ``sys.argv``, applies the logging level and runs ``show_hex`` with the
    parsed options.
    """
    program = os.path.basename(sys.argv[0])
    parser = cli.base_argparser(program_name=program, description=REVERSE_HEX_DESC)
    parser.add_argument(
        'address',
        type=argparse_utils.int16,
        action='store',
        default=None,
        help='Specify the address of the record, or encompassed by the record',
    )
    # the handler is bound as a parser default so opts.func carries it
    parser.set_defaults(func=show_hex)
    options = parser.parse_args(sys.argv[1:])
    # apply verbosity
    cli.set_logging_level(options)
    # execute function
    options.func(options)
def reverse_parents():
    """Entry point for the reverse-parents command.

    Takes one positional ``address`` (hex, parsed by ``argparse_utils.int16``)
    from ``sys.argv``, applies the logging level and runs
    ``show_predecessors_cmdline`` with the parsed options.
    """
    program = os.path.basename(sys.argv[0])
    parser = cli.base_argparser(program_name=program, description=REVERSE_PARENT_DESC)
    parser.add_argument(
        'address',
        type=argparse_utils.int16,
        action='store',
        default=None,
        help='Hex address of the child structure',
    )
    # the handler is bound as a parser default so opts.func carries it
    parser.set_defaults(func=show_predecessors_cmdline)
    options = parser.parse_args(sys.argv[1:])
    # apply verbosity
    cli.set_logging_level(options)
    # execute function
    options.func(options)
def minidump_reverse_hex():
    """Entry point for reverse-hex on a minidump file.

    Requires a readable ``dump_filename`` positional, adds the reverse-hex
    arguments through ``reverse_hex_argparser`` (which is also expected to
    set the ``func`` default), forces ``opts.dumptype`` to the minidump type,
    applies the logging level and runs the bound handler.
    """
    program = os.path.basename(sys.argv[0])
    description = REVERSE_HEX_DESC + cli.DUMPTYPE_MINIDUMP_DESC
    parser = cli.base_argparser(program_name=program, description=description)
    parser.add_argument('dump_filename', type=argparse_utils.readable,
                        help='Use this memory dump file')
    reverse_hex_argparser(parser)
    options = parser.parse_args(sys.argv[1:])
    # the dump type is fixed by this entry point, not chosen on the command line
    options.dumptype = cli.DUMPTYPE_MINIDUMP
    # apply verbosity
    cli.set_logging_level(options)
    # execute function
    options.func(options)
def main_reverse_parents():
    """Entry point for reverse-parents on a dump folder.

    Requires a readable ``dump_folder_name`` positional, adds the
    reverse-parents arguments through ``reverse_parents_argparser`` (which is
    also expected to set the ``func`` default), forces ``opts.dumptype`` to the
    base dump type, applies the logging level and runs the bound handler.
    """
    program = os.path.basename(sys.argv[0])
    description = REVERSE_PARENT_DESC + cli.DUMPTYPE_BASE_DESC
    parser = cli.base_argparser(program_name=program, description=description)
    parser.add_argument('dump_folder_name', type=argparse_utils.readable,
                        help='Use this memory dump folder')
    reverse_parents_argparser(parser)
    options = parser.parse_args(sys.argv[1:])
    # the dump type is fixed by this entry point, not chosen on the command line
    options.dumptype = cli.DUMPTYPE_BASE
    # apply verbosity
    cli.set_logging_level(options)
    # execute function
    options.func(options)
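def main(argv=None):
    """Entry point for the pointer-graph tool.

    Args:
        argv: command-line arguments *without* the program name. ``None``
            (the default) means ``sys.argv[1:]``. The previous version
            discarded this parameter and always re-read ``sys.argv``; it is
            now honoured so the function can be driven programmatically.

    Returns:
        None.
    """
    if argv is None:
        argv = sys.argv[1:]
    desc = 'Play with graph repr of pointers relationships.'
    rootparser = cli.base_argparser(program_name=os.path.basename(sys.argv[0]), description=desc)
    # argparse.FileType opens the file at parse time; nothing here closes it.
    # NOTE(review): confirm that ``make`` closes opts.gexf.
    rootparser.add_argument('gexf', type=argparse.FileType('rb'), action='store',
                            help='Source gexf.')
    rootparser.set_defaults(func=make)
    opts = rootparser.parse_args(argv)
    # apply verbosity
    cli.set_logging_level(opts)
    # execute function
    opts.func(opts)
    return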