
MemProcFS:

MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system.

Easy trivial point and click memory analysis without the need for complicated commandline arguments! Access memory content and artifacts via files in a mounted virtual file system or via a feature rich application library to include in your own projects!

Analyze memory dump files, live memory via DumpIt or WinPMEM, live memory in read-write mode from virtual machines or from PCILeech FPGA hardware devices!

It's even possible to connect to a remote LeechAgent memory acquisition agent over a secured connection - allowing for remote live memory incident response - even over higher latency, low bandwidth connections! Peek into Virtual Machines with LiveCloudKd or VMWare!

Use your favorite tools to analyze memory - use your favorite hex editors, your python and powershell scripts, WinDbg or your favorite disassemblers and debuggers - all will work trivially with MemProcFS by just reading and writing files!

Get Started!

Check out the excellent quick walkthrough from 13Cubed to get going! Also check out my older conference talks from Disobey and BlueHat.

For additional documentation please check out the project wiki for in-depth detailed information about the file system itself, its API and its plugin modules! For additional information about memory acquisition methods check out the LeechCore project or hop into the #pcileech Discord channel!

To get going clone the sources in the repository or download the latest binaries, modules and configuration files from the releases section and check out the guide.

Installing:

Get the latest binaries, modules and configuration files from the latest release. Alternatively clone the repository and build from source.

Windows

Mounting the file system requires the Dokany file system library to be installed. Please download and install the latest version of Dokany version 2 at: https://github.com/dokan-dev/dokany/releases/latest

To capture live memory (without PCILeech FPGA hardware) download DumpIt and start MemProcFS via DumpIt /LIVEKD mode. Alternatively, get WinPMEM by downloading the most recent signed WinPMEM driver and place it alongside MemProcFS - detailed instructions in the LeechCore Wiki.

PCILeech FPGA will require hardware as well as FTD3XX.dll to be dropped alongside the MemProcFS binaries. Please check out the LeechCore project for instructions.

Linux

MemProcFS depends on a few system packages; run sudo apt-get install libusb-1.0 fuse openssl lz4 before trying out MemProcFS. If building from source please check out the guide about MemProcFS on Linux.

Extensive Python, Java, C# and C/C++ API:

Include MemProcFS in your C/C++, C#, Java or Python programming projects! Everything in MemProcFS is exposed via an easy-to-use API for use in your own projects! The Plugin friendly architecture allows users to easily extend MemProcFS with native C .DLL plugins or Python plugins!

Everything in MemProcFS is exposed as APIs. APIs exist for C/C++ (vmmdll.h), C# (vmmsharp.cs), Java and Python (memprocfs.py). The file system itself is made available virtually via the API without the need to mount it. It is possible to read both virtual process memory as well as physical memory! The example below shows reading 0x20 bytes from physical address 0x1000:

>>> import memprocfs
>>> vmm = memprocfs.Vmm(['-device', 'c:/temp/win10_memdump.raw'])
>>> print(vmm.hex( vmm.memory.read(0x1000, 0x20) ))
0000    e9 4d 06 00 01 00 00 00  01 00 00 00 3f 00 18 10   .M..........?...
0010    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
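The same API also reads virtual process memory. As an added example (not code from the MemProcFS project), the check below walks a process's module list and flags modules whose in-memory image base no longer starts with an MZ header, a common sign of header wiping that a forensic analyst would want surfaced; it uses process.module_list() (modules with .name and .base) and process.memory.read(va, length) from the Python API, and assumes a read of unmapped memory returns fewer bytes than requested. A constructed stand-in process is included so the check runs without a dump.

```python
# Added example, not part of MemProcFS: flag modules whose PE header is
# missing from memory. Assumes memprocfs-style objects: process.module_list()
# yields modules with .name/.base, process.memory.read(va, length) returns
# bytes (short or empty when the pages are not readable).
MZ = b"MZ"


def modules_missing_mz(process, read_len=0x40):
    """Return (module name, reason) for modules lacking an MZ header at base."""
    findings = []
    for module in process.module_list():
        data = process.memory.read(module.base, read_len)
        if len(data) < len(MZ):
            findings.append((module.name, "unreadable"))   # paged out / unmapped
        elif data[:len(MZ)] != MZ:
            findings.append((module.name, "no-mz"))        # header wiped/overwritten
    return findings


# Constructed stand-in for a memprocfs VmmProcess so the check runs offline.
class _FakeMemory:
    def __init__(self, pages):
        self._pages = pages

    def read(self, va, length, flags=0):
        return self._pages.get(va, b"")[:length]


class _FakeModule:
    def __init__(self, name, base):
        self.name, self.base = name, base


class _FakeProcess:
    def __init__(self, modules, pages):
        self._modules, self.memory = modules, _FakeMemory(pages)

    def module_list(self):
        return self._modules


def sample_process():
    """Constructed sample: one intact image, one wiped header, one unreadable base."""
    pages = {0x7FF600000000: b"MZ\x90\x00" + b"\x00" * 60,  # intact
             0x7FF700000000: b"\x00" * 64}                   # wiped
    modules = [_FakeModule("good.exe", 0x7FF600000000),
               _FakeModule("wiped.dll", 0x7FF700000000),
               _FakeModule("paged.dll", 0x7FF800000000)]    # no page -> unreadable
    return _FakeProcess(modules, pages)


if __name__ == "__main__":
    import sys
    import memprocfs  # real run: python3 this.py <dump-path> <process-name>
    vmm = memprocfs.Vmm(["-device", sys.argv[1]])
    for proc in vmm.process_list():
        if proc.name.lower() == sys.argv[2].lower():
            print(proc.pid, modules_missing_mz(proc))
```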

Examples:

Start MemProcFS from the command line - possibly by using one of the examples below.

Or register the memory dump file extension with MemProcFS.exe so that the file system is automatically mounted when double-clicking on a memory dump file!

  • mount the memory dump file as default M:
    memprocfs.exe -device c:\temp\win10x64-dump.raw
  • mount the memory dump file as default M: with extra verbosity:
    memprocfs.exe -device c:\temp\win10x64-dump.raw -v
  • mount the memory dump file as default M: and start forensics mode:
    memprocfs.exe -device c:\temp\win10x64-dump.raw -forensic 1
  • mount the memory dump file as /home/pi/mnt/ on Linux:
    ./memprocfs -mount /home/pi/linux -device /dumps/win10x64-dump.raw
  • mount the memory dump file as S:
    memprocfs.exe -mount s -device c:\temp\win10x64-dump.raw
  • mount live target memory, in verbose read-only mode, with DumpIt in /LIVEKD mode:
    DumpIt.exe /LIVEKD /A memprocfs.exe /C "-v"
  • mount live target memory, in read-only mode, with WinPMEM driver:
    memprocfs.exe -device pmem
  • mount live target memory, in read/write mode, with PCILeech FPGA memory acquisition device:
    memprocfs.exe -device fpga -memmap auto
  • mount a memory dump together with its corresponding page files:
    memprocfs.exe -device unknown-x64-dump.raw -pagefile0 pagefile.sys -pagefile1 swapfile.sys

Building:

Pre-built binaries, modules and configuration files are found in the latest release. MemProcFS binaries are built with Visual Studio 2022 and Ubuntu x64/AARCH64.

Detailed build instructions may be found in the Wiki in the Building section.

License:

The project source code is released under: GNU Affero General Public License v3.0. Some bundled dependencies and plugins are released under GPLv3. Some bundled Microsoft redistributable binaries are released under separate licenses. Alternative closed-source licensing may be possible upon request.

Contributing:

PCILeech, MemProcFS and LeechCore are open source but not open contribution. PCILeech, MemProcFS and LeechCore offer a highly flexible plugin architecture that allows for contributions in the form of plugins. If you wish to make a contribution, other than a plugin, to the core projects please contact me before starting to develop.

Links:

Links - Related Projects:

Support PCILeech/MemProcFS development:

PCILeech and MemProcFS are free and open source!

I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!

If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk

To all my sponsors, Thank You 💖

Changelog:

Previous releases:

v1.0

  • Initial Release.

v1.1-v3.10

  • Various updates. Please see individual releases for more information.

v4.0

  • Linux support (x64 and aarch64).
  • Separate releases for Windows and Linux.
  • API Changes and some incompatibilities.

v4.1

  • Bug fixes.
  • Offline kernel symbols (partial support). This allows for more functionality in Linux mode and in Windows offline mode.

v4.2

  • Support for VMWare live VM introspection.
  • Support for remote agent-based memory analysis.
  • Map kernel memory space into csrss.exe process (to make win32k easier to access).

v4.3

  • Support for Windows Server 2022.
  • Support for Active Memory and Full Bitmap Microsoft Crash Dump files.
  • 32-bit support for Windows and Linux (no 32-bit binary release yet).
    Many thanks to @JosiahWhite for helping out getting me going and showing this was possible!

v4.4

v4.5

  • Merge memprocfs (Windows) and memprocfs_fuse (Linux) projects.
  • New VMMDLL_Scatter_* API to simplify C/C++ ReadScatter use.
  • Pool parsing bug fixes.

v4.6

  • New ReadScatter API for Python.
  • VMMDLL_Scatter_* API efficiency improvements for some smaller reads.
  • Visual Studio 2022 Support.
  • Upgrade to Dokany2 (NB! Dokany2 will have to be installed!).

v4.7

  • New memory search functionality (file system and API).
  • New/improved logging sub-system.
  • Minor API updates.

v4.8

  • Bug fixes.
  • New WriteScatter API.
  • Process environment variables.
  • C# support for New Scatter API and Search API.
  • Forensic file consistency when analyzing local file with -forensic start-up option.
  • Search updates.
  • Bitlocker key recovery.

v4.9

  • Bug fixes.
  • Python and C# API updates.
  • Additional FindEvil detection vectors.
  • Process child/parent parsing improvements.
  • Process integrity levels and full SID list.
  • Heap parsing.
  • Web history plugin.

v5.0

  • Major release with new features to support parallel analysis tasks.
  • Breaking API changes and major updates.
  • Extended forensic analysis capabilities and CSV file support.
  • New Java API.
