{ "info": { "author": "Loic Jaquemet", "author_email": "loic.jaquemet+python@gmail.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 4 - Beta", "Environment :: Console", "Intended Audience :: Developers", "License :: OSI Approved :: GNU General Public License (GPL)", "Programming Language :: Python", "Topic :: Security", "Topic :: System :: Networking" ], "description": "python-haystack-reverse memory forensics\n########################################\n\n|travis| |coverage| |landscape| |pypi|\n\nQuick Start:\n============\n`Haystack-reverse CLI `_ in the docs/ folder.\n\n\nIntroduction:\n=============\n\npython-haystack-reverse is extension of `python-haystack `_ focused on\nreversing memory structure in allocated memory.\n\nIt aims at helping an analyst in reverse engineering the memory records types present in a process heap.\nIt focuses on reconstruction, classification of classic C structures from memory.\nIt attempts to recreate types definition.\n\nScripts & Entry Points:\n=======================\n\nA few entry points exists to handle the format your memory dump.\n\nMemory dump folder produced by ``haystack-live-dump`` from the haystack package\n-------------------------------------------------------------------------------\n - ``haystack-reverse`` reverse CLI - reverse all allocation chunks\n - ``haystack-reverse-show`` show the reversed record at a specific address\n - ``haystack-reverse-hex`` show a specific record hex bytes at a specific address\n - ``haystack-reverse-parents`` show the records pointing to the allocated record at a specific address\n\nMemory dump file produced by a Minidump tool\n--------------------------------------------\n - ``haystack-minidump-reverse`` reverse CLI - reverse all allocation chunks\n - ``haystack-minidump-reverse-show`` show the reversed record at a specific address\n - ``haystack-minidump-reverse-hex`` show a specific record hex bytes at a specific address\n - ``haystack-minidump-reverse-parents`` show the records pointing to the allocated record at a specific address\n\nHow to get a memory dump:\n=========================\n\nSee `python-haystack `_ or use Sysinternals procdump.\n\nHeap analysis / forensics:\n==========================\n\nQuick info:\n - The ``haystack-xxx-reverse`` family of entry points parse the heap for allocator structures,\npointers values, small integers and text (ascii/utf).\nGiven all the previous information, it can extract instances and helps you\nin classifying and defining structures types.\n\nIPython notebook usage guide:\n - `Haystack-reverse CLI `_ in the docs/ folder.\n\nCommand line example:\n--------------------_\nThe first step is to launch the analysis process with the ``haystack-xxx-reverse`` entry point.\nThis will create several files in the ``cache/`` folder in the memory dump folder:\n\n.. code-block:: bash\n\n $ haystack-reverse haystack/test/src/test-ctypes6.64.dump\n $ ls -l haystack/test/src/test-ctypes6.64.dump/cache\n $ ls -l haystack/test/src/test-ctypes6.64.dump/cache/structs\n\nThis will create a few files. The most interesting one being the ``/cache/xxxxx.headers_values.py`` that\ngives you an ctypes listing of all found structures, with guesstimates\non fields types.\n\nA ``/cache/graph.gexf`` file is also produced to help you visualize\ninstances links. It gets messy for any kind of serious application.\n\n- ``*.headers_values.py`` contains the list of heuristicly reversed record types.\n- ``*.strings`` contains the list of heuristicly typed strings field in reversed record.\n\nOther Entry points for reversing:\n---------------------------------\n\n - ``haystack-reverse-show`` show a specific record at a specific address\n - ``haystack-reverse-hex`` show a specific record hex bytes at a specific address\n - ``haystack-reverse-parents`` show the records pointing to the allocated record at a specific address\n - ``haystack-minidump-reverse-show`` show a specific record at a specific address\n - ``haystack-minidump-reverse-hex`` show a specific record hex bytes at a specific address\n - ``haystack-minidump-reverse-parents`` show the records pointing to the allocated record at a specific address\n\n\nDependencies:\n-------------\n\n- haystack\n- python-numpy\n- python-networkx\n- python-levenshtein\n- several others...