# memprocfs_pythonexec_example.py
#
# MemProcFS supports running a Python program at start-up in the context of the
# plugin sub-system with full access to the MemProcFS Python API. For more info
# about the API - please check out the guide at:
# https://github.com/ufrisk/MemProcFS/wiki/API_Python
#
# MemProcFS plugins and start-up programs are supported on Windows and Linux.
#
# Example:
# memprocfs.exe -device memory.dmp -pythonexec memprocfs_pythonexec_example.py
#
# This example will display a process list, search for RWX memory regions
# (at most five per process) and, if forensic mode is enabled, copy the CSV
# reports from /forensic/csv/ to /tmp/ (Linux) or C:\Temp\ (Windows).
#
# Note that the vmm MemProcFS API object already exists and is ready for use
# when this script runs - no initialization is needed here.
#
# Also note that each step is wrapped in its own try/except, so a failure in
# one step is reported and the remaining steps still run.
#
# https://github.com/ufrisk/MemProcFS
#
# (c) Ulf Frisk, 2022
# Author: Ulf Frisk, pcileech@frizk.net
#
# Step 1: enumerate every process in the image with its pid and full name.
# 'vmm' is injected by MemProcFS before this script starts (see header).
print("--------------- START MEMPROCFS PYTHONEXEC EXAMPLE ---------------")
try:
    print("", "1. Processes by pid/name:", "-------------------------", sep="\n")
    for proc in vmm.process_list():
        print(f"{proc.pid:d}: \t {proc.fullname}")
except Exception as err:
    # Best effort: report and fall through so the next step still runs.
    print(f"memprocfs_pythonexec_example.py: exception: {err}")
# Step 2: list memory regions that are readable, writable AND executable.
# RWX regions are a common triage indicator (injected or self-modifying
# code), so they are worth eyeballing. Output is capped at five hits per
# process to keep the listing readable; the cap limits what is printed, not
# what is scanned.
try:
    print("", "2. RWX memory [max 5 per process]", "---------------------------------", sep="\n")
    for proc in vmm.process_list():
        shown = 0
        for region in proc.maps.pte():
            # entry['flags'] is assumed to be a string whose '-rwx' substring
            # marks read/write/execute pages - see the MemProcFS API wiki for
            # the exact flag format.
            if '-rwx' not in region['flags']:
                continue
            print(f"{proc.pid:d}: \t {proc.name} \t {region!s}")
            shown += 1
            if shown == 5:
                break
except Exception as err:
    # Best effort: report and fall through so the next step still runs.
    print(f"memprocfs_pythonexec_example.py: exception: {err}")
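# Step 3: export the forensic-mode CSV reports to local disk. /forensic/csv/
# is only populated when MemProcFS runs with forensic mode enabled; otherwise
# nothing is copied (an empty listing or a failing list() both end up here
# as a no-op or a printed exception).
try:
    print("", "3. Copy CSV files from forensic mode (if enabled)", "-------------------------------------------------", sep="\n")
    import os
    # Destination: /tmp/ on POSIX, C:\Temp\ on Windows.
    # NOTE(review): both are shared, world-writable locations and the file
    # name is predictable, so on a multi-user host a pre-planted symlink at
    # dst_path could redirect the write. O_NOFOLLOW (where the platform has
    # it) refuses to open through a symlink at the final path component; for
    # stronger isolation write into a per-run tempfile.mkdtemp() directory.
    dst_path_base = '/tmp/' if os.sep == '/' else 'C:\\Temp\\'
    os.makedirs(dst_path_base, exist_ok=True)
    open_flags = (os.O_WRONLY | os.O_CREAT | os.O_TRUNC
                  | getattr(os, 'O_NOFOLLOW', 0)    # POSIX only
                  | getattr(os, 'O_BINARY', 0))     # Windows only
    vfs_files = vmm.vfs.list("/forensic/csv/")
    for vfs_name in vfs_files:
        info = vfs_files[vfs_name]
        if info['f_isdir']:
            continue
        vfs_path = "/forensic/csv/" + vfs_name
        # The names come from the MemProcFS vfs listing and should be plain
        # file names; basename() is belt-and-braces so a separator can never
        # steer the write outside dst_path_base.
        dst_path = dst_path_base + 'memprocfs_pythonexec_example_' + os.path.basename(vfs_name)
        size = info['size']
        print("copy file '%s' to '%s'" % (vfs_path, dst_path))
        # 0o600: the CSVs are derived from a memory image and may contain
        # credentials and other sensitive material - keep them owner-only.
        fd = os.open(dst_path, open_flags, 0o600)
        with os.fdopen(fd, "wb") as out:
            offset = 0
            # Copy in 1 MiB chunks until 'size' bytes have been read.
            while offset < size:
                chunk = vmm.vfs.read(vfs_path, 0x00100000, offset)
                if not chunk:
                    # A zero-length read before 'size' bytes have arrived
                    # would never advance 'offset' and spin forever; report
                    # the short copy and move on to the next file.
                    print("short read on '%s' at offset %i of %i bytes" % (vfs_path, offset, size))
                    break
                out.write(chunk)
                offset += len(chunk)
except Exception as e:
    # Best effort: report the failure; the example still prints its footer.
    print("memprocfs_pythonexec_example.py: exception: " + str(e))
print("---------------- END MEMPROCFS PYTHONEXEC EXAMPLE ----------------")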