
Python interface to LibVMI

Project description

Libvmi Python bindings


If you'd rather perform introspection using Python instead of C, then these bindings will help get you going.

The bindings are Python 2 compatible.


  • python3-pkgconfig
  • python3-cffi (> 1.6.0)
  • python3-future
  • libvmi


python build
python install



The main class that you need to import is Libvmi.

The default parameters use VMI_CONFIG_GLOBAL_FILE_ENTRY and call vmi_init_complete:

from libvmi import Libvmi

with Libvmi("Windows_7") as vmi:
    os = vmi.get_ostype()

You can specify a string (VMI_CONFIG_STRING):

from libvmi import Libvmi, VMIConfig

config_str = '{ostype = "Windows";win_pdbase=0x28;win_pid=0x180;win_tasks=0x188;win_pname=0x2e0;}'

with Libvmi("Windows_7", mode=VMIConfig.STRING, config=config_str) as vmi:
    os = vmi.get_ostype()


from libvmi import Libvmi, VMIConfig

hash = {
    "ostype": "Windows",
    "win_pdbase": 0x28,
    "win_tasks": 0x188,
    "win_pid": 0x180,
    "win_pname": 0x2e0,
}

with Libvmi("Windows_7", mode=VMIConfig.DICT, config=hash) as vmi:
    os = vmi.get_ostype()

You can also use a partial initialization, which calls vmi_init and doesn't require a configuration:

from libvmi import Libvmi

with Libvmi("Windows_7", partial=True) as vmi:
    pass  # the handle is initialized without an OS configuration


from libvmi import Libvmi, AccessContext, TranslateMechanism

with Libvmi("Windows_7") as vmi:
    pshead = vmi.read_addr_ksym("PsActiveProcessHead")
    name = vmi.get_name()
    id = vmi.get_vmid()
    buffer, bytes_read = vmi.read_va(pshead, 4, 16)
    vmi.write_va(pshead, 4, buffer)
    ctx = AccessContext(TranslateMechanism.KERNEL_SYMBOL, ksym="PsActiveProcessHead")
    buffer, bytes_read = vmi.read(ctx, 8)

Note: The implementation already checks whether the return value is VMI_FAILURE and raises a LibvmiError in that case.
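The reads shown above are enough to walk the guest's active-process list from PsActiveProcessHead, using the win_tasks, win_pid and win_pname offsets from the configuration. The following is an added example, not code from the project: it assumes the bindings expose read_addr_va, read_32_va and read_str_va taking (vaddr, pid), and FakeVmi and sample_guest are constructed stand-ins so the walk runs without a hypervisor.

```python
# Added example. Offsets come from the page's config; the read_*_va method
# names and their (vaddr, pid) arguments are assumptions about the bindings.
OFFSETS = {"win_tasks": 0x188, "win_pid": 0x180, "win_pname": 0x2e0}

def list_processes(vmi, offsets=OFFSETS, max_entries=4096):
    """Walk EPROCESS.ActiveProcessLinks and return [(pid, name), ...]."""
    tasks = offsets["win_tasks"]
    first = vmi.read_addr_ksym("PsActiveProcessHead")  # Flink of the list head
    cur, nxt = first, vmi.read_addr_va(first, 0)       # pid 0: kernel mappings
    seen, procs = set(), []
    while True:
        if cur in seen or len(seen) >= max_entries:
            # A healthy list comes back to `first` through the head. Anything
            # else is a corrupted or tampered list: stop rather than spin.
            raise RuntimeError("process list does not terminate (0x%x)" % cur)
        seen.add(cur)
        eprocess = cur - tasks                         # LIST_ENTRY -> EPROCESS base
        procs.append((vmi.read_32_va(eprocess + offsets["win_pid"], 0),
                      vmi.read_str_va(eprocess + offsets["win_pname"], 0)))
        cur, nxt = nxt, vmi.read_addr_va(nxt, 0)
        if nxt == first:                               # cur is now the head itself
            return procs

class FakeVmi:
    """Constructed stand-in for a Libvmi handle: guest memory as a dict."""
    def __init__(self, mem, ksyms):
        self.mem, self.ksyms = mem, ksyms
    def read_addr_ksym(self, sym):
        return self.mem[self.ksyms[sym]]
    def read_addr_va(self, vaddr, pid):
        return self.mem[vaddr]
    read_32_va = read_str_va = read_addr_va

def sample_guest(procs, head=0x1000, base=0x10000, stride=0x1000):
    """Build constructed guest memory holding a circular list of `procs`."""
    links = [base + i * stride + OFFSETS["win_tasks"] for i in range(len(procs))]
    mem = {head: links[0]}
    for i, (pid, name) in enumerate(procs):
        eprocess = base + i * stride
        mem[eprocess + OFFSETS["win_pid"]] = pid
        mem[eprocess + OFFSETS["win_pname"]] = name
        mem[links[i]] = links[i + 1] if i + 1 < len(procs) else head
    return FakeVmi(mem, {"PsActiveProcessHead": head})

if __name__ == "__main__":
    print(list_processes(sample_guest([(4, "System"), (312, "smss.exe")])))
```

With a real handle, call list_processes(vmi) inside the with Libvmi(...) block; a failed guest read surfaces as LibvmiError, as the note above describes.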



You can use the Volatility framework directly on top of the bindings.

git clone /tmp
cp ./volatility/ /tmp/volatility/volatility/plugins/addrspaces/


python -l vmi://domain --profile=Win7SP0x64 pslist


The Rekall address space is already integrated upstream.


rekall -f vmi://domain pslist


  • Bryan D. Payne
  • Mathieu Tarral


Download files


Filename, size: libvmi-3.3.tar.gz (16.2 kB)
File type: Source
Python version: None
