trolldbois edited this page Jul 8, 2011 · 4 revisions
$ haystack --help
usage: StructFinder [-h] [--string] [--debug] [--interactive] [--nommap]
                    (--pid PID | --memfile MEMFILE)
                    structType {search,refresh} ...

Parse memory structs and pickle them.

positional arguments:
  structType         Structure type name
  {search,refresh}   sub-command help
    search           search help
    refresh          refresh help

optional arguments:
  -h, --help         show this help message and exit
  --string           Print results as human readable string
  --debug            setLevel to DEBUG
  --interactive      drop to python command line after action
  --nommap           disable mmap()-ing
  --pid PID          Target PID
  --memfile MEMFILE  Use a memory dump instead of a live process ID

As an example, let's open an ssh session to localhost and find its PID from another terminal:

  $ ssh localhost
    # switch to another terminal
  $ ps au | grep 'ssh localhost'
user      26725  0.0  0.1   5256  4968 pts/6    S+   09:20   0:00 ssh localhost

(The grep line will also match itself; `pgrep -f 'ssh localhost'` prints just the PID.) Reading another process's memory requires root, hence the sudo below.

  # search: scan the process memory for every instance of the structure
  $ sudo haystack --pid 26725 sslsnoop.ctypes_openssh.session_state search > instance.pickled
  # refresh: re-read one instance at an address reported by a previous search
  $ sudo haystack --pid 26725 sslsnoop.ctypes_openssh.session_state refresh 0xb8b70d18 > instance.pickled
  # the same works for your own ctypes Structure, named the same way (module path, then class name)
  $ sudo haystack --pid 26725 your_ctypes_Structure search > instance.pickled

Without --string the output is a pickle; add --string to get a human-readable dump of the same result instead:

  $ sudo haystack --string --pid 26725 sslsnoop.ctypes_openssh.session_state search > instance.text
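To make clear what `search` and `refresh` actually do, here is the underlying technique in plain Python: scan a memory image at every aligned offset, map the bytes onto a ctypes Structure, and keep only candidates whose fields satisfy constraints a real instance must meet. This is an added illustration, not haystack's own code: the `session_state` layout below is a hypothetical 32-bit stand-in for `sslsnoop.ctypes_openssh.session_state` (not OpenSSH's real struct), the validation rules are assumptions, and the 256-byte "heap" image is constructed in `build_memory` (one real instance, one decoy with a pointer outside the mapping, 0xff filler elsewhere).

```python
import ctypes
import pickle


class session_state(ctypes.Structure):
    # Hypothetical 32-bit layout standing in for
    # sslsnoop.ctypes_openssh.session_state; not OpenSSH's real struct.
    _fields_ = [
        ("connection_in", ctypes.c_int),      # socket fd
        ("connection_out", ctypes.c_int),     # socket fd
        ("compression_level", ctypes.c_int),  # zlib level 0..9
        ("cipher_ctx", ctypes.c_uint32),      # heap pointer (32-bit target)
        ("packet_length", ctypes.c_uint32),
    ]


def is_valid(inst, base, size):
    """Assumed field constraints a real instance must satisfy; a candidate
    read at the wrong offset almost always breaks at least one of them."""
    in_heap = base <= inst.cipher_ctx < base + size
    return (0 <= inst.connection_in < 1024
            and 0 <= inst.connection_out < 1024
            and 0 <= inst.compression_level <= 9
            and in_heap
            and 0 < inst.packet_length <= 256 * 1024)


def search(struct_type, mem, base, validate, align=4):
    """What `haystack ... search` does: try every aligned offset of the
    mapping and return (address, instance) for each candidate that validates."""
    hits = []
    for off in range(0, len(mem) - ctypes.sizeof(struct_type) + 1, align):
        cand = struct_type.from_buffer_copy(mem, off)
        if validate(cand, base, len(mem)):
            hits.append((base + off, cand))
    return hits


def refresh(struct_type, mem, base, addr):
    """What `haystack ... refresh 0x...` does: re-read one known address."""
    off = addr - base
    if not 0 <= off <= len(mem) - ctypes.sizeof(struct_type):
        raise ValueError("address 0x%x outside the mapping" % addr)
    return struct_type.from_buffer_copy(mem, off)


def to_dict(inst):
    # Plain dict so the result pickles without any ctypes dependency.
    return {name: getattr(inst, name) for name, _ in inst._fields_}


def build_memory(base):
    """Constructed 256-byte heap image: 0xff filler, a real instance at
    +0x40 and a decoy at +0x80 whose cipher_ctx points outside the heap."""
    mem = bytearray(b"\xff" * 0x100)
    real = session_state(3, 4, 6, base + 0xc0, 0x40)
    decoy = session_state(3, 4, 6, 0x41414141, 0x40)
    mem[0x40:0x40 + ctypes.sizeof(real)] = bytes(real)
    mem[0x80:0x80 + ctypes.sizeof(decoy)] = bytes(decoy)
    return bytes(mem)


def demo(base=0xb8b70000):
    """Same flow as the page: search, pickle the hits, refresh one of them."""
    mem = build_memory(base)
    hits = search(session_state, mem, base, is_valid)
    pickled = pickle.dumps([(addr, to_dict(i)) for addr, i in hits])
    addr = pickle.loads(pickled)[0][0]
    again = refresh(session_state, mem, base, addr)
    return [a for a, _ in hits], to_dict(again)


if __name__ == "__main__":
    addrs, fields = demo()
    print(["0x%x" % a for a in addrs], fields)
```

Only the instance at +0x40 survives: the decoy fails the pointer-range check, and every shifted read of either copy lands a 0xffffffff or a pointer value in a field that must be a small non-negative integer. Tight constraints on pointer and enum fields are what keep a real scan's false-positive rate down; loosen them and the filler starts to match.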