def load(dumpname, cpu=None, os_name=None):
    """Build a memory handler from a process memory dump stored on disk.

    A directory is handed to ``VeryLazyProcessMemoryDumpLoader``; a regular
    file is treated as a minidump and handed to ``minidump.MDMP_Mapper``.

    :param dumpname: path to the dump directory or dump file; it is made
        absolute before being passed to a loader.
    :param cpu: forwarded unchanged to the selected loader.
    :param os_name: forwarded unchanged to the selected loader.
    :return: the object returned by the loader's ``make_memory_handler()``.
    :raises IOError: if the path is neither a directory nor a regular file.
    """
    dump_path = os.path.abspath(dumpname)
    if os.path.isdir(dump_path):
        loader = VeryLazyProcessMemoryDumpLoader(
            dump_path, cpu=cpu, os_name=os_name)
    elif os.path.isfile(dump_path):
        # Any regular file is tried as a minidump; no format check happens
        # here, so validation is left to the mapper itself.
        from haystack.mappings import minidump
        loader = minidump.MDMP_Mapper(dump_path, cpu=cpu, os_name=os_name)
    else:
        raise IOError('couldnt load %s' % dump_path)
    handler = loader.make_memory_handler()
    log.debug('%d dump file loaded' % len(handler))
    # TODO (original author's note): catch mmap.error here; it is raised when
    # too many files are open, and raising the open-file ulimit is the
    # workaround.
    return handler
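def get_memory_handler(opts):
    """Return a memory handler for the dump source selected by ``opts``.

    The loader is chosen from ``opts.dumptype``; depending on the type the
    function also reads ``opts.dump_folder_name``, ``opts.dump_filename``,
    ``opts.pid`` and ``opts.mmap``.

    :param opts: parsed options object carrying the attributes above.
    :return: the handler produced by the selected loader or mapper.
    :raises RuntimeError: if ``opts.dumptype`` is not one of the supported
        ``DUMPTYPE_*`` values.
    """
    if opts.dumptype == DUMPTYPE_BASE:
        loader = dump_loader.ProcessMemoryDumpLoader(opts.dump_folder_name)
        memory_handler = loader.make_memory_handler()
    elif opts.dumptype == DUMPTYPE_VOLATILITY:
        # NOTE(review): the Volatility profile is hard-coded to WinXPSP2x86.
        # An image from another OS build would presumably be interpreted with
        # the wrong layout; confirm whether the profile should come from opts.
        mapper = vol.VolatilityProcessMapper(
            opts.dump_filename, "WinXPSP2x86", opts.pid)
        memory_handler = mapper.make_memory_handler()
    elif opts.dumptype == DUMPTYPE_REKALL:
        mapper = rek.RekallProcessMapper(opts.dump_filename, opts.pid)
        memory_handler = mapper.make_memory_handler()
    elif opts.dumptype == DUMPTYPE_LIVE:
        # NOTE(review): presumably reads the memory of the running process
        # opts.pid, which typically requires debug rights over that process.
        # Confirm the privilege requirements before documenting this path.
        memory_handler = dbg.make_local_process_memory_handler(
            pid=opts.pid, use_mmap=opts.mmap)
    elif opts.dumptype == DUMPTYPE_MINIDUMP:
        # Imported only when a minidump is actually requested.
        from haystack.mappings import minidump
        loader = minidump.MDMP_Mapper(opts.dump_filename)
        memory_handler = loader.make_memory_handler()
    else:
        # The original passed the value as a second exception argument, so
        # the '%s' placeholder was never filled in; interpolate it instead.
        raise RuntimeError(
            'dump type has no case support. %s' % (opts.dumptype,))
    return memory_handler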