5i-ddlZddlZddlTddlmZGddZGddZGd d ZGd d ZdS) N)*)PROCESSOR_ARCHITECTUREceZdZdZdZdS)VirtualSegmentc>||_||_||_d|_dSN)startendstart_file_addressdata)selfr r r s M/home/kali/Ninja/venv/lib/python3.11/site-packages/minidump/minidumpreader.py__init__zVirtualSegment.__init__ s%$* $(.$$)))c.|j|ko ||jkSr )r r )rr r s rinrangezVirtualSegment.inranges u  /tx/rN)__name__ __module__ __qualname__rrrrrr s200000rrc.eZdZddZdZdZdZdZdS) MinidumpBufferedMemorySegment(c|j|_|j|_|j|jz |_|j|_||_g|_dSr )start_virtual_address start_addressend_virtual_address end_address total_sizer chunksizechunks)rmemory_segment file_handler!s rrz&MinidumpBufferedMemorySegment.__init__sG%;$#7$"69]]$/*=$$.$+++rc6|j|cxko |jkncSr )rrrpositions rrz%MinidumpBufferedMemorySegment.inrange!s* x : : : :$*: : : : ::rcD||sdS|j|z Sr )rrr&s r remaining_lenz+MinidumpBufferedMemorySegment.remaining_len$s) h   $ H $$rc\||dd}|||S)Nr)readfind)rr$patternstartposr s rr-z"MinidumpBufferedMemorySegment.find)s+ ;2 & &$ 7H % %%rc|B||j|z||j|j|zz S|jD]9}|||r!|j||jz ||jz cS:|jd|j zkr|j}td||j}||j|||_|j ||j||jz ||jz St||z |j }||z|jkr |j|z }t|||z|j|z}||j|||_|j ||j||jz ||jz S)Nr) seekr r,rr"rr r r r!rappendmax)rr$r r chunkr!vss rr,z"MinidumpBufferedMemorySegment.read-s[D+e3444   4+t/F/NO P PP{>>e mmE3> :eek)3+<< ====> _$.(((9q)T%<==2D+,,,   i ( (27;b '%"("C"(N2 333u9t~..) Y)))%'9eU9_d.E.MNN" 2()))   Y ' '"'+R !3>1 22rNr)rrrrrr)r-r,rrrrrsd;;;%%% &&&33333rrceZdZddZdZdZddZdZdd Zd Z d Z dd Z dZ dZ dZdZdZdZdZdZddZdS)MinidumpBufferedReaderrcL||_||_g|_d|_d|_dSr )readersegment_chunk_sizememory_segmentscurrent_segmentcurrent_position)rr;r<s rrzMinidumpBufferedReader.__init__Ls/$+.$$$$rcf|jD](}||r||_||_dS)|jjD]c}||rLt ||jj|j}|j|||_||_dSdtd|z)z N)r!z4Memory address 0x%08x is not in process memory space) r=rr>r?r;rr$r<r3 Exception)rrequested_positionr# newsegments r_select_segmentz&MinidumpBufferedReader._select_segmentTs ,  n/00 )D.D FF  3  n/00 .~t{?VbfbyzzzJ +++%D.D FF   HK]]^^^rc|jSr )r;rs r get_readerz!MinidumpBufferedReader.get_readerjs rrc|dkr|jj|z}n6|dkr |j|z}n%|dkr|jj|z }nt d|j|st d||_dS)aD Changes the current address to an offset of offset. The whence parameter controls from which position should we count the offsets. 0: beginning of the current memory segment 1: from current position 2: from the end of the current memory segment If you wish to move out from the segment, use the 'move' function rrr1z.Seek function whence value must be between 0-2z5Seek would cross memory segment boundaries (use move)N)r>rr?rrAr)roffsetwhencets rr2zMinidumpBufferedReader.seekms q[[ )F211 {{ v%11 {{ '&011 C D DD  % %a ( (L J K KK$&rc0||dS)z@ Moves the buffer to a virtual address specified by address N)rD)raddresss rmovezMinidumpBufferedReader.movesw&rNc|$|jjjtjkrd}nd}|j|z}|dkrdS||z |z}||ddS)zD Repositions the current reader to match architecture alignment Nrr)r;sysinfoProcessorArchitecturerAMD64r?r2)r alignmentrIoffset_to_aligneds ralignzMinidumpBufferedReader.alignsr k/3I3OOOIII  9 ,& q[[ 6 6)Y6)) q!!!