MemProcFS v3.9 support

README.md

@@ -19,7 +19,7 @@ _pypykatz_ for MemProcFS exposes mimikatz functionality in the folder `/py/secre
 3) Copy the _pypykatz_ for _MemProcFS_ plugin by copying all files from [`/files/plugins/pym_pypykatz`](https://github.com/ufrisk/MemProcFS-plugins/tree/master/files/plugins/pym_pypykatz) to corresponding folder in MemProcFS - overwriting any existing files there.
 4) Start MemProcFS.
 
-#### Last updated: 2021-01-11
+#### Last updated: 2021-03-21
 
 ## pypykatz regsecrets
 
@@ -36,4 +36,4 @@ _regsecrets_ for MemProcFS exposes mimikatz functionality in the folder `/py/reg
 3) Copy the _pyregsecrets_ for _MemProcFS_ plugin by copying all files from [`/files/plugins/pym_regsecrets`](https://github.com/ufrisk/MemProcFS-plugins/tree/master/files/plugins/pym_regsecrets) to corresponding folder in MemProcFS - overwriting any existing files there.
 4) Start MemProcFS.
 
-#### Last updated: 2021-01-11
+#### Last updated: 2021-03-21

files/plugins/pym_pypykatz/pym_pypykatz.py

@@ -8,7 +8,7 @@
 # Author: Tamas Jos (@skelsec), info@skelsec.com
 #
 
-from vmmpy import *
+import memprocfs
 from vmmpyplugin import *
 import json
 import traceback
@@ -282,7 +282,7 @@ def List(pid, path):
 
 
 def Notify(fEvent, bytesData):
-	if fEvent == VMMPY_PLUGIN_EVENT_TOTALREFRESH and not import_failed and not parsing_failed:
+	if fEvent == memprocfs.PLUGIN_EVENT_TOTALREFRESH and not import_failed and not parsing_failed:
 		global first_run
 		first_run = True
 
@@ -290,7 +290,7 @@ def Notify(fEvent, bytesData):
 def Initialize(target_system, target_memorymodel):
 	# Check that the operating system is 32-bit or 64-bit Windows. If it's not
 	# then raise an exception to terminate loading of this module.
-	if target_system != VMMPY_SYSTEM_WINDOWS_X64 and target_system != VMMPY_SYSTEM_WINDOWS_X86:
+	if target_system != memprocfs.SYSTEM_WINDOWS_X64 and target_system != memprocfs.SYSTEM_WINDOWS_X86:
 		raise RuntimeError("Only Windows is supported by the pym_pypykatz module.")
 	VmmPyPlugin_FileRegisterDirectory(None, 'secrets', List)
 	

files/plugins/pym_pypykatz/pypyreader.py

@@ -11,7 +11,8 @@
 from pypykatz.commons.common import KatzSystemArchitecture, KatzSystemInfo
 from .sysinfo_helpers import *
 
-from vmmpy import *
+import memprocfs
+from vmmpyplugin import *
 import copy
 
 class Module:
@@ -31,9 +32,9 @@ class Module:
 		
 	def parse(data, timestamp = None):
 		m = Module()
-		m.name = data['name']
-		m.baseaddress = data['va']
-		m.size = data['size']
+		m.name = data.name
+		m.baseaddress = data.base
+		m.size = data.image_size
 		m.endaddress = m.baseaddress + m.size
 		
 		m.timestamp = timestamp
@@ -50,7 +51,6 @@ class Page:
 		self.AllocationProtect  = None
 		self.RegionSize  = None
 		self.EndAddress = None
-		
 		self.data = None
 	
 	@staticmethod
@@ -74,7 +74,7 @@ class Page:
 		return p
 		
 	def read_data(self, pid):
-		self.data = VmmPy_MemRead(pid, self.BaseAddress, self.RegionSize)
+		self.data = vmm.process(pid).memory.read(self.BaseAddress, self.RegionSize)
 		
 	def inrange(self, addr):
 		return self.BaseAddress <= addr < self.EndAddress
@@ -82,7 +82,7 @@ class Page:
 	def search(self, pattern, pid):
 		if len(pattern) > self.RegionSize:
 			return []
-		data = VmmPy_MemRead(pid, self.BaseAddress, self.RegionSize)
+		data = vmm.process(pid).memory.read(self.BaseAddress, self.RegionSize)
 		fl = []
 		offset = 0
 		while len(data) > len(pattern):
@@ -104,7 +104,7 @@ class MemProcFsReader:
 		self.filename = filename
 		self.process_name = process_name
 		self.sysinfo = None
-		self.process_pid = None
+		self.process = None
 		self.current_position = None
 		self.modules = []
 		
