ufrisk/MemProcFS

vfsList API not returning the expected data

Closed this issue · 5 comments

Version: v5.11.7

I am running into an issue when trying to list the contents of the /registry/HKLM directory using the API. I have seen the same issue with both the Python and the Java API.

Python example:

import memprocfs

vmm = memprocfs.Vmm(['-device', 'C:\\memory_images\\win10.raw'])

vfs_file_list = vmm.vfs.list('/registry/HKLM/')
for file_name in vfs_file_list:
    print(file_name)

Output of the python example (last 15 lines):

.all
.adts
.adt
.ac3
.amr
.aac
.3mf
.3gpp
.3gp2
.3gp
.3g2
.3fr
_
(_Key_).txt
(_Key_)

This API call will output a different list of files than I see when running from the command line and viewing the mounted directory: M:\registry\HKLM. I expected the list to be the same.

[screenshot of the mounted directory listing]

Thank you for reporting this. I don't quite understand why it's happening.

You have a slash at the end of the path though. Remove it and things should work as they should.

Now, it's quite strange that you get the file listings of the classes hive when you add the slash to the end of the path, I'll look into it even though the issue can be resolved by removing it.

This issue should now be resolved in the very latest version. Thank you for reporting and bringing this issue to my attention.

I tested with version 5.12.5 and I am still seeing different behavior depending on whether there is a slash at the end of the path. However the output is different than the previous version.

Python example:

import memprocfs

vmm = memprocfs.Vmm(['-device', 'C:\\memory_images\\win10.raw'])

with_slash = vmm.vfs.list('/registry/HKLM/')
print("/registry/HKLM/")
for file_name in with_slash:
    print("\t" + file_name)

print("")

print("/registry/HKLM")
without_slash = vmm.vfs.list('/registry/HKLM')
for file_name in without_slash:
    print("\t" + file_name)

output:

/registry/HKLM/
        Classes
        (_Key_).txt
        (_Key_)

/registry/HKLM
        ORPHAN
        SYSTEM
        SOFTWARE
        SECURITY
        SAM
        HARDWARE
        BCD

This works fine for me. Ensure you have the latest version. It should be fixed in 5.12.4 and later.

vmm.get_config(memprocfs.memprocfs.OPT_CONFIG_VMM_VERSION_MAJOR)
vmm.get_config(memprocfs.memprocfs.OPT_CONFIG_VMM_VERSION_MINOR)
vmm.get_config(memprocfs.memprocfs.OPT_CONFIG_VMM_VERSION_REVISION)

I tested again and it is working in version 5.12.5. Thank you.
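The thread above shows two things a practitioner wants to check before trusting `vmm.vfs.list()` output: that the path has no trailing slash (the trigger for the wrong listing in 5.11.7), and that the running vmm.dll is 5.12.4 or later (where the maintainer says the fix landed). The following is an added example, not code from this issue or from the MemProcFS project. It assumes the Python API as used in the thread (`memprocfs.Vmm([...])`, `vmm.vfs.list(path)`, `vmm.get_config(option)`) and that the `OPT_CONFIG_VMM_VERSION_*` constants are reachable either on the top-level `memprocfs` module or on `memprocfs.memprocfs` as in the maintainer's comment; the helper names and the `__main__` usage are my own. The reproduction function compares the slash and no-slash listings the way the reporter did, so it can be run against an image to confirm the behaviour on whatever version is installed.

```python
"""Helpers around MemProcFS's vmm.vfs.list() for the trailing-slash case.

Added example; not code from the MemProcFS project.  Assumes the Python API
shown in this issue: memprocfs.Vmm([...]), vmm.vfs.list(path) and
vmm.get_config(option).  The OPT_CONFIG_VMM_VERSION_* constant names are taken
from the maintainer's comment; where they live is an assumption (see below).
"""

MIN_FIXED_VERSION = (5, 12, 4)  # maintainer states the fix is in 5.12.4 and later


def normalize_vfs_path(path: str) -> str:
    """Return the path in the form the API expects: no trailing slash.

    Only the root keeps its single slash; '/registry/HKLM///' becomes
    '/registry/HKLM'.  This is the workaround that also works on 5.11.x.
    """
    stripped = path.rstrip('/')
    return stripped if stripped else '/'


def version_options(memprocfs_module=None):
    """Resolve the three version option ids.

    Assumption: the constants are on the top-level module or on the nested
    memprocfs.memprocfs namespace used in the thread; both are accepted.
    """
    if memprocfs_module is None:
        import memprocfs as memprocfs_module  # lazy, so helpers import without the package
    ns = getattr(memprocfs_module, 'memprocfs', memprocfs_module)
    return (ns.OPT_CONFIG_VMM_VERSION_MAJOR,
            ns.OPT_CONFIG_VMM_VERSION_MINOR,
            ns.OPT_CONFIG_VMM_VERSION_REVISION)


def vmm_version(vmm, options=None):
    """(major, minor, revision) of the running vmm, read via get_config()."""
    if options is None:
        options = version_options()
    return tuple(int(vmm.get_config(opt)) for opt in options)


def has_trailing_slash_fix(version) -> bool:
    """True when the reported version is at or past the fixed release."""
    return tuple(version) >= MIN_FIXED_VERSION


def compare_listings(vmm, path):
    """Reproduce the report: list `path` with and without a trailing slash.

    Returns (with_slash, without_slash, symmetric_difference) as sets; an
    empty difference means the two spellings agree, as they should.
    """
    base = normalize_vfs_path(path)
    slashed = base if base == '/' else base + '/'
    with_slash = set(vmm.vfs.list(slashed))
    without_slash = set(vmm.vfs.list(base))
    return with_slash, without_slash, with_slash ^ without_slash


def list_vfs(vmm, path):
    """Listing that normalizes first, so it is correct on old versions too."""
    return sorted(vmm.vfs.list(normalize_vfs_path(path)))


if __name__ == '__main__':
    import sys
    import memprocfs
    # Usage (assumed CLI for this example): python check_vfs_list.py C:\memory_images\win10.raw
    vmm = memprocfs.Vmm(['-device', sys.argv[1]])
    ver = vmm_version(vmm)
    print('vmm version %d.%d.%d, trailing-slash fix present: %s'
          % (ver + (has_trailing_slash_fix(ver),)))
    _, _, diff = compare_listings(vmm, '/registry/HKLM')
    print('entries differing between /registry/HKLM/ and /registry/HKLM:',
          sorted(diff) or 'none')
    for name in list_vfs(vmm, '/registry/HKLM/'):
        print('\t' + name)
```

If `compare_listings` reports a non-empty difference on a version at or above 5.12.4, that is worth reporting back on the issue; on older versions, route all paths through `normalize_vfs_path` and the listing matches the mounted `M:\registry\HKLM` directory.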