API_C
All functionality in the Memory Process File System is exported in a C/C++ API for use by developers. The header file is named vmmdll.h and is used together with vmm.dll / vmm.lib.
It may also be interesting to look into the more basic API related to read/write physical memory exported by the LeechCore library.
NB! Currently only 64-bit Windows is supported. Linux support for the C/C++ API is planned for the future.
The complete documentation is found in vmmdll.h; this wiki entry only contains an overview.
An example file containing a lot of use cases is found in the file vmmdll_example.c in the vmmdll_example project in the Visual Studio solution.
After vmm.dll is loaded it has to be initialized.
Depending on whether it should be initialized from a file, an FPGA or something else, VMMDLL_Initialize should be called with a different list of string parameters in the first argument. The arguments are the same as the options given when starting The Memory Process File System, except for argv[0], which it is recommended to set to blank.
/* Initialize vmm.dll after it has been loaded. argv carries the same options
 * as are given when starting The Memory Process File System; argv[0] is
 * recommended to be left blank. Because these options select the memory
 * acquisition source (file, fpga, ...), they should come from trusted
 * configuration rather than be assembled from untrusted input. */
BOOL VMMDLL_Initialize(_In_ DWORD argc, _In_ LPSTR argv[]);
/* Shut the library down again. Note that in C an empty parameter list `()`
 * is an unprototyped declaration; `(void)` is the prototype form. */
BOOL VMMDLL_Close();
/* Refresh the library's cached view of the target. NOTE(review): the meaning
 * of dwReserved is not documented on this page — see vmmdll.h. */
BOOL VMMDLL_Refresh(_In_ DWORD dwReserved);
/* Read / write a library configuration option. The fOption constants are
 * defined in vmmdll.h and are not listed here; ConfigGet returns the value in
 * *pqwValue. The BOOL result presumably signals success/failure — confirm. */
BOOL VMMDLL_ConfigGet(_In_ ULONG64 fOption, _Out_ PULONG64 pqwValue);
BOOL VMMDLL_ConfigSet(_In_ ULONG64 fOption, _In_ ULONG64 qwValue);
The MemProcFS.exe file is just a wrapper around the API below:
/* Virtual file system (VFS) API. MemProcFS.exe is just a wrapper around these
 * functions. The read/write functions return NTSTATUS. */

/* List the directory wcsPath into pFileList. */
BOOL VMMDLL_VfsList(_In_ LPCWSTR wcsPath, _Inout_ PVMMDLL_VFS_FILELIST pFileList);
/* Read up to cb bytes starting at cbOffset from the virtual file wcsFileName
 * into pb. cb bounds the write into pb, so pb must be at least cb bytes; the
 * number of bytes actually read is returned in *pcbRead. */
NTSTATUS VMMDLL_VfsRead(
_In_ LPCWSTR wcsFileName,
_Out_ LPVOID pb,
_In_ DWORD cb,
_Out_ PDWORD pcbRead,
_In_ ULONG64 cbOffset
);
/* Write cb bytes from pb to the virtual file wcsFileName at cbOffset; the
 * number of bytes written is returned in *pcbWrite. NOTE(review): since the
 * file system exposes the analysed target, a write here presumably modifies
 * the target's state — confirm before using it in a read-only forensic
 * workflow. */
NTSTATUS VMMDLL_VfsWrite(
_In_ LPCWSTR wcsFileName,
_In_ LPVOID pb,
_In_ DWORD cb,
_Out_ PDWORD pcbWrite,
_In_ ULONG64 cbOffset