&rc|jS)z) Returns the current virtual address )r?rFs rtellzMinidumpBufferedReader.tells   rc|j|z}|j|dz std|j|jj|j|jjz ||jjz S)z@ Returns up to length bytes from the current memory segment r#Would read over segment boundaries!)r?r>rrAr,r;r$r)rlengthrKs rpeekzMinidumpBufferedReader.peeks f$!  % %a!e , ,: 8 9 99  " "4;#:Dr)r?rr,r;r$rr)rsizerK old_new_poss rr,zMinidumpBufferedReader.reads# BYY / 0 00 RZZ ))$*?@@1  4&;/;4   # #DK$;[4K_Km=mos t tt d"!  % %a!e , ,: 8 9 99%+$  " "4;#:K$J^Jlr-r;r$r?)rr.poss rr-zMinidumpBufferedReader.finds= !!$+"97CC#BYY " t$ $$rcg}d} |j|jj||dz}|dkrn#|||jjzS|S)zp Searches for all occurrences of a pattern in the current memory segment, returns all occurrences as a list r+Tr)r>r-r;r$r3r)rr.rm last_founds rfind_allzMinidumpBufferedReader.find_allsn #*?$))$+*A7JYZN[[:B ::j4/==>>> ? *rcp|j|}t|dkrdS|dS)zx Searches for the pattern in the whole process memory space and returns the first occurrence. This is exhaustive! rr+)r;searchlen)rr.pos_ss r find_globalz"MinidumpBufferedReader.find_globals6 +  W % %%ZZ1__ " q/rc6|j|S)z Searches for the pattern in the whole process memory space and returns a list of addresses where the pattern begins. This is exhaustive! )r;rr)rr.s rfind_all_globalz&MinidumpBufferedReader.find_all_globals   G $ $$rcT|||Sr )rNrk)rrms rget_ptrzMinidumpBufferedReader.get_ptrs!))C...   rc,|jjjtjkrM||t |ddd}|dz|zS||| S)NrQrbTrc) r;rRrSrrTrNrgrhr,rk)rrmptrs rget_ptr_with_offsetz*MinidumpBufferedReader.get_ptr_with_offsetsv [.2H2NNN99S>>>  ! (T J J3 'C-99S>>> ..  rFcN|j|||||j}|S)N) find_first reverse_orderr!)r; search_moduler<)r module_namer.r~rrKs rfind_in_modulez%MinidumpBufferedReader.find_in_modules6 k W:_lz~{RSS! (rr7)rr )r+)FF)rrrrrDrGr2rNrWrYr]r,rirkr-rprurwryr|rrrrr9r9KsK___,    .        aaaVVVV. L L L M M M%%%       %%%       rr9cJeZdZdZdZdZd dZdZdZdd Z dd Z d Z d S)MinidumpFileReaderc>|jj|_g|_|j|jj|_|j|_|jr|jj|_d|_n|jj|_d|_|j|_|j|_d|_d|_ |jj tj tj fvrd|_d|_dS|jj tjtjfvrd|_d|_dSt%d|jj z)NTFrQz->-@-@AARGG JJJH rc|jD]6}tj|j|dkr|cS7dSr)rrrrr-rs rget_unloaded_by_namez'MinidumpFileReader.get_unloaded_by_nameCsL  "c och$$[11R77 JJJ8 rFcT||}|)||}|td|zg}|jD]]}|j|jcxkr |jkr?n!||||j||z }t|dkr|dur|cS^|S)NzCould not find module! %sr~r!rT) rrrAr= baseaddressr endaddressrrr$rs) rrr.r~rr!rneedlesmss rrz MinidumpFileReader.search_moduleIs  ,,#[ " "; / /3 k /+= > >> '  b o1BBBBCNBBBBB bii!1 XaibbbG 7||aJ$.. ^^^ .rc`g}|jD]#}||||j||z }$|S)Nr)r=rrr$)rr.r~r!rKrs rrrzMinidumpFileReader.searchZsD!  \\bryy$*QZy[[[11 (rc|jD]5}||r||||jcS6t dt |z)NzAddress not in memory range! %s)r=rr,r$rAhex)r virt_addrr_segments rr,zMinidumpFileReader.readasf%;;g ooi  ; << 4)9 : ::::;3c)nnDEEErNr7)FFr)Fr) rrrrrrrrrrrrr,rrrrrsxxx@OOOO  "    FFFFFrr) structrcommon_structsstreams.SystemInfoStreamrrrr9rrrrrs  <<<<<< 0 0 0 0 0 0 0 0/3/3/3/3/3/3/3/3fF F F F F F F F PRFRFRFRFRFRFRFRFRFRFr