The Memory Process File System:

The Memory Process File System (MemProcFS) is an easy and convenient way of viewing physical memory as files in a virtual file system.

Easy point-and-click memory analysis without the need for complicated command-line arguments! Access memory content and artifacts via files in a mounted virtual file system, or via a feature-rich application library to include in your own projects!

Analyze memory dump files, live memory via DumpIt or WinPMEM, or live memory in read-write mode via linked PCILeech and PCILeech-FPGA devices!

It's even possible to connect to a remote LeechAgent memory acquisition agent over a secured connection, allowing for remote live memory incident response, even over higher-latency, low-bandwidth connections! Peek into Hyper-V virtual machines with LiveCloudKd!

Use your favorite tools to analyze memory: your favorite hex editors, your Python and PowerShell scripts, WinDbg, or your favorite disassemblers and debuggers. All of them work trivially with MemProcFS by just reading and writing files!

Include MemProcFS in your C/C++, C# or Python programming projects! Everything in MemProcFS is exposed via an easy-to-use API for use in your own projects! The plugin-friendly architecture allows users to easily extend MemProcFS with native C .DLL plugins or Python .py plugins, providing additional analysis capabilities!

MemProcFS is available on Python pip. Just type pip install memprocfs and you're ready to go! Please see the Python API documentation and the YouTube demo for examples and usage!

Please check out the project wiki for more in-depth detailed information about the file system itself, its API and its plugin modules!

Please check out the LeechCore project for information about supported memory acquisition methods and remote memory access via the LeechService.

To get going clone the sources in the repository or download the latest binaries, modules and configuration files from the releases section and check out the guide.

Fast and easy memory analysis via mounted file system:

No matter whether you have no prior knowledge of memory analysis or are an advanced user, MemProcFS (and its API) may be useful! Click around the memory objects in the file system.

Extensive Python, C# and C/C++ API:

Everything in MemProcFS is exposed as APIs. APIs exist for C/C++ (vmmdll.h), C# (vmmsharp.cs) and Python (memprocfs.py). The file system itself is made available virtually via the API without the need to mount it. It is possible to read both virtual process memory and physical memory! The example below reads 0x20 bytes from physical address 0x1000:

>>> import memprocfs
>>> vmm = memprocfs.Vmm(['-device', 'c:/temp/win10_memdump.raw'])
>>> print(vmm.hex( vmm.memory.read(0x1000, 0x20) ))
0000    e9 4d 06 00 01 00 00 00  01 00 00 00 3f 00 18 10   .M..........?...
0010    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
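The snippet above shows a single physical read. The script below is an added example, not code from the MemProcFS project, that turns the same API into a small triage script: it renders a read in the layout vmm.hex() prints, lists the processes in the dump, and flags processes whose parent is no longer in the process list. The hexdump helper and the parent check are plain Python and run offline; open_dump and process_table assume the memprocfs package API (vmm.process_list(), proc.pid, proc.ppid, proc.name and vmm.close() are assumptions not shown on this page; memprocfs.Vmm and vmm.memory.read are the calls the README uses). SAMPLE_READ is the 0x20 bytes from the output above.

```python
"""Added example (not code from the MemProcFS project): a small triage script
built on the memprocfs Python API.

Assumed API (not on the page): vmm.process_list(), proc.pid, proc.ppid,
proc.name and vmm.close() from the memprocfs package; memprocfs.Vmm and
vmm.memory.read are the calls the README itself uses."""
import sys

# The 0x20 bytes that the README example reads from physical address 0x1000
# (copied from the output above), used as sample input when run offline.
SAMPLE_READ = bytes.fromhex("e94d060001000000010000003f001810" + "00" * 16)


def hexdump(data, base=0):
    """Render bytes in the layout vmm.hex() prints: 4-digit offset, 16 hex
    bytes in two groups of eight, then an ASCII column where bytes outside
    0x20..0x7e are shown as '.'."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        left = " ".join(f"{b:02x}" for b in chunk[:8])
        right = " ".join(f"{b:02x}" for b in chunk[8:])
        hexpart = f"{left}  {right}" if right else left
        text = "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in chunk)
        lines.append(f"{base + off:04x}    {hexpart:<48}   {text:<16}")
    return "\n".join(lines)


def parentless(rows):
    """Given (pid, ppid, name) rows, return processes whose parent is no
    longer in the process list (ppid 0 is the idle process and is skipped).
    An exited parent is normal for some processes, but it is a cheap first
    filter when looking for something that was launched and abandoned."""
    pids = {pid for pid, _, _ in rows}
    return sorted(r for r in rows if r[1] != 0 and r[1] not in pids)


def open_dump(path):
    import memprocfs  # pip install memprocfs, as the README states
    return memprocfs.Vmm(["-device", path])


def process_table(vmm):
    """(pid, ppid, name) for every process in the dump; assumed API."""
    return sorted((p.pid, p.ppid, p.name) for p in vmm.process_list())


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Offline demonstration on the sample bytes only.
        print(hexdump(SAMPLE_READ))
        sys.exit(0)
    vmm = open_dump(sys.argv[1])
    print(hexdump(vmm.memory.read(0x1000, 0x20)))
    rows = process_table(vmm)
    for pid, ppid, name in rows:
        print(f"{pid:>6} {ppid:>6} {name}")
    for pid, ppid, name in parentless(rows):
        print(f"parent {ppid} of {name} ({pid}) is not in the process list")
    vmm.close()
```

Run it with the path to a dump as the only argument; without an argument it only renders SAMPLE_READ, which is enough to check the output layout against the README.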

Modular Plugin Architecture:

Anyone is able to extend MemProcFS with custom plugins! It is as easy as dropping a python file in the correct directory or compiling a tiny C DLL. Existing functionality is already implemented as well documented C and Python plugins!

Installing:

Get the latest binaries, modules and configuration files from the latest release. Alternatively clone the repository and build from source.

MemProcFS is dependent on the LeechCore project for memory acquisition. The necessary leechcore.dll / leechcore.so file is already pre-built and included together with the pre-built binaries.

Windows

Mounting the file system requires the Dokany file system library to be installed. Please download and install the latest version of Dokany from https://github.com/dokan-dev/dokany/releases/latest. It is recommended to download and install the DokanSetup_redist version.

Python support requires Python 3.6 or later. The user may specify the path to the Python installation with the command line parameter -pythonhome, alternatively download Python 3.7 - Windows x86-64 embeddable zip file and unzip its contents into the files/python folder when using Python modules in the file system. To use the Python API a normal 64-bit Python 3.6 or later installation for Windows is required.

To capture live memory (without PCILeech FPGA hardware) download DumpIt and start MemProcFS via DumpIt /LIVEKD mode. Alternatively, get WinPMEM by downloading the most recent signed WinPMEM driver and place it alongside MemProcFS - detailed instructions in the LeechCore Wiki.

PCILeech FPGA will require hardware as well as FTD3XX.dll to be dropped alongside the MemProcFS binaries. Please check out the LeechCore project for instructions.

Linux

MemProcFS depends on a few packages: run sudo apt-get install libusb-1.0 fuse openssl lz4 before trying out MemProcFS. If building from source, please check out the guide about MemProcFS on Linux.

Examples:

Start MemProcFS from the command line, possibly using one of the examples below.

Or register the memory dump file extension with MemProcFS.exe so that the file system is mounted automatically when you double-click a memory dump file!

  • mount the memory dump file as /home/pi/linux on Linux:
    ./memprocfs -mount /home/pi/linux -device /dumps/win10x64-dump.raw
  • mount the memory dump file as default M:
    memprocfs.exe -device c:\temp\win10x64-dump.raw
  • mount the memory dump file as default M: with extra verbosity:
    memprocfs.exe -device c:\temp\win10x64-dump.raw -v
  • mount the memory dump file as default M: with extra extra verbosity:
    memprocfs.exe -device c:\temp\win10x64-dump.raw -v -vv
  • mount the memory dump file as S:
    memprocfs.exe -mount s -device c:\temp\win10x64-dump.raw
  • mount live target memory, in verbose read-only mode, with DumpIt in /LIVEKD mode:
    DumpIt.exe /LIVEKD /A memprocfs.exe /C "-v"
  • mount live target memory, in read-only mode, with WinPMEM driver:
    memprocfs.exe -device pmem
  • mount live target memory, in read/write mode, with PCILeech FPGA memory acquisition device:
    memprocfs.exe -device fpga -memmap auto
  • mount a memory dump together with its corresponding page files:
    memprocfs.exe -device unknown-x64-dump.raw -pagefile0 pagefile.sys -pagefile1 swapfile.sys

Documentation:

For additional documentation please check out the project wiki for in-depth detailed information about the file system itself, its API and its plugin modules! For additional information about memory acquisition methods check out the LeechCore project.

Also check out my Microsoft BlueHatIL 2019 talk Practical Uses for Hardware-assisted Memory Visualization and my Disobey 2020 talk Live Memory Attacks and Forensics about MemProcFS.

Building:

Pre-built binaries, modules and configuration files are found in the latest release. MemProcFS binaries are built with Visual Studio. MemProcFS is not supported on Linux.

Detailed build instructions may be found in the Wiki in the Building section.

Current Limitations & Future Development:

MemProcFS is currently limited to analyzing Windows (32-bit and 64-bit XP to 10) memory dumps.

Some features are missing in the Linux version (compressed Windows memory and offline symbols). This both limits and degrades the analysis on Linux systems. These features are planned for future versions.

Please find some ideas for possible future expansions of the memory process file system listed below. This is a list of ideas, not a list of features that will be implemented. Even though some items are marked as prioritized, there is no guarantee that they will be implemented in a timely fashion.

Prioritized items:

  • More/new plugins.

Other items:

  • Hash lookup of executable memory pages in DB.
  • Forensic mode more analysis tasks.

License:

The project source code is released under: GNU Affero General Public License v3.0. Some bundled dependencies and plugins are released under GPLv3. Some bundled Microsoft redistributable binaries are released under separate licenses. Alternative licensing may be possible.

Contributing:

PCILeech, MemProcFS and LeechCore are open source but not open contribution. PCILeech, MemProcFS and LeechCore offer a highly flexible plugin architecture that allows for contributions in the form of plugins. If you wish to make a contribution other than a plugin to the core projects, please contact me before starting to develop.

Support PCILeech/MemProcFS development:

PCILeech and MemProcFS are free and open source!

I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!

If you like what I've created with PCILeech and MemProcFS with regards to DMA, memory analysis and memory forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk

To all my sponsors, Thank You 💕

All sponsorships are welcome, no matter how large or small. I especially wish to thank my bronze sponsors: grandprixgp.

Changelog:

Previous releases:

v1.0

  • Initial Release.

v1.1-v2.10

  • Various updates. Please see individual releases for more information.

v3.0

  • Major release with new features, optimizations and refactorings.
  • New virtual memory core for increased speed and memory recovery:
    • VAD (virtual address descriptor) support.
    • Win10 memory decompression bug-fixes.
    • Pagefile support.
  • Handles.
  • Threads.
  • API: new features and updates (module names from ansi to wide string).

v3.1

  • Bug fixes and refactorings.
  • Code signing of binaries.
  • New Features:
    • Users.
    • Volatile registry keys.
    • File recovery via Handles and Vads.

v3.2

  • Bug fixes.
  • Support for low-memory x64 systems.
  • New Features:
    • Certificates.
    • Physical memory map.
    • Per-page physical memory information (PFN database).
    • Registry "big data" value type support.

v3.3

  • Bug fixes.
  • Better write support.
  • AMD Ryzen FPGA support.
  • Module map: new info - Full .DLL Path.
  • Thread map: new info - CPU registers.
  • New forensic mode:
    • Timelining.
    • NTFS MFT parsing.
    • SQLITE database generation.
  • New Features:
    • Minidump .DMP file generation for individual processes.
    • Syscalls - nt & win32k.

v3.4

  • Bug fixes.
  • Support for LiveCloudKd.
  • Network UDP and TCP listen socket support.
  • C# API and examples - located in vmmsharp project.

v3.5

  • Bug fixes.
  • New Features:
    • Minidump for live processes.
    • Services information.
    • Memmap: Verbose VAD with individual page info.

v3.6

  • Bug fixes & refactorings.
  • NB! Breaking C/C++ API changes (function renames).
  • New Features:
    • Unloaded modules.
    • FindEvil - find select signs of injections and malware.

v3.7

  • Updates & Improvements:
    • Registry.
    • Services.
    • NTFS MFT.
  • New Features:
    • Time: process-time, boot-time, current-time, timezone.
    • Python Light Plugins: print('file system plugins as easy as Python print!')
    • Registry Parsing: usb-storage, bluetooth, wallpapers and more in 'py/reg' & 'py/by-user/reg'.

v3.8

  • Updates & Improvements:
    • Rename 'sysinfo' directory to 'sys'.
    • Better os detection (symbol fallback).
    • Handles: additional object info.
    • Info header in most info-files (enabled by default - possible to disable).
  • New Features:
    • Windows Kernel Object Manager Objects.
    • Additional kernel driver information.
    • Detailed Object and Object Header Info.

v3.9

  • Bug fixes.
  • License Change: GNU Affero General Public License v3.0.
  • Updates & Improvements:
    • Faster and more robust parsing of physical memory map
    • Rename per-process user to token and add more info.
  • New Features:

v3.10

  • Bug fixes.
  • New Features:
    • Scheduled Tasks at /sys/tasks/
    • Forensic mode: JSON info file generation /forensic/json/ (compatible with Elasticsearch).

v4.0

  • Linux support (x64 and aarch64).
  • Separate releases for Windows and Linux.
  • API Changes and some incompatibilities.

v4.1

  • Bug fixes.
  • Offline kernel symbols (partial support). This allows for more functionality in Linux mode and in Windows offline mode.

v4.2

  • Support for VMWare live VM introspection.
  • Support for remote agent-based memory analysis.
  • Map kernel memory space into csrss.exe process (to make win32k easier to access).

Latest:

  • Support for Windows Server 2022
Owner: Ulf Frisk (IT-Security Minion | DMA Hacker)

Comments:
  • Unable to Initialize and Identify OS

    I've spent the past couple of days trying to troubleshoot the issues I've been having with MemProcFS.exe on my system. Not sure how to resolve this though as it doesn't look like anyone else was seeing the same errors I have been getting. I've been using the pre-compiled releases. The only thing I haven't attempted to do is build it myself.

    Output when attempting to mount:

    > .\MemProcFS.exe -device fpga -v -vv
    DEVICE: FPGA: ScreamerM2 PCIe gen2 x1 [300,0,500] [v4.6,0200]
    ----- FPGA DEVICE CONFIG REGISTERS: CORE-READ-ONLY     SIZE: 35 BYTES -----
    ----- FPGA DEVICE CONFIG REGISTERS: CORE-READ-WRITE    SIZE: 30 BYTES -----
    ----- FPGA DEVICE CONFIG REGISTERS: PCIE-READ-ONLY     SIZE: 48 BYTES -----
    ----- FPGA DEVICE CONFIG REGISTERS: PCIE-READ-WRITE    SIZE: 84 BYTES -----
    ----- PCIe CORE Dynamic Reconfiguration Port (DRP)     SIZE: 0x100 BYTES -----
    ----- PCIe CONFIGURATION SPACE (no user set values)    SIZE: 0x200 BYTES -----
    
    LcMemMap_AddRange: 0000000000000000-000000000009ffff -> 0000000000000000
    LcMemMap_AddRange: 0000000000100000-000000086dffffff -> 0000000000100000
    LeechCore v2.0.2: Open Device: fpga
    VmmWinInit_TryInitialize: INFO: DTB  located at: 00000000001ad000. MemoryModel: X64
    MmX64_TlbPageTableVerify: VMM: BAD PT PAGE at PA: 00000000001ad000
    MmX64_TlbPageTableVerify: VMM: BAD PT PAGE at PA: 00000000001ad000
    VmmWinInit_TryInitialize: Initialization Failed. Unable to locate ntoskrnl.exe. #3
    VmmProc: Unable to auto-identify operating system for PROC file system mount.
             Specify PageDirectoryBase (DTB/CR3) in -cr3 option if value if known.
    MOUNT: INFO: PROC file system not mounted.
    

    System information:

    Version	10.0.18363 Build 18363
    Hardware Abstraction Layer	Version = "10.0.18362.387"
    Processor	Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz, 3600 Mhz, 8 Core(s), 16 Logical Processor(s)
    BaseBoard Product	ROG MAXIMUS XI EXTREME
    Kernel DMA Protection	Off
    Virtualization-based security	Not enabled
    Device Encryption Support	Reasons for failed automatic device encryption: TPM is not usable, PCR7 binding is not
    supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s)
    detected, TPM is not usable
    Hyper-V - VM Monitor Mode Extensions	Yes
    Hyper-V - Second Level Address Translation Extensions	Yes
    Hyper-V - Virtualization Enabled in Firmware	No
    Hyper-V - Data Execution Protection	Yes
    

    I can read/write memory. Probe, dump, and display all function for me as well.

    > .\pcileech.exe testmemreadwrite -min 0x1000
    Memory Test Read: starting, reading 1000 times from address: 0x00001000
    Memory Test Read: SUCCESS!
    Memory Test Write: starting, reading/writing 100 times from address: 0x00001000
    Memory Test Write: Success!
    
    > .\pcileech probe -device fpga
    
     Memory Map:
     START              END               #PAGES
     0000000000000000 - 000000000009ffff  000000a0
     00000000000c0000 - 000000008f6fffff  0008f640
     0000000100000000 - 000000086dffffff  0076e000
    
     Current Action: Probing Memory
     Access Mode:    Normal
     Progress:       34528 / 34528 (100%)
     Speed:          486 MB/s
     Address:        0x000000086E000000
     Pages read:     8378080 / 8839168 (94%)
     Pages failed:   461088 (5%)
    Memory Probe: Completed.
    
  • TB3 Unable to DMA

    Hello, it's about a week I'm smashing my head on this with no solution: I got a PCIScreamer M.2 a while ago, used it with the PCIe adapter into a desktop computer running Windows 10 1903 on an Intel i5-3470 Processor. As you can see the processor is quite old, but everything was working perfectly and I had quite a lot of fun with PCILeech and MemProcFS. Now I have a much more powerful machine running Windows 10 1903 on an Intel i7-8750H; the problem is that, being a laptop, I do not have access to internal PCIe ports. I even checked: the only M.2 slot is used by the SSD and the WiFi card uses a different key. I purchased an ADT-LINK R43SG-TB3 PCIe to Thunderbolt and use the M.2 to Thunderbolt 3 adapter it came with for the Screamer. The ethernet device is successfully detected by the computer, however no DMA is possible. VT-d is disabled. Kernel DMA Protection is disabled. Device Guard is disabled. Thunderbolt Security is set to No Security. Group Policies are set to Enumerate all Thunderbolt Devices in all scenarios (logged off, logged on etc.). Virtualization Based Security is disabled. Hypervisor is not running.

    I disabled every single option I could find regarding DMA or memory protection, but still nothing, sadly. "pcileech.exe probe -device fpga" detects the correct amount of RAM, however all pages fail to read.

    Here is the output of "pcileech.exe testmemreadwrite -device fpga -v -vv":

    DEVICE: FPGA: ScreamerM2 PCIe gen2 x1 [300,0,500] [v4.6,0b00]
    
    ----- FPGA DEVICE CONFIG REGISTERS: CORE-READ-ONLY     SIZE: 35 BYTES -----
    0000    89 ab 00 00 23 00 00 00  04 06 04 00 00 00 00 00   ....#...........
    0010    c8 3d 6e 55 06 00 00 00  ca 3d 6e 55 06 00 00 00   .=nU.....=nU....
    0020    00 00 03                                           ...             
    
    ----- FPGA DEVICE CONFIG REGISTERS: CORE-READ-WRITE    SIZE: 30 BYTES -----
    0000    cd cf 04 00 1e 00 00 00  a0 86 01 00 00 00 00 00   ................
    0010    ea 10 07 00 ee 10 66 06  02 3c 00 00 7f 00         ......f..<.. .  
    
    ----- FPGA DEVICE CONFIG REGISTERS: PCIE-READ-ONLY     SIZE: 48 BYTES -----
    0000    01 23 00 00 30 00 00 00  0b 00 16 08 5c 00 00 00   .#..0.......\...
    0010    00 00 00 00 06 00 00 00  10 29 00 00 04 00 00 00   .........)......
    0020    12 10 00 00 01 7f 00 00  00 00 ff f9 00 00 00 00   ..... ..........
    
    ----- FPGA DEVICE CONFIG REGISTERS: PCIE-READ-WRITE    SIZE: 84 BYTES -----
    0000    45 67 00 f0 54 00 00 00  35 0a 00 01 01 00 00 00   Eg..T...5.......
    0010    00 00 00 00 ff fd 48 00  00 00 00 0e 00 00 00 00   ......H.........
    0020    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0030    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0040    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0050    00 00 00 00                                        ....            
    
    ----- PCIe CORE Dynamic Reconfiguration Port (DRP)  SIZE: 0x100 BYTES -----
    0000    00 00 00 01 00 02 00 00  00 00 00 00 00 00 f0 00   ................
    0010    ff ff 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0020    00 00 00 00 00 00 00 00  00 00 00 40 00 00 00 00   ...........@....
    0030    01 00 09 0f 30 00 22 7f  02 00 01 00 00 03 11 0c   ....0." ........
    0040    02 a1 00 43 01 00 1f fd  7f ff 09 ff 01 20 01 48   ...C.... .... .H
    0050    00 05 01 60 11 9c 00 00  00 00 00 00 00 00 00 00   ...`............
    0060    00 00 10 60 00 02 40 21  00 40 3d 48 00 23 00 00   ...`..@!.@=H.#..
    0070    00 00 00 00 00 00 00 00  00 00 00 00 00 15 00 01   ................
    0080    00 01 00 00 00 01 00 00  00 01 00 00 00 01 00 00   ................
    0090    00 01 00 00 00 01 00 00  00 00 00 00 00 00 00 00   ................
    00a0    00 00 00 00 00 00 00 00  00 02 00 00 12 34 10 18   .............4..
    00b0    00 0b 00 01 00 11 00 00  00 00 00 00 00 01 00 00   ................
    00c0    00 28 00 41 ff ff ff ff  00 e0 00 00 80 08 00 22   .(.A..........."
    00d0    07 ff 03 52 02 48 00 08  00 40 0e 84 fa ac 00 00   ...R.H...@......
    00e0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00f0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    
    ----- PCIe CONFIGURATION SPACE (no user set values) SIZE: 0x200 BYTES -----
    0000    00 00 00 00 06 00 10 20  01 00 01 0f 20 00 00 00   ....... .... ...
    0010    00 00 00 94 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0020    00 00 00 00 00 00 00 00  00 00 00 00 02 10 01 00   ................
    0030    00 00 00 00 40 00 00 00  00 00 00 00 ff 01 00 00   ....@...........
    0040    01 48 03 78 08 00 00 00  05 60 80 00 00 00 00 00   .H.x.....`......
    0050    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0060    10 00 02 00 e2 8f 00 00  10 29 04 00 12 f4 03 00   .........)......
    0070    00 00 12 10 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0080    00 00 00 00 02 00 00 00  00 00 00 00 00 00 00 00   ................
    0090    02 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00a0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00b0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00c0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00d0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00e0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00f0    00 00 00 00 00 00 00 00  00 00 00 00 03 00 c1 10   ................
    0100    00 00 00 00 35 0a 00 01  01 00 00 00 00 00 00 00   ....5...........
    0110    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0120    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0130    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0140    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0150    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0160    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0170    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0180    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0190    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    01a0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    01b0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    01c0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    01d0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    01e0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    01f0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    
    Successfully loaded LeechCore v1.7.0 Device 3
    Memory Test Read: starting, reading 1000 times from address: 0x00000000
    Memory Test Read: Failed. DMA failed / data changed by target computer / memory corruption. Read: 0. Run: 0. Offset: 0x000
    

    MemProcFS fails with "Initialization Failed. Unable to locate valid DTB".

    Do you have any idea for further attempts i could try?

    Thanks

  • VmmWinInit_xxx + tiny algorithm

    Hello, I am facing an issue with the read tiny algorithm. If I toggle it in the leechcore lib, pcileech can probe and display memory, but in the MemProcFS lib it fails on VmmWinInit_FindNtosScan / VmmWinInit_FindSystemEPROCESS. If I toggle it back to false it works flawlessly. Any idea of what could go wrong?

  • Unable to get Memory Map

    Hello! Thank you so much for your work. I encountered several issues while utilizing your vmmsharp library, and trying to generate a physical memory map programmatically.

    I have tried several methods (from info I found in #42 & the wiki)

    1. I tried calling vmm.Map_GetPhysMem() which returns a 0 length array.
    2. I tried reading sys/memory/physmemmap.txt which returns a blank table:
       #         Base            Top
    --------------------------------
    

    Here is the code I am using:

                    vmm.Initialize("-printf", "-v", "-device", "FPGA");
                    vmm.InitializePlugins();
                    vmm.VfsRead("sys/memory/physmemmap.txt", 4096, 0x0, out var map);
                    File.WriteAllBytes("memmap.raw", map);
    

    The target computer is running Windows 11. Device firmware version 4.7, memprocfs 4.6.

    MemProcFs inits OK and can otherwise read memory.

  • Unable to read VA of ntoskrnl module.

    @ufrisk

    I have a problem with trying to read, for example, the PE header of win32kfull.sys inside ntoskrnl.exe. I can grab the base address successfully, but reads fail. I tried to set the context of the read (via PID) to both System (ntoskrnl.exe) and usermode (for example explorer.exe) but neither worked.

    It also appears to be impossible to translate this VA to a PA, and then read the physical address.

    And the reason I am having to do this anyway, is because the VMMDLL_ProcessGetEAT function does not work on win32kfull.sys. It returns a count of 0, so the 2nd part of the function fails.

    I don't think I'm doing something wrong, because even the example using VMMDLL_ProcessGetEAT does not work, which makes me think I am missing something.

  • Can DMA be read by multiple threads? Why is it slow? Can it be read without DMA?

    Can DMA be read by multiple threads? Why is it slow? Can it be read without DMA? If I use multithreading to read DMA, it will be very slow, and it takes 3 seconds to read data. If I don't use multithreading, I can read data every 20 milliseconds. Why?

  • KB5016616 update is causing problems on few functions.

    Hello Ulf! Always wishing you good luck. As the title says, the update is causing a few functions to return false, like VMMDLL_Map_GetPool, etc. Discovered this after I reinstalled Windows and the same problem happened again. Thank you!

  • Slight instability in Win11 22H2

    Hi Ulf - I saw you added 22H2 support in memprocfs 5.1, and have been testing it out. It mostly seems good, but I have noticed that occasional reads error out (that didn't happen in the prior branch of Windows 11).

    Running -vv in my init, I captured my output and noticed a lot of the following throughout runtime.

    [VMM]      MmWin_CompressedPage: FAIL: #42 UnsupportedPageRecord    // A couple of these
    [VMM]      MmWin_CompressedPage: FAIL: #11 BTreeSearch    // Quite a few of these
    [VMM]      MmWin_CompressedPage: FAIL: #35 ChunkArrayTooLarge    // TONS of these
    

    Some details on my setup:

    • my FPGA Firmware is version 4.7 at the moment (haven't been able to update it).
    • Using Vmmsharp
    • I am using the symsrv and dbghlp libs that are included with the release.
    • I am using a Memory Map and verified it to be correct
    • Default FPGA algo (0)

    In earlier versions of Windows I was having issues with some of the same errors; disabling Memory Compression via this PowerShell command fixed it: Disable-MMAgent -mc. Not sure if this is now causing issues. Also not sure how I'm getting CompressedPage errors with compression disabled =/

    From the timeline that I was able to establish, most of the instability seems to occur when these show up: [VMM] MmWin_CompressedPage: FAIL: #11 BTreeSearch

    Towards the end of my debug session I had dozens of these, and it coincided with memory not being read at all for 2-4 seconds.

    Not sure if you have any insight into the above errors, or if there is a Windows setting I should adjust for 22H2.

    Once again, thanks for all of your work :)

    EDIT: I rolled back to WIN11 21H2 and all the fails went away.
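To make the failure counts in a report like the one above comparable between runs and Windows builds, here is an added example, not code from the MemProcFS project or from this issue's author, that tallies the MmWin_CompressedPage failure codes found in -vv output and measures the longest burst of consecutive failures (the pattern the post correlates with reads stalling for seconds). SAMPLE_LOG is constructed from the three line shapes quoted in the post.

```python
"""Added example (not from the MemProcFS project or the issue above): tally the
MmWin_CompressedPage failure codes in -vv output and measure the longest burst
of consecutive failures.

SAMPLE_LOG is constructed from the three line shapes quoted in the issue."""
import re
from collections import Counter

# Matches e.g.  [VMM]      MmWin_CompressedPage: FAIL: #35 ChunkArrayTooLarge
FAIL_RE = re.compile(
    r"\[VMM\]\s+MmWin_CompressedPage: FAIL: #(?P<code>\d+) (?P<reason>\w+)"
)

SAMPLE_LOG = """\
[VMM]      MmWin_CompressedPage: FAIL: #42 UnsupportedPageRecord
[VMM]      MmWin_CompressedPage: FAIL: #11 BTreeSearch
[VMM]      MmWin_CompressedPage: FAIL: #35 ChunkArrayTooLarge
[VMM]      MmWin_CompressedPage: FAIL: #35 ChunkArrayTooLarge
[VMM]      some unrelated verbose line (constructed)
[VMM]      MmWin_CompressedPage: FAIL: #35 ChunkArrayTooLarge
[VMM]      MmWin_CompressedPage: FAIL: #11 BTreeSearch
"""


def tally_failures(log_text):
    """Count failures per (code, reason) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[(int(m.group("code")), m.group("reason"))] += 1
    return counts


def longest_burst(log_text):
    """Longest run of consecutive failure lines, uninterrupted by any other
    verbose output."""
    best = run = 0
    for line in log_text.splitlines():
        run = run + 1 if FAIL_RE.search(line) else 0
        best = max(best, run)
    return best


def report(log_text):
    """One line per failure reason, most frequent first, plus totals."""
    counts = tally_failures(log_text)
    lines = [f"#{code:<3} {reason:<24} {n:>6}"
             for (code, reason), n in counts.most_common()]
    lines.append(f"total failures: {sum(counts.values())}, "
                 f"longest burst: {longest_burst(log_text)}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Pass the captured -vv output as the first argument; with no argument the script reports on SAMPLE_LOG.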

  • Cannot get MemProcFs working inside vmware

    Hi,

    I can't seem to get memprocfs working inside vmware running windows 10 x64.

    I've installed dokany file system and the required vs distributables and all files are stored in c:.

    The error with winpmem (I tried both att_winpmem_64.sy and winpmem_64.sy)

    .\MemProcFS.exe -device 'pmem://C:\tools\c-aff4\tools\pmem\resources\winpmem\att_winpmem_64.sys'
    DEVICE: ERROR: Unable to load driver into kernel.
    Is project executable running from the C:\ drive ?
    MemProcFS: Failed to connect to memory acquisition device.
    

    The error with dumpit

    .\DumpIt.exe /LIVEKD /A .\MemProcFS.exe
    
      DumpIt 3.0.20201127.1 (X64) (Nov 27 2020)
      Copyright (C) 2007 - 2020, Matt Suiche (msuiche)
      Copyright (C) 2016 - 2020, Comae Technologies DMCC <https://www.comae.com>
      All rights reserved.
    
      DumpIt is the best for acquisition but... our platform Stardust is also the best for analysis!
      Access it on https://my.comae.com - [email protected] if you have any questions.
    
    Launching .\MemProcFS.exe...
    VmmProc: Unable to auto-identify operating system for PROC file system mount.
             Specify PageDirectoryBase (DTB/CR3) in -cr3 option if value if known.
    MOUNT: INFO: PROC file system not mounted.
    

    The steps that I followed worked on my host machine but not in the VM.

    Any help is greatly appreciated.

  • MemprocFS network error

    After executing the command, when I want to check the network connection the following error happens and then it exits:

    VmmNet_TcpE_GetAddressEPs: UNEXPECTED POOL HDR: ' àÿÿ' EXPECT: 'HTab' AT VA: 0xffffe0005fee5ff0
    VmmNet_TcpE_GetAddressEPs: UNEXPECTED POOL HDR: ' àÿÿ' EXPECT: 'HTab' AT VA: 0xffffe0005fee87f0
    VmmNet_TcpE_GetAddressEPs: UNEXPECTED POOL HDR: ' àÿÿ' EXPECT: 'HTab' AT VA: 0xffffe0005fee47f0
    VmmNet_TcpE_GetAddressEPs: UNEXPECTED POOL HDR: ' àÿÿ' EXPECT: 'HTab' AT VA: 0xffffe0005ff717f0

    using the latest MemProcFS version + all dependencies

  • I am a new developer of DMA. I use C #

    I am a new developer of DMA. I use C#. I have DMA hardware. Now I want to understand how I use C# to read the memory of another computer. What should be the steps? Thank you

  • VMMDLL_Read is not ideal if you have a lot of known memory addresses to read. There is a memory read API that will allow you to read multiple memories at the same time. This will greatly save on the total time. Please have a look in the Example for a short example how to use the Memory Scatter API. https://github.com/ufrisk/MemProcFS/blob/454fa98f4080f97106d833362189d20abdebe0ed/vmm_example/vmmdll_example.c#L1264


    For some workloads there is a 100x increase in speed.

    Please let me know how it goes.

    Originally posted by @ufrisk in https://github.com/ufrisk/MemProcFS/issues/151#issuecomment-1330903757

  • Minidump built-in module seems partial / corrupted

    Hi, an amazing development!!!!

    I have one thing I'm wondering about, which is the minidump core module.

    When I go to process name -> some process -> minidump -> minidump.dmp, and copy the dmp outside, it seems not to be fully compliant with the minidump format.

    Opening in WinDbg (Preview), this is what I'm getting:

    Microsoft (R) Windows Debugger Version 10.0.25200.1003 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Users\usr\Desktop\minidump.dmp]
    User Mini Dump File with Full Memory: Only application data is available
    
    
    ************* Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       srv*
    Symbol search path is: srv*
    Executable search path is: 
    Windows 10 Version 22621 ([ Dump file generated by MemProcFS v5.2.0-86 - The Memory Process File System - https://github.com/ufrisk/MemProcFS ]) MP (16 procs) Free x64
    Product: WinNt
    Machine Name:
    Debug session time: Sun Nov 29 10:54:34.000 2076 (UTC + 2:00)
    System Uptime: 0 days 4:24:03.186
    Process Uptime: not available
    ERROR: Reload failure, partially initialized target
    ?:???> !analyze
    WARNING: The debugger does not have a current process or thread
    WARNING: Many commands will not work
    Extension called without current PC
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    Event is not an exception - analysis may be incorrect
    ***** Debugger could not find ntdll in module list, module list might be corrupt, error 0x80004005.
    

    Could you please shed some light on why this might be happening? Or what changes are to be applied to the project to fix this?

  • 5.1 Read the data bug

    5.0: everything is normal. After replacing the h, lib and dll of 5.1, it is normal to read a small amount of data. The data can't be read more than once, and then it can be read again a few minutes later. When it can't be read, the device can't be connected after closing the program.

  • VMMDLL_Initialize Failing with winpmem

    I have a computer that can, and another computer that can't, but I don't know what the specific error is. What are the differences between the operating environments? The running files are identical.

  • Why do some people fail to initialize?

    Why do some people fail to initialize? Some people can, some people can't. But I can use other people's programs and DMA, which means that my initialization code compatibility is not enough. I do not know why.

    vmm = new Vmm("", "-device", "fpga");
