Python interface to LibVMI

These details have not been verified by PyPI

Project links

Homepage

GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Project description

Libvmi Python bindings

If you'd rather perform introspection using Python instead of C, then these bindings will help get you going.

The bindings are Python 2 compatible.

Requirements

python3-pkgconfig
python3-cffi (> 1.6.0)
python3-future
libvmi

Setup

python setup.py build
python setup.py install

API

Constructor

The main class that you need to import is Libvmi.

The default parameters uses VMI_CONFIG_GLOBAL_FILE_ENTRY and calls vmi_init_complete:

from libvmi import Libvmi

with Libvmi("Windows_7") as vmi:
    os = vmi.get_ostype()

You can specify a string (VMI_CONFIG_STRING):

from libvmi import Libvmi, VMIConfig

config_str = '{ostype = "Windows";win_pdbase=0x28;win_pid=0x180;win_tasks=0x188;win_pname=0x2e0;}'

with Libvmi("Windows_7", mode=VMIConfig.STRING, config=config_str) as vmi:
    os = vmi.get_ostype()

Or a dict (VMI_CONFIG_GHASHTABLE):

from libvmi import Libvmi, VMIConfig

hash = {
    "ostype": "Windows",
    "win_pdbase": 0x28,
    "win_tasks": 0x188,
    "win_pid": 0x180,
    "win_pname": 0x2e0,
}

with Libvmi("Windows_7", mode=VMIConfig.DICT, config=hash) as vmi:
    os = vmi.get_ostype()

You can also use a partial initialization, which calls vmi_init. (It doesn't require a configuration):

from libvmi import Libvmi

with Libvmi("Windows_7", partial=True) as vmi:

Examples

from libvmi import Libvmi, AccessContext, TranslateMechanism

with Libvmi("Windows_7") as vmi:
    pshead = vmi.read_addr_ksym("PsActiveProcessHead")
    name = vmi.get_name()
    id = vmi.get_vmid()
    buffer, bytes_read = vmi.read_va(pshead, 4, 16)
    vmi.write_va(pshead, 4, buffer)
    ctx = AccessContext(TranslateMechanism.KERNEL_SYMBOL, ksym="PsActiveProcessHead")
    buffer, bytes_read = vmi.read(ctx, 8)

Note: The implementation already checks if the return value is VMI_FAILURE and raises a LibvmiError in such case.

Integration

Volatility

You can use the volatlity framework directly in top of the bindings.

git clone https://github.com/volatilityfoundation/volatility /tmp
cp ./volatility/vmi.py /tmp/volatility/volatility/plugins/addrspaces/

Usage

python vol.py -l vmi://domain --profile=Win7SP0x64 pslist

Rekall

The Rekall address space is already integrated upstream.

Usage

rekall -f vmi://domain pslist

Contributors

Bryan D. Payne
Mathieu Tarral

Project details

These details have not been verified by PyPI

Project links

Homepage

GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Release history Release notifications | RSS feed

This version

3.6.2

Apr 16, 2022

3.4

Sep 10, 2020

3.3

Jan 26, 2019

3.2.3

Nov 13, 2018

3.2.1

Jun 6, 2018

3.2

Jun 6, 2018

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distributions

libvmi-3.6.2-cp311-cp311-manylinux_2_28_x86_64.whl (938.8 kB view hashes)

Uploaded Dec 5, 2023 CPython 3.11 manylinux: glibc 2.28+ x86-64

libvmi-3.6.2-cp310-cp310-manylinux_2_28_x86_64.whl (938.8 kB view hashes)

Uploaded Dec 5, 2023 CPython 3.10 manylinux: glibc 2.28+ x86-64

libvmi-3.6.2-cp39-cp39-manylinux_2_28_x86_64.whl (938.8 kB view hashes)

Uploaded Dec 5, 2023 CPython 3.9 manylinux: glibc 2.28+ x86-64

libvmi-3.6.2-cp39-cp39-manylinux_2_24_x86_64.whl (844.0 kB view hashes)

Uploaded Apr 16, 2022 CPython 3.9 manylinux: glibc 2.24+ x86-64

libvmi-3.6.2-cp38-cp38-manylinux_2_28_x86_64.whl (939.1 kB view hashes)

Uploaded Dec 5, 2023 CPython 3.8 manylinux: glibc 2.28+ x86-64

libvmi-3.6.2-cp38-cp38-manylinux_2_24_x86_64.whl (844.3 kB view hashes)

Uploaded Apr 16, 2022 CPython 3.8 manylinux: glibc 2.24+ x86-64

libvmi-3.6.2-cp37-cp37m-manylinux_2_28_x86_64.whl (938.4 kB view hashes)

Uploaded Dec 5, 2023 CPython 3.7m manylinux: glibc 2.28+ x86-64

libvmi-3.6.2-cp37-cp37m-manylinux_2_24_x86_64.whl (843.4 kB view hashes)

Uploaded Apr 16, 2022 CPython 3.7m manylinux: glibc 2.24+ x86-64

libvmi-3.6.2-cp36-cp36m-manylinux_2_24_x86_64.whl (843.4 kB view hashes)

