def test_basic_types(self): # struct a - basic types offset = self.offsets['struct_a'][0] m = self.memory_handler.get_mapping_for_address(offset) my_ctypes = self.memory_handler.get_target_platform( ).get_target_ctypes() ret, validated = api.load_record(self.memory_handler, self.ctypes5_gen32.struct_a, offset) self.assertTrue(validated) self.assertEquals(int(self.sizes['struct_a']), my_ctypes.sizeof(ret)) parser = python.PythonOutputter(self.memory_handler) a = parser.parse(ret) self.assertEquals(int(self.values['struct_a.a']), a.a) self.assertEquals(int(self.values['struct_a.b']), a.b) self.assertEquals(int(self.values['struct_a.c']), a.c) self.assertEquals(int(self.values['struct_a.d']), a.d) self.assertEquals(int(self.values['struct_a.e']), a.e) self.assertEquals(float(self.values['struct_a.f']), a.f) self.assertEquals(float(self.values['struct_a.g']), a.g) self.assertEquals(float(self.values['struct_a.h']), a.h) offset = self.offsets['union_au'][0] m = self.memory_handler.get_mapping_for_address(offset) au, validated = api.load_record(self.memory_handler, self.ctypes5_gen32.union_au, offset) self.assertTrue(validated) au = parser.parse(au) self.assertEquals(int(self.values['union_au.d']), au.d) self.assertEquals(float(self.values['union_au.g']), au.g) self.assertEquals(float(self.values['union_au.h']), au.h) return
def test_complex(self): # struct a - basic types offset = self.offsets['struct_d'][0] m = self.memory_handler.get_mapping_for_address(offset) my_ctypes = self.memory_handler.get_target_platform( ).get_target_ctypes() d, validated = api.load_record(self.memory_handler, self.ctypes5_gen32.struct_d, offset) self.assertTrue(validated) self.assertEquals(int(self.sizes['struct_d']), my_ctypes.sizeof(d)) parser = python.PythonOutputter(self.memory_handler) obj = parser.parse(d) # check Ctypes values too self.assertEquals(d.a.value, self.offsets['struct_d'][0]) self.assertEquals(d.b.value, self.offsets['struct_d.b'][0]) self.assertEquals(d.b2.value, self.offsets['struct_d.b2'][0]) # check python calues for i in range(9): self.assertEquals(int(self.values['struct_d.c[%d].a' % i]), obj.c[i].a) self.assertEquals(int(self.values['struct_d.f[%d]' % i]), obj.f[i]) self.assertEquals(int(self.values['struct_d.e']), obj.e) self.assertEquals(str(self.values['struct_d.i']), obj.i) return
def test_bitfield(self): # struct a - basic types offset = self.offsets['struct_c'][0] m = self.memory_handler.get_mapping_for_address(offset) my_ctypes = self.memory_handler.get_target_platform( ).get_target_ctypes() c, validated = api.load_record(self.memory_handler, self.ctypes5_gen32.struct_c, offset) self.assertTrue(validated) self.assertEquals(int(self.sizes['struct_c']), my_ctypes.sizeof(c)) parser = python.PythonOutputter(self.memory_handler) c = parser.parse(c) self.assertEquals(int(self.values['struct_c.a1']), c.a1) self.assertEquals(int(self.values['struct_c.b1']), c.b1) self.assertEquals(int(self.values['struct_c.c1']), c.c1) self.assertEquals(int(self.values['struct_c.d1']), c.d1) self.assertEquals(str(self.values['struct_c.a2']), c.a2) self.assertEquals(int(self.values['struct_c.b2']), c.b2) self.assertEquals(int(self.values['struct_c.c2']), c.c2) self.assertEquals(int(self.values['struct_c.d2']), c.d2) self.assertEquals(int(self.values['struct_c.h']), c.h) return
def test_print_heap_alignmask(self): finder = winxpheapwalker.WinXPHeapFinder(self._memory_handler) for addr, size in zeus_1668_vmtoolsd_exe.known_heaps: m = self._memory_handler.get_mapping_for_address(addr) walker = finder.get_heap_walker(m) win7heap = walker._heap_module heap = m.read_struct(addr, win7heap.HEAP) parser = python.PythonOutputter(self._memory_handler) x = parser.parse(heap) log.info("Heap: @0x%x #:%d AlignMask: 0x%x FrontEndHeapType:%d", addr, x.ProcessHeapsListIndex, x.AlignMask, x.FrontEndHeapType) #tparser = python.PythonOutputter(self._memory_handler) #print tparser.parse(heap).toString() self.assertEqual(x.AlignMask, 0xfffffff8)
def test_basic_signed_types(self): # union b - basic types offset = self.offsets['union_b'][0] m = self.memory_handler.get_mapping_for_address(offset) my_ctypes = self.memory_handler.get_target_platform( ).get_target_ctypes() ret, validated = api.load_record(self.memory_handler, self.ctypes5_gen32.union_b, offset) self.assertTrue(ret) parser = python.PythonOutputter(self.memory_handler) b = parser.parse(ret) self.assertEquals(int(self.values['union_b.a']), b.a) self.assertEquals(int(self.values['union_b.b']), b.b) self.assertEquals(int(self.values['union_b.c']), b.c) self.assertEquals(int(self.values['union_b.d']), b.d) self.assertEquals(int(self.values['union_b.e']), b.e) # char 251 self.assertEquals((self.values['union_b.g']), b.g) return
def output_to_python(memory_handler, results): """ Transform ctypes results in a non-ctypes python object format :param memory_handler: IMemoryHandler :param results: results from the search_record :return: """ if not isinstance(results, list): raise TypeError('Feed me a list of results') # also generate POPOs my_model = memory_handler.get_model() pythoned_modules = my_model.get_pythoned_modules().keys() for module_name, module in my_model.get_imported_modules().items(): if module_name not in pythoned_modules: my_model.build_python_class_clones(module) # parse and generate instances parser = python.PythonOutputter(memory_handler) ret = [(parser.parse(ss), addr) for ss, addr in results] # last check to clean the structure from any ctypes Structure if python.findCtypesInPyObj(memory_handler, ret): raise HaystackError( 'Bug in framework, some Ctypes are still in the return results. Please Report test unit.') return ret