Capture a process memory to file¶
First of all, be prepared to face a need for elevated privileges.
On Windows, the most straightforward is to get a Minidump. The Windows task manager
allows to capture a process memory to file. Alternatively the Microsoft Sysinternals
suite of tools provide either a CLI (procdump.exe) or a GUI (Process explorer).
Using one of these (with full memory dump option) you will produce a file
that can be used with the haystack-xxx
list of entry points using the dmp://
file prefix.
While technically you could use many third party tool, Haystack actually
need memory mapping information to work with the raw memory data.
In nothing else, there is a dumping tool included in the pytahon-haystack package that
leverage python-ptrace to capture a process memory. See the haystack-live-dump
tool:
# haystack-live-dump <pid> myproc.dump
For live processes¶
haystack-live-dump
capture a process memory dump to a folder (haystack format)
For a Rekall memory dump¶
haystack-rekall-dump
dump a specific process to a haystack process dump
For a Volatility memory dump¶
haystack-volatility-dump
dump a specific process to a haystack process dump
Interesting note for Linux users, dumping a process memory for the same user can be done if you downgrade the “security” of your system by allowing cross process ptrace access:
$ sudo sysctl kernel.yama.ptrace_scope=0
Interesting note for Windows users, most processes memory can be dumped to a Minidump format using the task manager. (NB: I don’t remember is the process memory mapping are included then)
Making your own memory mappings handler¶
If you have a different technique to access a process memory, you can implement the
haystack.abc.interfaces.IMemoryLoader
and haystack.abc.interfaces.IMemoryMapping
interface for
your favorite technique.
Check out the Frida plugin
for example.
Alternatively, if you can copy the process’ memory mappings to file, you can “interface” with the basic, simple, haystack memory dump file format by doing the following: The basic format is a folder containing each memory mapping in a separate file :
- memory content in a file named after it’s start/end addresses ( ex: 0x000700000-0x000800000 )
- a file named ‘mappings’ containing memory mappings metadata. ( ex: mappings )
-
class
haystack.abc.interfaces.
IMemoryLoader
[source]¶ Parse a process memory _memory_handler from a storage concept, then identify its ITargetPlatform characteristics and produce an IMemoryHandler for this process memory dump
-
class
haystack.abc.interfaces.
IMemoryMapping
[source]¶ Interface for a memory mapping. A IMemoryMapping should hold one of a process memory _memory_handler and its start and stop addresses.
-
read_array
(address, basetype, count)[source]¶ Reads the memory content at address <address> and returns an typed array.
Parameters: - address – long the virtual address.
- basetype – a ctypes class.
- count – long the size of the array.
Returns: the memory content at address, in an array form
Return type: (basetype*count) ctypes class
-
read_bytes
(address, size)[source]¶ Reads the memory content at address <address> and returns an array of bytes in a str.
Parameters: - address – long the virtual address.
- size – long the size of the array.
Returns: the memory content at address, in an bytes string
Return type: str
-
read_cstring
(address, max_size, chunk_length=256)[source]¶ Reads the memory content at address <address> and returns a python representation of the NULL terminated string.
Parameters: - address – long the virtual address.
- max_size – long the maximum size of the string.
- chunk_length – (optional) long the number of bytes read at each buffer read.
Returns: the memory content at address, in an bytes string
Return type: str
-
read_struct
(address, struct)[source]¶ Reads the memory content at address <address> and returns an ctypes record instance.
Parameters: - address – long the virtual address.
- struct – a ctypes class.
Returns: the memory content at address, in an ctypes record form
Return type: (struct) ctypes class
-
read_word
(address)[source]¶ Reads the memory content at address <address> and returns an word worth of it. Usually 4 or 8 bytes.
Parameters: address – long the virtual address. Returns: the memory content at address, in an bytes string Return type: str
-
search
(bytestr)[source]¶ Search the memory for this particular sequence of bytes and iterates over the starting address of the results.
Parameters: bytestr – bytes str, the sequence of bytes to look for. Returns: (iterator) long, the list of virtual address matching the byte pattern Return type: iterator, long, the starting virtual address of the match
-