heimdall.os_related.base_os package

Submodules

heimdall.os_related.base_os.kernel_struct module

class heimdall.os_related.base_os.kernel_struct.KernelStruct(ks: Symbol)

Bases: object

Represents a kernel structure in memory.

Warning

The ks parameter represents the real kernel structure in memory. Accessing or modifying it directly, such as by setting ks.p_pid[0] = 9999 (assuming ks is of type proc*), will override the real PID in the virtual machine and can cause crashes. Use it only if you know what you’re doing.

Parameters:

ks (Symbol) – The symbol representing the kernel structure.

__init__(ks: Symbol) → None

ks: Symbol

heimdall.os_related.base_os.processes module

class heimdall.os_related.base_os.processes.Process(ks: Any, ctx: Context)

Bases: KernelStruct

Abstract base class representing a process.

This class provides an interface for interacting with processes, including methods to access process attributes and perform memory operations. Subclasses should implement the abstract methods to provide platform-specific functionality.

Notes

This is an interface class and should be subclassed. Subclasses must implement the abstract properties pid, name, and path.

Examples

Subclassing the Process class:

>>> class MyProcess(Process):
...     @cached_property
...     def pid(self) -> int:
...         # Implement get process pid
...
...     @cached_property
...     def name(self) -> str:
...         # Implement get process name
...
...     @cached_property
...     def path(self) -> str:
...         # Implement get process path

__init__(ks: Any, ctx: Context) → None

Initialize the Process.

Parameters:

• ks (KernelStruct) – The kernel structure representing the process.

• ctx (Context) – The context associated with the process.

disass(address: int, size: int = 40) → list[CsInsn]

Disassemble a number of bytes starting from a specified address.

Parameters:

• address (int) – The memory address to start disassembling from.

• size (int, optional) – The number of bytes to disassemble (default is 40).

Returns:

A list of disassembled instructions.

Return type:

list of CsInsn

file_symbol(address: int, descriptor: Any | None = None) → Symbol

Retrieve a file symbol at a specified address.

Parameters:

• address (int) – The memory address of the file symbol.

• descriptor (Optional[Any], optional) – Additional descriptor information for the file symbol (default is None).

Returns:

The file symbol at the specified address.

Return type:

Symbol

property name: str

Abstract property to return the process name.

property path: str

Abstract property to return the process path.

peek(address: int, size: int) → bytes

Peek into memory at a specified address and retrieve a specified number of bytes.

Parameters:

• address (int) – The memory address to peek at.

• size (int) – The number of bytes to read from the specified address.

Returns:

The bytes read from memory.

Return type:

bytes

peek_str(address: int) → str

Peek into memory at a specified address and retrieve a string.

Parameters:

address (int) – The memory address to peek at.

Returns:

The string read from memory.

Return type:

str

peek_ustr(address: int) → str

Peek into memory at a specified address and retrieve a Unicode string.

Parameters:

address (int) – The memory address to peek at.

Returns:

The Unicode string read from memory.

Return type:

str

property pid: int

Abstract property to return the process ID.

poke(address: int, data: bytes) → None

Write data to memory at a specified address.

Parameters:

• address (int) – The memory address to write to.

• data (bytes) – The data to write to the specified address.

slide() → int

Return the ASLR (Address Space Layout Randomization) value.

Returns:

The ASLR slide value.

Return type:

int

symbol(address: int, descriptor: Any | None = None) → Symbol

Retrieve a symbol at a specified address.

Parameters:

• address (int) – The memory address of the symbol.

• descriptor (Optional[Any], optional) – Additional descriptor information for the symbol (default is None).

Returns:

The symbol at the specified address.

Return type:

Symbol

class heimdall.os_related.base_os.processes.Processes(hc: HeimdallClient)

Bases: ABC

Abstract base class for managing processes.

This class provides an interface for listing processes and retrieving processes by name or PID. Subclasses should implement the abstract methods to provide platform-specific functionality.

Examples

Subclassing the Processes class:

>>> class MyProcesses(Processes):
...     def list(self) -> list[Process]:
...         # Implement process listing
...         pass
...
...     def get_by_name(self, name: str) -> Optional[Process]:
...         # Implement retrieval by name
...         pass
...
...     def get_by_pid(self, pid: int) -> Optional[Process]:
...         # Implement retrieval by PID
...         pass

__init__(hc: HeimdallClient) → None

Initialize the Processes manager.

Parameters:

hc (HeimdallClient) – The Heimdall client used for interacting with the system.

get_by_name(process_name: str) → Process | None

Get a process by name.

Parameters:

process_name (str) – The name of the process to retrieve.

Returns:

The process with the specified name, or None if not found.

Return type:

Optional[Process]

get_by_pid(process_id: int) → Process | None

Get a process by PID.

Parameters:

process_id (int) – The PID of the process to retrieve.

Returns:

The process with the specified PID, or None if not found.

Return type:

Optional[Process]

abstract list() → list[Process]

List all processes.

Returns:

A list of all processes.

Return type:

list of Process

Module contents