Package vmm
Interface IVmmProcess
public interface IVmmProcess
Interface representing a process.
- Author:
- Ulf Frisk - pcileech@frizk.net
-
Method Summary
Modifier and TypeMethodDescriptionGet the process command line.longgetDTB()Get the kernel directory table base (default).longGet the user mode directory table base (if exists).longRetrieve the virtual address of the EPROCESS struct.longGetLUID()Get the LUID from the process token.getName()Get the short process name.Get the full process name.Get the kernel mode process path.Get the user mode process path.longgetPEB()Get the virtual address of the PEB.intgetPEB32()Get the virtual address of the 32-bit PEB in WoW64 processes.intgetPID()Retrieve the PID of this process object.intgetPPID()Retrieve the parent process id (PPID).intGet the SesssionID from the process token.getSID()Get the SID from the process token.intgetState()Get the process state.intGet the memory model.intGet the system type.booleanCheck whether the process is a user-mode or kernel-mode process.booleanisWow64()Check whether the process is a Wow64 process.Retrieve handles.mapHeap()Retrieve the process heaps.mapHeapAlloc(long qwHeapNumOrAddress) Retrieve heap allocations given a heap address or heap number.mapPte()Retrieve the process PTEs.Retrieve the process threads.Retrieve the process unloaded modules.mapVad()Retrieve the process VADs.mapVadEx(int oPage, int cPage) Retrieve extended VAD information given a starting page offset (oPage) and number of pages (cPage).voidmemPrefetchPages(long[] vas) Prefetch a number of addresses into the internal memory cache.byte[]memRead(long va, int size) Read a single chunk of memory.byte[]memRead(long va, int size, int flags) Read a single chunk of memory with the given flagsmemScatterInitialize(int flags) Create a new IVmmMemScatter object used for efficient reading and writing.longmemVirtualToPhysical(long va) Try translating a virtual memory address to a physical memory address.voidmemWrite(long va, byte[] data) Write data to the memory.moduleGet(long va, boolean isExtendedInfo) Retrieve a module by its virtual address.Retrieve a module by its name.moduleGetAll(boolean isExtendedInfo) Retrieve all modules loaded into the process.
-
Method Details
-
getPID
int getPID()Retrieve the PID of this process object.- Returns:
-
getPPID
int getPPID()Retrieve the parent process id (PPID).- Returns:
-
getEPROCESS
long getEPROCESS()Retrieve the virtual address of the EPROCESS struct.- Returns:
-
getDTB
long getDTB()Get the kernel directory table base (default).- Returns:
-
getDTBUser
long getDTBUser()Get the user mode directory table base (if exists).- Returns:
-
getState
int getState()Get the process state.- Returns:
-
getPEB
long getPEB()Get the virtual address of the PEB.- Returns:
-
getPEB32
int getPEB32()Get the virtual address of the 32-bit PEB in WoW64 processes.- Returns:
-
isWow64
boolean isWow64()Check whether the process is a Wow64 process.- Returns:
-
isUserMode
boolean isUserMode()Check whether the process is a user-mode or kernel-mode process.- Returns:
-
getName
String getName()Get the short process name.- Returns:
-
getNameFull
String getNameFull()Get the full process name.- Returns:
-
getCmdLine
String getCmdLine()Get the process command line.- Returns:
-
getPathUser
String getPathUser()Get the user mode process path.- Returns:
-
getPathKernel
String getPathKernel()Get the kernel mode process path.- Returns:
-
getTpMemoryModel
int getTpMemoryModel()Get the memory model.- Returns:
-
getTpSystem
int getTpSystem()Get the system type.- Returns:
-
GetLUID
long GetLUID()Get the LUID from the process token.- Returns:
-
GetSessionID
int GetSessionID()Get the SesssionID from the process token.- Returns:
-
getSID
String getSID()Get the SID from the process token.- Returns:
-
memRead
byte[] memRead(long va, int size) Read a single chunk of memory.- Parameters:
va- virtual address to read.size- number of bytes to read.- Returns:
-
memRead
byte[] memRead(long va, int size, int flags) Read a single chunk of memory with the given flags- Parameters:
va- virtual address to read.size- number of bytes to read.flags- flags as specified by IVmm.FLAG_*- Returns:
-
memWrite
void memWrite(long va, byte[] data) Write data to the memory. NB! writing may fail silently. If important it's recommended to verify a write with a subsequent read.- Parameters:
va- virtual address to read.data- data to write.
-
memPrefetchPages
void memPrefetchPages(long[] vas) Prefetch a number of addresses into the internal memory cache. This is used to achieve faster subsequent reading speeds.- Parameters:
vas- array of virtual addresses to prefetch.
-
memScatterInitialize
Create a new IVmmMemScatter object used for efficient reading and writing. Upon completion it's recommended to call Close() to free native resources.- Parameters:
flags- flags as specified by IVmm.FLAG_*- Returns:
- IVmmMemScatter object used for scatter reading.
-
memVirtualToPhysical
long memVirtualToPhysical(long va) Try translating a virtual memory address to a physical memory address.- Parameters:
va-- Returns:
-
moduleGet
Retrieve a module by its virtual address.- Parameters:
va-- Returns:
-
moduleGet
Retrieve a module by its name.- Parameters:
name-- Returns:
-
moduleGetAll
Retrieve all modules loaded into the process.- Returns:
-
mapHandle
List<VmmMap_HandleEntry> mapHandle()Retrieve handles.- Returns:
-
mapHeapAlloc
Retrieve heap allocations given a heap address or heap number.- Parameters:
qwHeapNumOrAddress-- Returns:
-
mapHeap
VmmMap_HeapMap mapHeap()Retrieve the process heaps.- Returns:
-
mapPte
List<VmmMap_PteEntry> mapPte()Retrieve the process PTEs.- Returns:
-
mapThread
List<VmmMap_ThreadEntry> mapThread()Retrieve the process threads.- Returns:
-
mapUnloadedModule
List<VmmMap_UnloadedModuleEntry> mapUnloadedModule()Retrieve the process unloaded modules.- Returns:
-
mapVad
List<VmmMap_VadEntry> mapVad()Retrieve the process VADs.- Returns:
-
mapVadEx
Retrieve extended VAD information given a starting page offset (oPage) and number of pages (cPage).- Parameters:
oPage-cPage-- Returns:
-