
A free open source Windows 'screen capture' device and recorder (also allows VLC/ffmpeg and others to capture/stream desktop/audio) - rdp/screen-capture-recorder-to-video-windows-free.

capturer: Easily capture stdout/stderr of the current process and subprocesses. Welcome to the documentation of capturer version 3.0!


Project description

The capturer package makes it easy to capture the stdout and stderr streams of the current process and subprocesses. Output can be relayed to the terminal in real time but is also available to the Python program for additional processing. It's currently tested on cPython 2.7, 3.5+ and PyPy (2.7). It's tested on Linux and Mac OS X and may work on other unixes but definitely won't work on Windows (due to the use of the platform dependent pty module). For usage instructions please refer to the documentation.


Status

The capturer package was developed as a proof of concept over the course of a weekend, because I was curious to see if it could be done (reliably). After a weekend of extensive testing it seems to work fairly well so I'm publishing the initial release as version 1.0, however I still consider this a proof of concept because I don't have extensive 'production' experience using it yet. Here's hoping it works as well in practice as it did during my testing :-).

Installation

The capturer package is available on PyPI which means installation should be as simple as:

There's actually a multitude of ways to install Python packages (e.g. the per user site-packages directory, virtual environments or just installing system wide) and I have no intention of getting into that discussion here, so if this intimidates you then read up on your options before returning to these instructions ;-).

Getting started

The easiest way to capture output is to use a context manager:

The use of a context manager (the with statement) ensures that output capturing is enabled and disabled at the appropriate time, regardless of whether exceptions interrupt the normal flow of processing.

Note that the first call to get_bytes(), get_lines() or get_text() will stop the capturing of output by default. This is intended as a sane default to prevent partial reads (which can be confusing as hell when you don't have experience with them). So we could have simply used print to show the results without causing a recursive 'captured output is printed and then captured again' loop. There's an optional partial=True keyword argument that can be used to disable this behavior (please refer to the documentation for details).

Design choices

There are existing solutions out there to capture the stdout and stderr streams of (Python) processes. The capturer package was created for a very specific use case that wasn't catered for by existing solutions (that I could find). This section documents the design choices that guided the development of the capturer package:

Intercepts writes to low level file descriptors

Libraries like capture and iocapture change Python's sys.stdout and sys.stderr file objects to fake file objects (using StringIO). This enables capturing of (most) output written to the stdout and stderr streams from the same Python process, however any output from subprocesses is unaffected by the redirection and not captured.

The capturer package instead intercepts writes to low level file descriptors (similar to and inspired by how pytest does it). This enables capturing of output written to the standard output and error streams from the same Python process as well as any subprocesses.
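
The difference described above, as an added example that is not part of capturer's own code: swapping sys.stdout misses a child process's output, while redirecting file descriptor 1 catches it. It assumes a Unix-like system and uses a plain pipe where capturer uses a pseudo terminal; the function names are made up for illustration.

```python
import io
import os
import subprocess
import sys

# Child command (constructed for this example): writes to its inherited fd 1.
CHILD = [sys.executable, "-c", "print('from child')"]


def capture_by_swapping_sys_stdout():
    """Replace sys.stdout with a StringIO, the approach the text contrasts against."""
    fake, original = io.StringIO(), sys.stdout
    sys.stdout = fake
    try:
        print("from parent")
        subprocess.check_call(CHILD)  # the child still writes to the real fd 1
    finally:
        sys.stdout = original
    return fake.getvalue()


def capture_by_redirecting_fd():
    """Point fd 1 at a pipe so the parent and inherited children are both captured."""
    sys.stdout.flush()  # don't let already-buffered text leak into the capture
    saved_fd = os.dup(1)
    read_end, write_end = os.pipe()
    os.dup2(write_end, 1)
    os.close(write_end)
    try:
        os.write(1, b"from parent\n")  # raw write, independent of sys.stdout
        subprocess.check_call(CHILD)
    finally:
        os.dup2(saved_fd, 1)  # restore fd 1; this drops the last write end
        os.close(saved_fd)
    with os.fdopen(read_end, "rb") as reader:
        return reader.read().decode()  # small output only: a pipe buffer is finite


if __name__ == "__main__":
    print(repr(capture_by_swapping_sys_stdout()))
    print(repr(capture_by_redirecting_fd()))
```

Reading the pipe only after the child exits works here because the output is tiny; a real capture has to drain the descriptor while the child is still running.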

Uses a pseudo terminal to emulate a real terminal

The capturer package uses a pseudo terminal created using pty.openpty() to capture output. This means subprocesses will use ANSI escape sequences because they think they're connected to a terminal. In the current implementation you can't opt out of this, but feel free to submit a feature request to change this :-). This does have some drawbacks:

  • The use of pty.openpty() means you need to be running in a UNIX like environment for capturer to work (Windows definitely isn't supported).

  • All output captured is relayed on the stderr stream by default, so capturing changes the semantics of your programs. How much this matters obviously depends on your use case. For the use cases that triggered me to create capturer it doesn't matter, which explains why this is the default mode.

    There is experimental support for capturing stdout and stderr separately and relaying captured output to the appropriate original stream. Basically you call CaptureOutput(merged=False) and then you use the stdout and stderr attributes of the CaptureOutput object to get at the output captured on each stream.

    I say experimental because this method of capturing can unintentionally change the order in which captured output is emitted, in order to avoid interleaving output emitted on the stdout and stderr streams (which would most likely result in incomprehensible output). Basically output is relayed on each stream separately after each line break. This means interactive prompts that block on reading from standard input without emitting a line break won't show up (until it's too late ;-).

Relays output to the terminal in real time

The main use case of capturer is to capture all output of a snippet of Python code (including any output by subprocesses) but also relay the output to the terminal in real time. This has a couple of useful properties:

  • Long running operations can provide the operator with real time feedback by emitting output on the terminal. This sounds obvious (and it is!) but it is non-trivial to implement (an understatement :-) when you also want to capture the output.
  • Programs like gpg and ssh that use interactive password prompts will render their password prompt on the terminal in real time. This avoids the awkward interaction where a password prompt is silenced but the program still hangs, waiting for input on stdin.

Contact

The latest version of capturer is available on PyPI and GitHub. The documentation is hosted on Read the Docs and includes a changelog. For bug reports please create an issue on GitHub. If you have questions, suggestions, etc. feel free to send me an e-mail at peter@peterodding.com.

License

This software is licensed under the MIT license.

© 2020 Peter Odding.

A big thanks goes out to the pytest developers because pytest's mechanism for capturing the output of subprocesses provided inspiration for the capturer package. No code was copied, but both projects are MIT licensed anyway, so it's not like it's very relevant :-).

Files for capturer, version 3.0

  • capturer-3.0-py2.py3-none-any.whl (15.5 kB), file type: Wheel, Python version: py2.py3
  • capturer-3.0.tar.gz (18.1 kB), file type: Source, Python version: None

Hashes for capturer-3.0-py2.py3-none-any.whl

  • SHA256: b1ef6e8831cd170906df7c881a36c8b8a1b0b824b147b950a1a8c11776da981b
  • MD5: 41a0439e4c25fab6a5ee4a733bd61f1d
  • BLAKE2-256: 6398c0959507a5b99c2813ee1da7ce9b8dfe9b05d8ab0d6c20e54d8b0f0bde18

Hashes for capturer-3.0.tar.gz

  • SHA256: 4849032f6a670c02be434c484a0abf43c870a1efafafbfffd2e6f1c1f7ef5001
  • MD5: 54e1b1540788b28a92e8a1815d054754
  • BLAKE2-256: 9a98e2cac95d1cba553b10552511fdb55043b00a99bf8c1ed913ecbc654d6bfb

Belkasoft Live RAM Capturer is a tiny free forensic tool that allows you to reliably extract the entire contents of a computer's volatile memory – even if protected by an active anti-debugging or anti-dumping system. Separate 32-bit and 64-bit builds are available in order to minimize the tool's footprint as much as possible. Memory dumps captured with Belkasoft Live RAM Capturer can be analyzed with Live RAM Analysis in Belkasoft Evidence Center. Belkasoft Live RAM Capturer is compatible with all versions and editions of Windows including XP, Vista, Windows 7, 8 and 10, 2003 and 2008 Server.

Why Memory Dump Is the First Thing To Do During the Acquisition

Memory dumps are a valuable source of ephemeral evidence and volatile information. Memory dumps may contain passwords to encrypted volumes (TrueCrypt, BitLocker, PGP Disk), account login credentials for many webmail and social network services such as Gmail, Yahoo Mail, Hotmail; Facebook, Twitter, Google Plus; file sharing services such as Dropbox, Flickr, SkyDrive, etc.

In order to extract ephemeral evidence out of already captured memory dumps, forensic experts must use proper analysis software such as Belkasoft Evidence Center. Besides, some other tools can be used to extract passwords to encrypted volumes.

Designed to Bypass Active Anti-Debugging and Anti-Dumping Protection

Acquiring volatile memory from a computer running a debugging protection or anti-dumping system is tricky. Most memory acquisition tools run in the system's user mode and are unable to bypass the defenses of such protection systems (which run in the system's most privileged kernel mode).

Belkasoft Live RAM Capturer is designed to work correctly even if an aggressive anti-debugging or anti-memory dumping system is running. By operating in kernel mode, Belkasoft Live RAM Capturer plays on the same level with these protection systems, being able to correctly acquire address space of applications protected with the most sophisticated systems such as nProtect GameGuard.

Creates Forensically Sound Memory Dumps

Belkasoft Live RAM Capturer features the smallest footprint possible, does not require installation and can be launched in seconds from a USB flash drive. Unlike many competing tools running in system's user mode, Belkasoft Live RAM Capturer comes equipped with 32-bit and 64-bit kernel drivers allowing the tool to operate in the most privileged kernel mode. Memory dumps acquired with Belkasoft Live RAM Capturer can be then analyzed with Belkasoft Evidence Center Live RAM Analysis.

Compared to Other Volatile Memory Capturing Tools

Belkasoft Live RAM Capturer beats many popular memory dumping applications hands down due to the difference in design goals. Current versions of competing tools (AccessData FTK Imager 3.0.0.1443, PMDump 1.2) operate in the system's user mode, which makes them susceptible to anti-dumping activities performed by active debugging protection systems such as nProtect GameGuard.

An internal comparison between Belkasoft Live RAM Capturer and latest versions of competing RAM acquisition tools demonstrated the ability of Belkasoft Live RAM Capturer to acquire an image of a protected memory set while the other tools returned an empty area (FTK Imager) or random data (PMDump).

Tools tested:

  • AccessData FTK Imager 3.0.0.1443
  • PMDump 1.2
  • Belkasoft Live RAM Capturer 1.0

Testing methodology: we launched Karos, a computer game protected with nProtect GameGuard. Then we performed an active chat session, and tried acquiring the complete memory dump of the system with all three memory dumping tools. We then analyzed the memory set belonging to the protected game.

The results:

  • AccessData FTK Imager 3.0.0.1443 contained all zeroes in place of actual data for the protected memory set;
  • PMDump 1.2 returned random data;
  • Belkasoft Live RAM Capturer 1.0 correctly acquired the protected memory set.


Consequences of Using a Wrong Tool

Many applications protect their memory sets against dumping. Such applications include multi-player online games, malware, custom and commercial products protected with active anti-debugging systems. In mild scenarios (e.g. commercial products and games), an attempt to read a protected memory area will simply return empty or garbage data instead of the actual information.

In worst-case scenarios, an anti-debugging system detecting an attempt to read protected memory areas may take measures to destroy affected information and/or cause a kernel mode failure, locking up the computer and making further analysis impossible. This is what typically happens if a user-mode volatile memory analysis tool is used to dump content protected with a kernel-mode anti-debugging system.

Compatibility and System Requirements

Belkasoft Live RAM Capturer is compatible with 32-bit and 64-bit editions of Windows including XP, Vista, Windows 7/8/10, 2003 and 2008 Server. The tool does not require installation, and can be launched in seconds from a USB thumb drive.

Update

Since this article was published, FTK Imager got a kernel-mode driver. However, you may still want to compare the size of the executable files to select a capturer with the minimum footprint.
