def test_findbytes():
payload = b" " * 0x1000 + pad.null(
b"\xffoo\x00bar thisis0test\n hAAAA\xc3\xc0\xc2\xc4\n\n\x10\x2f\x1f\x1a\x1b\x1f\x1d\xbb\xcc\xdd\xff",
0x10000)
buf = procmem(payload, base=0x400000)
assert list(buf.findbytesv("c? c? c? 0A")) == [0x40101B]
assert list(buf.findbytesv(b"1f ?? ?b")) == [0x401022, 0x401025]
assert list(buf.findbytesv("?f ?? ?? 00")) == [0x401000, 0x40102A]
assert not list(buf.findbytesv(enhex(b"test hAAAA")))
assert list(buf.findbytesv(enhex(b"test\n hAAAA")))
assert list(buf.findbytesv(enhex(b"is"), length=0x100b)) == [0x40100a]
assert list(buf.findbytesv(enhex(b"is"),
length=0x100d)) == [0x40100a, 0x40100c]
assert list(buf.findbytesv(enhex(b"is"), addr=0x40100b,
length=0x100d)) == [0x40100c]
payload = b"".join(
[b"a" * 0x1000, b"b" * 0x1000, b"c" * 0x1000, b"d" * 0x1000])
regions = [
Region(0x400000, 0x1000, 0, 0, 0, 0),
Region(0x401000, 0x1000, 0, 0, 0, 0x1000),
Region(0x402000, 0x1000, 0, 0, 0, 0x2000),
Region(0x410000, 0x1000, 0, 0, 0, 0x3000),
]
p = procmem(payload, regions=regions)
assert next(p.findbytesv(enhex(b"dddd"))) == 0x410000
def test_findv():
payload = b"".join([
pad.null(
pad.null(b"a" * 0x200 + b"pattern", 0x500) + b"pattern2", 0x1000),
pad.null(
pad.null(b"b" * 0x200 + b"pattern", 0x500) + b"pattern2", 0x1000),
b"c" * 0x1000,
pad.null(
pad.null(b"d" * 0x200 + b"pattern", 0x500) + b"pattern2", 0x1000)
])
regions = [
Region(0x400000, 0x1000, 0, 0, 0, 0),
Region(0x401000, 0x1000, 0, 0, 0, 0x1000),
Region(0x402000, 0x1000, 0, 0, 0, 0x2000),
Region(0x410000, 0x1000, 0, 0, 0, 0x3000),
]
p = procmem(payload, regions=regions)
assert list(p.findv(b"pattern")) == [
0x400200, 0x400500, 0x401200, 0x401500, 0x410200, 0x410500
]
assert list(p.findv(b"pattern", 0x401100, 0x405)) == [0x401200]
assert list(p.findv(b"pattern", length=0x10300)) == [
0x400200, 0x400500, 0x401200, 0x401500, 0x410200
]
assert list(p.findv(b"pattern", 0x401508)) == [0x410200, 0x410500]
assert list(p.findv(b"pattern", 0x403508)) == [0x410200, 0x410500]
def test_cuckoomem_methods():
fd, filepath = tempfile.mkstemp()
os.write(fd, b"".join((
struct.pack("QIIII", 0x401000, 0x1000, 0, 0, PAGE_READWRITE),
pad.null(b"foo\x00bar thisis0test\n hAAAA\xc3", 0x1000),
)))
os.close(fd)
with cuckoomem.from_file(filepath) as buf:
assert buf.readv(0x401000, 0x1000).endswith(b"\x00"*0x100)
assert list(buf.regexv(b"thisis(.*)test", 0x401000)) == [0x401008]
assert list(buf.regexv(b" ", 0x401000)) == [0x401007, 0x401014]
assert list(buf.regexv(b" ", 0x401000, 0x10)) == [0x401007]
assert list(buf.regexv(b"test..h", 0x401000)) == [0x40100f]
assert buf.disasmv(0x401015, 6) == [
insn("push", 0x41414141, addr=0x401015),
insn("ret", addr=0x40101a),
]
def test_pad():
assert pad(b"hello!!1", 8) == b"hello!!1"
assert pad(b"hello", 8) == b"hello\x03\x03\x03"
assert pad.pkcs7(b"hello!", 8) == b"hello!\x02\x02"
assert pad.null(b"hi", 4) == b"hi\x00\x00"
assert pad.null(b"foo_bar!", 8) == b"foo_bar!"