haystack is a Python module to search C structures in a process' memory.
What does it do?:
The basic functionnality is to search in a process' memory maps for a specific C Structures.
How do it knows that the structures is valid?:
You add some constraints ( expectedValues ) on the fields. Pointers are also a good start.
Where does the idea comes from?:
use http://www.hsc.fr/ressources/breves/passe-partout.html.fr to get keys
or http://www.rtfm.com/ssldump/ to read streams
use scapy, because it's fun ? but we need IP reassembly .
pynids could be more useful...
dsniff is now in python ?
>>> import haystack
>>> haystack.findStruct( pid , 'ctypes.c_int')
>>> haystack.findStruct( pid , 'ctypes_example.big_struct')
It's easy to add new structures (check ctypeslib or do it by hand).