trolldbois / python-haystack

Process heap analysis framework - Windows/Linux - record type inference and forensics
http://trolldbois.blogspot.com/search?q=python-haystack
GNU General Public License v3.0

Minidump reader: too verbose #29

Closed rchateauneu closed 8 years ago

rchateauneu commented 8 years ago

I would like to use `memory_handler = dump_loader.load(memdumpname)` from a script without printing too much information I do not need, for example:

```
Container: StreamType = 'MemoryInfoListStream' Location = Container: DataSize = 39664 RVA = 24093 DirectoryData = Container: SizeOfHeader = 16 SizeOfEntry = 48 NumberOfEntries = 826 MINIDUMP_MEMORY_INFO = [ ...etc ...
```

How can this be avoided, please? Maybe an optional parameter?

trolldbois commented 8 years ago

Hi, could you produce a small script + memory dump that reproduces the issue? It seems these are debug info from the minidump dump loader, if it is run as the main script.

See https://github.com/trolldbois/python-haystack/blob/master/haystack/mappings/minidump.py:L1087. If you don't want the debug, don't run the minidump.py script :)

```python
import haystack
from haystack import dump_loader
memory_handler = dump_loader.load('test/dumps/minidump/alg.dmp')
```

This piece of code does not produce the debug logs you reported.

Can you confirm the issue is solved? Or am I missing something? If so, please post a test case that reproduces the issue.

rchateauneu commented 8 years ago

The script haystack_essay I sent does reproduce the issue, and so does your code sample.

Same result if the dump is created with procexp or with TaskManager!

On Sun, Mar 13, 2016 at 2:44 AM, Loic Jaquemet notifications@github.com wrote:

> Hi, could you produce a small script + memory dump that reproduces the issue? It seems these are debug info from the minidump dump loader, if it is run as the main script.
>
> See https://github.com/trolldbois/python-haystack/blob/master/haystack/mappings/minidump.py:L1087. If you don't want the debug, don't run the minidump.py script :)
>
> ```python
> import haystack
> from haystack import dump_loader
> memory_handler = dump_loader.load('test/dumps/minidump/alg.dmp')
> ```
>
> This piece of code does not produce the debug logs you reported.
>
> Can you confirm the issue is solved? Or am I missing something? If so, please post a test case that reproduces the issue.


trolldbois commented 8 years ago

```python
from haystack import logging
logging.setLevel(logging.DEBUG)
```

@rchateauneu, in your script, haystack_essai.py, these two lines force the production of debug logs for all modules. The minidump module therefore produces its DEBUG logs. If you don't want the DEBUG logs of all modules, you have to disable DEBUG logging, or choose precisely which logs you want to produce.

```python
import logging
# basicConfig only takes keyword arguments: set the baseline level to INFO
logging.basicConfig(level=logging.INFO)
# then raise only the logger you care about to DEBUG
# (logging.getLogger() is the root logger; use a module logger name to narrow further)
logging.getLogger("root").setLevel(logging.DEBUG)
```
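An added example (not code from the project or from this thread) showing the difference between the two configurations above: a DEBUG level on a parent logger is inherited by every module underneath it, while a DEBUG level on the script's own logger leaves the loader's DEBUG chatter suppressed. The logger names are assumptions based on the file layout; the messages are constructed.

```python
import logging

# Assumed logger names: haystack modules typically log under their module path
# (haystack/mappings/minidump.py), and the user's script under its own name.
HAYSTACK_LOGGER = "haystack"
MINIDUMP_LOGGER = "haystack.mappings.minidump"
APP_LOGGER = "haystack_essai"


class _Collector(logging.Handler):
    """Handler that records (logger name, level name, message) instead of printing."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append((record.name, record.levelname, record.getMessage()))


def configure_logging(debug_loggers=(), base_level=logging.INFO):
    """Set the root logger to base_level and enable DEBUG only on the named loggers."""
    root = logging.getLogger()
    for handler in list(root.handlers):      # start from a clean root, as basicConfig would
        root.removeHandler(handler)
    collector = _Collector()
    collector.setLevel(logging.DEBUG)         # the handler passes everything; loggers decide
    root.addHandler(collector)
    root.setLevel(base_level)
    for name in (HAYSTACK_LOGGER, MINIDUMP_LOGGER, APP_LOGGER):
        logging.getLogger(name).setLevel(logging.NOTSET)   # inherit from the parent again
    for name in debug_loggers:
        logging.getLogger(name).setLevel(logging.DEBUG)
    return collector


def emit_sample(collector):
    """Emit constructed messages mimicking the loader and the script; return what got through."""
    logging.getLogger(MINIDUMP_LOGGER).debug("StreamType = 'MemoryInfoListStream' ...")
    logging.getLogger(MINIDUMP_LOGGER).info("loaded 826 memory info entries")
    logging.getLogger(APP_LOGGER).debug("opening dump")
    return [(name, level) for name, level, _ in collector.records]


if __name__ == "__main__":
    # DEBUG on the parent "haystack" logger: the minidump module's dump is printed
    print(emit_sample(configure_logging(debug_loggers=[HAYSTACK_LOGGER])))
    # DEBUG only on the script's own logger: the loader stays at INFO
    print(emit_sample(configure_logging(debug_loggers=[APP_LOGGER])))
```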
trolldbois commented 8 years ago

Regarding this "verbosity" issue: I can't reproduce the verbosity with your script, even with all logs set to DEBUG. I checked the haystack source code, and I don't see where it would be coming from. Can you confirm, and maybe trace where it's coming from with pdb?

trolldbois commented 8 years ago

Ok I found it. Stupid me.