-
-
Notifications
You must be signed in to change notification settings - Fork 424
FS_Root
The root directory of the Memory Process File System contains multiple directories and files which contains the physical memory of the target.
The /name/ and /pid/ directories list processes by name and by pid.
Other directories are related to plugins with primary examples being the .status and py directories.
The file memory.pmem contains the raw physical memory being analyzed.
The file memory.dmp contains the physical memory being analyzed slightly adjusted to conform with the Microsoft crash dump format and WinDbg. The file exists on Windows 7 or later.
The files are writable if a write-capable memory acquisition device is used.
The example below shows hex editing of the pmem file which reflects the physical memory of the target being analyzed. In this example the low stub is being analyzed and the kernel page table base (PML4) is marked at address 0x10a0.
It is possible to add sub-directories if registering general/root functionality in native plugins.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