python-haystack - a memory forensic & Process heap analysis framework.

python-haystack is a heap analysis framework, focused on searching for and reverse-engineering C structures in allocated memory. Its first function/API is the SEARCH function: it searches a process memory dump, or a live process's memory, for instances of known record types (C structures described with ctypes), keeping only candidates whose field values satisfy the constraints declared for that type.
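The search described above, illustrated with plain Python ctypes as an added example; this is not python-haystack's own code or API. The record type (`Node`), the constraint table (`CONSTRAINTS`), the mapping base address (`BASE`) and the memory dump itself are all constructed for the illustration. Each aligned offset of the dump is reinterpreted as the record and kept only if every field passes its constraint; the `next` pointer must be null or land, aligned, inside the mapping, which is what rejects the two decoy records.

```python
import ctypes
import struct

# Constructed: start address of the mapping the dump was taken from.
BASE = 0x7F0000001000
POINTER_ALIGN = 8


class Node(ctypes.LittleEndianStructure):
    """Hypothetical C record: struct node { uint32_t magic; uint32_t count; struct node *next; }."""
    _pack_ = 1
    _fields_ = [
        ("magic", ctypes.c_uint32),
        ("count", ctypes.c_uint32),
        ("next", ctypes.c_uint64),
    ]


# Per-field constraints: each check receives (value, mapping_lo, mapping_hi).
CONSTRAINTS = {
    "magic": lambda v, lo, hi: v == 0xCAFEBABE,
    "count": lambda v, lo, hi: 0 <= v <= 64,
    # A pointer is plausible only if null, or inside the mapping and aligned.
    "next": lambda v, lo, hi: v == 0 or (lo <= v < hi and v % POINTER_ALIGN == 0),
}


def matches(record, constraints, lo, hi):
    """True when every constrained field of the record passes its check."""
    return all(check(getattr(record, name), lo, hi) for name, check in constraints.items())


def search_record(dump, base, record_type, constraints, align=4):
    """Scan every aligned offset of the dump and return [(address, record), ...] that validate."""
    size = ctypes.sizeof(record_type)
    lo, hi = base, base + len(dump)
    hits = []
    for off in range(0, len(dump) - size + 1, align):
        rec = record_type.from_buffer_copy(dump, off)   # reinterpret bytes at offset
        if matches(rec, constraints, lo, hi):
            hits.append((base + off, rec))
    return hits


def follow_chain(dump, base, record_type, start_addr, constraints, max_len=64):
    """Walk next pointers from a hit, returning the addresses of the validated chain."""
    size = ctypes.sizeof(record_type)
    lo, hi = base, base + len(dump)
    chain, addr = [], start_addr
    while addr and len(chain) < max_len:
        if not (lo <= addr and addr + size <= hi):
            break                                          # pointer leaves the mapping
        rec = record_type.from_buffer_copy(dump, addr - base)
        if not matches(rec, constraints, lo, hi):
            break                                          # stale or corrupted link
        chain.append(addr)
        addr = rec.next
    return chain


def build_dump():
    """Constructed 512-byte dump: a two-node list plus two decoys that share the magic."""
    buf = bytearray(0x200)
    struct.pack_into("<IIQ", buf, 0x40, 0xCAFEBABE, 3, BASE + 0x90)   # node A -> node B
    struct.pack_into("<IIQ", buf, 0x90, 0xCAFEBABE, 0, 0)             # node B, end of list
    struct.pack_into("<IIQ", buf, 0x100, 0xCAFEBABE, 99999, 0)        # decoy: count out of range
    struct.pack_into("<IIQ", buf, 0x140, 0xCAFEBABE, 1, 0x41414141)   # decoy: pointer outside mapping
    return bytes(buf)


if __name__ == "__main__":
    dump = build_dump()
    for addr, rec in search_record(dump, BASE, Node, CONSTRAINTS):
        print(f"{addr:#x}: count={rec.count} next={rec.next:#x}")
    print([hex(a) for a in follow_chain(dump, BASE, Node, BASE + 0x40, CONSTRAINTS)])
```

The pointer constraint is the part that does most of the work on real dumps: a magic value alone appears in copied buffers, freed chunks and unrelated data, while a pointer that must resolve into the same mapping, aligned, and to another validating record is much harder to satisfy by accident.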

python-haystack v0.41

Scripts & Entry Points:
Several entry points exist; which one to use depends on the format of your memory dump.

* Memory dump folder produced by haystack-live-dump
– haystack-find-heap shows details of the Windows HEAPs found in the dump.
– haystack-search search CLI
– haystack-show show CLI for specific record type at a specific address

* Memory dump file produced by a Minidump tool
– haystack-find-heap shows details of the Windows HEAPs found in the dump.
– haystack-minidump-search search CLI
– haystack-minidump-show show a specific record type at a specific address

* For live processes
– haystack-live-dump capture a process memory dump to a folder (haystack format)
– haystack-live-search search CLI in live process memory
– haystack-live-show show a specific record type at a specific address in a live process's memory

* For a Rekall memory dump
– haystack-rekall-search search CLI for a specific process in a rekall dump
– haystack-rekall-show show a specific record type at a specific address
– haystack-rekall-dump dump a specific process to a haystack process dump

* For a Volatility memory dump
– haystack-volatility-search search CLI for a specific process in a volatility dump
– haystack-volatility-show show a specific record type at a specific address
– haystack-volatility-dump dump a specific process to a haystack process dump

Usage and Install:

Source: https://github.com/trolldbois