trolldbois / python-haystack

Process heap analysis framework - Windows/Linux - record type inference and forensics
http://trolldbois.blogspot.com/search?q=python-haystack
GNU General Public License v3.0

Windows: make a standalone exe process dumper #23

Closed trolldbois closed 8 years ago

trolldbois commented 8 years ago

It will be easier than git clone, pip -r requirements, and d/l plenty of requires for no reason.

trolldbois commented 8 years ago

winappdbg is a win32 requirement for the ptrace functionality.

trolldbois commented 8 years ago

```
Traceback (most recent call last):
  File "scripts\haystack-dump", line 18, in <module>
    memory_dumper.main(sys.argv[1:])
  File "C:\haystack\memory_dumper.py", line 221, in main
    opts.func(opts)
  File "C:\haystack\memory_dumper.py", line 198, in _dump
    return dump(opt.pid, opt.dumpname, opt.type)
  File "C:\haystack\memory_dumper.py", line 192, in dump
    destname = dumper.dump()
  File "C:\haystack\memory_dumper.py", line 69, in dump
    self._dump_to_dir()
  File "C:\haystack\memory_dumper.py", line 81, in _dump_to_dir
    self._dump_all_mappings(self._dest)
  File "C:\haystack\memory_dumper.py", line 127, in _dump_all_mappings
    self._dump_mapping(m, destdir)
  File "C:\haystack\memory_dumper.py", line 170, in _dump_mapping
    mmap_fout.write(m.mmap().get_byte_buffer())
  File "C:\haystack\mappings\process.py", line 112, in mmap
    self._process().readBytes(
AttributeError: 'Process' object has no attribute 'readBytes'
```

trolldbois commented 8 years ago

mappings.process:L112: s/readBytes/read. We need better unix-ptrace/win32-winappdbg interfaces and a wrapper.

trolldbois commented 8 years ago

And also an issue with protected memory:

```
Traceback (most recent call last):
  File "scripts\haystack-dump", line 18, in <module>
    memory_dumper.main(sys.argv[1:])
  File "C:\haystack\memory_dumper.py", line 221, in main
    opts.func(opts)
  File "C:\haystack\memory_dumper.py", line 198, in _dump
    return dump(opt.pid, opt.dumpname, opt.type)
  File "C:\haystack\memory_dumper.py", line 192, in dump
    destname = dumper.dump()
  File "C:\haystack\memory_dumper.py", line 69, in dump
    self._dump_to_dir()
  File "C:\haystack\memory_dumper.py", line 81, in _dump_to_dir
    self._dump_all_mappings(self._dest)
  File "C:\haystack\memory_dumper.py", line 127, in _dump_all_mappings
    self._dump_mapping(m, destdir)
  File "C:\haystack\memory_dumper.py", line 170, in _dump_mapping
    mmap_fout.write(m.mmap().get_byte_buffer())
  File "C:\haystack\mappings\process.py", line 115, in mmap
    len(self)),
  File "C:\haystack\venv\lib\site-packages\winappdbg\process.py", line 1599, in read
    raise ctypes.WinError()
WindowsError: [Error 299] Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
```

trolldbois commented 8 years ago

It might be access related or some sort of memory protection. http://gojuyou.com/questions/542633/readprocessmemory-with-ctypes

trolldbois commented 8 years ago

Or maybe 64-bit/32-bit.
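The error 299 in the traceback above is what ReadProcessMemory returns when a single read of a whole mapping crosses a page the target has made inaccessible, so the dumper aborts on the first protected page. As an added example (not haystack's own code), the reader below copies a mapping page by page, zero-fills the pages it cannot read and records their offsets; `win32_reader` is a hypothetical ctypes backend over kernel32.ReadProcessMemory, and `simulated_dump` runs the same logic over a constructed fake mapping so it can be exercised without a Windows target.

```python
import ctypes

PAGE_SIZE = 0x1000


def read_mapping_page_by_page(read_fn, base, size, page_size=PAGE_SIZE):
    """Copy [base, base+size) one page at a time instead of in one call.
    read_fn(addr, length) is the backend (winappdbg Process.read, ptrace, ...)
    and returns `length` bytes or raises OSError.  A page it cannot read
    (PAGE_NOACCESS, guard page, decommitted) is zero-filled and its offset
    recorded, so one error 299 no longer aborts the whole mapping."""
    data, unreadable = bytearray(), []
    for off in range(0, size, page_size):
        length = min(page_size, size - off)
        try:
            chunk = read_fn(base + off, length)
            if len(chunk) != length:  # a short read is a failed page too
                raise OSError("short read at 0x%x" % (base + off))
        except OSError:
            chunk = b"\x00" * length
            unreadable.append(off)
        data += chunk
    return bytes(data), unreadable


def win32_reader(pid):
    """Hypothetical backend over kernel32.ReadProcessMemory (not haystack's code).
    A 32-bit Python cannot address a 64-bit target above 4 GiB."""
    k32 = ctypes.windll.kernel32  # attribute exists only on Windows
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p] * 3 + [ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    handle = k32.OpenProcess(0x0410, False, pid)  # PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
    if not handle:
        raise ctypes.WinError()

    def read_fn(addr, length):
        buf, got = ctypes.create_string_buffer(length), ctypes.c_size_t(0)
        ok = k32.ReadProcessMemory(handle, addr, buf, length, ctypes.byref(got))
        if not ok or got.value != length:
            raise ctypes.WinError()  # e.g. error 299 on a protected page (an OSError)
        return buf.raw
    return read_fn


def simulated_dump():
    """Constructed 4-page mapping whose third page is unreadable (no real process)."""
    base, pages = 0x7FF600000000, {0: b"A" * PAGE_SIZE, 1: b"B" * PAGE_SIZE, 3: b"D" * PAGE_SIZE}

    def fake_read(addr, length):
        page = pages.get((addr - base) // PAGE_SIZE)
        if page is None:
            raise OSError(299, "Only part of a ReadProcessMemory request was completed.")
        return page[:length]
    return read_mapping_page_by_page(fake_read, base, 4 * PAGE_SIZE)
```

The recorded offsets are worth writing next to the dump, since a zero-filled page is indistinguishable from real zeroed memory during later heap analysis.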

trolldbois commented 8 years ago

Use procdump from sysinternals and the minidump format. #closed