@@ -115,16 +115,16 @@ class MemProcFsReader:
 		self.sysinfo = KatzSystemInfo()
 
 		#print('[+] Getting BuildNumer')
-		self.sysinfo.buildnumber = VmmPy_ConfigGet(VMMDLL_OPT_WIN_VERSION_BUILD)
+		self.sysinfo.buildnumber = vmm.get_config(memprocfs.OPT_WIN_VERSION_BUILD)
 		#print('[+] Found BuildNumber %s' % self.sysinfo.buildnumber)
 		
 		#print('[+] Getting msv_dll_timestamp')
-		self.sysinfo.msv_dll_timestamp = int(PEGetFileTime(self.process_pid, self.process_name))
+		self.sysinfo.msv_dll_timestamp = int(PEGetFileTime(self.process, self.process_name))
 		#print('[+] Found msv_dll_timestamp %s' % self.sysinfo.msv_dll_timestamp)
 		
 		#print('[+] Getting arch')		
-		val = VmmPy_ConfigGet(VMMPY_OPT_CORE_SYSTEM)
-		if val == VMMPY_SYSTEM_WINDOWS_X64:
+		val = vmm.get_config(memprocfs.OPT_CORE_SYSTEM)
+		if val == memprocfs.SYSTEM_WINDOWS_X64:
 			self.sysinfo.architecture = KatzSystemArchitecture.X64
 		else:
 			self.sysinfo.architecture = KatzSystemArchitecture.X86
@@ -139,17 +139,17 @@ class MemProcFsReader:
 			VmmPy_Initialize(["-device", self.filename,'-vv'])
 		
 		#print('[+] Searching LSASS')
-		self.process_pid = VmmPy_PidGetFromName(self.process_name)
-		#print('[+] Found LSASS on PID %s' % self.process_pid)
+		self.process = vmm.process(self.process_name)
+		#print('[+] Found LSASS on PID %s' % self.process.pid)
 		
 		self.get_sysinfo()
 		
 		#print('[+] Getting modules info')
-		for moduleinfo in VmmPy_ProcessGetModuleMap(self.process_pid):
+		for module in self.process.module_list():
 			#print('moduleinfo: %s' % str(moduleinfo))
-			m = Module.parse(moduleinfo)
+			m = Module.parse(module)
 			try:
-				for pageinfo in VmmPy_ProcessGetSections(self.process_pid, m.name):
+				for pageinfo in module.maps.sections():
 					#print('pageinfo: %s' % str(pageinfo))
 					m.pages.append(Page.parse(pageinfo, m))
 					
@@ -192,7 +192,7 @@ class MemProcFsReader:
 		"""
 		Searches for all occurrences of a pattern in the current memory segment, returns all occurrences as a list
 		"""
-		data = VmmPy_MemRead(self.process_pid, start, end - start)
+		data = self.process.memory.read(start, end - start)
 		pos = []
 		for p in MemProcFsReader.find_all_pattern(data, pattern):
 			pos.append( p + start)
@@ -242,7 +242,7 @@ class MemProcFsReader:
 		return data
 	
 	def read(self, size = -1):
-		data = VmmPy_MemRead(self.process_pid, self.current_position, size)
+		data = self.process.memory.read(self.current_position, size)
 		self.current_position += size
 		return data
 	

files/plugins/pym_pypykatz/sysinfo_helpers.py

@@ -5,13 +5,13 @@
 #
 # https://github.com/ufrisk/
 #
-# (c) Ulf Frisk, 2019
+# (c) Ulf Frisk, 2019-2021
 # Author: Ulf Frisk, pcileech@frizk.net
 #
 
 from io import BytesIO
 from dissect import cstruct
-from vmmpy import *
+import memprocfs
 
 PE_STRUCT_DEFINITIONS = """
     #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
@@ -49,9 +49,9 @@ PE_STRUCT_DEFINITIONS = """
     } IMAGE_FILE_HEADER;
 """
 