\n\n\n\n.. |pypi| image:: https://img.shields.io/pypi/v/haystack-reverse.svg?style=flat-square&label=latest%20stable%20version\n :target: https://pypi.python.org/pypi/haystack-reverse\n :alt: Latest version released on PyPi\n\n.. |coverage| image:: https://img.shields.io/coveralls/trolldbois/python-haystack-reverse/master.svg?style=flat-square&label=coverage\n :target: https://coveralls.io/github/trolldbois/python-haystack-reverse?branch=master\n :alt: Test coverage\n\n.. |travis| image:: https://img.shields.io/travis/trolldbois/python-haystack-reverse/master.svg?style=flat-square&label=travis-ci\n :target: http://travis-ci.org/trolldbois/python-haystack-reverse\n :alt: Build status of the master branch on Mac/Linux\n\n.. |landscape| image:: https://landscape.io/github/trolldbois/python-haystack-reverse/master/landscape.svg?style=flat\n :target: https://landscape.io/github/trolldbois/python-haystack-reverse/master\n :alt: Code Health\n", "description_content_type": null, "docs_url": null, "download_url": "http://github.com/trolldbois/python-haystack-reverse/tree/master", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://packages.python.org/haystack-reverse/", "keywords": "memory", "license": "GPL", "maintainer": "", "maintainer_email": "", "name": "haystack-reverse", "package_url": "https://pypi.org/project/haystack-reverse/", "platform": "", "project_url": "https://pypi.org/project/haystack-reverse/", "project_urls": { "Download": "http://github.com/trolldbois/python-haystack-reverse/tree/master", "Homepage": "http://packages.python.org/haystack-reverse/" }, "release_url": "https://pypi.org/project/haystack-reverse/0.42/", "requires_dist": null, "requires_python": "", "summary": "Reverse C Structures from a process' memory", "version": "0.42" }, "last_serial": 3048843, "releases": { "0.41": [ { "comment_text": "", "digests": { "md5": "39bcbe9d2e5366144a735ef0e4d04864", "sha256": "d9f30d0099beeca34e58dfc32b4722a99c6c8ac08b5514a36db0e580de78ca12" }, "downloads": -1, "filename": "haystack_reverse-0.41-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "39bcbe9d2e5366144a735ef0e4d04864", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 84423, "upload_time": "2017-06-25T23:39:55", "url": "https://files.pythonhosted.org/packages/8b/32/6ecd6d4aed6d33f33edd0dd2cceb383fa60ebc72c37cb06b2149521152a3/haystack_reverse-0.41-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "39100605d02d7b35e82eb5c0ac81fc3e", "sha256": "2048957b859dcc90f0ff5ef8e40ae31bcd6502f0fc3e8b2ea7fcf91e9edb099f" }, "downloads": -1, "filename": "haystack-reverse-0.41.tar.gz", "has_sig": false, "md5_digest": "39100605d02d7b35e82eb5c0ac81fc3e", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 83290, "upload_time": "2017-06-25T23:39:57", "url": "https://files.pythonhosted.org/packages/8e/d3/4a68fd98f0f3da9dd8cca01c278a7d852c3fd3bf2f42d009f9050cc27948/haystack-reverse-0.41.tar.gz" } ], "0.42": [ { "comment_text": "", "digests": { "md5": "11528f1b6e783051b16203ce9dad1e02", "sha256": "327c4fe47b22e1efe89dd936374e4835160de7eff3309f9e3968f3b441163e7b" }, "downloads": -1, "filename": "haystack_reverse-0.42-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "11528f1b6e783051b16203ce9dad1e02", "packagetype": "bdist_wheel", "python_version": "3.5", "requires_python": null, "size": 84199, "upload_time": "2017-07-26T00:27:03", "url": "https://files.pythonhosted.org/packages/1f/24/76b650f0607d60372252ce8cd588e297efa25d39794987c89ad8dfed9271/haystack_reverse-0.42-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "51d079752a67578fc41052e0fa2fe086", "sha256": "b2583d8a3b99fac1399a229f598a05510e3f912596f0c962ebdb98dc7e24ba58" }, "downloads": -1, "filename": "haystack-reverse-0.42.tar.gz", "has_sig": false, "md5_digest": "51d079752a67578fc41052e0fa2fe086", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 83057, "upload_time": "2017-07-26T00:27:01", "url": "https://files.pythonhosted.org/packages/8c/b6/780c8f4ffb4ca39eddf0668306b7c1a48b3ebc69c595d1d9011beed5fbc1/haystack-reverse-0.42.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "11528f1b6e783051b16203ce9dad1e02", "sha256": "327c4fe47b22e1efe89dd936374e4835160de7eff3309f9e3968f3b441163e7b" }, "downloads": -1, "filename": "haystack_reverse-0.42-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "11528f1b6e783051b16203ce9dad1e02", "packagetype": "bdist_wheel", "python_version": "3.5", "requires_python": null, "size": 84199, "upload_time": "2017-07-26T00:27:03", "url": "https://files.pythonhosted.org/packages/1f/24/76b650f0607d60372252ce8cd588e297efa25d39794987c89ad8dfed9271/haystack_reverse-0.42-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "51d079752a67578fc41052e0fa2fe086", "sha256": "b2583d8a3b99fac1399a229f598a05510e3f912596f0c962ebdb98dc7e24ba58" }, "downloads": -1, "filename": "haystack-reverse-0.42.tar.gz", "has_sig": false, "md5_digest": "51d079752a67578fc41052e0fa2fe086", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 83057, "upload_time": "2017-07-26T00:27:01", "url": "https://files.pythonhosted.org/packages/8c/b6/780c8f4ffb4ca39eddf0668306b7c1a48b3ebc69c595d1d9011beed5fbc1/haystack-reverse-0.42.tar.gz" } ] }