And there actually is a LFH in Windows XP. Just not in the symbols. w…

…hat-a-pity. using win7 symbols works.
trolldbois · Jan 9, 2016 · ee12786 · ee12786
1 parent 7d1bd07
commit ee12786
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 3 deletions.
diff --git a/haystack/allocators/win32/winheap.py b/haystack/allocators/win32/winheap.py
@@ -256,8 +256,14 @@ def get_lfh_chunks(self, record):
         Windows XP and Windows Server 2003 introduce the low-fragmentation heap (LFH).
         Win 7 is LFH only, no LAL.
         """
-        # TODO: move LFH back here.
-        raise NotImplementedError
+        # FIXME: move LFH back here.
+        # yes winxp can have a LFH heap, if requested by the app.
+        # https://support.microsoft.com/en-us/kb/929136
+        # but we dont have the symbols in WinXP PDBs....
+        # using the win7 types works pretty good though.
+        log.error('LFH not implemented for this OS')
+        return set(), set()
+
 
     def get_frontend_chunks(self, heap):
         """

diff --git a/haystack/mappings/minidump.py b/haystack/mappings/minidump.py
@@ -1009,6 +1009,9 @@ def _init_mappings(self, construct_data):
                     map_offset += prev_size
                     start = range.StartOfMemoryRange
                     size = range.DataSize
+                    if map_offset+size > fsize:
+                        log.error('BAD FILE: reducing mapping 0x%x-0x%x size 0x%x -> 0x%x bytes', start, start+size, size, fsize - map_offset)
+                        size = fsize - map_offset
                     end = start + size
                     log.debug("0x%x-0x%x size:0x%x offset_in_file:0x%x", start, start+size, size, map_offset)
                     ## BUG FIXME, offset reading ???

diff --git a/scripts/haystack-find-heap.py b/scripts/haystack-find-heap.py
@@ -89,7 +89,32 @@ def one_heap(opts, finder):
         print out.parse(ctypes_heap, depth=2)
         print 'Valid =', valid
     if opts.frontend:
-        # TODO
+        heap_addr = ctypes_heap._orig_address_
+        heap_m = memory_handler.get_mapping_for_address(heap_addr)
+        heap_m.mark_as_heap(heap_addr)
+        walker = finder.get_heap_walker(heap_m)
+        win_heap = walker._heap_module
+        _utils = memory_handler.get_ctypes_utils()
+        if ctypes_heap.FrontEndHeapType == 0:
+            log.error('BACKEND HEAP Type')
+        elif ctypes_heap.FrontEndHeapType == 1:
+            lal_start_addr = _utils.get_pointee_address(ctypes_heap.FrontEndHeap)
+            m = memory_handler.is_valid_address(lal_start_addr, win_heap.HEAP_LOOKASIDE * 128)
+            if not m:
+                log.error('HEAP.FrontEndHeap has a bad address %x', lal_start_addr)
+                return set()
+            lal_list = m.read_struct(lal_start_addr, win_heap.HEAP_LOOKASIDE * 128)
+            for i, st in enumerate(lal_list):
+                out.parse(st, depth=2)
+        elif ctypes_heap.FrontEndHeapType == 2 and memory_handler.get_target_platform().get_os_name() != 'winxp':
+            lfh_start_addr = _utils.get_pointee_address(ctypes_heap.FrontEndHeap)
+            m = memory_handler.is_valid_address(lfh_start_addr, win_heap.LFH_HEAP)
+            if not m:
+                log.error('HEAP.FrontEndHeap has a bad address %x', lfh_start_addr)
+                return set()
+            lfh_heap = m.read_struct(lfh_start_addr, win_heap.LFH_HEAP)
+            out.parse(lfh_heap, depth=2)
+
         pass
     # fake it
     m = memory_handler.get_mapping_for_address(address)