def search_record(memory_handler, record_type, search_constraints=None, extended_search=False):
    """
    Look for instances of record_type in the memory dump behind memory_handler.

    The record type must have been imported using haystack functions.
    When search_constraints is given, it is handed to the searcher so that
    the constraints are considered during the search.

    :param memory_handler: IMemoryHandler
    :param record_type: a ctypes.Structure or ctypes.Union from a module imported by haystack
    :param search_constraints: IModuleConstraints to be considered during the search
    :param extended_search: boolean; False (the default) uses RecordSearcher
        (allocated chunks only), True uses AnyOffsetRecordSearcher
    :rtype a list of (ctypes records, memory offset)
    """
    # Only the selected searcher class is looked up and instantiated.
    searcher_cls = (
        searcher.AnyOffsetRecordSearcher if extended_search else searcher.RecordSearcher
    )
    return searcher_cls(memory_handler, search_constraints).search(record_type)
def search_record_hint(memory_handler, record_type, hint, search_constraints=None, extended_search=False):
    """
    Look for instances of record_type, restricted to the memory mapping that
    memory_handler reports for the hinted address.

    The record type must have been imported using haystack functions.
    When search_constraints is given, it is handed to the searcher so that
    the constraints are considered during the search.

    :param memory_handler: IMemoryHandler
    :param record_type: a ctypes.Structure or ctypes.Union from a module imported by haystack
    :param hint: address used to select the single mapping to search
    :param search_constraints: IModuleConstraints to be considered during the search
    :param extended_search: boolean; False (the default) uses RecordSearcher
        (allocated chunks only), True uses AnyOffsetRecordSearcher
    :rtype a list of (ctypes records, memory offset)
    """
    # NOTE(review): the lookup result is forwarded unchecked; confirm what the
    # handler returns for an address that lies outside every mapping.
    mappings = [memory_handler.get_mapping_for_address(hint)]
    searcher_cls = (
        searcher.AnyOffsetRecordSearcher if extended_search else searcher.RecordSearcher
    )
    scoped_searcher = searcher_cls(
        memory_handler,
        my_constraints=search_constraints,
        target_mappings=mappings,
    )
    return scoped_searcher.search(record_type)