Python interface to LibVMI
Project description
Libvmi Python bindings
If you'd rather perform introspection using Python instead of C, then these bindings will help get you going.
The bindings are Python 2 compatible.
Requirements
python3-pkgconfigpython3-cffi(> 1.6.0)python3-futurelibvmi
Setup
python setup.py build
python setup.py install
API
Constructor
The main class that you need to import is Libvmi.
The default parameters uses VMI_CONFIG_GLOBAL_FILE_ENTRY and calls vmi_init_complete:
from libvmi import Libvmi
with Libvmi("Windows_7") as vmi:
os = vmi.get_ostype()
You can specify a string (VMI_CONFIG_STRING):
from libvmi import Libvmi, VMIConfig
config_str = '{ostype = "Windows";win_pdbase=0x28;win_pid=0x180;win_tasks=0x188;win_pname=0x2e0;}'
with Libvmi("Windows_7", mode=VMIConfig.STRING, config=config_str) as vmi:
os = vmi.get_ostype()
Or a dict (VMI_CONFIG_GHASHTABLE):
from libvmi import Libvmi, VMIConfig
hash = {
"ostype": "Windows",
"win_pdbase": 0x28,
"win_tasks": 0x188,
"win_pid": 0x180,
"win_pname": 0x2e0,
}
with Libvmi("Windows_7", mode=VMIConfig.DICT, config=hash) as vmi:
os = vmi.get_ostype()
You can also use a partial initialization, which calls vmi_init.
(It doesn't require a configuration):
from libvmi import Libvmi
with Libvmi("Windows_7", partial=True) as vmi:
Examples
from libvmi import Libvmi, AccessContext, TranslateMechanism
with Libvmi("Windows_7") as vmi:
pshead = vmi.read_addr_ksym("PsActiveProcessHead")
name = vmi.get_name()
id = vmi.get_vmid()
buffer, bytes_read = vmi.read_va(pshead, 4, 16)
vmi.write_va(pshead, 4, buffer)
ctx = AccessContext(TranslateMechanism.KERNEL_SYMBOL, ksym="PsActiveProcessHead")
buffer, bytes_read = vmi.read(ctx, 8)
Note: The implementation already checks if the return value is VMI_FAILURE and
raises a LibvmiError in such case.
Integration
Volatility
You can use the
volatlity framework
directly in top of the bindings.
git clone https://github.com/volatilityfoundation/volatility /tmp
cp ./volatility/vmi.py /tmp/volatility/volatility/plugins/addrspaces/
Usage
python vol.py -l vmi://domain --profile=Win7SP0x64 pslist
Rekall
The Rekall address space is already
integrated
upstream.
Usage
rekall -f vmi://domain pslist
Contributors
- Bryan D. Payne
- Mathieu Tarral
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distributions
File details
Details for the file libvmi-3.7-cp311-cp311-manylinux_2_28_x86_64.whl.
File metadata
- Download URL: libvmi-3.7-cp311-cp311-manylinux_2_28_x86_64.whl
- Upload date:
- Size: 939.4 kB
- Tags: CPython 3.11, manylinux: glibc 2.28+ x86-64
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.9.20
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 8ed0cf720552043371f88c07eb76ed3281d5f100efdb7abb105a238249397058 |
|
| MD5 | ed2db7426aea8eb078f4004ecddd45a0 |
|
| BLAKE2b-256 | b74f002a758a41c8505656d89e5de1c573499bb1dfffbed6a706019c26146341 |
File details
Details for the file libvmi-3.7-cp310-cp310-manylinux_2_28_x86_64.whl.
File metadata
- Download URL: libvmi-3.7-cp310-cp310-manylinux_2_28_x86_64.whl
- Upload date:
- Size: 939.4 kB
- Tags: CPython 3.10, manylinux: glibc 2.28+ x86-64
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.9.20
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 96ba2a1bd657d1bddeefbb08895c655c0d4ae36f3949bafe710f7994cc7c3361 |
|
| MD5 | f56e5e4b689a4730aae83c6ac66d5cdd |
|
| BLAKE2b-256 | fe5e84ba66103fbae20acf656ef4dcce062546b86ccbad2920d47cdc50f0dca7 |
File details
Details for the file libvmi-3.7-cp39-cp39-manylinux_2_28_x86_64.whl.
File metadata
- Download URL: libvmi-3.7-cp39-cp39-manylinux_2_28_x86_64.whl
- Upload date:
- Size: 939.4 kB
- Tags: CPython 3.9, manylinux: glibc 2.28+ x86-64
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.9.20
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | ac6020bfc6e9c306347d3a963723842191c670b2c5c8567247a5c584b82d6d6f |
|
| MD5 | 5054912e47a0e9c41eb1420f4fd73ee3 |
|
| BLAKE2b-256 | cacca7467b361756009cf04bf1995a14bbecd492d112946b1348636a2ca8fbff |
File details
Details for the file libvmi-3.7-cp38-cp38-manylinux_2_28_x86_64.whl.
File metadata
- Download URL: libvmi-3.7-cp38-cp38-manylinux_2_28_x86_64.whl
- Upload date:
- Size: 939.6 kB
- Tags: CPython 3.8, manylinux: glibc 2.28+ x86-64
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.9.20
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | c5d69d584bf3202fb6325260e932e8742cc169b18ef0503835e07f0613ebcf15 |
|
| MD5 | 6c416dfb8c9acca43cbe41a8effa32c9 |
|
| BLAKE2b-256 | ca9a1034988d783c4b44e1a617f5b744d34c374827907d55c1f66726a0afe890 |
File details
Details for the file libvmi-3.7-cp37-cp37m-manylinux_2_28_x86_64.whl.
File metadata
- Download URL: libvmi-3.7-cp37-cp37m-manylinux_2_28_x86_64.whl
- Upload date:
- Size: 938.9 kB
- Tags: CPython 3.7m, manylinux: glibc 2.28+ x86-64
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.9.20
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 53409fe2c11a496be9ff8cfb11cf1e7010c672f25da803d383469e4e94e7676b |
|
| MD5 | 70550a03c8b0d273ec79c8b3cd3f9aa9 |
|
| BLAKE2b-256 | a9d98e096a6969b62d28fe7ed4b5597c37f2f5a498a08f048e3ac1620351d717 |