Uploaded Apr 16, 2022 CPython 3.6m manylinux: glibc 2.24+ x86-64

Hashes for libvmi-3.6.2-cp311-cp311-manylinux_2_28_x86_64.whl

Hashes for libvmi-3.6.2-cp311-cp311-manylinux_2_28_x86_64.whl
Algorithm	Hash digest
SHA256	`2d85d37164afb8451204f015de0aee1934779a35847040cab7c1350017e2b6d1`
MD5	`f1eb09fd31604d6d6ad94343588f903f`
BLAKE2b-256	`449caa903a25f72b0efe36801c445505f6615bc3221260d9fa0e2c37ccbf2797`

Hashes for libvmi-3.6.2-cp310-cp310-manylinux_2_28_x86_64.whl

Hashes for libvmi-3.6.2-cp310-cp310-manylinux_2_28_x86_64.whl
Algorithm	Hash digest
SHA256	`00ce93eee0405fb0495743fb80ded11eb0f7b30941cbb318661f88f5aa013067`
MD5	`133473a60cd5d9fb5bb2623562ef5c11`
BLAKE2b-256	`afbddacb89aa856fce210b3973d306859e8e2b6c08488d3fc204701ef838f850`

Hashes for libvmi-3.6.2-cp39-cp39-manylinux_2_28_x86_64.whl

Hashes for libvmi-3.6.2-cp39-cp39-manylinux_2_28_x86_64.whl
Algorithm	Hash digest
SHA256	`518a5e3a20cb7b238427141412ffac2df1c6a45310f8ec96268f1a9743533c5e`
MD5	`acb34b90fbcc7867207a37e67bfb5f7d`
BLAKE2b-256	`96d8d9c96582e7d5d6771dd78d126b61533218609efac84434be8bd0b79a453d`

Hashes for libvmi-3.6.2-cp39-cp39-manylinux_2_24_x86_64.whl

Hashes for libvmi-3.6.2-cp39-cp39-manylinux_2_24_x86_64.whl
Algorithm	Hash digest
SHA256	`bf69a56413d7c8c97fcdc3b8593252e6a371d2b37ecca8b75ea763afb60b6872`
MD5	`147828febf81eccedd3c2bc29c2c0d70`
BLAKE2b-256	`2c82b55a2cad64b6eccb9fc4a12267341b11a91f0e50ce5f9baa223f5ae03bae`

Hashes for libvmi-3.6.2-cp38-cp38-manylinux_2_28_x86_64.whl

Hashes for libvmi-3.6.2-cp38-cp38-manylinux_2_28_x86_64.whl
Algorithm	Hash digest
SHA256	`2864ad27539cf8803ebc2e35afc1081b568bd009e7135af6fb223d2529af09a4`
MD5	`bcb4dc41ed2f8ed67e0a1650b429b163`
BLAKE2b-256	`69480d6b9bcd4df30658d05baa8bed3cb29df60358008cd3bf1f346246218674`

Hashes for libvmi-3.6.2-cp38-cp38-manylinux_2_24_x86_64.whl

Hashes for libvmi-3.6.2-cp38-cp38-manylinux_2_24_x86_64.whl
Algorithm	Hash digest
SHA256	`5aa9b118ac49b35b52a1f66d62bd54b622a71fc4a2a315b3a0be17bbcd1653fb`
MD5	`80df14bac17d85f5fc3a46c500c99833`
BLAKE2b-256	`2d183a7251e99b0da062de92414c5a9370213173bc2b9670c44696a25ecd4e8e`

Hashes for libvmi-3.6.2-cp37-cp37m-manylinux_2_28_x86_64.whl

Hashes for libvmi-3.6.2-cp37-cp37m-manylinux_2_28_x86_64.whl
Algorithm	Hash digest
SHA256	`936180a1dc97c68b08425191bc232d4599ebab2a1be7ca6f3f3a6d14d51c2d6c`
MD5	`cce8fcacd02d5aa4e0328235b8787dac`
BLAKE2b-256	`067e2f3121b94d272aac71b70285ce8bf2b50671b20fa8526702a2dea8f91015`

Hashes for libvmi-3.6.2-cp37-cp37m-manylinux_2_24_x86_64.whl

Hashes for libvmi-3.6.2-cp37-cp37m-manylinux_2_24_x86_64.whl
Algorithm	Hash digest
SHA256	`be7827c48c1782d09683822251b518bba059cefbdefffb1db5ab60bdc3b1dcad`
MD5	`4d984a9b9c6a3cbc80d6c44c8edd3388`
BLAKE2b-256	`c12b99f8d18fc348474d76e5d3c2e4abe11bbdb9c6e93a26017cbf9ae52007cc`

Hashes for libvmi-3.6.2-cp36-cp36m-manylinux_2_24_x86_64.whl

Hashes for libvmi-3.6.2-cp36-cp36m-manylinux_2_24_x86_64.whl
Algorithm	Hash digest
SHA256	`8d1e5a8923e4ac90ae6d5e14146dfed147973cc7879d9a86be9708f512c1c770`
MD5	`949f65ebaedb11f6dcbd42ac89b3f9a5`
BLAKE2b-256	`a5728425fb425195d28e1b6abe105669aac228386a425368c9f60f55cf6a0d5e`