fix documentation + build

trolldbois · Nov 5, 2015 · a66ef2a · a66ef2a
1 parent cb75ee7
commit a66ef2a
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -125,7 +125,7 @@ the search dialog.
 python API example:
 ----------------------------------
 
-See the [quick usage guide](docs/docs/Haystack basic usage.ipynb)
+See the [quick usage guide](docs/Haystack basic usage.ipynb)
 
 
 How to define your own structures:
@@ -141,13 +141,13 @@ Heap analysis / forensics:
 ===================================================
 
 Quick info:
- The `haystack-reverse` tool parse the heap for allocator structures, pointers
+ - The `haystack-reverse` tool parse the heap for allocator structures, pointers
  values, small integers and text (ascii/utf).
  Given all the previous information, it can extract instances
  and helps you in classifying and defining structures types.
 
 IPython notebook usage guide:
- [Haystack-reverse CLI](docs/Haystack reverse CLI.ipynb) in the docs/ folder.
+ - [Haystack-reverse CLI](docs/Haystack reverse CLI.ipynb) in the docs/ folder.
 
 Command line example:
 --------------------

diff --git a/docs/Haystack basic usage.ipynb b/docs/Haystack basic usage.ipynb
@@ -589,11 +589,20 @@
     "    print \"@0x%x val1: 0x%x , val1b: 0x%x \"%(x[1], x[0].val1, x[0].val1b)"
    ]
   },
+  {
+   "cell_type": "markdown",
+   "metadata": {
+    "collapsed": false
+   },
+   "source": [
+    "The constraints did reduce the number of results, and haystack only returns allocated chunks of memory that match these constraints."
+   ]
+  },
   {
    "cell_type": "code",
    "execution_count": null,
    "metadata": {
-    "collapsed": false
+    "collapsed": true
    },
    "outputs": [],
    "source": []

diff --git a/docs/Haystack reverse CLI.ipynb b/docs/Haystack reverse CLI.ipynb
@@ -4,7 +4,13 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "# Usage reference guide for haystack-reverse"
+    "# Usage reference guide for haystack-reverse\n",
+    "\n",
+    "this is an example of every haystack-reverse commands.\n",
+    "\n",
+    "The zeus.vmem.856.dump is there https://dl.dropboxusercontent.com/u/10222931/HAYSTACK/zeus.vmem.856.dump.tgz\n",
+    "\n",
+    "It was extracted from pid 856 from the zeus.img image from http://malwarecookbook.googlecode.com/svn-history/r26/trunk/17/1/zeus.vmem.zip"
    ]
   },
   {
@@ -243,7 +249,7 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "Ah, that make sense.. It's a classic utf16 string.\n",
+    "Ah, that make sense.. It's a classic utf16 string. The whole allocated memory chunk is being used for a string.\n",
     "\n",
     "Lets look at the bytes behind the scene."
    ]
@@ -279,7 +285,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 8,
+   "execution_count": 2,
    "metadata": {
     "collapsed": false
    },
@@ -289,7 +295,8 @@
      "output_type": "stream",
      "text": [
       "WARNING:winheapwalker:Weird: len(free_chunks) != len(free_lists)\n",
-      "INFO:haystack-reverse:[+] Showing predecessors of record at: 0xc64e8\n"
+      "INFO:haystack-reverse:[+] Showing predecessors of record at: 0xc64e8\n",
+      "# [+] No parents records found.\n"
      ]
     }
    ],
@@ -306,7 +313,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 9,
+   "execution_count": 1,
    "metadata": {
     "collapsed": false
    },
@@ -316,7 +323,8 @@
      "output_type": "stream",
      "text": [
       "WARNING:winheapwalker:Weird: len(free_chunks) != len(free_lists)\n",
-      "INFO:haystack-reverse:[+] Showing predecessors of record at: 0xc32d98\n"
+      "INFO:haystack-reverse:[+] Showing predecessors of record at: 0xc32d98\n",
+      "# [+] No parents records found.\n"
      ]
     }
    ],

diff --git a/scripts/haystack-reverse b/scripts/haystack-reverse
@@ -124,9 +124,11 @@ def show_predecessor(opt):
 
     log.info('[+] Showing predecessors of record at: 0x%x', opt.address)
     records = api.get_record_predecessors(memory_handler, child_record)
-
-    for p_record in records:
-        print '#0x%x\n%s\n' % (p_record.address, p_record.to_string())
+    if len(records) == 0:
+        print '# [+] No parents records found.'
+    else:
+        for p_record in records:
+            print '#0x%x\n%s\n' % (p_record.address, p_record.to_string())
 
     # DEBUG pointer found by pontersearcher
     # print '---'

diff --git a/test/haystack/allocators/test_heapwalker.py b/test/haystack/allocators/test_heapwalker.py
@@ -44,7 +44,7 @@ def tearDownClass(cls):
 
     def test_make_heap_finder(self):
         libc_hf_64 = heapwalker.make_heap_finder(self.libc_mh_64)
-        self.assertEqual(libc_hf_64._memory_handler.get_name(), 'test/src/test-ctypes3.64.dump')
+        self.assertIn('test/src/test-ctypes3.64.dump', libc_hf_64._memory_handler.get_name(), )
         target = libc_hf_64._memory_handler.get_target_platform()
         self.assertEqual(target.get_os_name(), 'linux')
         self.assertEqual(target.get_cpu_bits(), 64)