-def PEGetFileTime(pid, module):
-    mz_va = VmmPy_ProcessGetModuleFromName(pid, module)['va']
-    mz_bytes = VmmPy_MemRead(pid, mz_va, 0x1000)
+def PEGetFileTime(process, module):
+    mz_va = process.module(module).base
+    mz_bytes = process.memory.read(mz_va, 0x1000)
     mz_stream = BytesIO(mz_bytes)
     # Set up dissect.cstruct
     pestruct = cstruct.cstruct()

files/plugins/pym_pypykatz/version.txt

@@ -1 +1 @@
-1.2.0
+1.3.0

files/plugins/pym_regsecrets/pym_regsecrets.py

@@ -13,7 +13,7 @@
 # Author: Ulf Frisk (@UlfFrisk), pcileech@frizk.net
 #
 
-from vmmpy import *
+import memprocfs
 from vmmpyplugin import *
 import traceback
 
@@ -76,8 +76,8 @@ class MemProcFS_RegReader:
 	This class provides buffer-like reader interface which can be delegated to AIOWinreg's HIVE classes.
 	Emulates reading and seeking capablities of a buffer but actually calling the underlying MemProcFS API. 
 	"""
-	def __init__(self, va_hive):
-		self.va_hive = va_hive
+	def __init__(self, hive):
+		self.hive = hive
 		self.position = 0
 		self.firstread = True
 
@@ -87,7 +87,7 @@ class MemProcFS_RegReader:
 		elif count == 0:
 			return None
 		
-		data = VmmPy_WinReg_HiveRead(self.va_hive, self.position, count, flags = 0)
+		data = self.hive.memory.read(self.position, count, 0)
 		self.position += count
 		return data
 	
@@ -102,27 +102,27 @@ class MemProcFS_RegReader:
 			raise Exception('Cant seek from the end!')
 
 def list_hives():
-	for x in VmmPy_WinReg_HiveList():
+	for x in vmm.reg_hive_list():
 		yield x
 
 
 
-def get_hive_va(hive_name, hive_name_short):
+def get_hive(hive_name, hive_name_short):
 	for hiveinfo in list_hives():
-		if 'name' in hiveinfo and hiveinfo['name'].endswith(hive_name):
-			return hiveinfo['va_hive']
+		if hiveinfo.name.endswith(hive_name):
+			return hiveinfo
 	for hiveinfo in list_hives():
-		if 'name' in hiveinfo and hive_name_short in hiveinfo['name']:
-			return hiveinfo['va_hive']
+		if hive_name_short in hiveinfo.name:
+			return hiveinfo
 	return None
 
 
 
 def create_hive(hive_name, hive_name_short):
-	hive_va = get_hive_va(hive_name, hive_name_short)
-	reader = MemProcFS_RegReader(hive_va)
+	hive = get_hive(hive_name, hive_name_short)
+	reader = MemProcFS_RegReader(hive)
 	hroot = NTRegistryHbin.read(reader)
-	reader = MemProcFS_RegReader(hive_va)
+	reader = MemProcFS_RegReader(hive)
 	return AIOWinRegHive(reader, hroot, is_file = False)
 
 
@@ -272,7 +272,7 @@ def List(pid, path):
 
 
 def Notify(fEvent, bytesData):
-	if fEvent == VMMPY_PLUGIN_EVENT_TOTALREFRESH and not import_failed and not parsing_failed:
+	if fEvent == memprocfs.PLUGIN_EVENT_TOTALREFRESH and not import_failed and not parsing_failed:
 		global is_initialized
 		is_initialized = False
 
@@ -281,6 +281,6 @@ def Notify(fEvent, bytesData):
 def Initialize(target_system, target_memorymodel):
 	# Check that the operating system is 32-bit or 64-bit Windows. If it's not
 	# then raise an exception to terminate loading of this module.
-	if target_system != VMMPY_SYSTEM_WINDOWS_X64 and target_system != VMMPY_SYSTEM_WINDOWS_X86:
+	if target_system != memprocfs.SYSTEM_WINDOWS_X64 and target_system != memprocfs.SYSTEM_WINDOWS_X86:
 		raise RuntimeError("Only Windows is supported by the pym_regsecrets module.")
 	VmmPyPlugin_FileRegisterDirectory(None, 'regsecrets', List)

files/plugins/pym_regsecrets/version.txt

@@ -1 +1 @@
-1.1.0
+1.2.0

versions.txt

@@ -1,2 +1,2 @@
-pypykatz 1.2.0
-regsecrets 1.1.0
+pypykatz 1.3.0
+regsecrets 1.2.0