
API_Python

ufrisk edited this page Mar 21, 2021 · 26 revisions

Python API

MemProcFS since v3.9 contains a new rewritten Python API. The new API is NOT compatible with the previous API.

MemProcFS is available on Python pip! pip install memprocfs

Most functionality in MemProcFS is exported in a Python API. To make things easier the API is packaged as a pip package, available as memprocfs on Python PIP. This is also the preferred way of installing the Python package, even though it's entirely possible to compile and install it locally or to run it from the MemProcFS folder.

If using the Python API outside the Python PIP package please note that Python may have to be started from the same folder as vmmpyc.pyd.

The Python pip package is a native binary CPython C extension.

NB! MemProcFS is only supported on 64-bit Windows. MemProcFS is not supported on Linux yet.

An introduction demo is available on YouTube.

Installing:

To install MemProcFS for Python please run:

pip install memprocfs

If successful, MemProcFS should now be installed and ready to use. Please note that a 64-bit Python installation is required. 32-bit Python installations will not work! Also, for some functionality (such as remembering choices about debug symbols) it may be preferable to install in user context rather than machine context; alternatively, run MemProcFS as administrator the first time to persist the debug symbol choice.

It's also possible to use MemProcFS for Python without installing the pip package. In that case, start Python from the MemProcFS folder in which vmmpyc.pyd resides.

Overview:

The MemProcFS Python API is mostly built as a native CPython extension with minor Python components.

Please also see the guide entries about base, process and registry in the guide menu.

The components are roughly related to each other as given in the tree below:

  • memprocfs - package.

Getting Started with Examples:

The best way to get started with examples is to have a look at the memprocfs_example.py file, which contains a multitude of examples.

Example #1 - Initialize from memory dump and read memory:

This example initializes a physical memory dump file for analysis. It then reads from physical memory as well as from process virtual memory.

import memprocfs

# Initialize base object vmm from dump file
vmm = memprocfs.Vmm(['-device', 'C:/Dumps/WIN10-X64-1909-18363-1.dmp'])

# read 0x20 bytes of physical memory from address 0x1000 and print it
# in hexascii on-screen.
print(vmm.hex( vmm.memory.read(0x1000, 0x20) ))

# retrieve the process object for 'explorer.exe'
process_explorer = vmm.process('explorer.exe')

# retrieve the module object 'kernel32' as seen by 'explorer.exe'
module_kernel32 = process_explorer.module('kernel32.dll')

# read 0x80 bytes from the base of 'kernel32' and print it as hexascii
virtual_address_kernel32 = module_kernel32.base
print(vmm.hex( process_explorer.memory.read(virtual_address_kernel32, 0x80) ))

Example #2 - Extract registry autorun keys from FPGA PCIe DMA live memory:

Initialize from FPGA using PCIe DMA and query the live system for its registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

import memprocfs

# Initialize base object vmm from the FPGA device (live memory over PCIe DMA)
vmm = memprocfs.Vmm(['-device', 'fpga'])

# Retrieve the RUN registry key
regkey_run = vmm.reg_key('HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run')

# Loop over the autorun keys and print their values
for regvalue in regkey_run.values():
    print(regvalue.name + ':   ' + regvalue.vstr())

Example #3 - Extract powershell event log from memory dump:

This example initializes a physical memory dump file for analysis. It then tries to locate the powershell event log and copy it to c:\temp\powershell_eventlog_from_memory.evtx. Files may be partially recovered from processes with open file handles. One of the svchost processes is responsible for event logging and will hold a handle to the powershell event log.

import memprocfs

# Initialize base object vmm from dump file
vmm = memprocfs.Vmm(['-device', 'C:/Dumps/WIN10-X64-1909-18363-1.dmp'])

# Initialize plugin functionality
# This is required to access the virtual file system (vfs)
vmm.initialize_plugins()

# Iterate over all processes in the system
# if a svchost is found list its files under: 'files/handles'
for process in vmm.process_list():
    if process.name == 'svchost.exe':
        vfs_file_list = vmm.vfs.list('/pid/' + str(process.pid) + '/files/handles')
        for file_name in vfs_file_list:
            if 'PowerShell' in file_name and 'Operational' in file_name:
                file_path = '/pid/' + str(process.pid) + '/files/handles/' + file_name
                file_bytes = vmm.vfs.read(file_path, vfs_file_list[file_name]['size'])
                with open('c:\\temp\\powershell_eventlog_from_memory.evtx', 'wb') as outfile:
                    outfile.write(file_bytes)
                print('powershell log extracted to: c:\\temp\\powershell_eventlog_from_memory.evtx')
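Because a file carved from a process handle, as in Example #3, may be only partially recovered, it is worth checking how much of the .evtx structure survived before handing it to a log parser. The following is an added example, not code from the MemProcFS project or this wiki; it assumes the documented EVTX layout (a 4 KiB "ElfFile" header block followed by 64 KiB "ElfChnk" chunks whose header checksum is a CRC32 over bytes 0..119 and 128..511) and builds its own constructed sample image so that it runs offline:

```python
import struct
import zlib

EVTX_FILE_MAGIC, EVTX_CHUNK_MAGIC = b"ElfFile\x00", b"ElfChnk\x00"
FILE_HEADER_SIZE, CHUNK_SIZE = 4096, 65536  # 4 KiB header block, 64 KiB chunks


def chunk_header_crc(chunk):
    # Chunk header checksum: CRC32 over bytes 0..119 and 128..511 of the chunk.
    return zlib.crc32(chunk[:120] + chunk[128:512]) & 0xFFFFFFFF


def triage_evtx(data):
    """Report how much of a memory-carved EVTX file is structurally usable."""
    r = {"valid_header": False, "declared_chunks": 0, "valid_chunks": 0,
         "truncated": False, "last_record_id": None}
    if len(data) < FILE_HEADER_SIZE or data[:8] != EVTX_FILE_MAGIC:
        return r
    # After the magic: first/last chunk no., next record id, header size (128),
    # minor/major version, header block size (4096) and chunk count.
    _, _, _, hdr_size, _, _, hdr_block, chunk_count = struct.unpack_from("<QQQIHHHH", data, 8)
    r["valid_header"] = hdr_size == 128 and hdr_block == FILE_HEADER_SIZE
    r["declared_chunks"] = chunk_count
    r["truncated"] = len(data) < FILE_HEADER_SIZE + chunk_count * CHUNK_SIZE
    for i in range(chunk_count):
        chunk = data[FILE_HEADER_SIZE + i * CHUNK_SIZE:][:CHUNK_SIZE]
        if len(chunk) < CHUNK_SIZE or chunk[:8] != EVTX_CHUNK_MAGIC:
            break  # chunk missing or overwritten: nothing after it is trustworthy
        if struct.unpack_from("<I", chunk, 124)[0] != chunk_header_crc(chunk):
            break  # header checksum mismatch, e.g. page not resident at capture time
        r["valid_chunks"] += 1
        r["last_record_id"] = struct.unpack_from("<Q", chunk, 32)[0]  # last record id
    return r


def build_chunk(first_id, last_id):
    """Constructed test chunk (no real records) with a correct header CRC."""
    hdr = bytearray(512)
    hdr[:8] = EVTX_CHUNK_MAGIC
    struct.pack_into("<QQQQIIII", hdr, 8, 1, 1, first_id, last_id, 128, 512, 512, 0)
    struct.pack_into("<I", hdr, 124, chunk_header_crc(bytes(hdr)))
    return bytes(hdr) + bytes(CHUNK_SIZE - 512)


def build_sample(chunk_count, drop_tail=0):
    """Constructed EVTX image: file header plus chunks, optionally cut short."""
    hdr = bytearray(FILE_HEADER_SIZE)
    hdr[:8] = EVTX_FILE_MAGIC
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, chunk_count - 1, 1, 128, 1, 3,
                     FILE_HEADER_SIZE, chunk_count)
    chunks = b"".join(build_chunk(3 * i + 1, 3 * i + 3) for i in range(chunk_count))
    data = bytes(hdr) + chunks
    return data[:-drop_tail] if drop_tail else data
```

Running triage_evtx over the bytes read from the vfs before writing them out tells you whether the carved log is complete, truncated, or damaged from a given chunk onwards, and which record id is the last one recoverable.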