Python interface to LibVMI

Project description

Libvmi Python bindings

If you'd rather perform virtual machine introspection (VMI) from Python instead of C, these bindings will help get you going.

The bindings are Python 2 compatible.

Requirements

  • python3-pkgconfig
  • python3-cffi (> 1.6.0)
  • python3-future
  • libvmi

Setup

python setup.py build
python setup.py install

API

Constructor

The main class that you need to import is Libvmi.

The default parameters use VMI_CONFIG_GLOBAL_FILE_ENTRY (the domain's entry in the global LibVMI configuration file) and call vmi_init_complete:

from libvmi import Libvmi

with Libvmi("Windows_7") as vmi:
    os = vmi.get_ostype()

You can specify a string (VMI_CONFIG_STRING):

from libvmi import Libvmi, VMIConfig

config_str = '{ostype = "Windows";win_pdbase=0x28;win_pid=0x180;win_tasks=0x188;win_pname=0x2e0;}'

with Libvmi("Windows_7", mode=VMIConfig.STRING, config=config_str) as vmi:
    os = vmi.get_ostype()

Or a dict (VMI_CONFIG_GHASHTABLE):

from libvmi import Libvmi, VMIConfig

hash = {
    "ostype": "Windows",
    "win_pdbase": 0x28,
    "win_tasks": 0x188,
    "win_pid": 0x180,
    "win_pname": 0x2e0,
}

with Libvmi("Windows_7", mode=VMIConfig.DICT, config=hash) as vmi:
    os = vmi.get_ostype()

You can also use a partial initialization, which calls vmi_init instead of vmi_init_complete and therefore does not require a configuration:

from libvmi import Libvmi

with Libvmi("Windows_7", partial=True) as vmi:
    pass  # vmi is initialized without any OS-specific configuration
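The string (VMIConfig.STRING) and dict (VMIConfig.DICT) forms above carry the same key/value pairs in two encodings. The helpers below, added here as an example and not part of the libvmi bindings, convert between the two and check that the keys the Windows examples need are present, so an offset typo is rejected before it reaches vmi_init. The function names, the regular expression and the required-key list are this example's own assumptions; LibVMI itself accepts additional keys.

```python
import re

# Keys the Windows examples on this page supply. This list is an assumption of
# the example, not a complete list of what LibVMI accepts.
REQUIRED_WINDOWS_KEYS = ("ostype", "win_pdbase", "win_pid", "win_tasks", "win_pname")

# One 'key = value' entry: value is either a double-quoted string, a hex
# literal or a decimal literal. Whitespace around '=' is tolerated, as in the
# config_str example above.
_ENTRY_RE = re.compile(
    r'\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*("([^"]*)"|0x[0-9A-Fa-f]+|\d+)\s*$'
)


def dict_to_config_string(config):
    """Render a VMIConfig.DICT-style dict as a VMIConfig.STRING config.

    Strings are quoted, non-negative integers are emitted as hex, and entries
    are ';'-terminated inside braces, matching the config_str layout above.
    """
    parts = []
    for key, value in config.items():
        if isinstance(value, bool):  # bool is an int subclass; reject it explicitly
            raise TypeError(f"{key}: booleans are not valid config values")
        if isinstance(value, int):
            if value < 0:
                raise ValueError(f"{key}: offsets must be non-negative")
            parts.append(f"{key}=0x{value:x}")
        elif isinstance(value, str):
            if '"' in value:
                raise ValueError(f"{key}: value may not contain a double quote")
            parts.append(f'{key}="{value}"')
        else:
            raise TypeError(f"{key}: unsupported value type {type(value).__name__}")
    return "{" + ";".join(parts) + ";}"


def config_string_to_dict(config_str):
    """Parse the brace-delimited 'key=value;' config string back into a dict.

    Quoted values become str, numeric values (hex or decimal) become int.
    Malformed or duplicate entries raise ValueError rather than silently
    producing a half-populated config.
    """
    text = config_str.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("config string must be enclosed in braces")
    result = {}
    for entry in text[1:-1].split(";"):
        if not entry.strip():
            continue  # trailing ';' before '}' leaves an empty entry
        m = _ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"malformed config entry: {entry!r}")
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        if key in result:
            raise ValueError(f"duplicate config key: {key}")
        result[key] = quoted if quoted is not None else int(raw, 0)
    return result


def validate_windows_config(config):
    """Return the required Windows keys that are missing from config."""
    return [k for k in REQUIRED_WINDOWS_KEYS if k not in config]


if __name__ == "__main__":
    page_str = '{ostype = "Windows";win_pdbase=0x28;win_pid=0x180;win_tasks=0x188;win_pname=0x2e0;}'
    parsed = config_string_to_dict(page_str)
    print(parsed)
    print(dict_to_config_string(parsed))
    print("missing:", validate_windows_config(parsed))
```

Because the string form is what eventually reaches the C library, round-tripping a dict through dict_to_config_string and back is a cheap way to confirm that the values you pass with mode=VMIConfig.DICT are what you think they are.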

Examples

from libvmi import Libvmi, AccessContext, TranslateMechanism

with Libvmi("Windows_7") as vmi:
    # resolve a kernel symbol and read the pointer stored at that address
    pshead = vmi.read_addr_ksym("PsActiveProcessHead")
    name = vmi.get_name()
    id = vmi.get_vmid()
    # read 16 bytes at a virtual address, translated in the context of pid 4
    buffer, bytes_read = vmi.read_va(pshead, 4, 16)
    # write the same bytes back to that address
    vmi.write_va(pshead, 4, buffer)
    # read 8 bytes through an access context that is resolved by kernel symbol
    ctx = AccessContext(TranslateMechanism.KERNEL_SYMBOL, ksym="PsActiveProcessHead")
    buffer, bytes_read = vmi.read(ctx, 8)

Note: The implementation already checks whether the return value is VMI_FAILURE and raises a LibvmiError in that case, so callers do not need to check status codes themselves.
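The snippet above reads PsActiveProcessHead and then raw bytes at that address; what a practitioner usually wants next is to walk the linked list it points to and enumerate the guest's processes, which is what LibVMI's C process-list example does. The code below is an added example and not part of the bindings: list_processes() needs only an object with the read_va(vaddr, pid, count) -> (buffer, bytes_read) shape shown above, so the real Libvmi object can be passed in, while FakeVmi and build_sample_guest construct a small fake 64-bit guest memory so the walk runs offline. The offsets are the win_* values from the Windows 7 configuration above (their meaning as the ActiveProcessLinks, UniqueProcessId and ImageFileName offsets inside _EPROCESS follows LibVMI's documentation); the sample addresses, the 8-byte pointer width, the process names and the use of pid 0 for kernel-space reads are this example's assumptions.

```python
import struct

# Offsets from the Windows 7 config shown above (assumed meaning per LibVMI docs).
WIN_TASKS = 0x188   # win_tasks: offset of ActiveProcessLinks (LIST_ENTRY) in _EPROCESS
WIN_PID = 0x180     # win_pid: offset of UniqueProcessId
WIN_PNAME = 0x2e0   # win_pname: offset of ImageFileName

PTR_SIZE = 8        # assumption: 64-bit guest
NAME_LEN = 16       # ImageFileName: 15 characters plus NUL


class VmiReadError(Exception):
    """Raised when a read returns fewer bytes than requested or the list misbehaves."""


def _read_exact(vmi, vaddr, pid, count):
    """Read exactly count bytes or raise; a short read is never silently accepted."""
    buf, nread = vmi.read_va(vaddr, pid, count)
    if nread != count:
        raise VmiReadError(f"short read at {vaddr:#x}: {nread}/{count} bytes")
    return bytes(buf[:count])


def list_processes(vmi, pshead, max_entries=4096):
    """Walk ActiveProcessLinks from PsActiveProcessHead; return [(pid, name), ...].

    Reads use pid 0 (kernel address space). max_entries bounds the walk so a
    corrupted or deliberately cyclic list in the guest cannot loop forever.
    """
    procs = []
    flink = struct.unpack("<Q", _read_exact(vmi, pshead, 0, PTR_SIZE))[0]
    while flink != pshead:
        if len(procs) >= max_entries:
            raise VmiReadError("ActiveProcessLinks exceeded max_entries; list may be corrupted")
        eprocess = flink - WIN_TASKS            # LIST_ENTRY sits inside the _EPROCESS
        pid = struct.unpack("<I", _read_exact(vmi, eprocess + WIN_PID, 0, 4))[0]
        raw_name = _read_exact(vmi, eprocess + WIN_PNAME, 0, NAME_LEN)
        name = raw_name.split(b"\0", 1)[0].decode("ascii", errors="replace")
        procs.append((pid, name))
        flink = struct.unpack("<Q", _read_exact(vmi, flink, 0, PTR_SIZE))[0]
    return procs


class FakeVmi:
    """Constructed stand-in for Libvmi exposing the same read_va() shape.

    Memory is a dict of virtual address -> byte; a read that runs into
    unmapped memory comes back short, as a failed guest read would.
    """
    def __init__(self):
        self.mem = {}

    def poke(self, vaddr, data):
        for i, b in enumerate(data):
            self.mem[vaddr + i] = b

    def read_va(self, vaddr, pid, count):
        out = bytearray()
        for i in range(count):
            if vaddr + i not in self.mem:
                break
            out.append(self.mem[vaddr + i])
        return out, len(out)


SAMPLE_HEAD = 0xFFFFF80002A3E3B0    # constructed PsActiveProcessHead address
SAMPLE_BASE = 0xFFFFFA8000100000    # constructed base of the first fake _EPROCESS


def build_sample_guest(pshead, entries):
    """Lay out fake _EPROCESS blocks for (pid, name) pairs, ring-linked through pshead."""
    vmi = FakeVmi()
    bases = [SAMPLE_BASE + i * 0x1000 for i in range(len(entries))]
    ring = [pshead] + [b + WIN_TASKS for b in bases]
    for i, node in enumerate(ring):
        nxt, prev = ring[(i + 1) % len(ring)], ring[i - 1]
        vmi.poke(node, struct.pack("<QQ", nxt, prev))     # Flink, Blink
    for base, (pid, name) in zip(bases, entries):
        vmi.poke(base + WIN_PID, struct.pack("<I", pid))
        vmi.poke(base + WIN_PNAME, name.encode("ascii").ljust(NAME_LEN, b"\0"))
    return vmi


def demo():
    """Enumerate a constructed three-process guest."""
    vmi = build_sample_guest(SAMPLE_HEAD, [(4, "System"), (248, "smss.exe"), (340, "csrss.exe")])
    return list_processes(vmi, SAMPLE_HEAD)


if __name__ == "__main__":
    for pid, name in demo():
        print(f"{pid:>6}  {name}")
```

Bounding the walk with max_entries matters on a guest you do not trust: a corrupted or cyclic list would otherwise keep a monitoring loop spinning, and a short read surfaces as VmiReadError instead of silently truncated data. With the real bindings the same loop runs as list_processes(vmi, vmi.read_addr_ksym("PsActiveProcessHead")).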

Integration

Volatility

You can use the Volatility framework directly on top of the bindings.

git clone https://github.com/volatilityfoundation/volatility /tmp/volatility
cp ./volatility/vmi.py /tmp/volatility/volatility/plugins/addrspaces/

Usage

python vol.py -l vmi://domain --profile=Win7SP0x64 pslist

Rekall

The Rekall address space is already integrated upstream.

Usage

rekall -f vmi://domain pslist

Contributors

  • Bryan D. Payne
  • Mathieu Tarral

Source Distribution

libvmi-3.3.tar.gz (16.2 kB)

Uploaded Source

File details

Details for the file libvmi-3.3.tar.gz.

File metadata

  • Download URL: libvmi-3.3.tar.gz
  • Size: 16.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.12.1 pkginfo/1.4.2 requests/2.20.0 setuptools/40.4.3 requests-toolbelt/0.8.0 tqdm/4.28.1 CPython/3.7.2

File hashes

Hashes for libvmi-3.3.tar.gz:

  • SHA256: 6f5bae5e612b016dbcf178d3252b6af4159666b926184097e9ec2a4478366f74
  • MD5: fceebdd338d6cec683419cf85d933cb4
  • BLAKE2b-256: a58fd0212b289927732e6e902bee1e7f9450a9fe8db325c91df8663bdc46db44
