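static void ExampleVmm()
{
    // End-to-end tour of the vmm API against a memory dump: initialization,
    // config options, the virtual file system (VFS), physical memory reads,
    // process / module introspection of explorer.exe, PDB symbol lookups and
    // registry access. Return values are a bool (success) or an NTSTATUS-style
    // uint; most are assigned only to show the API shape and are not checked.
    //
    // Fixes relative to the previous revision:
    //  - VfsWrite was called with the file name "\\memory.pmem, 0x200", so the
    //    write targeted a non-existent VFS path; the offset is the third argument.
    //  - The explorer.exe PID lookup result was ignored, so a missing process
    //    let every call below run against an unset PID.
    //  - vmm.Close() now runs in a finally block so the native instance is
    //    released even when a step throws.
    bool result;
    uint nt;

    // Initialize vmm (verbose) against a live FPGA/DMA device ...
    //vmm.Initialize("-printf", "-v", "-device", "fpga");
    // ... or, as here, against a dump file. The path is hard-coded for the example.
    // NOTE(review): Initialize's success is not checked; if it fails, every
    // call below fails as well.
    vmm.Initialize("-printf", "-v", "-device", "c:\\dumps\\WIN7-X64-SP1-1.pmem");
    try
    {
        // Read the detected memory model, then switch extra verbosity on and
        // read the option back.
        ulong ulOptionMM, ulOptionVV;
        result = vmm.ConfigGet(vmm.OPT_CORE_MEMORYMODEL, out ulOptionMM);
        result = vmm.ConfigGet(vmm.OPT_CORE_VERBOSE_EXTRA, out ulOptionVV);
        result = vmm.ConfigSet(vmm.OPT_CORE_VERBOSE_EXTRA, 1);
        result = vmm.ConfigGet(vmm.OPT_CORE_VERBOSE_EXTRA, out ulOptionVV);

        // Plugins must be initialized before the VFS can be used.
        vmm.InitializePlugins();

        // VFS: list the root directory through the two callbacks, then read
        // 0x200 bytes at offset 0x1000 of the raw physical-memory file.
        result = vmm.VfsList("\\", 1, ExampleVfsCallBack_AddFile, ExampleVfsCallBack_AddDirectory);
        byte[] pbMemoryRead;
        nt = vmm.VfsRead("\\memory.pmem", 0x200, 0x1000, out pbMemoryRead);
        // Write the bytes straight back to the same offset. \memory.pmem is raw
        // physical memory: on a live DMA target this patches the running
        // system, and on a dump it may alter (or be refused by) the evidence
        // file. Keep writes out of forensic workflows and do them only on purpose.
        if (pbMemoryRead != null && pbMemoryRead.Length > 0)
        {
            nt = vmm.VfsWrite("\\memory.pmem", pbMemoryRead, 0x1000);
        }

        // Physical memory scatter read of two pages (PID 0xffffffff addresses physical memory).
        MEM_SCATTER[] MEMsPhysical = vmm.MemReadScatter(0xffffffff, 0, 0x1000, 0x2000);

        // All PIDs on the system as a sorted list.
        uint[] dwPidAll = vmm.PidList();

        // explorer.exe is the demo target process; stop here if it is not running
        // instead of continuing with an unset PID.
        uint dwExplorerPID;
        if (!vmm.PidGetFromName("explorer.exe", out dwExplorerPID))
        {
            return;
        }

        // Kernel-side image path and general process information.
        string strKernel32KernelPath = vmm.ProcessGetInformationString(dwExplorerPID, vmm.VMMDLL_PROCESS_INFORMATION_OPT_STRING_PATH_KERNEL);
        vmm.PROCESS_INFORMATION ProcInfo = vmm.ProcessGetInformation(dwExplorerPID);

        // kernel32.dll!GetTickCount64 address and the kernel32.dll module base.
        ulong vaTickCount64 = vmm.ProcessGetProcAddress(dwExplorerPID, "kernel32.dll", "GetTickCount64");
        ulong vaKernel32Base = vmm.ProcessGetModuleBase(dwExplorerPID, "kernel32.dll");

        // PE data directories, section headers, export and import tables of kernel32.dll.
        vmm.IMAGE_DATA_DIRECTORY[] DIRs = vmm.ProcessGetDirectories(dwExplorerPID, "kernel32.dll");
        vmm.IMAGE_SECTION_HEADER[] SECTIONs = vmm.ProcessGetSections(dwExplorerPID, "kernel32.dll");
        vmm.EAT_ENTRY[] EATs = vmm.ProcessGetEAT(dwExplorerPID, "kernel32.dll");
        vmm.IAT_ENTRY[] IATs = vmm.ProcessGetIAT(dwExplorerPID, "kernel32.dll");

        // Thunk details for one export (GetTickCount64) and one import (ntdll!TpAllocPool).
        vmm.THUNKINFO_EAT ThunkEAT;
        result = vmm.GetThunkInfoEAT(dwExplorerPID, "kernel32.dll", "GetTickCount64", out ThunkEAT);
        vmm.THUNKINFO_IAT ThunkIAT;
        result = vmm.GetThunkInfoIAT(dwExplorerPID, "kernel32.dll", "ntdll.dll", "TpAllocPool", out ThunkIAT);

        // Per-process maps (page tables, VADs, modules, heaps, threads, handles)
        // and system-wide maps (network, physical ranges, users, a few PFNs).
        vmm.MAP_PTEENTRY[] mPte = vmm.Map_GetPte(dwExplorerPID);
        vmm.MAP_VADENTRY[] mVad = vmm.Map_GetVad(dwExplorerPID);
        vmm.MAP_MODULEENTRY[] mModule = vmm.Map_GetModule(dwExplorerPID);
        vmm.MAP_MODULEENTRY mModuleKernel32 = vmm.Map_GetModuleFromName(dwExplorerPID, "kernel32.dll");
        vmm.MAP_HEAPENTRY[] mHeaps = vmm.Map_GetHeap(dwExplorerPID);
        vmm.MAP_THREADENTRY[] mThreads = vmm.Map_GetThread(dwExplorerPID);
        vmm.MAP_HANDLEENTRY[] mHandles = vmm.Map_GetHandle(dwExplorerPID);
        vmm.MAP_NETENTRY[] mNetworkConnections = vmm.Map_GetNet();
        vmm.MAP_PHYSMEMENTRY[] mPhysMemRanges = vmm.Map_GetPhysMem();
        vmm.MAP_USERENTRY[] mUsers = vmm.Map_GetUsers();
        vmm.MAP_PFNENTRY[] mPfn = vmm.Map_GetPfn(1, 2, 1024);

        // First 128 bytes of kernel32.dll, then the physical address backing
        // its first page.
        // NOTE(review): if kernel32.dll was not found, mModuleKernel32.vaBase is
        // presumably 0 and these calls just fail - confirm against Map_GetModuleFromName.
        byte[] dataKernel32MZ = vmm.MemRead(dwExplorerPID, mModuleKernel32.vaBase, 128, 0);
        ulong paBaseKernel32;
        result = vmm.MemVirt2Phys(dwExplorerPID, mModuleKernel32.vaBase, out paBaseKernel32);

        // Load kernel32's PDB from the Microsoft symbol server and resolve its
        // entry point to a symbol name; then look up a kernel symbol address
        // and a struct member offset from the nt PDB.
        // NOTE(review): symbol loading implies outbound network access from the
        // analysis host - confirm this is acceptable (or that an offline symbol
        // store is configured) before running in an isolated lab.
        string szPdbModuleName = "";
        result = vmm.PdbLoad(dwExplorerPID, mModuleKernel32.vaBase, out szPdbModuleName);
        if (result)
        {
            uint dwSymbolOffset = (uint)(mModuleKernel32.vaEntry - mModuleKernel32.vaBase);
            string szEntryPoint;
            uint dwEntryPointDisplacement;
            result = vmm.PdbSymbolName(szPdbModuleName, dwSymbolOffset, out szEntryPoint, out dwEntryPointDisplacement);
        }
        ulong vaKeQueryOwnerMutant;
        result = vmm.PdbSymbolAddress("nt", "KeQueryOwnerMutant", out vaKeQueryOwnerMutant);
        uint oOptionalHeaders;
        result = vmm.PdbTypeChildOffset("nt", "_IMAGE_NT_HEADERS64", "OptionalHeader", out oOptionalHeaders);

        // Registry: list hives, read 0x100 bytes (presumably at hive offset
        // 0x1000) of the first one, enumerate a key and read its first value.
        // Null-safe in case the lookups report nothing.
        vmm.REGISTRY_HIVE_INFORMATION[] RegHives = vmm.RegHiveList();
        if (RegHives != null && RegHives.Length > 0)
        {
            byte[] RegHiveData = vmm.RegHiveRead(RegHives[0].vaCMHIVE, 0x1000, 0x100, 0);
        }
        vmm.REGISTRY_ENUM RegEnum = vmm.RegEnum("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion");
        if (RegEnum.ValueList != null && RegEnum.ValueList.Count > 0)
        {
            uint RegValueType;
            byte[] RegValueData = vmm.RegValueRead(RegEnum.wszFullPathKey + "\\" + RegEnum.ValueList[0].name, out RegValueType);
        }
    }
    finally
    {
        // Release the native vmm instance even if a step above threw.
        vmm.Close();
    }
}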
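static void ExampleVmm()
{
    // End-to-end tour of the vmm API against a memory dump: initialization,
    // config options, the virtual file system (VFS), physical memory reads,
    // process / module introspection of explorer.exe, scatter reads, PDB
    // symbol lookups, registry access and a memory search. Return values are
    // a bool (success) or an NTSTATUS-style uint; most are assigned only to
    // show the API shape and are not checked.
    //
    // Fixes relative to the previous revision:
    //  - VfsWrite was called with the file name "\\memory.pmem, 0x200", so the
    //    write targeted a non-existent VFS path; the offset is the third argument.
    //  - The explorer.exe PID lookup result was ignored, so a missing process
    //    let every call below run against an unset PID.
    //  - The native scatter handle and the vmm instance are now released in
    //    finally blocks so an exception cannot leak them.
    bool result;
    uint nt;

    // Initialize vmm (verbose) against a live FPGA/DMA device ...
    //vmm.Initialize("-printf", "-v", "-device", "fpga");
    // ... or, as here, against a dump file. The path is hard-coded for the example.
    // NOTE(review): Initialize's success is not checked; if it fails, every
    // call below fails as well.
    vmm.Initialize("-printf", "-v", "-device", "c:\\dumps\\WIN7-X64-SP1-1.pmem");
    try
    {
        // Read the detected memory model, then switch extra verbosity on and
        // read the option back.
        ulong ulOptionMM, ulOptionVV;
        result = vmm.ConfigGet(vmm.OPT_CORE_MEMORYMODEL, out ulOptionMM);
        result = vmm.ConfigGet(vmm.OPT_CORE_VERBOSE_EXTRA, out ulOptionVV);
        result = vmm.ConfigSet(vmm.OPT_CORE_VERBOSE_EXTRA, 1);
        result = vmm.ConfigGet(vmm.OPT_CORE_VERBOSE_EXTRA, out ulOptionVV);

        // Plugins must be initialized before the VFS can be used.
        vmm.InitializePlugins();

        // VFS: list the root directory through the two callbacks, then read
        // 0x200 bytes at offset 0x1000 of the raw physical-memory file.
        result = vmm.VfsList("\\", 1, ExampleVfsCallBack_AddFile, ExampleVfsCallBack_AddDirectory);
        byte[] pbMemoryRead;
        nt = vmm.VfsRead("\\memory.pmem", 0x200, 0x1000, out pbMemoryRead);
        // Write the bytes straight back to the same offset. \memory.pmem is raw
        // physical memory: on a live DMA target this patches the running
        // system, and on a dump it may alter (or be refused by) the evidence
        // file. Keep writes out of forensic workflows and do them only on purpose.
        if (pbMemoryRead != null && pbMemoryRead.Length > 0)
        {
            nt = vmm.VfsWrite("\\memory.pmem", pbMemoryRead, 0x1000);
        }

        // Physical memory scatter read of two pages (PID 0xffffffff addresses physical memory).
        MEM_SCATTER[] MEMsPhysical = vmm.MemReadScatter(0xffffffff, 0, 0x1000, 0x2000);

        // All PIDs on the system as a sorted list.
        uint[] dwPidAll = vmm.PidList();

        // explorer.exe is the demo target process; stop here if it is not running
        // instead of continuing with an unset PID.
        uint dwExplorerPID;
        if (!vmm.PidGetFromName("explorer.exe", out dwExplorerPID))
        {
            return;
        }

        // Kernel-side image path and general process information.
        string strKernel32KernelPath = vmm.ProcessGetInformationString(dwExplorerPID, vmm.VMMDLL_PROCESS_INFORMATION_OPT_STRING_PATH_KERNEL);
        vmm.PROCESS_INFORMATION ProcInfo = vmm.ProcessGetInformation(dwExplorerPID);

        // kernel32.dll!GetTickCount64 address and the kernel32.dll module base.
        ulong vaTickCount64 = vmm.ProcessGetProcAddress(dwExplorerPID, "kernel32.dll", "GetTickCount64");
        ulong vaKernel32Base = vmm.ProcessGetModuleBase(dwExplorerPID, "kernel32.dll");

        // PE data directories and section headers of kernel32.dll.
        vmm.IMAGE_DATA_DIRECTORY[] DIRs = vmm.ProcessGetDirectories(dwExplorerPID, "kernel32.dll");
        vmm.IMAGE_SECTION_HEADER[] SECTIONs = vmm.ProcessGetSections(dwExplorerPID, "kernel32.dll");

        // Per-process maps (page tables, VADs incl. the first 10 extended VAD
        // entries, loaded and unloaded modules, export/import tables of
        // kernel32.dll, heaps, threads, handles) and system-wide maps
        // (network, physical ranges, users, services, a few PFNs).
        vmm.MAP_PTEENTRY[] mPte = vmm.Map_GetPte(dwExplorerPID);
        vmm.MAP_VADENTRY[] mVad = vmm.Map_GetVad(dwExplorerPID);
        vmm.MAP_VADEXENTRY[] mVadEx = vmm.Map_GetVadEx(dwExplorerPID, 0, 10);
        vmm.MAP_MODULEENTRY[] mModule = vmm.Map_GetModule(dwExplorerPID);
        vmm.MAP_MODULEENTRY mModuleKernel32 = vmm.Map_GetModuleFromName(dwExplorerPID, "kernel32.dll");
        vmm.MAP_UNLOADEDMODULEENTRY[] mUnloadedModule = vmm.Map_GetUnloadedModule(dwExplorerPID);
        vmm.MAP_EATINFO EatInfo;
        vmm.MAP_EATENTRY[] mEAT = vmm.Map_GetEAT(dwExplorerPID, "kernel32.dll", out EatInfo);
        vmm.MAP_IATENTRY[] mIAT = vmm.Map_GetIAT(dwExplorerPID, "kernel32.dll");
        vmm.MAP_HEAPENTRY[] mHeaps = vmm.Map_GetHeap(dwExplorerPID);
        vmm.MAP_THREADENTRY[] mThreads = vmm.Map_GetThread(dwExplorerPID);
        vmm.MAP_HANDLEENTRY[] mHandles = vmm.Map_GetHandle(dwExplorerPID);
        vmm.MAP_NETENTRY[] mNetworkConnections = vmm.Map_GetNet();
        vmm.MAP_PHYSMEMENTRY[] mPhysMemRanges = vmm.Map_GetPhysMem();
        vmm.MAP_USERENTRY[] mUsers = vmm.Map_GetUsers();
        vmm.MAP_SERVICEENTRY[] mServices = vmm.Map_GetServices();
        vmm.MAP_PFNENTRY[] mPfn = vmm.Map_GetPfn(1, 2, 1024);

        // First 128 bytes of kernel32.dll, then the physical address backing
        // its first page.
        // NOTE(review): if kernel32.dll was not found, mModuleKernel32.vaBase is
        // presumably 0 and these calls just fail - confirm against Map_GetModuleFromName.
        byte[] dataKernel32MZ = vmm.MemRead(dwExplorerPID, mModuleKernel32.vaBase, 128, 0);
        ulong paBaseKernel32;
        result = vmm.MemVirt2Phys(dwExplorerPID, mModuleKernel32.vaBase, out paBaseKernel32);

        // Read two independent ranges of kernel32.dll in one round-trip to the
        // underlying system via a scatter handle, bypassing the cache
        // (FLAG_NOCACHE). The handle wraps native memory and must be closed.
        IntPtr hS;
        if (vmm.Scatter_Initialize(dwExplorerPID, vmm.FLAG_NOCACHE, out hS))
        {
            try
            {
                // Queue the ranges, execute the read, then pull the results
                // (the first read asks for only 0x80 of the 0x100 prepared bytes).
                vmm.Scatter_Prepare(hS, mModuleKernel32.vaBase, 0x100);
                vmm.Scatter_Prepare(hS, mModuleKernel32.vaBase + 0x2000, 0x100);
                vmm.Scatter_Execute(hS);
                byte[] pbKernel32_100_1 = vmm.Scatter_Read(hS, mModuleKernel32.vaBase, 0x80);
                byte[] pbKernel32_100_2 = vmm.Scatter_Read(hS, mModuleKernel32.vaBase + 0x2000, 0x100);
            }
            finally
            {
                // Frees the native scatter memory; hS must not be used afterwards.
                // Done in finally so a throwing Prepare/Execute/Read cannot leak it.
                vmm.Scatter_CloseHandle(ref hS);
            }
        }

        // Load kernel32's PDB from the Microsoft symbol server and resolve its
        // entry point to a symbol name; then look up a kernel symbol address
        // and a struct member offset from the nt PDB.
        // NOTE(review): symbol loading implies outbound network access from the
        // analysis host - confirm this is acceptable (or that an offline symbol
        // store is configured) before running in an isolated lab.
        string szPdbModuleName = "";
        result = vmm.PdbLoad(dwExplorerPID, mModuleKernel32.vaBase, out szPdbModuleName);
        if (result)
        {
            uint dwSymbolOffset = (uint)(mModuleKernel32.vaEntry - mModuleKernel32.vaBase);
            string szEntryPoint;
            uint dwEntryPointDisplacement;
            result = vmm.PdbSymbolName(szPdbModuleName, dwSymbolOffset, out szEntryPoint, out dwEntryPointDisplacement);
        }
        ulong vaKeQueryOwnerMutant;
        result = vmm.PdbSymbolAddress("nt", "KeQueryOwnerMutant", out vaKeQueryOwnerMutant);
        uint oOptionalHeaders;
        result = vmm.PdbTypeChildOffset("nt", "_IMAGE_NT_HEADERS64", "OptionalHeader", out oOptionalHeaders);

        // Registry: list hives, read 0x100 bytes (presumably at hive offset
        // 0x1000) of the first one, enumerate a key and read its first value.
        // Null-safe in case the lookups report nothing.
        vmm.REGISTRY_HIVE_INFORMATION[] RegHives = vmm.RegHiveList();
        if (RegHives != null && RegHives.Length > 0)
        {
            byte[] RegHiveData = vmm.RegHiveRead(RegHives[0].vaCMHIVE, 0x1000, 0x100, 0);
        }
        vmm.REGISTRY_ENUM RegEnum = vmm.RegEnum("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion");
        if (RegEnum.ValueList != null && RegEnum.ValueList.Count > 0)
        {
            uint RegValueType;
            byte[] RegValueData = vmm.RegValueRead(RegEnum.wszFullPathKey + "\\" + RegEnum.ValueList[0].name, out RegValueType);
        }

        // Search explorer.exe's whole user-mode range (0 .. 0x7fffffffffff) for
        // the DOS-stub string, i.e. locate PE headers. This walks a lot of
        // memory and can be slow; vmm.MemSearchM searches several patterns in
        // one pass if more than one is needed.
        ulong[] vaExplorerPE = vmm.MemSearch1(dwExplorerPID, System.Text.Encoding.ASCII.GetBytes("cannot be run in DOS mode"), 0, 0x7fffffffffff);
    }
    finally
    {
        // Release the native vmm instance even if a step above threw.
        vmm.Close();
    }
}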