def _load_memory_mappings(self): """ make the python objects""" _mappings = [] default_ctypes = types.load_ctypes_default() for mmap_fname, start, end, permissions, offset, major_device, minor_device, inode, pathname in self.metalines: log.debug('Loading %s - %s' % (mmap_fname, pathname)) # open the file in the archive fname = os.path.sep.join([self.dumpname, mmap_fname]) mmap = FilenameBackedMemoryMapping(fname, start, end, permissions, offset, major_device, minor_device, inode, pathname=pathname) mmap.set_ctypes(default_ctypes) _mappings.append(mmap) _target_platform = target.TargetPlatform(_mappings, cpu_bits=self._cpu_bits, os_name=self._os_name) self._memory_handler = MemoryHandler(_mappings, _target_platform, self.dumpname) self._memory_handler.reset_mappings() return
def _load_memory_mappings(self): """ make the python objects""" _mappings = [] for _start, _end, permissions, offset, devices, inode, mmap_pathname in self.metalines: start, end = int(_start, 16), int(_end, 16) offset = int(offset, 16) inode = int(inode) # rebuild filename mmap_fname = "%s-%s" % (_start, _end) # get devices nums major_device, minor_device = devices.split(':') major_device = int(major_device, 16) minor_device = int(minor_device, 16) log.debug('Loading %s - %s' % (mmap_fname, mmap_pathname)) # open the file in the archive fname = os.path.sep.join([self.dumpname, mmap_fname]) mmap = FilenameBackedMemoryMapping(fname, start, end, permissions, offset, major_device, minor_device, inode, pathname=mmap_pathname) _mappings.append(mmap) _target_platform = TargetPlatform(_mappings, cpu_bits=self._cpu_bits, os_name=self._os_name) self._memory_handler = MemoryHandler(_mappings, _target_platform, self.dumpname) self._memory_handler.reset_mappings() return
class VeryLazyProcessMemoryDumpLoader(LazyProcessMemoryDumpLoader): """ Always use a filename backed memory mapping. """ def _load_memory_mappings(self): """ make the python objects""" _mappings = [] for _start, _end, permissions, offset, devices, inode, mmap_pathname in self.metalines: start, end = int(_start, 16), int(_end, 16) offset = int(offset, 16) inode = int(inode) # rebuild filename mmap_fname = "%s-%s" % (_start, _end) # get devices nums major_device, minor_device = devices.split(':') major_device = int(major_device, 16) minor_device = int(minor_device, 16) log.debug('Loading %s - %s' % (mmap_fname, mmap_pathname)) # open the file in the archive fname = os.path.sep.join([self.dumpname, mmap_fname]) mmap = FilenameBackedMemoryMapping(fname, start, end, permissions, offset, major_device, minor_device, inode, pathname=mmap_pathname) _mappings.append(mmap) _target_platform = TargetPlatform(_mappings, cpu_bits=self._cpu_bits, os_name=self._os_name) self._memory_handler = MemoryHandler(_mappings, _target_platform, self.dumpname) self._memory_handler.reset_mappings() return
def _make_mmap_with_values(self, intervals, struct_offset=None): """ Make a memory map, with a fake structure of pointer pattern inside. Return the pattern signature :param intervals: :param struct_offset: :return: """ # template of a memory map metadata self._mstart = 0x0c00000 self._mlength = 4096 # end at (0x0c01000) # could be 8, it doesn't really matter self.word_size = self.target.get_word_size() if struct_offset is not None: self._struct_offset = struct_offset else: self._struct_offset = self.word_size * 12 # 12, or any other aligned mmap, values = self._make_mmap(0x0c00000, 4096, self._struct_offset, intervals, self.word_size) # add a reference to mmap in mmap2 ammap2 = AMemoryMapping(0xff7dc000, 0xff7dc000 + 0x1000, '-rwx', 0, 0, 0, 0, 'test_mmap2') ammap2.set_ctypes(self.target.get_target_ctypes()) mmap2 = LocalMemoryMapping.fromBytebuffer(ammap2, mmap.get_byte_buffer()) self._memory_handler = MemoryHandler([mmap, mmap2], self.target, 'test') self.mmap2 = mmap2 return mmap, values
def make_process_memory_handler(process): """ Read all memory mappings of the specified process. Return a list of MemoryMapping objects, or empty list if it's not possible to read the memory mappings. May raise a ProcessError. """ if not isinstance(process, dbg.IProcess): raise TypeError('dbg.IProcess expected') mapsfile = process.get_mappings_line() mappings = [] is_64 = False # read the mappings for line in mapsfile: line = line.rstrip() match = PROC_MAP_REGEX.match(line) if not match: raise IOError(process, "Unable to parse memory mapping: %r" % line) if not is_64 and len(match.group(1)) > 8: is_64 = True # log.debug('readProcessMappings %s' % (str(match.groups()))) _map = ProcessMemoryMapping(process, int(match.group(1), 16), int(match.group(2), 16), match.group(3), int(match.group(4), 16), int(match.group(5), 16), int(match.group(6), 16), int(match.group(7)), match.group(8)) mappings.append(_map) # create