Package vmm

Interface IVmm


public interface IVmm
The main MemProcFS implementation for Java.
MemProcFS for Java requires JNA - https://github.com/java-native-access/jna which must be on the classpath.
Check out the example code to get started! https://github.com/ufrisk/MemProcFS/
Author:
Ulf Frisk - pcileech@frizk.net
  • Field Details

    • OPT_CORE_PRINTF_ENABLE

      static final long OPT_CORE_PRINTF_ENABLE
    • OPT_CORE_VERBOSE

      static final long OPT_CORE_VERBOSE
    • OPT_CORE_VERBOSE_EXTRA

      static final long OPT_CORE_VERBOSE_EXTRA
    • OPT_CORE_VERBOSE_EXTRA_TLP

      static final long OPT_CORE_VERBOSE_EXTRA_TLP
    • OPT_CORE_MAX_NATIVE_ADDRESS

      static final long OPT_CORE_MAX_NATIVE_ADDRESS
    • OPT_CORE_LEECHCORE_HANDLE

      static final long OPT_CORE_LEECHCORE_HANDLE
    • OPT_CORE_SYSTEM

      static final long OPT_CORE_SYSTEM
    • OPT_CORE_MEMORYMODEL

      static final long OPT_CORE_MEMORYMODEL
    • OPT_CONFIG_IS_REFRESH_ENABLED

      static final long OPT_CONFIG_IS_REFRESH_ENABLED
    • OPT_CONFIG_TICK_PERIOD

      static final long OPT_CONFIG_TICK_PERIOD
    • OPT_CONFIG_READCACHE_TICKS

      static final long OPT_CONFIG_READCACHE_TICKS
    • OPT_CONFIG_TLBCACHE_TICKS

      static final long OPT_CONFIG_TLBCACHE_TICKS
    • OPT_CONFIG_PROCCACHE_TICKS_PARTIAL

      static final long OPT_CONFIG_PROCCACHE_TICKS_PARTIAL
    • OPT_CONFIG_PROCCACHE_TICKS_TOTAL

      static final long OPT_CONFIG_PROCCACHE_TICKS_TOTAL
    • OPT_CONFIG_VMM_VERSION_MAJOR

      static final long OPT_CONFIG_VMM_VERSION_MAJOR
    • OPT_CONFIG_VMM_VERSION_MINOR

      static final long OPT_CONFIG_VMM_VERSION_MINOR
    • OPT_CONFIG_VMM_VERSION_REVISION

      static final long OPT_CONFIG_VMM_VERSION_REVISION
    • OPT_CONFIG_STATISTICS_FUNCTIONCALL

      static final long OPT_CONFIG_STATISTICS_FUNCTIONCALL
    • OPT_CONFIG_IS_PAGING_ENABLED

      static final long OPT_CONFIG_IS_PAGING_ENABLED
    • OPT_WIN_VERSION_MAJOR

      static final long OPT_WIN_VERSION_MAJOR
      Retrieve the OS kernel major version.
    • OPT_WIN_VERSION_MINOR

      static final long OPT_WIN_VERSION_MINOR
      Retrieve the OS kernel minor version.
    • OPT_WIN_VERSION_BUILD

      static final long OPT_WIN_VERSION_BUILD
      Retrieve the OS kernel build.
    • OPT_WIN_SYSTEM_UNIQUE_ID

      static final long OPT_WIN_SYSTEM_UNIQUE_ID
      Retrieve the MemProcFS generated system id.
    • OPT_FORENSIC_MODE

      static final long OPT_FORENSIC_MODE
      Forensic mode.
    • VMMDLL_OPT_REFRESH_ALL

      static final long VMMDLL_OPT_REFRESH_ALL
      Total refresh.
    • VMMDLL_OPT_REFRESH_FREQ_MEM

      static final long VMMDLL_OPT_REFRESH_FREQ_MEM
      Refresh total memory caches.
    • VMMDLL_OPT_REFRESH_FREQ_MEM_PARTIAL

      static final long VMMDLL_OPT_REFRESH_FREQ_MEM_PARTIAL
      Refresh partial (1/3) memory caches.
    • VMMDLL_OPT_REFRESH_FREQ_TLB

      static final long VMMDLL_OPT_REFRESH_FREQ_TLB
      Completely refresh page table caches.
    • VMMDLL_OPT_REFRESH_FREQ_TLB_PARTIAL

      static final long VMMDLL_OPT_REFRESH_FREQ_TLB_PARTIAL
      Refresh partial (1/3) of page table caches.
    • VMMDLL_OPT_REFRESH_FREQ_FAST

      static final long VMMDLL_OPT_REFRESH_FREQ_FAST
      Refresh fast frequency (minor refresh).
    • VMMDLL_OPT_REFRESH_FREQ_MEDIUM

      static final long VMMDLL_OPT_REFRESH_FREQ_MEDIUM
      Refresh medium frequency (medium refresh).
    • VMMDLL_OPT_REFRESH_FREQ_SLOW

      static final long VMMDLL_OPT_REFRESH_FREQ_SLOW
      Refresh slow frequency (maximum refresh).
    • FLAG_NOCACHE

      static final int FLAG_NOCACHE
    • FLAG_ZEROPAD_ON_FAIL

      static final int FLAG_ZEROPAD_ON_FAIL
    • FLAG_FORCECACHE_READ

      static final int FLAG_FORCECACHE_READ
    • FLAG_NOPAGING

      static final int FLAG_NOPAGING
    • FLAG_NOPAGING_IO

      static final int FLAG_NOPAGING_IO
    • FLAG_NOCACHEPUT

      static final int FLAG_NOCACHEPUT
    • FLAG_CACHE_RECENT_ONLY

      static final int FLAG_CACHE_RECENT_ONLY
    • FLAG_NO_PREDICTIVE_READ

      static final int FLAG_NO_PREDICTIVE_READ
    • FLAG_FORCECACHE_READ_DISABLE

      static final int FLAG_FORCECACHE_READ_DISABLE
  • Method Details

    • initializeVmm

      static IVmm initializeVmm(String vmmNativeLibraryPath, String[] argv)
      Initialize a new MemProcFS instance.
      Parameters:
      vmmNativeLibraryPath - path to the directory containing the vmm.dll / vmm.so native binaries, e.g. "C:\\Program Files\\MemProcFS".
      argv - VMM/MemProcFS initialization arguments.
      Returns:
    • isValid

      boolean isValid()
      Check whether the current VMM instance is active/valid or not.
      Returns:
    • getNativeLibraryPath

      String getNativeLibraryPath()
      Retrieve the native library path set at initialization time.
      Returns:
    • close

      void close()
      Close the active instance of MemProcFS.
    • getConfig

      long getConfig(long fOption)
      Get a device specific option value. Please see defines OPT_* for information about valid option values. Please note that option values may overlap between different device types with different meanings.
      Parameters:
      fOption -
      Returns:
    • setConfig

      void setConfig(long fOption, long qw)
      Set a device specific option value. Please see defines OPT_* for information about valid option values. Please note that option values may overlap between different device types with different meanings.
      Parameters:
      fOption -
      qw -
    • vfsList

      List<Vmm_VfsListEntry> vfsList(String path)
      List entries in a virtual directory in the virtual file system.
      Parameters:
      path -
      Returns:
    • vfsRead

      byte[] vfsRead(String file, long offset, int size)
      Read a file in the virtual file system.
      Parameters:
      file -
      offset -
      size -
      Returns:
    • vfsReadString

      String vfsReadString(String file, long offset, int size)
      Read a file as a String in the virtual file system.
      Parameters:
      file -
      offset -
      size -
      Returns:
    • vfsWrite

      void vfsWrite(String file, byte[] data, long offset)
      Write to a file in the virtual file system.
      Parameters:
      file -
      data -
      offset -
    • memRead

      byte[] memRead(long pa, int size)
      Read a single chunk of memory.
      Parameters:
      pa - physical address to read.
      size - number of bytes to read.
      Returns:
    • memRead

      byte[] memRead(long pa, int size, int flags)
      Read a single chunk of memory with the given flags.
      Parameters:
      pa - physical address to read.
      size - number of bytes to read.
      flags - flags as specified by IVmm.FLAG_*
      Returns:
    • memWrite

      void memWrite(long pa, byte[] data)
      Write data to memory. NB! Writing may fail silently. If the write is important, verify it with a subsequent read.
      Parameters:
      pa - physical address to write to.
      data - data to write.
    • memPrefetchPages

      void memPrefetchPages(long[] pas)
      Prefetch a number of addresses into the internal memory cache. This is used to achieve faster subsequent reading speeds.
      Parameters:
      pas - array of physical addresses to prefetch.
    • memScatterInitialize

      IVmmMemScatterMemory memScatterInitialize(int flags)
      Create a new IVmmMemScatter object used for efficient reading and writing. Upon completion it's recommended to call Close() to free native resources.
      Parameters:
      flags - flags as specified by IVmm.FLAG_*
      Returns:
      IVmmMemScatter object used for scatter reading.
    • processGet

      IVmmProcess processGet(int pid)
      Retrieve a process by its pid.
      Parameters:
      pid -
      Returns:
    • processGet

      IVmmProcess processGet(String name)
      Retrieve a process by its name. If multiple processes exist with the same name, it is undefined which one will be returned.
      Parameters:
      name -
      Returns:
    • processGetAll

      List<IVmmProcess> processGetAll()
      Retrieve all processes in the system.
      Returns:
    • kernelProcess

      IVmmProcess kernelProcess()
      Retrieve the kernel process.
      Returns:
    • kernelPdb

      IVmmPdb kernelPdb()
      Retrieve the kernel debug symbols.
      Returns:
    • kernelBuildNumber

      int kernelBuildNumber()
      Retrieve the kernel build number.
      Returns:
    • mapPhysicalMemory

      List<VmmMap_MemMapEntry> mapPhysicalMemory()
      Retrieve the system physical memory map.
      Returns:
    • mapNet

      Retrieve network info.
      Returns:
    • mapUser

      Retrieve users.
      Returns:
    • mapService

      List<VmmMap_ServiceEntry> mapService()
      Retrieve services.
      Returns:
    • mapPool

      VmmMap_PoolMap mapPool(boolean isBigPoolOnly)
      Retrieve pool allocations sorted by virtual address and pool tag.
      Parameters:
      isBigPoolOnly - true=only show entries from bigpool, false=show all entries.
      Returns:
    • regHive

      List<IVmmRegHive> regHive()
      Enumerate all the hives in the system and return them in a list.
      Returns:
    • regKey

      IVmmRegKey regKey(String strFullPath)
      Retrieve a registry key by its full path.
      Parameters:
      strFullPath -
      Returns:
    • regValue

      IVmmRegValue regValue(String strFullPath)
      Retrieve a registry value by its full path.
      Parameters:
      strFullPath -
      Returns:
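
An added example (not code from the MemProcFS project) that uses only calls listed on this page to hash a physical memory range for evidence integrity: it opens a memory image, reports the MemProcFS and target kernel versions through getConfig, then reads the range uncached with zero padding on failed pages. It assumes the MemProcFS "-device" initialization argument, caller-supplied paths, and a constructed sample range of 0x10000 bytes at physical address 0x1000.

```java
import java.io.IOException;
import java.security.MessageDigest;
import vmm.IVmm;

public class PhysRangeHash {
    static final int PAGE = 0x1000;

    // SHA-256 over the physical range [pa, pa+len), read page by page.
    // FLAG_NOCACHE bypasses the internal read cache; FLAG_ZEROPAD_ON_FAIL asks
    // for zero-filled data where a physical read fails.
    static byte[] hashRange(IVmm vmm, long pa, long len) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        int flags = IVmm.FLAG_NOCACHE | IVmm.FLAG_ZEROPAD_ON_FAIL;
        for (long off = 0; off < len; off += PAGE) {
            int want = (int) Math.min(PAGE, len - off);
            byte[] chunk = vmm.memRead(pa + off, want, flags);
            // Refuse to hash a short or missing read: the digest would
            // otherwise cover less data than the report claims.
            if (chunk == null || chunk.length != want) {
                throw new IOException(String.format("short read at 0x%x", pa + off));
            }
            md.update(chunk);
        }
        return md.digest();
    }

    public static void main(String[] args) throws Exception {
        // args[0]: directory with vmm.dll / vmm.so, args[1]: memory image file.
        // Both are supplied by the caller; no paths are assumed here.
        IVmm vmm = IVmm.initializeVmm(args[0], new String[] {"-device", args[1]});
        try {
            if (!vmm.isValid()) throw new IllegalStateException("VMM instance not valid");
            System.out.printf("MemProcFS %d.%d.%d, target kernel %d.%d build %d%n",
                vmm.getConfig(IVmm.OPT_CONFIG_VMM_VERSION_MAJOR),
                vmm.getConfig(IVmm.OPT_CONFIG_VMM_VERSION_MINOR),
                vmm.getConfig(IVmm.OPT_CONFIG_VMM_VERSION_REVISION),
                vmm.getConfig(IVmm.OPT_WIN_VERSION_MAJOR),
                vmm.getConfig(IVmm.OPT_WIN_VERSION_MINOR),
                vmm.getConfig(IVmm.OPT_WIN_VERSION_BUILD));
            StringBuilder hex = new StringBuilder();
            // Constructed sample range: 0x10000 bytes starting at 0x1000.
            for (byte b : hashRange(vmm, 0x1000L, 0x10000L)) hex.append(String.format("%02x", b));
            System.out.println("sha256[0x1000,+0x10000) = " + hex);
        } finally {
            vmm.close(); // release the native instance even if a read throws
        }
    }
}
```

Because zero padding hides unreadable pages inside the digest, record the flags used alongside the hash so a later re-read can be compared under the same conditions.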