def test_load(self): # this is kinda stupid, given we are using a heapwalker to # find the heap, and testing the heap. finder = self.memory_handler.get_heap_finder() walkers = finder.list_heap_walkers() heaps = [walker.get_heap_mapping() for walker in walkers] my_heap = [x for x in heaps if x.start == self.known_heaps[0][0]][0] heap_mapping = self.memory_handler.get_mapping_for_address( self.known_heaps[0][0]) # we want the 32 bits heap record type on 32 bits heap mappings heapwalker = finder.get_heap_walker(heap_mapping) ## Thats a 64 bits heap heapwalker = finder.get_heap_walker(heaps[0]) my_loader = searcher.RecordLoader(self.memory_handler) res = my_loader.load(heapwalker._heap_module.HEAP, self.known_heaps[0][0]) res_p = haystack.output_to_python(self.memory_handler, [res]) instance, validated = res_p[0] # no constraints loaded, subsegmentcode pointer went to is_valid self.assertFalse(validated) # now lets just use the win7heap constraints my_loader = searcher.RecordLoader(self.memory_handler, heapwalker._heap_module_constraints) res = my_loader.load(heapwalker._heap_module.HEAP, self.known_heaps[0][0]) res_p = haystack.output_to_python(self.memory_handler, [res]) instance, validated = res_p[0] # no constraints loaded, subsegmentcode pointer went to is_valid self.assertTrue(validated) self.assertIsInstance(instance, object) self.assertEquals(instance.Signature, 0xeeffeeff) self.assertEquals(instance.VirtualMemoryThreshold, 0xfe00) self.assertEquals(instance.FrontEndHeapType, 0) # try a misalign read res = my_loader.load(heapwalker._heap_module.HEAP, self.known_heaps[0][0] + 1) res_p = haystack.output_to_python(self.memory_handler, [res]) instance, validated = res_p[0] self.assertFalse(validated) self.assertIsInstance(instance, object) self.assertNotEquals(instance.Signature, 0xeeffeeff) self.assertEquals(instance.Signature, 0xeeffee) # 1 byte off self.assertNotEquals(instance.VirtualMemoryThreshold, 0xfe00) self.assertEquals(instance.VirtualMemoryThreshold, 0xff0000fe) return
def test_load(self): # this is kinda stupid, given we are using a heapwalker to # find the heap, and testing the heap. my_target = self.memory_handler.get_target_platform() my_ctypes = my_target.get_target_ctypes() my_utils = my_target.get_target_ctypes_utils() my_model = self.memory_handler.get_model() finder = self.memory_handler.get_heap_finder() heaps = finder.get_heap_mappings() my_heap = [ x for x in heaps if x.start == self.known_heaps[0][0]][0] heapwalker = finder.get_heap_walker(heaps[0]) win7heap = heapwalker._heap my_loader = searcher.RecordLoader(self.memory_handler) res = my_loader.load(heapwalker._heap_module.HEAP, self.known_heaps[0][0]) res_p = haystack.output_to_python(self.memory_handler, [res]) instance, validated = res_p[0] # no constraints loaded, subsegmentcode pointer went to is_valid self.assertFalse(validated) # now lets just use the win7heap constraints my_loader = searcher.RecordLoader(self.memory_handler, heapwalker._heap_module_constraints) res = my_loader.load(heapwalker._heap_module.HEAP, self.known_heaps[0][0]) res_p = haystack.output_to_python(self.memory_handler, [res]) instance, validated = res_p[0] # no constraints loaded, subsegmentcode pointer went to is_valid self.assertTrue(validated) self.assertIsInstance(instance, object) self.assertEquals(instance.Signature, 0xeeffeeff) self.assertEquals(instance.VirtualMemoryThreshold, 0xfe00) self.assertEquals(instance.FrontEndHeapType, 0) # try a misalign read res = my_loader.load(heapwalker._heap_module.HEAP, self.known_heaps[0][0] + 1) res_p = haystack.output_to_python(self.memory_handler, [res]) instance, validated = res_p[0] self.assertFalse(validated) self.assertIsInstance(instance, object) self.assertNotEquals(instance.Signature, 0xeeffeeff) self.assertEquals(instance.Signature, 0xeeffee) # 1 byte off self.assertNotEquals(instance.VirtualMemoryThreshold, 0xfe00) self.assertEquals(instance.VirtualMemoryThreshold, 0xff0000fe) return
