我想制作一个用Python获取内存图像的应用程序。我设计了这个应用程序,但在尝试对 8 GB 内存进行映像时遇到以下错误。我该如何解决这个问题?
另外,如何使该程序与 Volatility 兼容? 我使用 WinPMEM 作为驱动程序。
pymem_class.py
import win32file, os, ctypes
from ctypes import *
class PyMem:
def service_create():
try:
os.system(f"net stop winpmem") # Stop any previous instance of the driver
os.system(
f"sc delete winpmem"
) # Delete any previous instance of the driver
if ctypes.sizeof(ctypes.c_voidp) == 4:
if os.path.isfile("winpmem_x86.sys") is True:
driver_path = "winpmem_x86.sys"
else:
return "Driver file are not found"
else:
if os.path.isfile("winpmem_x64.sys") is True:
driver_path = "winpmem_x64.sys"
else:
return "Driver file are not found"
# Create a new instance of the driver
cwd = os.getcwd()
os.system(
'sc create winpmem type=kernel binPath="'
+ cwd
+ "//"
+ driver_path
+ '"'
)
print("WinPMEM Service Created")
# Start the new instance of the driver
os.system(f"net start winpmem")
print("WinPMEM Driver Created")
except Exception as e:
print("ERROR : WinPMEM can not created. Reason : " + str(e))
def dump_and_save_memory(filename, memsize = 1024 * 1024):
print("Creating AFF4 (Rekall) file")
device_handle = win32file.CreateFile(
"\\\\.\\pmem",
win32file.GENERIC_READ | win32file.GENERIC_WRITE,
win32file.FILE_SHARE_READ | win32file.FILE_SHARE_WRITE,
None,
win32file.OPEN_EXISTING,
win32file.FILE_ATTRIBUTE_NORMAL,
None,
)
mem_addr = 0 # Starting Memory Address
while mem_addr < memsize:
win32file.SetFilePointer(device_handle, mem_addr, 0) # Setting pointer
data = win32file.ReadFile(device_handle, memsize)[1] # Reading memory...
with open(filename + ".aff", "wb") as f:
f.write(data) # Writing to file
f.close()
mem_addr += memsize
print(f"Dumped {mem_addr} / {memsize} bytes ({mem_addr * 100 / memsize:.2f}%)")
win32file.CloseHandle(device_handle)
示例.py
from src.pymem_class import PyMem
if __name__ == "__main__":
PyMem.service_create()
# Drivers Download: https://github.com/Velocidex/WinPmem/tree/master/kernel/binaries
# Run "bcdedit /set testsigning on" command
# Check Memory Compression with "Get-MMAgent" command
# Disable Memory Compression with "Disable-MMAgent -mc" command
# Restart computer
memsize = int(8 * 1024 ** 3) # 8 GB Memory Image
PyMem.dump_and_save_memory("demo", memsize)
还有错误
Traceback (most recent call last):
File "C:\Users\dfnss\OneDrive\Desktop\pymem_snapshot\example.py", line 11, in <module>
PyMem.dump_and_save_memory("demo", memsize)
File "C:\Users\dfnss\OneDrive\Desktop\pymem_snapshot\src\pymem_class.py", line 51, in dump_and_save_memory
data = win32file.ReadFile(device_handle, memsize)[1] # Reading memory...
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: Second param must be an integer or writeable buffer object
我该如何修复它?
我尝试更改代码逻辑,但没有成功
必须在类的实例上调用(常规)方法(它(以静默方式)作为第一个st参数传递)。所以,替换代码
if __name__ == "__main__":
pymem = PyMem()
pymem.service_create()
# Drivers Download: https://github.com/Velocidex/WinPmem/tree/master/kernel/binaries
# Run "bcdedit /set testsigning on" command
# Check Memory Compression with "Get-MMAgent" command
# Disable Memory Compression with "Disable-MMAgent -mc" command
# Restart computer
memsize = int(8 * 1024 ** 3) # 8 GB Memory Image
pymem.dump_and_save_memory("demo", memsize)