-
-
Notifications
You must be signed in to change notification settings - Fork 410
FS_Root
The root directory of the Memory Process File System contains multiple directories and files which contains the physical memory of the target.
The files in the root directory are listed in the table below:
Directory | Description |
---|---|
conf | Configuration and Status. |
forensic | Forensic mode. |
misc | Miscellaneous functionality |
name | Per-process directories listed by process name. |
pid | Per-process directories listed by process pid. |
py | Python based plugins. |
registry | Registry information. |
sys | System information. |
vm | Virtual Machine (VM) information. |
The files in the root directory are listed in the table below:
File | Description |
---|---|
memory.dmp | The physical memory slightly adjusted to conform with the Microsoft crash dump format and WinDbg. |
memory.pmem | The raw physical memory. |
The files are writable if a write-capable memory acquisition device is used.
The example below shows hex editing of the memory.pmem file which reflects the physical memory of the target being analyzed. In this example the low stub is being analyzed and the kernel page table base (PML4) is marked at address 0x10a0.
Also shown is WinDbg accessing the auto-generated memory.dmp WinDbg compatible full crash dump file.
It is possible to add sub-directories if registering general/root functionality in native plugins.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: /~https://github.com/sponsors/ufrisk
Thank You 💖