the memory_handler for self import sys if 'linux' in sys.platform: os_name = target.TargetPlatform.LINUX else: # sys.platform.startswith('win'): os_name = target.TargetPlatform.WIN7 _target_platform = None if is_64: if os_name in [ target.TargetPlatform.WINXP, target.TargetPlatform.WIN7 ]: _target_platform = target.TargetPlatform.make_target_win_64( os_name) elif os_name == target.TargetPlatform.LINUX: _target_platform = target.TargetPlatform.make_target_linux_64() else: if os_name in [ target.TargetPlatform.WINXP, target.TargetPlatform.WIN7 ]: _target_platform = target.TargetPlatform.make_target_win_32( os_name) elif os_name == target.TargetPlatform.LINUX: _target_platform = target.TargetPlatform.make_target_linux_32() _memory_handler = MemoryHandler(mappings, _target_platform, 'localhost-%d' % process.get_pid()) return _memory_handler
class VeryLazyProcessMemoryDumpLoader(LazyProcessMemoryDumpLoader): """ Always use a filename backed memory mapping. """ def _load_memory_mappings(self): """ make the python objects""" _mappings = [] default_ctypes = types.load_ctypes_default() for mmap_fname, start, end, permissions, offset, major_device, minor_device, inode, pathname in self.metalines: log.debug('Loading %s - %s' % (mmap_fname, pathname)) # open the file in the archive fname = os.path.sep.join([self.dumpname, mmap_fname]) mmap = FilenameBackedMemoryMapping(fname, start, end, permissions, offset, major_device, minor_device, inode, pathname=pathname) mmap.set_ctypes(default_ctypes) _mappings.append(mmap) _target_platform = target.TargetPlatform(_mappings, cpu_bits=self._cpu_bits, os_name=self._os_name) self._memory_handler = MemoryHandler(_mappings, _target_platform, self.dumpname) self._memory_handler.reset_mappings() return
def my_render_text(mapper, cmd, outfd, data): maps = [] for task in data: # print type(task) address_space = task.get_process_address_space() for vad in task.VadRoot.traverse(): # print type(vad) if vad is None: continue offset = vad.obj_offset start = vad.Start end = vad.End tag = vad.Tag flags = str(vad.u.VadFlags) perms = PERMS_PROTECTION[vad.u.VadFlags.Protection.v() & 7] pathname = '' if vad.u.VadFlags.PrivateMemory == 1 or not vad.ControlArea: pathname = '' else: # FIXME, push that to volatility plugin too. try: file_obj = vad.ControlArea.FilePointer if file_obj: pathname = file_obj.FileName or "Pagefile-backed section" except AttributeError: pass #elif vad.FileObject: # pathname = str(vad.FileObject.FileName or '') pmap = VolatilityProcessMappingA( address_space, start, end, permissions=perms, pathname=pathname) # print pmap #import code # code.interact(local=locals()) maps.append(pmap) # get the platform ## FIXME, use imageinfo, or find the automation in vol.py #import code #code.interact(local=locals()) if mapper.config.PROFILE == "WinXPSP2x86": mapper._target = target.TargetPlatform.make_target_win_32('winxp') memory_handler = MemoryHandler(maps, mapper._target, mapper.imgname) # print _memory_handler #mappings.init_config() mapper._memory_handler = memory_handler
def readProcessMappings(process): """ Read all memory mappings of the specified process. Return a list of MemoryMapping objects, or empty list if it's not possible to read the memory mappings. May raise a ProcessError. """ maps = [] if not dbg.HAS_PROC: return maps try: mapsfile = dbg.openProc(process.pid) except dbg.ProcError as err: raise dbg.ProcessError(process, "Unable to read process maps: %s" % err) mappings = [] try: # read the mappings for line in mapsfile: line = line.rstrip() match = PROC_MAP_REGEX.match(line) if not match: raise dbg.ProcessError( process, "Unable to parse memory mapping: %r" % line) log.debug('readProcessMappings %s' % (str(match.groups()))) _map = ProcessMemoryMapping( # cfg, process, int(match.group(1), 16), int(match.group(2), 16), match.group(3), int(match.group(4), 16), int(match.group(5), 16), int(match.group(6), 16), int(match.group(7)), match.group(8)) mappings.append(_map) finally: if isinstance(mapsfile, file): mapsfile.close() # create the memory_handler for self _target_platform = target.TargetPlatform.make_target_platform_local() _memory_handler = MemoryHandler(mappings, _target_platform, 'localhost-%d' % process.pid) return _memory_handler
