API_Python

Python API

Most functionality in the Memory Process File System is exported in a Python API for use by developers. The Python API is a wrapper around the C/C++ API and requires vmm.dll and vmmpyc.pyd. The Python API itself is found in the file vmmpy.pywhich also contains the complete documentation. This wiki entry contains an overview of the Python API.

Example:

An example file containing a lot of use cases are found in the file vmmpy_example.py in the files folder.

Functionality:

Initialization API

After VmmPy is loaded it has to be initialized. Depending on whether it should be initialized from file, fpga or something else different VmmPy_Initialize should be called with a different list of string parameters in the first argument. The arguments are the same as given as options when starting The Memory Process File System.

def VmmPy_Initialize(args, is_printf = True, is_verbose = False, is_verbose_extra = False, is_verbose_tlp = False, page_table_base = 0):
def VmmPy_Initialize_Plugins():
def VmmPy_Close():
def VmmPy_Refresh():

Configuration API

To retrieve or set various configuration entries - please call the functions below:

def VmmPy_ConfigGet(vmmpy_opt_id):
def VmmPy_ConfigSet(vmmpy_opt_id, value):
def VmmPy_GetVersion():

File System API

The entire file system is accessible via API functions. Please find them below:

def VmmPy_VfsList(path):
def VmmPy_VfsRead(path_file, length, offset = 0):
def VmmPy_VfsWrite(path_file, bytes_data, offset = 0):

Memory Read/Write API:

Read and write both physical and virtual memory via the functions listed below. In most instances it's possible to specify -1 instead of the process pid to read physical memory instead of process virtual memory. The main exception is VmmPy_MemVirt2Phys which only accepts valid pids.

def VmmPy_MemRead(pid, address, length, flags = 0):
def VmmPy_MemReadScatter(pid, address_list, flags = 0):
def VmmPy_MemWrite(pid, address, bytes_data):
def VmmPy_MemVirt2Phys(pid, address):

Process API:

Functionality related to processes running on the target system are exposed in via the functions below:

def VmmPy_PidList():
def VmmPy_PidGetFromName(process_name):
def VmmPy_ProcessGetPteMap(pid, is_identify_modules = False):
def VmmPy_ProcessGetVadMap(pid, is_identify_modules = False):
def VmmPy_ProcessGetHandleMap(pid):
def VmmPy_ProcessGetHeapMap(pid):
def VmmPy_ProcessGetThreadMap(pid):
def VmmPy_ProcessGetModuleMap(pid):
def VmmPy_ProcessGetModuleFromName(pid, module_name):
def VmmPy_ProcessGetInformation(pid):
def VmmPy_ProcessListInformation():
def VmmPy_ProcessGetEAT(pid, module_name):
def VmmPy_ProcessGetIAT(pid, module_name):
def VmmPy_ProcessGetDirectories(pid, module_name):
def VmmPy_ProcessGetSections(pid, module_name):

Windows specific symbol debugging API:

Limited functionality for debugging symbols retrieved from the Microsoft symbol server.

def VmmPy_PdbLoad(pid, module_base_address):
def VmmPy_PdbSymbolName(module_name, symbol_offset):
def VmmPy_PdbSymbolAddress(module_name, symbol_name):
def VmmPy_PdbTypeSize(module_name, type_name):
def VmmPy_PdbTypeChildOffset(module_name, type_name, type_child_name):

Windows specific API:

def VmmPy_GetUsers():
def VmmPy_MapGetPhysMem():
def VmmPy_MapGetPfns(pfns):
def VmmPy_WinGetThunkInfoEAT(pid, module_name, exported_function):
def VmmPy_WinGetThunkInfoIAT(pid, module_name, imported_module_name, imported_module_function):

Windows Registry API:

The registry API supports enumerating registry hives and the reading/writing of their memory space. Reading and writing individual registry keys are not supported at the moment.

def VmmPy_WinReg_HiveList():
def VmmPy_WinReg_HiveRead(va_hive, address, length, flags = 0):
def VmmPy_WinReg_HiveWrite(va_hive, address, bytes_data):
def VmmPy_WinReg_KeyList(key):
def VmmPy_WinReg_ValueRead(keyvalue):

Network API:

def VmmPy_WinNet_Get():

Utility API:

def VmmPy_UtilFillHexAscii(data_bytes, cb_initial_offset = 0):