def print_cb(self, memory_handler, instance, address): """ Callback function called by AnyOffsetRecordSearcher when an instance is found :param memory_handler: :param instance: :param address: :return: """ py_results = haystack.output_to_python(memory_handler, [(instance, address)]) for x, addr in py_results: heap_not_at_start = ' ' m = memory_handler.get_mapping_for_address(addr) if addr != m.start: heap_not_at_start = ' (!)' print 'HEAP at 0x%x%s\tsize: 0x%x map: %s' % (addr, heap_not_at_start, len(m), m)
def print_cb(self, memory_handler, instance, address): """ Callback function called by AnyOffsetRecordSearcher when an instance is found :param memory_handler: :param instance: :param address: :return: """ py_results = haystack.output_to_python(memory_handler, [(instance, address)]) for x, addr in py_results: heap_not_at_start = ' ' m = memory_handler.get_mapping_for_address(addr) if addr != m.start: heap_not_at_start = ' (!)' print 'HEAP at 0x%x%s\tsize: 0x%x map: %s' % ( addr, heap_not_at_start, len(m), m)
def test_refresh(self): #handler = constraints.ConstraintsConfigHandler() #my_constraints = handler.read('test/src/ctypes6.constraints') #results = haystack.search_record(self.memory_handler, self.usual_structname, my_constraints) # search struct_usual with constraints results, validated = haystack.search.api.load_record(self.memory_handler, self.usual, self.address1) # check the string output retstr = haystack.output_to_string(self.memory_handler, [(results, validated)]) self.assertTrue(isinstance(retstr, str)) # string #retstr = api.show_dumpname(self.usual_structname, self.memdumpname, # self.address1, rtype='string') self.assertIn(str(0x0aaaaaaa), retstr) # 0xaaaaaaa/178956970L self.assertIn(str(0x0ffffff0), retstr) self.assertIn('"val2b": 0L,', retstr) self.assertIn('"val1b": 0L,', retstr) # usual->root.{f,b}link = &node1->list; # offset list is (wordsize) bytes ## TU results based on __book node1_list_addr = hex(self.address2 + self.my_target.get_word_size()) self.assertIn('"flink": { # <struct_entry at %s' % node1_list_addr, retstr) self.assertIn('"blink": { # <struct_entry at %s' % node1_list_addr, retstr) ## TU results based on direct access #node1_list_addr = self.address2 + self.my_target.get_word_size() #self.assertIn('"flink": 0x%0.8x' % node1_list_addr, retstr) #self.assertIn('"blink": 0x%0.8x' % node1_list_addr, retstr) # python usuals = haystack.output_to_python(self.memory_handler, [(results, validated)]) usual, validated = usuals[0] self.assertEquals(validated, True) self.assertEquals(usual.val1, 0x0aaaaaaa) self.assertEquals(usual.val2, 0x0ffffff0) self.assertEquals(usual.txt, 'This a string with a test this is a test ' 'string') # so now we got python objects # that is node 1 self.assertIsNotNone(usual.root.flink) self.assertEquals(usual.root.flink, usual.root.blink) #print usual.root.flink # that is node2 self.assertEquals(usual.root.blink.flink, usual.root.flink.flink) # that is None (root.flink = root.blink) self.assertIsNone(usual.root.blink.blink) self.assertIsNone(usual.root.flink.blink) # that is None per design UT self.assertIsNone(usual.root.blink.flink.flink) # python 2 struct Node results, validated = haystack.search.api.load_record(self.memory_handler, self.node, self.address2) node1s = haystack.output_to_python(self.memory_handler, [(results, validated)]) node1, validated = node1s[0] self.assertEquals(validated, True) self.assertEquals(node1.val1, 0xdeadbeef) self.assertEquals(node1.val2, 0xffffffff) results, validated = haystack.search.api.load_record(self.memory_handler, self.node, self.address3) node2s = haystack.output_to_python(self.memory_handler, [(results, validated)]) node2, validated = node2s[0] self.assertEquals(validated, True) self.assertEquals(node2.val1, 0xdeadbabe) self.assertEquals(node2.val2, 0xffffffff) self.assertIsNotNone(usual.root.flink) # FIXME this was assertNotEquals. Why would the python obj be equals now ? # but we have different instances/references between calls to # show_dumpname self.assertEquals(usual.root.flink, node1.list) self.assertEquals(usual.root.blink.flink, node2.list)