);
/* Helpers for serving a VFS read/write of a value held by the caller. By their
 * names they expose a caller buffer (pbFile, cbFile), or a QWORD / DWORD /
 * BOOL value, through the same (pb, cb, pcbRead, cbOffset) contract as
 * VMMDLL_VfsRead, and parse a written BOOL / DWORD back into *pfTarget /
 * *pdwTarget. NOTE(review): fPrefix presumably selects a "0x" prefix on the
 * textual output, and dwMinAllow presumably a lower bound on the accepted
 * DWORD — confirm both against vmmdll.h. */
NTSTATUS VMMDLL_UtilVfsReadFile_FromPBYTE(
_In_ PBYTE pbFile,
_In_ ULONG64 cbFile,
_Out_ LPVOID pb,
_In_ DWORD cb,
_Out_ PDWORD pcbRead,
_In_ ULONG64 cbOffset
);
NTSTATUS VMMDLL_UtilVfsReadFile_FromQWORD(
_In_ ULONG64 qwValue,
_Out_ LPVOID pb,
_In_ DWORD cb,
_Out_ PDWORD pcbRead,
_In_ ULONG64 cbOffset,
_In_ BOOL fPrefix
);
NTSTATUS VMMDLL_UtilVfsReadFile_FromDWORD(
_In_ DWORD dwValue,
_Out_ LPVOID pb,
_In_ DWORD cb,
_Out_ PDWORD pcbRead,
_In_ ULONG64 cbOffset,
_In_ BOOL fPrefix
);
NTSTATUS VMMDLL_UtilVfsReadFile_FromBOOL(
_In_ BOOL fValue,
_Out_ LPVOID pb,
_In_ DWORD cb,
_Out_ PDWORD pcbRead,
_In_ ULONG64 cbOffset
);
NTSTATUS VMMDLL_UtilVfsWriteFile_BOOL(
_Inout_ PBOOL pfTarget,
_In_ LPVOID pb,
_In_ DWORD cb,
_Out_ PDWORD pcbWrite,
_In_ ULONG64 cbOffset
);
NTSTATUS VMMDLL_UtilVfsWriteFile_DWORD(
_Inout_ PDWORD pdwTarget,
_In_ LPVOID pb, _In_ DWORD cb,
_Out_ PDWORD pcbWrite,
_In_ ULONG64 cbOffset,
_In_ DWORD dwMinAllow
);
In most instances it is possible to specify (DWORD)-1 instead of the process pid in order to read physical memory instead of process virtual memory.
/* Memory access. dwPID selects the process whose virtual address space is
 * accessed; in most instances (DWORD)-1 may be given instead to access
 * physical memory directly. */

/* Scatter read: ppMEMs is an array of cpMEMs scatter headers that are filled
 * in place. NOTE(review): the DWORD result is presumably the number of
 * entries successfully read — confirm in vmmdll.h; flag constants are
 * defined there and not listed on this page. */
DWORD VMMDLL_MemReadScatter(
_In_ DWORD dwPID,
_Inout_ PPVMMDLL_MEM_IO_SCATTER_HEADER ppMEMs,
_In_ DWORD cpMEMs,
_In_ DWORD flags
);
/* Read one page at qwVA. Per the annotation pbPage must be a 4096-byte
 * buffer; a smaller buffer is an out-of-bounds write on the caller's side. */
BOOL VMMDLL_MemReadPage(
_In_ DWORD dwPID,
_In_ ULONG64 qwVA,
_Inout_bytecount_(4096) PBYTE pbPage
);
/* Read cb bytes at qwVA into pb; pb must hold at least cb bytes. */
BOOL VMMDLL_MemRead(
_In_ DWORD dwPID,
_In_ ULONG64 qwVA,
_Out_ PBYTE pb,
_In_ DWORD cb
);
/* As VMMDLL_MemRead, but the number of bytes actually read may be returned in
 * *pcbReadOpt (optional), and flags modifies the read. Flag constants are
 * defined in vmmdll.h and are not listed here. */
BOOL VMMDLL_MemReadEx(
_In_ DWORD dwPID,
_In_ ULONG64 qwVA,
_Inout_ PBYTE pb,
_In_ DWORD cb,
_Out_opt_ PDWORD pcbReadOpt,
_In_ ULONG64 flags
);
/* Hint that the cPrefetchAddresses addresses in pPrefetchAddresses are about
 * to be read, so they can be fetched ahead of time. */
BOOL VMMDLL_MemPrefetchPages(
_In_ DWORD dwPID,
_In_reads_(cPrefetchAddresses) PULONG64 pPrefetchAddresses,
_In_ DWORD cPrefetchAddresses
);
/* By name, writes cb bytes from pb to qwVA in the target. NOTE(review): the
