Skip to content

API_Python

Ulf Frisk edited this page Mar 8, 2019 · 5 revisions

Python API

Most functionality in the Memory Process File System is exported in a Python API for use by developers. The Python API is a wrapper around the C/C++ API and requires vmm.dll and vmmpyc.pyd. The Python API itself is found in the file vmmpy.pywhich also contains the complete documentation. This wiki entry however contains an overview of the Python API.

NB! Currently 64-bit Windows is supported. Linux support for VmmPy is planned in the future.

Example:

An example file containing a lot of use cases are found in the file vmmpy_example.py in the files folder.

Functionality:

After VmmPy is loaded it has to be initialized. Depending on whether it should be initialized from file, fpga or something else different VmmPy_Initialize should be called with a different list of string parameters in the first argument. The arguments are the same as given as options when starting The Memory Process File System.

def VmmPy_Initialize(args, is_printf = True, is_verbose = False, is_verbose_extra = False, is_verbose_tlp = False, page_table_base = 0):
def VmmPy_Close():
def VmmPy_Refresh():

To retrieve or set various configuration entries - please call the functions below:

def VmmPy_ConfigGet(vmmpy_opt_id):
def VmmPy_ConfigSet(vmmpy_opt_id, value):
def VmmPy_GetVersion():

The entire file system is accessible via API functions. Please find them below:

def VmmPy_VfsList(path):
def VmmPy_VfsRead(path_file, length, offset = 0):
def VmmPy_VfsWrite(path_file, bytes_data, offset = 0):

Read and write both physical and virtual memory via the functions listed below. In most instances it's possible to specify -1 instead of the process pid to read physical memory instead of process virtual memory. The main exception is VmmPy_MemVirt2Phys which only accepts valid pids.

def VmmPy_MemRead(pid, address, length, flags = 0):
def VmmPy_MemReadScatter(pid, address_list, flags = 0):
def VmmPy_MemWrite(pid, address, bytes_data):
def VmmPy_MemVirt2Phys(pid, address):

Functionality related to processes running on the target system are exposed in via the functions below:

def VmmPy_PidList():
def VmmPy_PidGetFromName(process_name):
def VmmPy_ProcessGetMemoryMap(pid, is_identify_modules = False):
def VmmPy_ProcessGetMemoryMapEntry(pid, va, is_identify_modules = False):
def VmmPy_ProcessGetModuleMap(pid):
def VmmPy_ProcessGetModuleFromName(pid, module_name):
def VmmPy_ProcessGetInformation(pid):
def VmmPy_ProcessListInformation():
def VmmPy_ProcessGetEAT(pid, module_name):
def VmmPy_ProcessGetIAT(pid, module_name):
def VmmPy_ProcessGetDirectories(pid, module_name):
def VmmPy_ProcessGetSections(pid, module_name):

Utility functions:

def VmmPy_UtilFillHexAscii(data_bytes, cb_initial_offset = 0):
You can’t perform that action at this time.