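_HEAP.getFreeLists = _HEAP_getFreeLists


def _HEAP_getFreeListsWinXP(self, mappings):
    '''Yield the address of each free block linked from self.FreeLists.

    Reference: Understanding_the_LFH.pdf page 17.

    The list is walked with self.FreeLists._iterateList(mappings). For each
    link, the word located Config.WORDSIZE bytes before the block address is
    read and logged as the block size.

    The link values come from the memory image being analysed, so they are
    treated as untrusted: the size address is checked against the known
    mappings before it is read, and a link pointing outside them aborts the
    walk instead of being skipped.

    :param mappings: the memory mappings used to validate and read addresses.
    :returns: a generator over the free block addresses.
    :raises ValueError: when a link's size address is not inside mappings.
    '''
    # The 'listmodel' logger is switched to DEBUG for the duration of the walk.
    listmodel_log = logging.getLogger('listmodel')
    listmodel_log.setLevel(level=logging.DEBUG)
    try:
        # NOTE(review): termination on a cyclic or corrupted list depends on
        # _iterateList, which is not visible here - confirm it tracks visited
        # links.
        for freeBlock in self.FreeLists._iterateList(mappings):
            # The size word sits immediately before the block address.
            sizeaddr = freeBlock - Config.WORDSIZE
            memoryMap = utils.is_valid_address_value(sizeaddr, mappings)
            # Compared against False exactly as before; the return contract of
            # is_valid_address_value is not visible from this block.
            if memoryMap == False:
                raise ValueError('the link of this linked list has a bad value')
            val = memoryMap.readWord(sizeaddr)
            log.debug('\t - freeblock @%0.8x size:%d', freeBlock, val)
            yield freeBlock
    finally:
        # Runs on normal exhaustion, on the ValueError above and when the
        # consumer closes the generator early, so the logger is never left at
        # DEBUG. The level is set to INFO unconditionally (not restored to its
        # previous value), matching the original end-of-walk behaviour.
        listmodel_log.setLevel(level=logging.INFO)
    # The generator ends by falling off the end: an explicit
    # "raise StopIteration" here becomes a RuntimeError under PEP 479.


########## _LIST_ENTRY

from haystack import listmodel
listmodel.declare_double_linked_list_type(_LIST_ENTRY, 'FLink', 'BLink')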
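_HEAP.getFreeLists = _HEAP_getFreeLists


def _HEAP_getFreeListsWinXP(self, mappings):
    """Yield the address of each free block linked from self.FreeLists.

    Reference: Understanding_the_LFH.pdf page 17.

    The list is walked with self.FreeLists._iterateList(mappings). For each
    link, the word located Config.WORDSIZE bytes before the block address is
    read and logged as the block size.

    The link values come from the memory image being analysed, so they are
    treated as untrusted: the size address is checked against the known
    mappings before it is read, and a link pointing outside them aborts the
    walk instead of being skipped.

    :param mappings: the memory mappings used to validate and read addresses.
    :returns: a generator over the free block addresses.
    :raises ValueError: when a link's size address is not inside mappings.
    """
    # The "listmodel" logger is switched to DEBUG for the duration of the walk.
    listmodel_log = logging.getLogger("listmodel")
    listmodel_log.setLevel(level=logging.DEBUG)
    try:
        # NOTE(review): termination on a cyclic or corrupted list depends on
        # _iterateList, which is not visible here - confirm it tracks visited
        # links.
        for freeBlock in self.FreeLists._iterateList(mappings):
            # The size word sits immediately before the block address.
            sizeaddr = freeBlock - Config.WORDSIZE
            memoryMap = utils.is_valid_address_value(sizeaddr, mappings)
            # Compared against False exactly as before; the return contract of
            # is_valid_address_value is not visible from this block.
            if memoryMap == False:
                raise ValueError("the link of this linked list has a bad value")
            val = memoryMap.readWord(sizeaddr)
            log.debug("\t - freeblock @%0.8x size:%d", freeBlock, val)
            yield freeBlock
    finally:
        # Runs on normal exhaustion, on the ValueError above and when the
        # consumer closes the generator early, so the logger is never left at
        # DEBUG. The level is set to INFO unconditionally (not restored to its
        # previous value), matching the original end-of-walk behaviour.
        listmodel_log.setLevel(level=logging.INFO)
    # The generator ends by falling off the end: an explicit
    # "raise StopIteration" here becomes a RuntimeError under PEP 479.


########## _LIST_ENTRY

from haystack import listmodel
listmodel.declare_double_linked_list_type(_LIST_ENTRY, "FLink", "BLink")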
load mappings that contains subsegment of a heap. Understanding_the_LFH.pdf page 18 ++ We iterate on HEAP.FreeLists to get ALL free blocks. @returns freeblock_addr : the address of the HEAP_ENTRY (chunk header) size : the size of the free chunk + HEAP_ENTRY header size, in blocks. """ # FIXME: we should use get_segmentlist to coallescce segment in one heap # memory mapping. Not free chunks. res = list() for freeblock in self.iterateListField(mappings, 'FreeLists'): if self.EncodeFlagMask: chunk_header = HEAP_ENTRY_decode(freeblock, self) # size = header + freespace res.append((freeblock._orig_address_, chunk_header.Size * 8)) return res # imported dynamically # pylint: disable=undefined-variable HEAP.get_freelists = HEAP_get_freelists # def HEAP_getFreeListsWinXP(self, mappings): # Understanding_the_LFH.pdf page 17 """ # LIST_ENTRY from haystack import listmodel listmodel.declare_double_linked_list_type(LIST_ENTRY, 'Flink', 'Blink')