 * _Out_ annotation on pb looks inverted for a source buffer — check against
 * vmmdll.h. A write modifies the target's memory, so keep this call out of
 * read-only forensic workflows. */
BOOL VMMDLL_MemWrite(
_In_ DWORD dwPID,
_In_ ULONG64 qwVA,
_Out_ PBYTE pb,
_In_ DWORD cb
);
/* Translate the virtual address qwVA of process dwPID to a physical address,
 * returned in *pqwPA. */
BOOL VMMDLL_MemVirt2Phys(
_In_ DWORD dwPID,
_In_ ULONG64 qwVA,
_Out_ PULONG64 pqwPA
);
Functionality related to processes running on the target system is exposed via the functions below:
/* Look up the pid of a process by name, returned in *pdwPID. NOTE(review):
 * szProcName is a non-const LPSTR — presumably not modified, and the matching
 * rule (exact / case-sensitive) is not documented on this page; confirm in
 * vmmdll.h. */
BOOL VMMDLL_PidGetFromName(
_In_ LPSTR szProcName,
_Out_ PDWORD pdwPID
);
/* List process ids into pPIDs. pPIDs is optional and *pcPIDs is in/out, which
 * looks like the usual size-query pattern (pass NULL to receive the required
 * count, then call again with a buffer of that size) — NOTE(review): confirm
 * in vmmdll.h. */
BOOL VMMDLL_PidList(
_Out_opt_ PDWORD pPIDs,
_Inout_ PULONG64 pcPIDs
);
/* Retrieve the memory map of process dwPID into pMemMapEntries. The buffer is
 * optional and *pcMemMapEntries is in/out — looks like a size-query pattern
 * (NULL buffer to receive the required count; NOTE(review): confirm).
 * fIdentifyModules presumably asks for entries to be attributed to loaded
 * modules — confirm in vmmdll.h. */
BOOL VMMDLL_ProcessGetMemoryMap(
_In_ DWORD dwPID,
_Out_opt_ PVMMDLL_MEMMAP_ENTRY pMemMapEntries,
_Inout_ PULONG64 pcMemMapEntries,
_In_ BOOL fIdentifyModules
);
/* Retrieve the single memory map entry of process dwPID that contains the
 * virtual address va. */
BOOL VMMDLL_ProcessGetMemoryMapEntry(
_In_ DWORD dwPID,
_Out_ PVMMDLL_MEMMAP_ENTRY pMemMapEntry,
_In_ ULONG64 va,
_In_ BOOL fIdentifyModules
);
/* Retrieve the module map of process dwPID; same optional-buffer / in-out
 * count convention as VMMDLL_ProcessGetMemoryMap. */
BOOL VMMDLL_ProcessGetModuleMap(
_In_ DWORD dwPID,
_Out_opt_ PVMMDLL_MODULEMAP_ENTRY pModuleEntries,
_Inout_ PULONG64 pcModuleEntries
);
/* Look up a single module of process dwPID by name. */
BOOL VMMDLL_ProcessGetModuleFromName(
_In_ DWORD dwPID,
_In_ LPSTR szModuleName,
_Out_ PVMMDLL_MODULEMAP_ENTRY pModuleEntry
);
/* Retrieve process information. pcbProcessInformation is an _In_ size —
 * pass the size of the structure you supply so the library has a bound for
 * what it writes into *pProcessInformation. NOTE(review): whether the size
 * is also updated, and what a NULL pProcessInformation does, is not
 * documented on this page — see vmmdll.h. */
BOOL VMMDLL_ProcessGetInformation(
_In_ DWORD dwPID,
_Inout_opt_ PVMMDLL_PROCESS_INFORMATION pProcessInformation,
_In_ PSIZE_T pcbProcessInformation
);
/* PE-related queries on module szModule of process dwPID. The parsed
 * structures come from the target's memory, so treat their contents as
 * untrusted when using them to size further reads. */

/* Retrieve the image data directories. Per the annotation pData must have
 * room for 16 IMAGE_DATA_DIRECTORY entries; NOTE(review): how cData relates
 * to that fixed count is not documented on this page. The number of entries
 * written is returned in *pcData. */
