Usage

First you need to install python-haystack. Please refer to the Installation section of the documentation.

Then you need a process memory dump. Please refer to the Capture a process memory to file section of the documentation. We will name the process memory dump memory.dmp for the rest of this documentation.

Command line usage

A few entry points exist, each for a different purpose:

  • haystack-find-heap shows details of Windows HEAP structures.
  • haystack-search searches the memory for instances of a given type.
  • haystack-show shows the formatted values of a type instance at a specific memory address.

You can use one of the following URLs to designate your memory handler or dump:

  • dir:///path/to/my/haystack/dump/folder to use the haystack dump format
  • dmp:///path/to/my/minidump/file to use the (Microsoft) minidump format
  • frida://name_or_pid_of_process_to_attach_to to use frida to access a live process memory
  • live://name_or_pid_of_process_to_attach_to to ptrace a live process
  • rekall:// to load a Rekall image
  • volatility:// to load a Volatility image

API usage

haystack.search.api.load_record(memory_handler, struct_type, memory_address, load_constraints=None)

Load a record from a specific address in memory. You can use this function to monitor a specific record in memory after a refresh.

Parameters:
  • memory_handler – IMemoryHandler
  • struct_type – a ctypes.Structure or ctypes.Union
  • memory_address – long
  • load_constraints – IModuleConstraints to be considered during loading
Returns:

(ctypes record instance, validated_boolean)

haystack.search.api.output_to_json(memory_handler, results)

Transform ctypes results into JSON format.

Parameters:
  • memory_handler – IMemoryHandler
  • results – results from search_record
Returns:

haystack.search.api.output_to_pickle(memory_handler, results)

Transform ctypes results in a pickled format. To load the pickled objects, you need to have haystack in your path.

Parameters:
  • memory_handler – IMemoryHandler
  • results – results from search_record
Returns:

haystack.search.api.output_to_python(memory_handler, results)

Transform ctypes results into a plain (non-ctypes) Python object format.

Parameters:
  • memory_handler – IMemoryHandler
  • results – results from search_record
Returns:

haystack.search.api.output_to_string(memory_handler, results)

Transform ctypes results into a string format.

Parameters:
  • memory_handler – IMemoryHandler
  • results – results from search_record
Returns:

haystack.search.api.search_record(memory_handler, record_type, search_constraints=None, extended_search=False)

Search a record in the memory dump of a process represented by memory_handler.

The record type must have been imported using haystack functions.

If constraints exist, they are considered during the search.

Parameters:
  • memory_handler – IMemoryHandler
  • record_type – a ctypes.Structure or ctypes.Union from a module imported by haystack
  • search_constraints – IModuleConstraints to be considered during the search
  • extended_search – boolean; the default (False) searches allocated chunks only

Returns: a list of (ctypes record, memory offset) tuples

haystack.search.api.search_record_hint(memory_handler, record_type, hint, search_constraints=None, extended_search=False)

Search a record in the memory dump of a process, but only on the memory page containing the hinted address.

The record type must have been imported using haystack functions.

If constraints exist, they are considered during the search.

Parameters:
  • memory_handler – IMemoryHandler
  • record_type – a ctypes.Structure or ctypes.Union from a module imported by haystack
  • hint – the hinted memory address; only the memory page containing it is searched
  • search_constraints – IModuleConstraints to be considered during the search
  • extended_search – boolean; the default (False) searches allocated chunks only

Returns: a list of (ctypes record, memory offset) tuples

haystack.search.api.validate_record(memory_handler, instance, record_constraints=None, max_depth=10)

Validate a loaded record against constraints.

Parameters:
  • memory_handler – IMemoryHandler
  • instance – a ctypes record
  • record_constraints – IModuleConstraints to be considered during validation
Returns:
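The search, load and validate flow described above, as an added stand-alone illustration that is not python-haystack's own code: a constructed 64-byte "dump", a toy ctypes record type, and simplified stand-ins for search_record, load_record and validate_record that mirror their return shapes (a list of (record, offset) tuples, and a (record, validated) pair). The Session type, MAGIC, DUMP_BASE and the constraint rules are assumptions made for this example.

```python
import ctypes

MAGIC = 0xCAFEBABE       # assumed signature field value for a valid record
DUMP_BASE = 0x10000      # assumed virtual address of offset 0 of the dump


class Session(ctypes.Structure):
    """Toy record type standing in for a type imported via haystack."""
    _fields_ = [("magic", ctypes.c_uint32),
                ("uid", ctypes.c_uint32),
                ("next", ctypes.c_uint64)]   # pointer-sized link to another Session


def build_dump():
    """Constructed dump: two valid records plus a decoy with an out-of-range uid."""
    dump = bytearray(64)
    dump[8:24] = bytes(Session(MAGIC, 1000, DUMP_BASE + 32))   # valid, next -> record at 32
    dump[32:48] = bytes(Session(MAGIC, 7, 0))                   # valid, null next
    dump[48:64] = bytes(Session(MAGIC, 0xFFFFFFFF, 0))          # decoy: uid too large
    return bytes(dump)


def validate_record(dump, inst, base=DUMP_BASE):
    """Constraints in the spirit of IModuleConstraints: field ranges plus pointer sanity."""
    if inst.magic != MAGIC or inst.uid >= 65536:
        return False
    if inst.next == 0:
        return True
    # a non-null pointer must land on a full record inside the dump
    off = inst.next - base
    return 0 <= off and off + ctypes.sizeof(Session) <= len(dump)


def load_record(dump, record_type, address, base=DUMP_BASE):
    """Like load_record(): build the record at one address, return (instance, validated)."""
    off = address - base
    if off < 0 or off + ctypes.sizeof(record_type) > len(dump):
        raise ValueError("address outside the dump")
    inst = record_type.from_buffer_copy(dump, off)
    return inst, validate_record(dump, inst, base)


def search_record(dump, record_type, base=DUMP_BASE, alignment=4):
    """Like search_record(): scan aligned offsets, keep instances that pass validation."""
    hits = []
    for off in range(0, len(dump) - ctypes.sizeof(record_type) + 1, alignment):
        inst = record_type.from_buffer_copy(dump, off)
        if validate_record(dump, inst, base):
            hits.append((inst, off))
    return hits


def to_python(inst):
    """Plain-dict view of a record, in the spirit of output_to_python()."""
    return {name: getattr(inst, name) for name, _ in inst._fields_}
```

Running search_record(build_dump(), Session) finds the records at offsets 8 and 32 and rejects the decoy at 48, the same filtering that constraints perform in a real haystack search.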