-
-
Notifications
You must be signed in to change notification settings - Fork 410
FS_Phys2Virt
The directory phys2virt exists as a sub-directory to the file system root and in each process directory.
The phys2virt directory contains one special file named phys.txt that the user of the Memory Process File System may write a physical address into. Once saved the page tables of the specific process (or all processes if in root directory) will be scanned for matching virtual addresses. Up to four (4) virtual addresses per process will be written to the virt.txt file.
NB! Scanning the page tables of all processes for matching virtual addresses is an resource intense operation that may take time. Scanning live memory on a 4-core system with 200 active processes typically takes between 10-20 seconds.
NB! The scan is undertaken by walking all process page tables for active physical memory pages. Paged memory, even though otherwise available, will not be detected by this module.
- phys.txt: physical address in hex - always user writable!
- virt.txt: virtual addresses (in hex) that the virtual physical address maps to. If root module process identifier (PID) will also be displayed.
The phys.txt file is writable. The virt.txt file is read-only.
The example below shows how it is possible to map an interesting address in physical memory (0x1EB013000 in the example - red 🔴) to virtual addresses in process memory space.
Write the physical address into the file phys2virt/phys.txt (in the example - orange 📙). The search may take some time. The result with up to four (4) matching virtual addresses per process will be shown together with the PID in the phys2virt/virt.txt file.
Optionally, the memory map of a process may be searched for the located virtual address (in the example it seems to be the PE/MZ header of Crypt32.dll - green 📗).
The phys2virt sub-directories are implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_phys2virt.c in the vmm project.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: /~https://github.com/sponsors/ufrisk
Thank You 💖