and prepare the road for plugin-able HEAP parsers.

haystack/allocators/heapwalker.py

@@ -1,13 +1,19 @@
 # -*- coding: utf-8 -*-
-#
-# Copyright (C) 2011 Loic Jaquemet loic.jaquemet+python@gmail.com
-#
+
 import logging
+import pkg_resources
 
 from haystack.abc import interfaces
 
 log = logging.getLogger('heapwalker')
 
+SUPPORTED_ALLOCATORS = {}
+
+# TODO use it in memory dump discovery. Maybe add platform selectors to Finder interface
+for entry_point in pkg_resources.iter_entry_points("haystack.heap_finder"):
+    ep = entry_point.resolve()
+    SUPPORTED_ALLOCATORS[entry_point.name] = entry_point.resolve()
+
 
 class HeapWalker(interfaces.IHeapWalker):
 

setup.py

@@ -34,8 +34,8 @@ def run(self):
         import sys
         os.getcwd()
         # all dump files are in .tgz
-        makeCmd = ['make', '-d']
-        p = subprocess.Popen(makeCmd, stdout=sys.stdout, cwd='test/src/')
+        make_cmd = ['make', '-d']
+        p = subprocess.Popen(make_cmd, stdout=sys.stdout, cwd='test/src/')
         p.wait()
         return p.returncode
 
@@ -68,44 +68,50 @@ def run(self):
                 "haystack.allocators",
                 "haystack.allocators.libc",
                 "haystack.allocators.win32"],
-      package_data={ "haystack.allocators.win32": ['win7heap32.constraints',
-                                                  'win7heap64.constraints',
-                                                  'winxpheap32.constraints',
-                                                  'winxpheap64.constraints'],
-                    "haystack.allocators.libc": ['libcheap.constraints']},
+      package_data={
+            "haystack.allocators.win32": ['win7heap32.constraints',
+                                          'win7heap64.constraints',
+                                          'winxpheap32.constraints',
+                                          'winxpheap64.constraints'],
+            "haystack.allocators.libc": ['libcheap.constraints']},
       entry_points={
-          'console_scripts': [
-              'haystack-find-heap = haystack.cliwin:find_heap',
-              'haystack-search = haystack.cli:search',
-              'haystack-show = haystack.cli:main_show',
-              'haystack-live-dump = haystack.memory_dumper:main',
-              'haystack-live-watch = haystack.cli:live_watch',
-              'haystack-rekall-dump = haystack.cli:rekall_dump',
-              'haystack-volatility-dump = haystack.cli:volatility_dump',
-          ],
-          # protocol
-          'haystack.mappings_loader': [
-              'dir = haystack.mappings.folder:FolderLoader',
-              'dmp = haystack.mappings.minidump:DMPLoader',
-              'volatility = haystack.mappings.vol:VolatilityLoader',
-              'rekall = haystack.mappings.rek:RekallLoader',
-              'live = haystack.mappings.process:ProcessLoader',
-              'frida = haystack.mappings.fridaprocess:FridaLoader',
-              'cuckoo = haystack.mappings.cuckoo:CuckooProcessLoader',
-          ]
-
+            'console_scripts': [
+                'haystack-find-heap = haystack.cliwin:find_heap',
+                'haystack-search = haystack.cli:search',
+                'haystack-show = haystack.cli:main_show',
+                'haystack-live-dump = haystack.memory_dumper:main',
+                'haystack-live-watch = haystack.cli:live_watch',
+                'haystack-rekall-dump = haystack.cli:rekall_dump',
+                'haystack-volatility-dump = haystack.cli:volatility_dump',
+            ],
+            # memory mappings loader haystack.abc.interfaces.IMemoryLoader
+            'haystack.mappings_loader': [
+                'dir = haystack.mappings.folder:FolderLoader',
+                'dmp = haystack.mappings.minidump:DMPLoader',
+                'volatility = haystack.mappings.vol:VolatilityLoader',
+                'rekall = haystack.mappings.rek:RekallLoader',
+                'live = haystack.mappings.process:ProcessLoader',
+                'frida = haystack.mappings.fridaprocess:FridaLoader',
+                'cuckoo = haystack.mappings.cuckoo:CuckooProcessLoader',
+            ],
+            # HEAP parsing haystack.abc.interfaces.IHeapFinder
+            'haystack.heap_finder': [
+                'ptmalloc2 = haystack.allocators.libc.LibcHeapFinder',
+                'winxp = haystack.allocators.win32.winxpheapwalker.WinXPHeapFinder',
+                'win7 = haystack.allocators.win32.win7heapwalker.Win7HeapFinder',
+            ]
       },
       # search: install requires only pefile, python-ptrace for memory-dump
       # reverse: install requires networkx, numpy, Levenshtein for signatures
-      install_requires=["pefile", #>=1.2.10_139
+      install_requires=["pefile",  # >=1.2.10_139
                         "construct<2.8",
                         ] + ["python-ptrace>=0.8.1"] if "win" not in sys.platform else []
-                        + ["winappdbg"] if "win" in sys.platform else [],
+                          + ["winappdbg"] if "win" in sys.platform else [],
       dependency_links=[
                         # "https://github.com/trolldbois/ctypeslib/tarball/dev#egg=ctypeslib2-2.4beta",
                         "https://github.com/volatilityfoundation/volatility/tarball/master#egg=volatility-trunk",
                         "https://github.com/google/rekall/tarball/master#egg=rekall-trunk",
-                        #"https://github.com/erocarrera/pefile/archive/pefile-1.2.10-139.tar.gz"
+                        # "https://github.com/erocarrera/pefile/archive/pefile-1.2.10-139.tar.gz"
                         ],
       test_suite="test.alltests",
       # https://pythonhosted.org/setuptools/setuptools.html
@@ -115,5 +121,4 @@ def run(self):
       cmdclass={
           'preptests': PyPrepTestsCommand,
       },
-)
-
+      )