-
-
Notifications
You must be signed in to change notification settings - Fork 382
API_Python
MemProcFS is available on Python pip! pip install memprocfs
If installing on Linux supporting packages may be required: sudo apt-get install make gcc pkg-config libusb-1.0 libusb-1.0-0-dev libfuse2 libfuse-dev openssl libssl-dev lz4 liblz4-dev
Some functionality may be degraded on Linux. Please see the Linux section for more information.
Most functionality in MemProcFS is exported in a Python API. To make things easier the API is packaged in a pip package which is available as memprocfs
on Python PIP. This is also the preferred way of installing the Python package even though it's completely possible to compile and install locally or to run it from the MemProcFS folder.
If using the Python API outside the Python PIP package please note that Python may have to be started from the same folder as vmmpyc.pyd
(Windows) or vmmpyc.so
(Linux).
The Python pip package is a native binary CPython C Extension. It has been tested on 64-bit Windows and Linux (x64) as well as on 64-bit ARM (RPi4).
To install MemProcFS for Python please run:
pip install memprocfs
If successful, MemProcFS should now be installed and possible to use. Please note that a 64-bit Python installation is required. 32-bit Python installations will not work! Also for some functionality (such as remembering choices about debug symbols) it may be preferred to install in user-context rather than machine context; alternatively run MemProcFS as administrator the first time to persist the debug symbol choice.
It's also possible use MemProcFS for Python without installing the pip package. Please then start Python from the MemProcFS folder in which vmmpyc.pyd
/ vmmpyc.so
resides.
The MemProcFS Python API is mostly built as a native CPython extension with minor Python components.
Please also see the guide entries about base, process and registry in the guide menu.
The components are roughly related to eachother as given in the tree below:
-
memprocfs
- package.-
Vmm
- base object.-
VmmMap
- info maps. -
VmmVfs
- virtual file system (vfs) info. -
VmmKernel
- kernel info. VmmPysicalMemory
-
VmmProcess
-
VmmRegHive
VmmRegMemory
VmmRegKey
VmmRegValue
-
-
CONSTANTS
- MemProcFS constants. -
RegUtil
- registry utility functions.
-
Best way to getting started with examples is to have a look at the memprocfs_example.py
file which contains a multitude of examples.
It's also possible to run a Python program at MemProcFS start-up with the -pythonexec
parameter. This may be interesting in some live forensics scenarios. Please have a look at the example memprocfs_pythonexec_example.py
.
This example initializes a physical memory dump file for analysis. It then reads from physical memory as well as from process virtual memory.
import memprocfs
# Initialize base object vmm from dump file
vmm = memprocfs.Vmm(['-device', 'C:/Dumps/WIN10-X64-1909-18363-1.dmp'])
# read 0x20 bytes of physical memory from address 0x1000 and print it
# in hexascii on-screen.
print(vmm.hex( vmm.memory.read(0x1000, 0x20) ))
# retrieve the process object for 'explorer.exe'
process_explorer = vmm.process('explorer.exe')
# retrieve the module object 'kernel32' as seen by 'explorer.exe'
module_kernel32 = process_explorer.module('kernel32.dll')
# read 0x80 bytes from the base of 'kernel32' and print it as hexascii
virtual_address_kernel32 = module_kernel32.base
print(vmm.hex( process_explorer.memory.read(virtual_address_kernel32, 0x80) ))
Initialize from FPGA using PCIe DMA and query the live system for it's registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
import memprocfs
# Initialize base object vmm from dump file
vmm = memprocfs.Vmm(['-device', 'fpga'])
# Retrieve the RUN registry key
regkey_run = vmm.reg_key('HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run')
# Loop over the autorun keys and print their values
for regvalue in regkey_run.values():
print(regvalue.name + ': ' + regvalue.vstr())
This example initializes a physical memory dump file for analysis. It then tries to locate the powershell event log and copy it to c:\temp\powershell_eventlog_from_memory.evtx
. Files may be partially recovered from processes with open file handles. One of the svchost processes is responsible for event logging and will hold a handle to the powershell event log.
import memprocfs
# Initialize base object vmm from dump file
vmm = memprocfs.Vmm(['-device', 'C:/Dumps/WIN10-X64-1909-18363-1.dmp'])
# Iterate over all processes in the system
# if a svchost is found list its files under: 'files/handles'
for process in vmm.process_list():
if process.name == 'svchost.exe':
vfs_file_list = vmm.vfs.list('/pid/' + str(process.pid) + '/files/handles')
for file_name in vfs_file_list:
if 'PowerShell' in file_name and 'Operational' in file_name:
file_path = '/pid/' + str(process.pid) + '/files/handles/' + file_name
file_bytes = vmm.vfs.read(file_path, vfs_file_list[file_name]['size'])
outfile = open('c:\\temp\\powershell_eventlog_from_memory.evtx', 'wb')
outfile.write(file_bytes)
outfile.close()
print('powershell log extracted to: c:\\temp\\powershell_events.evtx')
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