API_Python
Most functionality in the Memory Process File System is exported in a Python API for use by developers. The Python API is a wrapper around the C/C++ API and requires `vmm.dll` and `vmmpyc.pyd`. The Python API itself is found in the file `vmmpy.py`, which also contains the complete documentation. This wiki entry, however, contains an overview of the Python API.
NB! Currently 64-bit Windows is supported. Linux support for VmmPy is planned in the future.
An example file containing a lot of use cases is found in the file `vmmpy_example.py` in the files folder.
After `VmmPy` is loaded it has to be initialized. Depending on whether it should be initialized from a file, an FPGA or something else, a different `VmmPy_Initialize*` function has to be called.
```python
def VmmPy_InitializeFile(file_name, is_printf = True, is_verbose = False, is_verbose_extra = False, is_verbose_tlp = False, page_table_base = 0):
def VmmPy_InitializeFPGA(file_name, is_printf = True, is_verbose = False, is_verbose_extra = False, is_verbose_tlp = False, page_table_base = 0):
def VmmPy_InitializeTotalMeltdown(file_name, is_printf = True, is_verbose = False, is_verbose_extra = False, is_verbose_tlp = False, page_table_base = 0):
def VmmPy_Close():
```
To retrieve or set various configuration entries, call the functions below:
```python
def VmmPy_ConfigGet(vmmpy_opt_id):
def VmmPy_ConfigSet(vmmpy_opt_id, value):
def VmmPy_GetVersion():
```
The entire file system is accessible via API functions. Please find them below:
```python
def VmmPy_VfsList(path):
def VmmPy_VfsRead(path_file, length, offset = 0):
def VmmPy_VfsWrite(path_file, bytes_data, offset = 0):
```
Read and write both physical and virtual memory via the functions listed below. In most instances it's possible to specify `-1` instead of the process pid to read physical memory instead of process virtual memory. The main exception is `VmmPy_MemVirt2Phys`, which only accepts valid pids.
```python
def VmmPy_MemRead(pid, address, length, flags = 0):
def VmmPy_MemReadScatter(pid, address_list, flags = 0):
def VmmPy_MemWrite(pid, address, bytes_data):
def VmmPy_MemVirt2Phys(pid, address):
```
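The following is an added example, not code from the MemProcFS wiki or from `vmmpy.py`. It shows the initialize/close lifecycle and the `-1` pid convention described above: a process-virtual read is carried out page by page, translating each page with `VmmPy_MemVirt2Phys` (valid pid only) and reading the resulting physical page with pid `-1`, because consecutive virtual pages are not guaranteed to be physically contiguous. The `vmmpy` module is passed in as `vmm`; the `FakeVmm` class is a constructed stand-in with the same function names so the helpers can be exercised without `vmm.dll`, and the assumption that a failed translation raises is labelled in the code.

```python
# Added example (not from the MemProcFS wiki): helpers written against the VmmPy
# function names listed above. Pass the real vmmpy module as `vmm`, or the
# constructed FakeVmm stand-in at the bottom.
PAGE_SIZE = 0x1000
PID_PHYSICAL = -1  # pid value that makes VmmPy_MemRead read physical memory

def with_memory_image(vmm, file_name, work):
    """Initialize VmmPy from a dump file, run work(vmm), and always close."""
    vmm.VmmPy_InitializeFile(file_name, is_printf=False)
    try:
        return work(vmm)
    finally:
        vmm.VmmPy_Close()

def virt_read_via_phys(vmm, pid, va, length):
    """Read process virtual memory one page at a time: translate each page with
    VmmPy_MemVirt2Phys, then read the physical page with pid -1. A single
    translation of `va` would be wrong for reads that cross a page boundary,
    since the next virtual page may live anywhere in physical memory.
    Assumption: a failed translation raises; it is not handled here."""
    if pid == PID_PHYSICAL:
        raise ValueError("VmmPy_MemVirt2Phys needs a real pid, not -1")
    out, cur, end = bytearray(), va, va + length
    while cur < end:
        page_off = cur & (PAGE_SIZE - 1)
        chunk = min(PAGE_SIZE - page_off, end - cur)
        pa_page = vmm.VmmPy_MemVirt2Phys(pid, cur & ~(PAGE_SIZE - 1))
        out += vmm.VmmPy_MemRead(PID_PHYSICAL, pa_page + page_off, chunk)
        cur += chunk
    return bytes(out)

class FakeVmm:
    """Constructed stand-in: three physical pages and a page table for pid 4 that
    maps two consecutive virtual pages to non-adjacent physical pages."""
    def __init__(self):
        self.open = False
        self.phys = bytearray(3 * PAGE_SIZE)
        self.phys[0x0000:0x1000] = bytes([0xAA]) * PAGE_SIZE
        self.phys[0x1000:0x2000] = bytes([0xBB]) * PAGE_SIZE
        self.phys[0x2000:0x3000] = bytes([0xCC]) * PAGE_SIZE
        self.page_table = {4: {0x7FF000: 0x2000, 0x800000: 0x0000}}  # va page -> pa page
    def VmmPy_InitializeFile(self, file_name, **kwargs): self.open = True
    def VmmPy_Close(self): self.open = False
    def VmmPy_MemVirt2Phys(self, pid, va):
        return self.page_table[pid][va & ~(PAGE_SIZE - 1)] | (va & (PAGE_SIZE - 1))
    def VmmPy_MemRead(self, pid, address, length, flags=0):
        if pid == PID_PHYSICAL:
            return bytes(self.phys[address:address + length])
        return virt_read_via_phys(self, pid, address, length)
```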
Functionality related to processes running on the target system is exposed via the functions below:
```python
def VmmPy_PidList():
def VmmPy_PidGetFromName(process_name):
def VmmPy_ProcessGetMemoryMap(pid, is_identify_modules = False):
def VmmPy_ProcessGetMemoryMapEntry(pid, va, is_identify_modules = False):
def VmmPy_ProcessGetModuleMap(pid):
def VmmPy_ProcessGetModuleFromName(pid, module_name):
def VmmPy_ProcessGetInformation(pid):
def VmmPy_ProcessListInformation():
def VmmPy_ProcessGetEAT(pid, module_name):
def VmmPy_ProcessGetIAT(pid, module_name):
def VmmPy_ProcessGetDirectories(pid, module_name):
def VmmPy_ProcessGetSections(pid, module_name):
```
Utility functions:
```python
def VmmPy_UtilFillHexAscii(data_bytes, cb_initial_offset = 0):
```
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