def _init_mappings(self): mappings = [] # is_64 = False for _range in self.session.enumerate_ranges('r'): log.debug("Mapping Frida %s", _range) start = _range.base_address end = _range.base_address + _range.size perms = _range.protection mappings.append( FridaMemoryMapping(self.session, start, end, perms, None)) if not is_64 and len(hex(start)) > 8: is_64 = True # self.mappings = mappings log.debug("nb maps: %d", len(self.mappings)) # Use a folder name for its cache later on h_name = self.name + ".d" self._target = None # create the memory_handler for self # FIXME cpu, os_name from init param if 'linux' in sys.platform: os_name = target.TargetPlatform.LINUX else: # sys.platform.startswith('win'): os_name = target.TargetPlatform.WIN7 _target_platform = None if is_64: if os_name in [ target.TargetPlatform.WINXP, target.TargetPlatform.WIN7 ]: _target_platform = target.TargetPlatform.make_target_win_64( os_name) elif os_name == target.TargetPlatform.LINUX: _target_platform = target.TargetPlatform.make_target_linux_64() else: if os_name in [ target.TargetPlatform.WINXP, target.TargetPlatform.WIN7 ]: _target_platform = target.TargetPlatform.make_target_win_32( os_name) elif os_name == target.TargetPlatform.LINUX: _target_platform = target.TargetPlatform.make_target_linux_32() memory_handler = MemoryHandler(mappings, _target_platform, self.name) self._memory_handler = memory_handler return
def my_render_text(mapper, cmd, outfd, data): maps = [] for task in data: # print type(task) address_space = task.get_process_address_space() for vad in task.VadRoot.traverse(): # print type(vad) if vad is None: continue offset = vad.obj_offset start = vad.Start end = vad.End tag = vad.Tag flags = str(vad.u.VadFlags) perms = PERMS_PROTECTION[vad.u.VadFlags.Protection.v() & 7] pathname = '' if vad.u.VadFlags.PrivateMemory == 1 or not vad.ControlArea: pathname = '' elif vad.FileObject: pathname = str(vad.FileObject.FileName or '') pmap = VolatilityProcessMappingA(address_space, start, end, permissions=perms, pathname=pathname) # print pmap #import code # code.interact(local=locals()) maps.append(pmap) # get the platform if mapper.config.PROFILE == "WinXPSP2x86": mapper._target = target.TargetPlatform.make_target_win_32('winxp') memory_handler = MemoryHandler(maps, mapper._target, mapper.imgname) # print _memory_handler #mappings.init_config() mapper._memory_handler = memory_handler
def _load_memory_mappings(self): """ make the python objects""" _mappings = [] for mmap_fname, start, end, permissions, offset, major_device, minor_device, inode, pathname in self.metalines: log.debug('Loading %s - %s' % (mmap_fname, pathname)) # open the file in the archive try: mmap_content_file = self._protected_open_file(mmap_fname, pathname) except (IOError, KeyError) as e: log.debug('Ignore absent file : %s' % (e)) mmap = AMemoryMapping(start, end, permissions, offset, major_device, minor_device, inode, pathname=pathname) _mappings.append(mmap) continue except LazyLoadingException as e: mmap = FilenameBackedMemoryMapping(e._filename, start, end, permissions, offset, major_device, minor_device, inode, pathname=pathname) _mappings.append(mmap) continue if isinstance(self.archive, zipfile.ZipFile): # ZipExtFile is lame log.warning( 'Using a local memory mapping . Zipfile sux. thx ruby.') mmap = AMemoryMapping(start, end, permissions, offset, major_device, minor_device, inode, pathname=pathname) mmap = LocalMemoryMapping.fromBytebuffer( mmap, mmap_content_file.read()) # use file mmap when file is too big elif end - start > haystack.MAX_MAPPING_SIZE_FOR_MMAP: log.warning('Using a file backed memory mapping. no mmap in memory for this memorymap (%s).' % (pathname) + ' Search will fail. Buffer is needed.') mmap = FileBackedMemoryMapping(mmap_content_file.name, start, end, permissions, offset, major_device, minor_device, inode, pathname=pathname) else: # log.debug('Using a MemoryDumpMemoryMapping. small size') # mmap = MemoryDumpMemoryMapping(mmap_content_file, start, end, permissions, offset, log.debug('Always use FilenameBackedMemoryMapping. small size') mmap = FilenameBackedMemoryMapping(mmap_content_file.name, start, end, permissions, offset, major_device, minor_device, inode, pathname=pathname) _mappings.append(mmap) _target_platform = target.TargetPlatform(_mappings, cpu_bits=self._cpu_bits, os_name=self._os_name) self._memory_handler = MemoryHandler(_mappings, _target_platform, self.dumpname) return
def _make_signature(self, intervals, struct_offset=None): """ Make a memory map, with a fake structure of pointer pattern inside. Return the pattern signature :param intervals: :param struct_offset: :return: """ # template of a memory map metadata self._mstart = 0x0c00000 self._mlength = 4096 # end at (0x0c01000) # could be 8, it doesn't really matter self.word_size = self.target.get_word_size() if struct_offset is not None: self._struct_offset = struct_offset else: self._struct_offset = self.word_size*12 # 12, or any other aligned mmap, values = self._make_mmap(self._mstart, self._mlength, self._struct_offset, intervals, self.word_size) mappings = MemoryHandler([mmap], self.target, 'test/reverse/fakedump') sig = pattern.PointerIntervalSignature(mappings, 'test_mmap') return sig