BOOL VMMDLL_ProcessGetDirectories(
_In_ DWORD dwPID,
_In_ LPSTR szModule,
_Out_writes_(16) PIMAGE_DATA_DIRECTORY pData,
_In_ DWORD cData,
_Out_ PDWORD pcData
);
/* Retrieve the section headers. pData is optional with capacity cData and the
 * count is returned in *pcData — looks like the size-query pattern
 * (NOTE(review): confirm). */
BOOL VMMDLL_ProcessGetSections(
_In_ DWORD dwPID,
_In_ LPSTR szModule,
_Out_opt_ PIMAGE_SECTION_HEADER pData,
_In_ DWORD cData,
_Out_ PDWORD pcData
);
/* Retrieve the export address table (EAT) entries; same convention as
 * VMMDLL_ProcessGetSections. */
BOOL VMMDLL_ProcessGetEAT(
_In_ DWORD dwPID,
_In_ LPSTR szModule,
_Out_opt_ PVMMDLL_EAT_ENTRY pData,
_In_ DWORD cData,
_Out_ PDWORD pcData
);
/* Retrieve the import address table (IAT) entries; same convention as
 * VMMDLL_ProcessGetSections. */
BOOL VMMDLL_ProcessGetIAT(
_In_ DWORD dwPID,
_In_ LPSTR szModule,
_Out_opt_ PVMMDLL_IAT_ENTRY pData,
_In_ DWORD cData,
_Out_ PDWORD pcData
);
/* Resolve the address of an exported function, returned as a ULONG64.
 * NOTE(review): the failure value (presumably 0) is not documented on this
 * page — check before dereferencing the result. */
ULONG64 VMMDLL_ProcessGetProcAddress(
_In_ DWORD dwPID,
_In_ LPSTR szModuleName,
_In_ LPSTR szFunctionName
);
/* Resolve the base address of a loaded module; same failure-value caveat as
 * VMMDLL_ProcessGetProcAddress. */
ULONG64 VMMDLL_ProcessGetModuleBase(
_In_ DWORD dwPID,
_In_ LPSTR szModuleName
);
/* Windows-specific helpers. */

/* Retrieve IAT thunk information for the import szImportFunctionName from
 * szImportModuleName inside module szModuleName of process dwPID. The result
 * structure is defined in vmmdll.h. */
BOOL VMMDLL_WinGetThunkInfoIAT(
_In_ DWORD dwPID,
_In_ LPSTR szModuleName,
_In_ LPSTR szImportModuleName,
_In_ LPSTR szImportFunctionName,
_Out_ PVMMDLL_WIN_THUNKINFO_IAT pThunkInfoIAT
);
/* Retrieve EAT thunk information for the export szExportFunctionName of
 * module szModuleName of process dwPID. */
BOOL VMMDLL_WinGetThunkInfoEAT(
_In_ DWORD dwPID,
_In_ LPSTR szModuleName,
_In_ LPSTR szExportFunctionName,
_Out_ PVMMDLL_WIN_THUNKINFO_EAT pThunkInfoEAT
);
/* Decompress one page of (by name) Windows memory-compression data found at
 * vaCompressedData. Per the annotation pbDecompressedPage must be a 4096-byte
 * buffer. cbCompressedData is optional input and *pcbCompressedData an
 * optional output; NOTE(review): the compressed data is read from the target
 * and is untrusted, so the decompressor is the security-relevant parser here
 * — see vmmdll.h for which address space vaCompressedData refers to. */
BOOL VMMDLL_WinMemCompression_DecompressPage(
_In_ ULONG64 vaCompressedData,
_In_opt_ DWORD cbCompressedData,
_Out_writes_(4096) PBYTE pbDecompressedPage,
_Out_opt_ PDWORD pcbCompressedData
);
/* Format cb bytes of pb as a hex/ascii dump into sz. NOTE(review): *pcsz is
 * in/out and presumably carries the size of sz on input and the required or
 * written length on output (size query when sz is NULL), and cbInitialOffset
 * presumably the offset shown for the first byte — confirm in vmmdll.h. */
BOOL VMMDLL_UtilFillHexAscii(
_In_ PBYTE pb,
_In_ DWORD cb,
_In_ DWORD cbInitialOffset,
_Inout_ LPSTR sz,
_Inout_ PDWORD pcsz);
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