trolldbois / python-haystack

Process heap analysis framework - Windows/Linux - record type inference and forensics
http://trolldbois.blogspot.com/search?q=python-haystack
GNU General Public License v3.0

haystack-live-search throws "ValueError: 0xfffff900c0580000/0xfffff900c38f0d60 is not a valid vaddr for me" #31

Closed rchateauneu closed 8 years ago

rchateauneu commented 8 years ago

C:\Users\rchateau\Developpement\ReverseEngineeringApps\Haystack_Tests>set PYTHONPATH=C:\Users\rchateau\Developpement\ReverseEngineeringApps\Haystack_Tests

```
C:\Users\rchateau\Developpement\ReverseEngineeringApps\Haystack_Tests>haystack-live-search --constraints_file StructDict64.constraints 1868 StructDict64_ctypes.struct_time_t
INFO:gbd:MemoryHandler mmaped, process released after 6.84 secs
Traceback (most recent call last):
  File "C:\Python27\Scripts\haystack-live-search-script.py", line 9, in <module>
    load_entry_point('haystack==0.34', 'console_scripts', 'haystack-live-search')()
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\cli.py", line 431, in live_search
    opts.func(opts)
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\cli.py", line 115, in search_cmdline
    results = api.search_record(memory_handler, record_type, my_constraints, extended_search=args.extended)
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\search\api.py", line 38, in search_record
    my_searcher = searcher.RecordSearcher(memory_handler, search_constraints)
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\search\searcher.py", line 38, in __init__
    target_walkers = memory_handler.get_heap_finder().list_heap_walkers()
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\allocators\win32\winheapwalker.py", line 418, in list_heap_walkers
    walker = self._find_heap(mapping)
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\allocators\win32\winheapwalker.py", line 302, in _find_heap
    elif self.__is_kernel_heap(mapping, addr, bits):
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\allocators\win32\winheapwalker.py", line 364, in __is_kernel_heap
    heap = mapping.read_struct(start, heap_module.HEAP)
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\mappings\process.py", line 87, in read_struct
    _struct = self._base.read_struct(address, _struct)
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\mappings\file.py", line 107, in read_struct
    laddr = self._vtop(vaddr)
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\mappings\file.py", line 81, in _vtop
    raise ValueError('0x%0.8x/0x%0.8x is not a valid vaddr for me' % (vaddr, ret))
ValueError: 0xfffff900c0580000/0xfffff900c37eecf0 is not a valid vaddr for me
```

rchateauneu commented 8 years ago

ctypes definitions in StructDict64_ctypes.py:

```python
import ctypes

class struct_time_t(ctypes.Structure):
    _pack_ = True  # source:False
    _fields_ = [
        ('tm_sec', ctypes.c_int32),    # 0..61
        ('tm_min', ctypes.c_int32),    # 0..59
        ('tm_hour', ctypes.c_int32),   # 0..23
        ('tm_mday', ctypes.c_int32),   # 1..31
        ('tm_mon', ctypes.c_int32),    # 0..11
        ('tm_year', ctypes.c_int32),   # since 1900
        ('tm_wday', ctypes.c_int32),   # 0..6
        ('tm_yday', ctypes.c_int32),   # 0..365
        ('tm_isdst', ctypes.c_int32),
    ]
```

Constraints in StructDict64.constraints:

```ini
[struct_time_t]
tm_sec: RangeValue(1,61)
tm_min: RangeValue(0,59)
tm_hour: RangeValue(0,23)
tm_mday: RangeValue(0,31)
tm_mon: RangeValue(0,11)
tm_year: RangeValue(0,1000)
tm_wday: RangeValue(0,6)
tm_yday: RangeValue(0,365)
tm_isdst: IgnoreMember
```
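As an added illustration (not haystack's own code), the following re-implements in miniature what the search requested above does: it parses the posted StructDict64.constraints text, then probes a constructed byte buffer at 4-byte alignment for struct_time_t records whose members satisfy every RangeValue rule, skipping IgnoreMember fields. The configparser-based parsing, the scan routine and the sample buffer are assumptions of this example, not haystack internals.

```python
import ctypes
import configparser
import re
# Same layout as the StructDict64_ctypes.struct_time_t posted above.
class struct_time_t(ctypes.Structure):
    _pack_ = 1
    _fields_ = [(n, ctypes.c_int32) for n in (
        "tm_sec", "tm_min", "tm_hour", "tm_mday", "tm_mon",
        "tm_year", "tm_wday", "tm_yday", "tm_isdst")]

# Constructed copy of the StructDict64.constraints text from the post.
CONSTRAINTS_TEXT = """
[struct_time_t]
tm_sec: RangeValue(1,61)
tm_min: RangeValue(0,59)
tm_hour: RangeValue(0,23)
tm_mday: RangeValue(0,31)
tm_mon: RangeValue(0,11)
tm_year: RangeValue(0,1000)
tm_wday: RangeValue(0,6)
tm_yday: RangeValue(0,365)
tm_isdst: IgnoreMember
"""

def parse_constraints(text, record_name):
    """Map each member of [record_name] to (lo, hi), or None for IgnoreMember (hypothetical parser)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    rules = {}
    for field, spec in cfg.items(record_name):
        m = re.fullmatch(r"RangeValue\((-?\d+),(-?\d+)\)", spec.strip())
        rules[field] = (int(m.group(1)), int(m.group(2))) if m else None
    return rules

def matches(rec, rules):
    """True when every constrained member of the record lies inside its range."""
    return all(b[0] <= getattr(rec, f) <= b[1] for f, b in rules.items() if b)

def scan(buf, rules, record=struct_time_t, align=4):
    """Offsets in buf where a record satisfying the rules could start (aligned probe)."""
    size = ctypes.sizeof(record)
    return [off for off in range(0, len(buf) - size + 1, align)
            if matches(record.from_buffer_copy(buf, off), rules)]

def build_sample():
    """Constructed memory: 8 filler bytes, a plausible record, then one with tm_year=2016."""
    good = struct_time_t(30, 5, 12, 13, 2, 116, 0, 72, -1)
    bad = struct_time_t(30, 5, 12, 13, 2, 2016, 0, 72, 0)
    return b"\xff" * 8 + bytes(good) + bytes(bad)
```

Only the record at offset 8 survives: the second candidate fails the tm_year range, and every misaligned overlap fails on tm_sec or a later member.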

trolldbois commented 8 years ago

Can you use the --debug command line flag, and send me the log file produced by the CLI?

rchateauneu commented 8 years ago

Yakad'manday !

```
C:\Users\rchateau\Developpement\ReverseEngineeringApps\Haystack_Tests>haystack-live-search --constraints_file StructDict64.constraints --debug 1868 StructDict64_ctypes.struct_time_t
[+] **\ COMPLETE debug log to log
Traceback (most recent call last):
  File "C:\Python27\Scripts\haystack-live-search-script.py", line 9, in <module>
    load_entry_point('haystack==0.34', 'console_scripts', 'haystack-live-search')()
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\cli.py", line 431, in live_search
    opts.func(opts)
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\cli.py", line 115, in search_cmdline
    results = api.search_record(memory_handler, record_type, my_constraints, extended_search=args.extended)
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\search\api.py", line 38, in search_record
    my_searcher = searcher.RecordSearcher(memory_handler, search_constraints)
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\search\searcher.py", line 38, in __init__
    target_walkers = memory_handler.get_heap_finder().list_heap_walkers()
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\allocators\win32\winheapwalker.py", line 418, in list_heap_walkers
    walker = self._find_heap(mapping)
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\allocators\win32\winheapwalker.py", line 302, in _find_heap
    elif self.__is_kernel_heap(mapping, addr, bits):
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\allocators\win32\winheapwalker.py", line 364, in __is_kernel_heap
    heap = mapping.read_struct(start, heap_module.HEAP)
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\mappings\process.py", line 87, in read_struct
    _struct = self._base.read_struct(address, _struct)
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\mappings\file.py", line 107, in read_struct
    laddr = self._vtop(vaddr)
  File "C:\Python27\lib\site-packages\haystack-0.34-py2.7.egg\haystack\mappings\file.py", line 81, in _vtop
    raise ValueError('0x%0.8x/0x%0.8x is not a valid vaddr for me' % (vaddr, ret))
ValueError: 0xfffff900c0580000/0xfffff900c38155f0 is not a valid vaddr for me
```

trolldbois commented 8 years ago

Can you share the "log" file that was produced by the --debug option? (Google Drive) Thanks

rchateauneu commented 8 years ago

You might have received a Google Drive invitation. The compressed file is RangeValue.7z.

trolldbois commented 8 years ago

I found the bug. Working on it

trolldbois commented 8 years ago

Fixed in v0.35