adding some entry points for minidump

haystack/cli.py

@@ -26,18 +26,21 @@
 SHOW_DESC = 'Cast the bytes at this address into a record_type. '
 WATCH_DESC = 'Cast the bytes at this address into a record_type and refresh regularly. '
 DUMP_DESC = 'Extract the process dump from the OS memory dump in haystack format. '
+REVERSE_DESC = 'Reverse the data structure from the process memory'
 
 # some dumptype constants
 DUMPTYPE_BASE = 'haystack'
 DUMPTYPE_VOLATILITY = 'volatility'
 DUMPTYPE_REKALL = 'rekall'
 DUMPTYPE_LIVE = 'live'
+DUMPTYPE_MINIDUMP = 'minidump'
 
 # the description of the dump type
 DUMPTYPE_BASE_DESC = 'The process dump is a folder produced by a haystack-dump script.'
 DUMPTYPE_VOL_DESC = 'The process dump is a volatility OS dump. The PID is the targeted process.'
 DUMPTYPE_REKALL_DESC = 'The process dump is a rekall OS dump. The PID is the targeted process.'
 DUMPTYPE_LIVE_DESC = 'The PID must be a running process.'
+DUMPTYPE_MINIDUMP_DESC = 'The process dump is a Minidump (MDMP) process dump.'
 
 
 class HaystackError(Exception):
@@ -56,6 +59,10 @@ def _get_memory_handler(opts):
         memory_handler = mapper.make_memory_handler()
     elif opts.dumptype == DUMPTYPE_LIVE:
         memory_handler = dbg.make_local_process_memory_handler(pid=opts.pid, use_mmap=opts.mmap)
+    elif opts.dumptype == DUMPTYPE_MINIDUMP:
+        from haystack.mappings import minidump
+        loader = minidump.MDMP_Mapper(opts.dump_filename)
+        memory_handler = loader.make_memory_handler()
     else:
         raise RuntimeError('dump type has no case support. %s', opts.dumptype)
     return memory_handler
@@ -249,6 +256,16 @@ def watch(args):
         py_obj = output[0][0]
 
 
+def reverse_cmdline(args):
+    """ Reverse """
+    from haystack.reverse import api as rapi
+    # get the memory handler adequate for the type requested
+    memory_handler = _get_memory_handler(args)
+    # do the search
+    rapi.reverse_instances(memory_handler)
+    return
+
+
 def base_argparser(program_name, description):
     """ Base options shared by all console scripts """
     rootparser = argparse.ArgumentParser(prog=program_name, description=description)
@@ -309,6 +326,11 @@ def dump_argparser(dump_parser):
     return dump_parser
 
 
+def reverse_argparser(reverse_parser):
+    reverse_parser.set_defaults(func=reverse_cmdline)
+    return reverse_parser
+
+
 def output_argparser(rootparser):
     """ Output choices options argument parser """
     output = rootparser.add_mutually_exclusive_group(required=False)
@@ -525,3 +547,51 @@ def rekall_dump():
     # execute function
     opts.func(opts)
     return
+
+
+def minidump_reverse():
+    argv = sys.argv[1:]
+    desc = REVERSE_DESC + DUMPTYPE_MINIDUMP_DESC
+    rootparser = base_argparser(program_name=os.path.basename(sys.argv[0]), description=desc)
+    rootparser.add_argument('dump_filename', type=argparse_utils.readable, help='Use this memory dump file')
+    reverse_argparser(rootparser)
+    opts = rootparser.parse_args(argv)
+    opts.dumptype = DUMPTYPE_MINIDUMP
+    # apply verbosity
+    set_logging_level(opts)
+    # execute function
+    opts.func(opts)
+    return
+
+
+def minidump_search():
+    argv = sys.argv[1:]
+    desc = SEARCH_DESC + DUMPTYPE_MINIDUMP_DESC
+    rootparser = base_argparser(program_name=os.path.basename(sys.argv[0]), description=desc)
+    rootparser.add_argument('dump_filename', type=argparse_utils.readable, help='Use this memory dump file')
+    search_argparser(rootparser)
+    output_argparser(rootparser)
+    opts = rootparser.parse_args(argv)
+    opts.dumptype = DUMPTYPE_MINIDUMP
+    # apply verbosity
+    set_logging_level(opts)
+    # execute function
+    opts.func(opts)
+    return
+
+
+def minidump_show():
+    argv = sys.argv[1:]
+    desc = SHOW_DESC + DUMPTYPE_MINIDUMP_DESC
+    rootparser = base_argparser(program_name=os.path.basename(sys.argv[0]), description=desc)
+    rootparser.add_argument('dump_filename', type=argparse_utils.readable, help='Use this memory dump file')
+    show_argparser(rootparser)
+    output_argparser(rootparser)
+    opts = rootparser.parse_args(argv)
+    opts.dumptype = DUMPTYPE_MINIDUMP
+    # apply verbosity
+    set_logging_level(opts)
+    # execute function
+    opts.func(opts)
+    return
+

haystack/mappings/minidump.py

@@ -962,8 +962,10 @@ def DirectoryEntry(kind):
 import mmap
 import logging
 
+
 log = logging.getLogger("minidump")
 
+
 class MDMP_Mapper(interfaces.IMemoryLoader):
     """Container:
             StreamType = 'Memory64ListStream'
@@ -980,13 +982,11 @@ class MDMP_Mapper(interfaces.IMemoryLoader):
     """
 
     def __init__(self, filename):
-        construct_data = MINIDUMP_HEADER.parse_stream(open(sys.argv[1], 'rb'))
+        construct_data = MINIDUMP_HEADER.parse_stream(open(filename, 'rb'))
         #
         self.filename = filename
         self._init_mappings(construct_data)
 
-        print target
-
     def _init_mappings(self, construct_data):
         content_file = open(self.filename, 'rb')
         fsize = os.path.getsize(self.filename)
@@ -1043,7 +1043,6 @@ def make_memory_handler(self):
         return self._memory_handler
 
 
-
 if __name__ == "__main__":
     import sys
     x = MINIDUMP_HEADER.parse_stream(open(sys.argv[1], 'rb'))

setup.py

@@ -99,6 +99,9 @@ def run(self):
               'haystack-volatility-search = haystack.cli:volatility_search',
               'haystack-volatility-show = haystack.cli:volatility_show',
               'haystack-volatility-dump = haystack.cli:volatility_dump',
+              'haystack-minidump-search = haystack.cli:minidump_search',
+              'haystack-minidump-show = haystack.cli:minidump_show',
+              'haystack-minidump-reverse = haystack.cli:minidump_reverse',
           ]
       },
       scripts=[ #"scripts/haystack",