2020 May 18

Close-up of multi-colored, backlit numeric keypad

Recently I’ve been concentrating on my objective to write more code for my own sake that also provides value to other information security and digital forensics professionals. As part of that I’m releasing focuslib: a Python module for interacting with virtual machines in VMware Fusion Pro with the aim of simplifying certain digital forensics procedures.

Additionally, I’m releasing a simple Python application, focus, that utilizes the module to map sixteen custom task sequences to keyboard shortcuts to create a ‘push-button’ interface of sorts for VM automation. focus also serves as a basic, concrete example of how programmers can use focuslib in their applications too.

Right now the README file for focuslib is the best place for getting started, but I also wanted to write a short post about my focus application to explain the what, why, and how that went into creating it.


Tools like Terraform let you automate infrastructure on public cloud services and baremetal, server-based hypervisors like VMware vSphere, but I couldn’t seem to find a great solution for programmatically operating local VMware VMs that:

  1. offered an easy-to-integrate interface with all of the (lower-level) functionality I needed

  2. appeared to be actively maintained and documented

while at the same time not:

  1. creating too much abstraction/separation from the underlying VMware features

  2. imposing conventions related to single-minded (software development) use cases

Practically all of my computer usage involves some type of virtualized environment, so it was clear to me that addressing this capability gap would pay dividends later on.

Also, a few months ago I wrote a blog post describing how security researchers can use VMware Fusion to improve their day-to-day productivity, online opsec, and forensic processes. Writing focuslib is a natural evolution of my interest in those topics that aims to implement my written guidance as code to further lower the barriers to entry for my peers in the industry.

Lastly, I really wanted something that would minimize the mental effort needed to perform forensic acquisition of VM memory and network traffic. Instead of memorizing command-line arguments, manually taking VM snapshots, watching and waiting for internal VMware processing to complete, searching the contents of VM folders, and other steps, all I wanted was to focus (hence the name) on what I planned to do with the VM artifact once it was extracted. I decided to map my most common VM-related task sequences to keyboard shortcuts (using my keyboard’s number pad) to create the fire-and-forget experience I was after.


To minimize button presses I decided that my application should execute actions against whichever VM was in front of me at that point in time. Using AppleScript, I was able to retrieve the name of the frontmost VMware Fusion program window on the current desktop. More often than not this window name is also the display name of the virtual machine, and it’s useful as a starting point for resolving the target virtual machine’s .vmx file.

The only other necessary input was some value specifying the desired task to execute, so a basic, two-argument CLI program (where the first argument is the VM display name, and the second is a ‘command number’) did the job.

Once I implemented the custom VM task sequences in focus (by calling functions imported from focuslib) and assigned a sequence to each of the keys on my keyboard’s number pad, I used Apple’s Automator to create corresponding “Quick Actions”. Each Quick Action begins with the AppleScript that retrieves the window name, and then this value is passed as an argument to a shell script that, in turn, executes focus providing the VM name and a hardcoded command number.

Apple Automator

Saving the Quick Actions in Automator created a collection of .workflow service files in the ~/Library/Services/ directory.

.workflow service files

To create the keyboard shortcuts, I launched System Preferences, navigated to the Services menu on the Shortcuts tab of the Keyboard preferences, and entered the desired key presses to map each Quick Action to a custom sequence.

keyboard shortcuts


It works! Now I can perform multi-step procedures against any of my VMs by only entering a simple key sequence while the target VM is the frontmost VMware Fusion window on the desktop. Here are a few of the tasks that focus now automates for me:

  1. Intercept a VM’s virtual network’s traffic (for 15 seconds) and save it to a PCAP file.

  2. Create a ‘disposable’ VM (via linked cloning) for rapid experiment staging.

  3. Acquire a memory sample of the VM’s entire RAM contents at the virtual hardware level.

  4. Maintain a clean and up-to-date ‘restore point’ via snapshots and programmatic OS updates.

Overall, I’d give my implementation a 7 out of 10. Some aspects can be improved as not everything works as desired. Here are a few limitations I’ve noticed:

  1. The VM must be running (not off/suspended/paused) for the AppleScript to retrieve the window title.

  2. The VM window itself must be clicked/selected for macOS to receive the key presses.

  3. It’s a little slow at about 1.5 seconds between the key sequence and command execution.

  4. Full screen VM window titles are not retrieved.

Writing focuslib was a worthwhile, discovery-packed experience on it’s own, but using focus on a daily basis has also improved my productivity. All things considered I’m fairly satisfied with the application at this stage, and I’m glad I took the time to rework my code from a ‘pile of scripts’ into a Python module so I can continue to benefit from it in future projects too. I plan to learn more on the subject of infrastructure-as-code in the near future, so I’m hoping that focuslib will help to better integrate VMware Fusion Pro into those efforts and enhance my overall technological capabilities as a security researcher.

Hands-on Learning

For me, finding small personal projects has been the best catalyst for hands-on learning and leveling up my coding skills. Wherever your own learning takes you, consider budgeting some time to actually implement your knowledge. It can really pay off. Thanks for reading!

Mike Iacovacci
Mike Iacovacci is an information security professional specializing in endpoint security, intrusion investigation, and security research. His efforts have prevented serious security incidents and continue to disrupt cybercrime operations and sophisticated threat actors.