ufrisk / memprocfs
MemProcFS
License: GNU Affero General Public License v3.0
Hello,
I am facing an issue with the read tiny algorithm.
If I toggle it in the leechcore lib, pcileech can probe and display memory,
but in the MemProcFS lib it fails on VmmWinInit_FindNtosScan / VmmWinInit_FindSystemEPROCESS.
If I toggle it back to false it works flawlessly.
Any idea what could go wrong?
Hi,
I need a small confirmation/information, as I would like to read a lot of data in a loop.
Could you please confirm that VMMDLL_MemReadEx automatically reads a minimum of exactly 0x1000 bytes?
Meaning in terms of TLPs, resources, performance, timings it is EXACTLY the same to call
Which means in the end there is absolutely ZERO advantage to try to read less data >= 0x1000 bytes, right?
Thanks :-)
It would be nice if MemProcFS could be mounted in a way that looks and behaves like a procfs normally found on unixoid systems.
Represented features might include:
/proc/<pid> for process directories
/proc/<pid>/maps for the memory map
/proc/<pid>/fd/ for the list of handles
/proc/<pid>/cmdline for the command line
/proc/<pid>/exe for the executable being run
More information can be found in the Linux Kernel documentation.
Hi,
I try to use the Python API and for some reason I can't read with the VmmPy_VfsRead.
I try to use exactly the same command line as the example: VmmPy_UtilFillHexAscii(VmmPy_VfsRead('/memory.pmem', 0x100, 0x1000)), and it gives me the error "RuntimeError: VMMPYC_VfsRead: Failed".
How do we save/load memory maps via vmm.dll? Trying to prevent master aborts.
Dear Ufrisk
I keep getting the following exception when trying to use VMMDLL_PidList(pPIDs, pcPIDs). I guess that is due to my initialization of the array:
Exception thrown at 0x00007FFB2CE6A054 (ucrtbased.dll) in vmm_example.exe: 0xC0000005: Access violation reading location 0x000000000000011A.
The initialization I have tried:
DWORD pIDs[1000]; // not working
DWORD *arrayPointer;
arrayPointer = pIDs; // not working
PDWORD pIDs; // not working
PDWORD pIDs[1000]; // not working
Can you please suggest a simple way to pass the arguments through the function?
Leo
Hi UlfFrisk. I tried to get this working today.
Installed per the instructions on git, minus PCILeech FPGA as I don't plan on testing live memory.
OS: Win 10 171343
Python36 in the 'files/python36' folder as described.
Microsoft Visual C++ 2017 14.15.26706 (newer version than the one included in your instructions)
Installed DokanSetup_redist from your link.
DumpIT mem dump of my host (Win10 171343).
Result: auto-identify failed
Tried -identify option, which failed.
Identified the DTB address using volatility and passed it into -cr3 option
Result: BSOD
Moyix's Fuzzy Hidden Process Sample Windows XP SP3 x86
(from here https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples)
Result: auto-identify failed
Tried -identify option, which failed.
Identified the DTB address using volatility and passed it into -cr3 option
Result: BSOD
Any thoughts on why I'm getting a BSOD? Any additional info or logs I could provide?
Can't wait to play with this further.
In the previous version of MemProcFS I made a few changes to be able to get the full dll name, like this:
typedef struct tdPCILEECH_VMM_MODULEMAP_ENTRY {
ULONG64 BaseAddress;
ULONG64 EntryPoint;
DWORD SizeOfImage;
BOOL fWoW64;
CHAR szName[32];
CHAR szExePath[MAX_PATH];
} PCILEECH_VMM_MODULEMAP_ENTRY, *PPCILEECH_VMM_MODULEMAP_ENTRY;
if(!VmmReadString_Unicode2Ansi(ctxVmm, pProcess, (QWORD)pLdrModule->BaseDllName.Buffer, pModule->szName, min(31, pLdrModule->BaseDllName.Length))) { break; }
if(pLdrModule->FullDllName.Length != 0) {
    VmmReadString_Unicode2Ansi(ctxVmm, pProcess, (QWORD)pLdrModule->FullDllName.Buffer, pModule->szExePath, min(MAX_PATH, pLdrModule->FullDllName.Length));
}
But in the latest version much has changed, and it would be nice to have official support, something like this:
typedef struct tdVMMDLL_MAP_MODULEENTRY {
QWORD vaBase;
QWORD vaEntry;
DWORD cbImageSize;
BOOL fWoW64;
LPWSTR wszText;
DWORD cwszText; // wchar count not including terminating null
LPWSTR wszFullDllName;
DWORD cwszFullDllName;
DWORD _Reserved1[7];
} VMMDLL_MAP_MODULEENTRY, *PVMMDLL_MAP_MODULEENTRY;
I've spent the past couple of days trying to troubleshoot the issues I've been having with MemProcFS.exe
on my system. Not sure how to resolve this though as it doesn't look like anyone else was seeing the same errors I have been getting. I've been using the pre-compiled releases. The only thing I haven't attempted to do is build it myself.
Output when attempting to mount:
> .\MemProcFS.exe -device fpga -v -vv
DEVICE: FPGA: ScreamerM2 PCIe gen2 x1 [300,0,500] [v4.6,0200]
----- FPGA DEVICE CONFIG REGISTERS: CORE-READ-ONLY SIZE: 35 BYTES -----
----- FPGA DEVICE CONFIG REGISTERS: CORE-READ-WRITE SIZE: 30 BYTES -----
----- FPGA DEVICE CONFIG REGISTERS: PCIE-READ-ONLY SIZE: 48 BYTES -----
----- FPGA DEVICE CONFIG REGISTERS: PCIE-READ-WRITE SIZE: 84 BYTES -----
----- PCIe CORE Dynamic Reconfiguration Port (DRP) SIZE: 0x100 BYTES -----
----- PCIe CONFIGURATION SPACE (no user set values) SIZE: 0x200 BYTES -----
LcMemMap_AddRange: 0000000000000000-000000000009ffff -> 0000000000000000
LcMemMap_AddRange: 0000000000100000-000000086dffffff -> 0000000000100000
LeechCore v2.0.2: Open Device: fpga
VmmWinInit_TryInitialize: INFO: DTB located at: 00000000001ad000. MemoryModel: X64
MmX64_TlbPageTableVerify: VMM: BAD PT PAGE at PA: 00000000001ad000
MmX64_TlbPageTableVerify: VMM: BAD PT PAGE at PA: 00000000001ad000
VmmWinInit_TryInitialize: Initialization Failed. Unable to locate ntoskrnl.exe. #3
VmmProc: Unable to auto-identify operating system for PROC file system mount.
Specify PageDirectoryBase (DTB/CR3) in -cr3 option if value if known.
MOUNT: INFO: PROC file system not mounted.
System information:
Version 10.0.18363 Build 18363
Hardware Abstraction Layer Version = "10.0.18362.387"
Processor Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz, 3600 Mhz, 8 Core(s), 16 Logical Processor(s)
BaseBoard Product ROG MAXIMUS XI EXTREME
Kernel DMA Protection Off
Virtualization-based security Not enabled
Device Encryption Support Reasons for failed automatic device encryption: TPM is not usable, PCR7 binding is not
supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s)
detected, TPM is not usable
Hyper-V - VM Monitor Mode Extensions Yes
Hyper-V - Second Level Address Translation Extensions Yes
Hyper-V - Virtualization Enabled in Firmware No
Hyper-V - Data Execution Protection Yes
I can read/write memory. Probe, dump, and display all function for me as well.
> .\pcileech.exe testmemreadwrite -min 0x1000
Memory Test Read: starting, reading 1000 times from address: 0x00001000
Memory Test Read: SUCCESS!
Memory Test Write: starting, reading/writing 100 times from address: 0x00001000
Memory Test Write: Success!
> .\pcileech probe -device fpga
Memory Map:
START END #PAGES
0000000000000000 - 000000000009ffff 000000a0
00000000000c0000 - 000000008f6fffff 0008f640
0000000100000000 - 000000086dffffff 0076e000
Current Action: Probing Memory
Access Mode: Normal
Progress: 34528 / 34528 (100%)
Speed: 486 MB/s
Address: 0x000000086E000000
Pages read: 8378080 / 8839168 (94%)
Pages failed: 461088 (5%)
Memory Probe: Completed.
Dear Ufrisk
Is there a way to attach a debugger like the two above directly to the memory file system with FPGA devices? I have tried to dump the raw binary of a function at the target virtual address and analyze with IDA but honestly without dependencies the disassembler code is not quite meaningful.
Leo
Hello,
I am trying to figure out the most efficient way to read data in terms of performance/latency using the lib.
I have a loop which reads (pciescreamer r02, 4.0 and 4.3) data. I then parse it (c++).
The loop reads about 45000 bytes of continuous data, but I don't use most of it.
I made another version which reads (vmm readmem) only the parts that I use, which results in 4 calls of 800 bytes, 400, 2 and 2.
Is it better to grab one big amount of data or to split it up into multiple smaller reads?
I profiled the execution with both implementations but the results are vague, and I can't determine the best way to use the lib/hardware to get optimal performance. Any recommendation? Thanks :-)
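The two questions above (whether a sub-page read costs the same as a 0x1000-byte read, and whether one 45000-byte read beats four small ones) come down to how many distinct pages each strategy touches. The following is an added example, not MemProcFS or LeechCore code; it assumes that the transport fetches whole 4 KiB pages, which is an assumption and not something the project confirms here, and the base address and offsets are constructed.

```python
"""Page-granular cost model for memory reads.

Added example, not MemProcFS/LeechCore code. Assumption (not confirmed by
the project): every read is serviced in whole 4 KiB pages, so the cost of a
request is the number of distinct pages it touches, not the bytes asked for.
"""
PAGE_SIZE = 0x1000


def page_base(addr: int, page_size: int = PAGE_SIZE) -> int:
    """Round an address down to the start of its page."""
    return addr & ~(page_size - 1)


def pages_touched(va: int, size: int, page_size: int = PAGE_SIZE) -> list[int]:
    """Page bases covered by a read of `size` bytes at `va` (empty for size <= 0).

    A two-byte read that straddles a page boundary touches two pages."""
    if size <= 0:
        return []
    first = page_base(va, page_size)
    last = page_base(va + size - 1, page_size)
    return list(range(first, last + 1, page_size))


def plan_reads(requests, page_size: int = PAGE_SIZE) -> dict:
    """Coalesce (va, size) requests into the distinct pages they need.

    Returns the sorted page list plus bytes requested versus bytes that would
    actually move under the page-granular model. This is also the grouping a
    caller would use to batch many small reads into one scatter request."""
    pages: set[int] = set()
    requested = 0
    for va, size in requests:
        pages.update(pages_touched(va, size, page_size))
        requested += max(size, 0)
    pages_sorted = sorted(pages)
    return {
        "pages": pages_sorted,
        "page_count": len(pages_sorted),
        "bytes_requested": requested,
        "bytes_transferred": len(pages_sorted) * page_size,
    }


def compare_bulk_vs_sparse(base: int) -> dict:
    """Model the two strategies from the post: one ~45000-byte read versus four
    small reads (800, 400, 2, 2 bytes) at constructed offsets inside that range."""
    bulk = plan_reads([(base + 0x100, 45000)])
    sparse = plan_reads([
        (base + 0x300, 800),   # lies entirely inside page 0
        (base + 0x3100, 400),  # page 3
        (base + 0x7FFF, 2),    # straddles the page 7 / page 8 boundary
        (base + 0xA000, 2),    # page 10
    ])
    return {
        "bulk": bulk,
        "sparse": sparse,
        "sparse_saves_pages": sparse["page_count"] < bulk["page_count"],
    }


if __name__ == "__main__":
    # Constructed, page-aligned base address for the demonstration.
    result = compare_bulk_vs_sparse(0x7FF612340000)
    for name in ("bulk", "sparse"):
        r = result[name]
        print(f"{name:6}: {r['page_count']:2} pages, "
              f"{r['bytes_requested']} B requested, {r['bytes_transferred']} B moved")
```

Under this model two tiny reads on the same page cost exactly one page, while a tiny read that straddles a boundary costs two, so the page count of the coalesced plan, not the byte count, is what to compare when profiling.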
Does this version not support Windows 10.0.18363?
Hi,
I try to use the python api with the pmem device.
I use the line VmmPy_Initialize(["-device", "pmem"]) and it returns error "Initialization of VMM failed".
When I use the memprocfs it works perfectly with the pmem, and it also works fine when I use the python api with normal file.
Thank you,
Ittai
Hello,
In this function (Lines 529 to 530 in 4a12179), IMHO the parameter _In_ PSIZE_T pcbProcessInformation isn't needed, because the size of the filled data is statically always sizeof(VMMDLL_PROCESS_INFORMATION): we don't need to call the function (with pProcessInformation as NULL) to get how many bytes of data will be filled.
Indeed, the implementation: Lines 880 to 883 in 4a12179
(In reading the code, I understand the technique of passing NULL first to get the needed size of allocated data, but in this case it may not be necessary?)
Hi,
My code is working for the old version, but with version "3.4," it's not working. I believe it is an issue with detecting the architecture; when I trace the code's problem, it's trying to access winpmem x86 version where the system is x64.
CreateFile C:\Users*\source\repos*\x64\Debug\att_winpmem_32.sys NAME NOT FOUND
I found solutions to most of my problems and now reading and writing work fine.
I have now decided to look into a process which is protected by an anti-cheat.
The process and PID can be seen when I look from within the target PC but VMMDLL_PidGetFromName fails to find the process from the attacker PC.
Would you like for me to upload a memory dump for analysis?
So the actual process name is FortniteClient-Win64-Shipping.exe but when I dump and mount memory it appears as FortniteClient
Hello,
The Ctrl-C handler stops the process with (MemProcFS/MemProcFS/memprocfs.c, Lines 68 to 80 in 4a12179):
so there is a cleanup thread created, and the main process sleeps 500ms..., then it sleeps about 1000ms (so any Ctrl+C takes at least ~1.5s for the termination).
Instead of using Sleep, why didn't it use a simple wait with timeout, e.g.
HANDLE thrd_handle = CreateThread(...);
WaitForSingleObject(thrd_handle, 500);
HANDLE proc_handle = GetCurrentProcess();
TerminateProcess(proc_handle, 1);
WaitForSingleObject(proc_handle, 1000);
so it takes at most ~1.5s for termination.
Many thanks for any response.
Is it possible to allocate memory with VirtualAlloc on the target process by using MemProcFS? Is it called VirtualAlloc or something else?
It seems that VmmWinInit_FindNtosScan fails when your deviceid is 0xffff. It has something to do with VmmWinInit_FindNtosScanHint64.
This can be fixed by literally just removing the highlighted code shown here:
https://gyazo.com/c87a434b28be5f69fc9d96b632dd8838
I wanted to come here with solutions in case anyone else has similar issues, and then leave this open for documentation improvements. I was looking to just compile and run vmm_example.c
So I'm not a dumb guy, I'm just not familiar with the tool chain and my OS preference is Linux. My goodness this whole experience was rough. Part of it is that I need to go get Fisher-Price My First Visual Studio, but the tool chain doesn't even have native help docs as far as I can tell. I feel like all the tools and arguments are SUPER clunky.
There has to be a better way than this (which worked):
Quick preface if you're here looking for help. You'll need the windows 10 SDK and then if you can't find something you can search for it: name:=exact_file_name
Your paths below will be similar but different based on which packages you installed
$Env:INCLUDE = "C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um;C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared;C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.28.29333\include;C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\ucrt;C:\Users\Ryan\Documents\MemProcFS\includes"
C:\Program` Files` `(x86`)\Microsoft` Visual` Studio\2019\Community\VC\Tools\MSVC\14.16.27023\bin\Hostx64\x64\cl.exe /EHsc .\vmmdll_example.c "C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\um\x64\Uuid.Lib" "C:\Users\Ryan\Documents\MemProcFS\includes\lib64\leechcore.lib" "C:\Users\Ryan\Documents\MemProcFS\includes\lib64\vmm.lib" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.16.27023\lib\x64\libcmt.lib" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.16.27023\lib\x64\oldnames.lib" "C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\um\x64\kernel32.Lib" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.16.27023\lib\x64\libvcruntime.lib" "C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\ucrt\x64\libucrt.lib" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.16.27023\lib\x64\msvcrt.lib" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.16.27023\lib\onecore\x64\msvcrtd.lib" /link /subsystem:console
I want to access paged memory however after starting MemProcFS with:
.\MemProcFS.exe -pagefile0 pagefile.sys -pagefile1 swapfile.sys -device FPGA -v
I am told:
WARNING: CANNOT OPEN PAGE FILE #0 'pagefile.sys'
WARNING: CANNOT OPEN PAGE FILE #1 'swapfile.sys'
How may I gain access to these? I have a default windows 10 installation.
After executing the command, when I want to check the network connection, the following error happens and then it exits:
VmmNet_TcpE_GetAddressEPs: UNEXPECTED POOL HDR: ' àÿÿ' EXPECT: 'HTab' AT VA: 0xffffe0005fee5ff0
VmmNet_TcpE_GetAddressEPs: UNEXPECTED POOL HDR: ' àÿÿ' EXPECT: 'HTab' AT VA: 0xffffe0005fee87f0
VmmNet_TcpE_GetAddressEPs: UNEXPECTED POOL HDR: ' àÿÿ' EXPECT: 'HTab' AT VA: 0xffffe0005fee47f0
VmmNet_TcpE_GetAddressEPs: UNEXPECTED POOL HDR: ' àÿÿ' EXPECT: 'HTab' AT VA: 0xffffe0005ff717f0
using the latest MemProcFS version + all dependencies
I just updated everything to LeechCore v2.0.2
however on the new version it won't find ntoskrnl.exe (it worked fine on the old release)
DEVICE: FPGA: ScreamerM2 PCIe gen2 x1 [300,0,500] [v4.6,0500]
X570 asus chipset
Winver: 1909 Build 18363.959
FPGA: TINY PCIe TLP algrithm auto-selected!
LcMemMap_AddRange: 0000000000000000-000000000009ffff -> 0000000000000000
LcMemMap_AddRange: 0000000000100000-000000081f37ffff -> 0000000000100000
LeechCore v2.0.2: Open Device: fpga
VmmWinInit_TryInitialize: INFO: DTB located at: 00000000001ad000. MemoryModel: X64
VmmWinInit_TryInitialize: Initialization Failed. Unable to locate ntoskrnl.exe. #3
I want to read a Virtual Address however it's not consistently accessible, is there a way to force it to be? Or to read it another way? Sometimes I just get zeroed memory and other times the actual data.
I've tried disabling the Page File on Windows but that doesn't seem to help.
Has anyone got any suggestions how I might do this?
Thank you very much for your reply and guidance! The error in version 3.3 is due to the use of a Windows 7 system, which can be used normally now. I have placed an order on Amazon for the books you recommended, and I will step up my study later. For dumping memory based on a specific process number, I intended to write custom rules to retrieve memory based on a specific string or sequence of bytes, but because of the entire memory dump, the file size was too large. I have carefully checked the vmmpy_example.py file and found no module to implement this function. Do you have any good suggestions? Or can I try to write a program based on the Python API you provide?
Hello,
I am having an issue with MemReadScatter results: the pb data seems corrupted (or might not be read) beyond 128 bytes (at least in my tests it seems to be beyond 128). The size I am trying to read is initially around 4080 bytes; the read result was not valid, so I tried with 720 and realized the first part of the data seems to be fine (around 128B) and all the rest is like not read.
With the function ReadEx on the same address and the same size to read, the bytes are the correct ones.
Here are the results of both functions, used with a scatter call on only one address, which is the same used on ReadEx, page aligned:
Scatter:
0000 32 3e dc bd aa b7 5a 3f 1e 28 02 bf d6 5e 04 c3 2>....Z?.(...^..
0010 66 27 c5 bd 8e 02 00 3f 9e 52 5c 3f 98 9b df c3 f'.....?.R?....
0020 c7 51 7d 3f b6 e4 10 3e b8 3e e9 3c 89 f2 18 42 .Q}?...>.>.<...B
0030 d4 23 8d 3e bf 14 76 bf 00 00 00 00 00 00 00 c3 .#.>..v.........
0040 bf 14 76 3f d4 23 8d 3e 00 00 00 00 00 00 e0 c3 ..v?.#.>........
0050 00 00 00 00 00 00 00 00 00 00 80 3f 00 00 f0 be ...........?....
0060 d4 23 8d 3e bf 14 76 bf 00 00 00 00 00 00 00 c3 .#.>..v.........
0070 bf 14 76 3f d4 23 8d 3e 00 00 00 00 00 00 e0 c3 ..v?.#.>........
0080 90 00 91 00 92 00 93 00 94 00 95 00 96 00 97 00 ................
0090 98 00 99 00 9a 00 9b 00 9c 00 9d 00 9e 00 9f 00 ................
00a0 a0 00 a1 00 a2 00 a3 00 a4 00 a5 00 a6 00 a7 00 ................
00b0 a8 00 a9 00 aa 00 ab 00 ac 00 ad 00 ae 00 af 00 ................
00c0 b0 00 b1 00 b2 00 b3 00 b4 00 b5 00 b6 00 b7 00 ................
00d0 b8 00 b9 00 ba 00 bb 00 bc 00 bd 00 be 00 bf 00 ................
00e0 c0 00 c1 00 c2 00 c3 00 c4 00 c5 00 c6 00 c7 00 ................
00f0 c8 00 c9 00 ca 00 cb 00 cc 00 cd 00 ce 00 cf 00 ................
0100 d0 00 d1 00 d2 00 d3 00 d4 00 d5 00 d6 00 d7 00 ................
0110 d8 00 d9 00 da 00 db 00 dc 00 dd 00 de 00 df 00 ................
0120 e0 00 e1 00 e2 00 e3 00 e4 00 e5 00 e6 00 e7 00 ................
0130 e8 00 e9 00 ea 00 eb 00 ec 00 ed 00 ee 00 ef 00 ................
0140 f0 00 f1 00 f2 00 f3 00 f4 00 f5 00 f6 00 f7 00 ................
0150 f8 00 f9 00 fa 00 fb 00 fc 00 fd 00 fe 00 ff 00 ................
0160 00 01 01 01 02 01 03 01 04 01 05 01 06 01 07 01 ................
0170 08 01 09 01 0a 01 0b 01 0c 01 0d 01 0e 01 0f 01 ................
0180 10 01 11 01 12 01 13 01 14 01 15 01 16 01 17 01 ................
0190 18 01 19 01 1a 01 1b 01 1c 01 1d 01 1e 01 1f 01 ................
01a0 20 01 21 01 22 01 23 01 24 01 25 01 26 01 27 01 .!.".#.$.%.&.'.
01b0 28 01 29 01 2a 01 2b 01 2c 01 2d 01 2e 01 2f 01 (.).*.+.,.-.../.
01c0 30 01 31 01 32 01 33 01 34 01 35 01 36 01 37 01 0.1.2.3.4.5.6.7.
01d0 38 01 39 01 3a 01 3b 01 3c 01 3d 01 3e 01 3f 01 8.9.:.;.<.=.>.?.
01e0 40 01 41 01 42 01 43 01 44 01 45 01 46 01 47 01 @.A.B.C.D.E.F.G.
01f0 48 01 49 01 4a 01 4b 01 4c 01 4d 01 4e 01 4f 01 H.I.J.K.L.M.N.O.
0200 50 01 51 01 52 01 53 01 54 01 55 01 56 01 57 01 P.Q.R.S.T.U.V.W.
0210 58 01 59 01 5a 01 5b 01 5c 01 5d 01 5e 01 5f 01 X.Y.Z.[..].^._.
0220 60 01 61 01 62 01 63 01 64 01 65 01 66 01 67 01 `.a.b.c.d.e.f.g.
0230 68 01 69 01 6a 01 6b 01 6c 01 6d 01 6e 01 6f 01 h.i.j.k.l.m.n.o.
0240 70 01 71 01 72 01 73 01 74 01 75 01 76 01 77 01 p.q.r.s.t.u.v.w.
0250 78 01 79 01 7a 01 7b 01 7c 01 7d 01 7e 01 7f 01 x.y.z.{.|.}.~...
0260 80 01 81 01 82 01 83 01 84 01 85 01 86 01 87 01 ................
0270 88 01 89 01 8a 01 8b 01 8c 01 8d 01 8e 01 8f 01 ................
0280 90 01 91 01 92 01 93 01 94 01 95 01 96 01 97 01 ................
0290 98 01 99 01 9a 01 9b 01 9c 01 9d 01 9e 01 9f 01 ................
02a0 a0 01 a1 01 a2 01 a3 01 a4 01 a5 01 a6 01 a7 01 ................
02b0 a8 01 a9 01 aa 01 ab 01 ac 01 ad 01 ae 01 af 01 ................
02c0 b0 01 b1 01 b2 01 b3 01 b4 01 b5 01 b6 01 b7 01 ................
ReadEx:
0000 32 3e dc bd aa b7 5a 3f 1e 28 02 bf d6 5e 04 c3 2>....Z?.(...^..
0010 66 27 c5 bd 8e 02 00 3f 9e 52 5c 3f 98 9b df c3 f'.....?.R?....
0020 c7 51 7d 3f b6 e4 10 3e b8 3e e9 3c 89 f2 18 42 .Q}?...>.>.<...B
0030 d4 23 8d 3e bf 14 76 bf 00 00 00 00 00 00 00 c3 .#.>..v.........
0040 bf 14 76 3f d4 23 8d 3e 00 00 00 00 00 00 e0 c3 ..v?.#.>........
0050 00 00 00 00 00 00 00 00 00 00 80 3f 00 00 f0 be ...........?....
0060 d4 23 8d 3e bf 14 76 bf 00 00 00 00 00 00 00 c3 .#.>..v.........
0070 bf 14 76 3f d4 23 8d 3e 00 00 00 00 00 00 e0 c3 ..v?.#.>........
0080 00 00 00 00 00 00 00 00 00 00 80 3f 00 20 7e 42 ...........?.BZ?D...
0090 e2 2c 00 3e ab 7d 58 3f b4 d1 04 bf 3a 5c 04 c3 .,.>.}X?....:..
00a0 54 a4 9f 3c 49 4f 05 3f 7a 7e 5a 3f 44 b2 df c3 T..<IO.?z
00b0 09 f0 7d 3f f8 7f ef bd 37 7b 47 3d fd e2 1c 42 ..}?....7{G=...B
00c0 ac 42 46 3e ee b9 43 3f fc 62 1d bf f0 df 03 c3 .BF>..C?.b......
00d0 e0 42 20 3d 0d c1 1e 3f ca 94 48 3f 97 a8 df c3 .B =...?..H?....
00e0 c6 f4 7a 3f 12 f9 33 be 7b a1 b8 3d cb 46 2c 42 ..z?..3.{..=.F,B
00f0 b8 59 7d 3e 3e fe 2e 3f fe c9 2f bf 7c f6 02 c3 .Y}>>..?../.|...
0100 fc 86 04 3c dd 0c 35 3f 02 fa 34 3f 00 91 df c3 ...<..5?..4?....
0110 4b 08 78 3f 93 ca 38 be 9e 83 2d 3e d0 be 3e 42 K.x?..8...->..>B
0120 b8 8d 9c 3e 0d e7 06 3f af 00 4b bf b3 3f 01 c3 ...>...?..K..?..
0130 1b e5 8c 3e ba 97 3f 3f fd 7b 1a 3f d4 89 df c3 ...>..??.{.?....
0140 22 56 69 3f 20 33 ce be 96 ad ab 3d fe 97 59 42 "Vi? 3.....=..YB
0150 7e 9f b6 3e a2 8b eb 3e 44 27 50 bf 17 b1 fe c2..>...>D'P......v.7...
0160 9a 21 07 3f 88 6d 1e 3f ab ea 14 3f 9d ae de c3 .!.?.m.?...?....
0170 96 53 45 3f d3 fd 22 bf 48 10 b5 bc b4 48 70 42 .SE?..".H....HpB
0180 e0 eb ad 3d 2e fd 80 3e 7e c9 76 bf 37 c2 fb c2 ...=...>
0190 00 e6 37 3e 7a a2 72 3f 2c eb 86 3e cf 1d dd c3 ..7>z.r?,..>....
01a0 d4 e5 7a 3f 1e 32 48 be bc 5c 10 3d 15 46 7f 42 ..z?.2H...=.F.B
01b0 d7 b1 49 3f 54 58 f6 3d 76 9e 1a bf be bd 00 c3 ..I?TX.=v.......
01c0 9e da 1c bf 16 f5 80 3e d8 c4 3f bf df 9a df c3 .......>..?.....
01d0 6b 07 7e 3d 60 d3 75 3f 12 56 8b 3e 62 3a 7d 42 k.=`.u?.V.>b:}B.3.b.cB
01e0 76 d8 71 bf 4e 15 a7 3e 50 89 03 3d 65 b5 fe c2 v.q.N..>P..=e...
01f0 95 f8 a5 3e 2c b6 71 3f 50 f5 6f bd ed 6f dd c3 ...>,.q?P.o..o..
0200 98 80 4a bd 48 0d 38 bd 99 6d 7f bf d5 e5 64 42 ..J.H.8..m....dB
0210 18 b1 3a be 02 30 46 3f e3 2c 1b 3f b4 a6 05 c3 ..:..0F?.,.?....
0220 a3 4d 4b 3f 97 77 f5 3e 9c 35 bf be 5c 5b dc c3 .MK?.w.>.5..[..
0230 e0 68 14 bf 05 9b d3 3e 7e c4 33 bf 62 94 63 42 .h.....>
0240 be 51 0a 3f 25 da 1a 3f a3 bf 15 3f f4 c3 07 c3 .Q.?%..?...?....
0250 a5 66 57 3f d1 f8 ca be 47 08 bc be 8a c0 d7 c3 .fW?....G.......
0260 40 b2 1f 3c 3c cc 30 3f bf 20 39 bf 28 b0 48 42 @..<<.0?. 9.(.HB
0270 ac 84 19 3f 47 de f6 3e f6 7f 23 bf 16 8f 01 c3 ...?G..>..#.....
0280 71 0d 49 3f 78 41 4e be a1 d9 15 3f 63 eb d2 c3 q.I?xAN....?c...
0290 ba 47 1d 3e c3 44 5a bf 7e b9 ff be cf 22 49 42 .G.>.DZ.~...."IB
02a0 45 93 d7 3e 90 16 18 3f 63 76 2f bf 74 ec 00 c3 E..>...?cv/.t...
02b0 65 26 54 3f 0c 2f 62 3d 08 94 0e 3f 65 ab d2 c3 e&T?./b=...?e...
02c0 c4 c9 bc 3e 80 70 4d bf 82 2b f0 be 35 07 4a 42 ...>.pM..+..5.JB
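When two read paths disagree like this, the first thing to establish is the exact offset where they diverge and whether the bad tail is target memory at all. The following is an added diagnostic, not code from the post or from MemProcFS: it parses the two dumps, reports the first differing byte, and checks whether the scatter tail is a running 16-bit counter rather than read data. The rows embedded below are the first ten rows of each dump quoted above (the rest are omitted for brevity); the 128-byte block size is a parameter, not a claim about the transport.

```python
"""Compare two hex dumps of the same memory range (added example; not code
from the post or from MemProcFS). Locates the first divergent byte and checks
whether one side's tail is a filler pattern instead of target memory."""
import re

# First ten rows of the two dumps quoted in the post above (offset, 16 hex
# bytes, ASCII column). Scatter result on the left, ReadEx on the right.
SCATTER_DUMP = """\
0000 32 3e dc bd aa b7 5a 3f 1e 28 02 bf d6 5e 04 c3 2>....Z?.(...^..
0010 66 27 c5 bd 8e 02 00 3f 9e 52 5c 3f 98 9b df c3 f'.....?.R?....
0020 c7 51 7d 3f b6 e4 10 3e b8 3e e9 3c 89 f2 18 42 .Q}?...>.>.<...B
0030 d4 23 8d 3e bf 14 76 bf 00 00 00 00 00 00 00 c3 .#.>..v.........
0040 bf 14 76 3f d4 23 8d 3e 00 00 00 00 00 00 e0 c3 ..v?.#.>........
0050 00 00 00 00 00 00 00 00 00 00 80 3f 00 00 f0 be ...........?....
0060 d4 23 8d 3e bf 14 76 bf 00 00 00 00 00 00 00 c3 .#.>..v.........
0070 bf 14 76 3f d4 23 8d 3e 00 00 00 00 00 00 e0 c3 ..v?.#.>........
0080 90 00 91 00 92 00 93 00 94 00 95 00 96 00 97 00 ................
0090 98 00 99 00 9a 00 9b 00 9c 00 9d 00 9e 00 9f 00 ................
"""

READEX_DUMP = """\
0000 32 3e dc bd aa b7 5a 3f 1e 28 02 bf d6 5e 04 c3 2>....Z?.(...^..
0010 66 27 c5 bd 8e 02 00 3f 9e 52 5c 3f 98 9b df c3 f'.....?.R?....
0020 c7 51 7d 3f b6 e4 10 3e b8 3e e9 3c 89 f2 18 42 .Q}?...>.>.<...B
0030 d4 23 8d 3e bf 14 76 bf 00 00 00 00 00 00 00 c3 .#.>..v.........
0040 bf 14 76 3f d4 23 8d 3e 00 00 00 00 00 00 e0 c3 ..v?.#.>........
0050 00 00 00 00 00 00 00 00 00 00 80 3f 00 00 f0 be ...........?....
0060 d4 23 8d 3e bf 14 76 bf 00 00 00 00 00 00 00 c3 .#.>..v.........
0070 bf 14 76 3f d4 23 8d 3e 00 00 00 00 00 00 e0 c3 ..v?.#.>........
0080 00 00 00 00 00 00 00 00 00 00 80 3f 00 20 7e 42 ...........?.BZ?D...
0090 e2 2c 00 3e ab 7d 58 3f b4 d1 04 bf 3a 5c 04 c3 .,.>.}X?....:..
"""

# offset, then 1..16 hex byte tokens; the ASCII column is never consumed
# because a full row stops the match after exactly 16 bytes.
HEX_ROW = re.compile(r"^\s*([0-9a-fA-F]{4,16})((?:\s+[0-9a-fA-F]{2}){1,16})")


def parse_hexdump(text: str) -> bytes:
    """Turn 'offset b0 b1 ... ascii' rows into bytes, requiring contiguous rows."""
    out = bytearray()
    expected = 0
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if not m:
            continue  # blank or header line
        offset = int(m.group(1), 16)
        if offset != expected:
            raise ValueError(f"row {offset:#06x} out of order, expected {expected:#06x}")
        chunk = bytes.fromhex(m.group(2))  # fromhex ignores the whitespace
        out += chunk
        expected = offset + len(chunk)
    return bytes(out)


def first_divergence(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if both buffers are identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def looks_like_counter(data: bytes, width: int = 2) -> bool:
    """True if `data` is a sequence of little-endian integers each one greater
    than the previous, i.e. a filler pattern rather than plausible target memory."""
    usable = len(data) - len(data) % width
    if usable < 2 * width:
        return False
    vals = [int.from_bytes(data[i:i + width], "little") for i in range(0, usable, width)]
    return all(b - a == 1 for a, b in zip(vals, vals[1:]))


def compare_dumps(a: bytes, b: bytes, block: int = 128) -> dict:
    """Summarise where dump `a` stops agreeing with reference dump `b`."""
    off = first_divergence(a, b)
    if off is None:
        return {"identical": True}
    return {
        "identical": False,
        "first_diff": off,
        "on_block_boundary": off % block == 0,
        "trailing_counter": looks_like_counter(a[off:off + 32]),
    }


if __name__ == "__main__":
    scatter, readex = parse_hexdump(SCATTER_DUMP), parse_hexdump(READEX_DUMP)
    print(compare_dumps(scatter, readex))
```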
Hello,
Not really an issue more of a question....
How does one find this info: Specify PageDirectoryBase (DTB/CR3) in -cr3 option if value if known.
Can you share a bit more info on what it is? I watched your talk on BlueHat where I think you were referencing this.
I guess issue arises when you are dealing with a RAW memory dump or just CP of a vmem file?
Crash dumps are fine if I understand correctly....
Fantastic work by the way!!!
Line 83 in f2d15cf
I was trying to create a project which included vmm.h, however I received the error:
a value of type "const char *" cannot be used to initialize an entity of type "const LPSTR"
It seems to me from this Stackoverflow question that you cannot create a const LPSTR, as using a typedef seals it from further modification, and should use LPCSTR.
Making this change let me compile, however I'm unsure if I'm missing something here.
Thank you very much. Both problems have been solved. For MemProcFS, the main problem is the FTD3XX.DLL version. The version I used is 12.0.4 and the program needs 13.0.2 or above. I am very interested in your project. I am a beginner and I am not in this research direction, so I do not have the time to study, but the tools you provide are very friendly and convenient for a beginner like me, so I want to use my spare time to learn. For example, perform some memory analysis operations using the Python interface. I watched a video you posted on YouTube. You said the full memory dump is too slow, so how can you dump the memory of a particular process according to the process number? In addition, can you recommend some papers or books on memory analysis or Python API development? I do appreciate it. Thanks so much for your great support!
The DLL problem appears in the latest version of MemProcFS 3.3, but everything works fine in version 3.2.
This is the folder for version 3.3
Recently I had some crashes and then I noticed that the AddrBase I get from VMMDLL_ProcessGetMemoryMap is not really correct. I have checked with VMMap (https://docs.microsoft.com/en-us/sysinternals/downloads/vmmap) and it seems so.
Am I missing something?
Hi,
The problem might be more of a leechcore issue, I am not sure, but as I'm using the top level vmm init I am posting here.
When I used 3.2/3.4 + pcileech, init time was around 3 seconds. Since I moved to leechcore + vmm, just the vmm init call takes around 20-25s. Is that normal behavior? I use the -device fpga arguments.
Hi Ufrisk
While testing the performance of the C# interop I noticed something strange. I have a loop which calls VMM_MemReadEx with VMMDLL_FLAG_NOCACHE about 200 times. I cannot read all of them in one go because there are some addresses which provide pointers to other addresses, and even with some sort of encryption. The average total elapsed time is about 40ms but I saw some bumps at 300ms-400ms in between.
So I thought I would test them again with the original C lib: I just grab the PID of notepad and read at the base address 500 times. The result is in the pic below:
As you can see there are two bumps after about 30 reads, sometimes more sometimes less. I wonder what might have caused this and whether there is a way to mitigate it.
Leo
Hello,
it's been about a week that I'm smashing my head on this with no solution:
I got a PCIScreamer M.2 a while ago, used it with the PCIe adapter in a desktop computer running Windows 10 1903
on an Intel i5-3470 Processor. As you can see the processor is quite old, but everything was working perfectly and I had quite a lot of fun with PCILeech and MemProcFS.
Now I have a much more powerful machine running Windows 10 1903 on an Intel i7-8750H; the problem is that, being a laptop, I do not have access to internal PCIe ports. I even checked: the only M.2 slot is used by the SSD and the WiFi card uses a different key.
I purchased an ADT-LINK R43SG-TB3 PCIe to Thunderbolt and using the M.2 to Thunderbolt 3 Adapter it came with for the Screamer.
The ethernet device is successfully detected by the computer, however no DMA is possible.
VT-d is Disabled.
Kernel DMA Protection is Disabled.
Device Guard is Disabled.
Thunderbolt Security is set to No Security.
Group Policies are set to Enumerate all Thunderbolt Devices in all scenarios (logged off, logged on etc)
Virtualization Based Security is Disabled.
Hypervisor is not Running.
I disabled every single option I could find regarding DMA or memory protection, but still nothing, sadly.
"pcileech.exe probe -device fpga" detects the correct amount of RAM, however all pages fail to read.
Here is the output of "pcileech.exe testmemreadwrite -device fpga -v -vv":
DEVICE: FPGA: ScreamerM2 PCIe gen2 x1 [300,0,500] [v4.6,0b00]
Successfully loaded LeechCore v1.7.0 Device 3
Memory Test Read: starting, reading 1000 times from address: 0x00000000
Memory Test Read: Failed. DMA failed / data changed by target computer / memory corruption. Read: 0. Run: 0. Offset: 0x000
MemProcFS fails with "Initialization Failed. Unable to locate valid DTB".
Do you have any idea for further attempts I could try?
Thanks
My friend finally got his screamer up and running but he is getting this now.
IDENTIFY: Scanning to identify target operating system and page directories...
Currently supported oprerating systems:
- Windows (64-bit).
Current Action: Scanning 0-4GB to Identify (2/2) ...
Access Mode: Normal
Progress: 4080 / 4080 (100%)
Speed: 170 MB/s
Address: 0x0000000100000000
Pages read: 0 / 1044480 (0%)
Pages failed: 1044480 (100%)
IDENTIFY: Failed. No fully supported operating system detected.
VmmProc: Unable to auto-identify operating system for PROC file system mount.
Please specify PageDirectoryBase (DTB/CR3) in the -cr3 option if value
is known. If unknown it may be recoverable with command 'identify'.
MOUNT: INFO: PROC file system not mounted.
The only thing I can think of is that he is using an AMD 8350; is only Intel supported?
Thanks
I have a problem with trying to read, for example, the PE header of win32kfull.sys inside ntoskrnl.exe. I can grab the base address successfully, but reads fail. I tried to set the context of the read (via PID) to both System (ntoskrnl.exe) and usermode (for example explorer.exe) but neither worked.
It also appears to be impossible to translate this VA to a PA, and then read the physical address.
And the reason I am having to do this anyway is because the VMMDLL_ProcessGetEAT function does not work on win32kfull.sys. It returns a count of 0, so the 2nd part of the function fails.
I don't think I'm doing something wrong, because even the example using VMMDLL_ProcessGetEAT does not work, which makes me think I am missing something.
Hello,
Sorry to bother you for such a trivial concern. In reading the code, I've found that sometimes NULL pointers are not checked, e.g. lines 173 to 198 in 4a12179, where there is no check for wcsFileName, so we can pass a NULL pointer via the exported API VMMDLL_VfsRead.
IMHO, a NULL pointer dereference in C is undefined behavior, i.e. if we don't check against NULL, then the behavior of such a dereference would be unexpected: the compiler can arbitrarily select a behavior here and it may not even be a crash because of accessing address zero.
So I think that might lead to a minor security issue, but I'm not sure.
Thank you in advance for any response.
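A defensive pattern for the API boundary the post describes, added here as an example and not MemProcFS code: a simplified VfsRead-style entry point (parameter list modelled on VMMDLL_VfsRead, status constants and the in-memory file assumed) with the unchecked pattern beside the argument-validating one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <wchar.h>

/* Status codes modelled on NTSTATUS values; constants assumed for this example. */
#define VFS_STATUS_SUCCESS               0x00000000u
#define VFS_STATUS_INVALID_PARAMETER     0xC000000Du
#define VFS_STATUS_OBJECT_NAME_NOT_FOUND 0xC0000034u

/* Constructed stand-in for one node of the virtual file system. */
#define FILE_SIZE 16u
static const wchar_t *g_file_name = L"\\memory.pmem";
static const uint8_t g_file_bytes[FILE_SIZE] = {
    'M', 'Z', 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00 };

/* Unchecked pattern as described in the post: every pointer is used as-is.
 * With wcsFileName == NULL the wcscmp() call is undefined behaviour; the
 * outcome depends on compiler and platform and is not guaranteed to be a
 * clean crash. Kept for comparison only; never called with NULL here. */
static uint32_t vfs_read_unchecked(const wchar_t *wcsFileName, uint8_t *pb,
                                   uint32_t cb, uint32_t *pcbRead,
                                   uint64_t cbOffset) {
    *pcbRead = 0;
    if (wcscmp(wcsFileName, g_file_name) != 0) return VFS_STATUS_OBJECT_NAME_NOT_FOUND;
    if (cbOffset >= FILE_SIZE) return VFS_STATUS_SUCCESS;
    uint32_t n = (uint32_t)(FILE_SIZE - cbOffset);
    if (n > cb) n = cb;
    memcpy(pb, g_file_bytes + cbOffset, n);
    *pcbRead = n;
    return VFS_STATUS_SUCCESS;
}

/* Hardened variant: an exported entry point validates every argument before
 * dereferencing it and leaves out-parameters defined on every failure path. */
static uint32_t vfs_read_checked(const wchar_t *wcsFileName, uint8_t *pb,
                                 uint32_t cb, uint32_t *pcbRead,
                                 uint64_t cbOffset) {
    if (!pcbRead) return VFS_STATUS_INVALID_PARAMETER;
    *pcbRead = 0;                                   /* defined even on failure */
    if (!wcsFileName || !pb) return VFS_STATUS_INVALID_PARAMETER;
    if (wcscmp(wcsFileName, g_file_name) != 0) return VFS_STATUS_OBJECT_NAME_NOT_FOUND;
    if (cbOffset >= FILE_SIZE) return VFS_STATUS_SUCCESS;   /* EOF: 0 bytes, no error */
    uint32_t n = (uint32_t)(FILE_SIZE - cbOffset);
    if (n > cb) n = cb;                             /* clamp to the caller's buffer */
    memcpy(pb, g_file_bytes + cbOffset, n);
    *pcbRead = n;
    return VFS_STATUS_SUCCESS;
}

/* Small drivers so each behaviour can be checked by return value. */
static uint32_t demo_null_name(void) {          /* NULL name is rejected cleanly */
    uint8_t buf[8]; uint32_t got = 0xdead;
    uint32_t st = vfs_read_checked(NULL, buf, sizeof buf, &got, 0);
    return (st == VFS_STATUS_INVALID_PARAMETER && got == 0) ? 1 : 0;
}
static uint32_t demo_read_tail(void) {          /* read past the end is clamped */
    uint8_t buf[8]; uint32_t got = 0;
    uint32_t st = vfs_read_checked(g_file_name, buf, sizeof buf, &got, 12);
    return (st == VFS_STATUS_SUCCESS && got == 4 && buf[0] == 0xff) ? 1 : 0;
}
static uint32_t demo_unchecked_ok(void) {       /* same result for valid input */
    uint8_t buf[8]; uint32_t got = 0;
    vfs_read_unchecked(g_file_name, buf, sizeof buf, &got, 0);
    return (got == 8 && buf[0] == 'M' && buf[1] == 'Z') ? 1 : 0;
}
```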
Hello,
I'm trying to compile the new release of MemProcFS but I'm getting a few errors:
Severity Code Description Project File Line Suppression State
Error C2146 syntax error: missing ')' before identifier 'ppLcErrorInfo' vmm C:\temp\MemProcFS-3.4\vmm\vmmdll.h 77
Error C2081 'PPLC_CONFIG_ERRORINFO': name in formal parameter list illegal vmm C:\temp\MemProcFS-3.4\vmm\vmmdll.h 77
Error C2061 syntax error: identifier 'ppLcErrorInfo' vmm C:\temp\MemProcFS-3.4\vmm\vmmdll.h 77
Error C2059 syntax error: ';' vmm C:\temp\MemProcFS-3.4\vmm\vmmdll.h 77
Error C2059 syntax error: ')' vmm C:\temp\MemProcFS-3.4\vmm\vmmdll.h 77
Error C2146 syntax error: missing ')' before identifier 'ppLcErrorInfo' vmm C:\temp\MemProcFS-3.4\vmm\vmmdll.c 335
Error C2081 'PPLC_CONFIG_ERRORINFO': name in formal parameter list illegal vmm C:\temp\MemProcFS-3.4\vmm\vmmdll.c 335
Error C2061 syntax error: identifier 'ppLcErrorInfo' vmm C:\temp\MemProcFS-3.4\vmm\vmmdll.c 335
Error C2059 syntax error: ';' vmm C:\temp\MemProcFS-3.4\vmm\vmmdll.c 335
Error C2059 syntax error: ')' vmm C:\temp\MemProcFS-3.4\vmm\vmmdll.c 335
Error C2449 found '{' at file scope (missing function header?) vmm C:\temp\MemProcFS-3.4\vmm\vmmdll.c 336
Error C2059 syntax error: '}' vmm C:\temp\MemProcFS-3.4\vmm\vmmdll.c 413
Error C2146 syntax error: missing ')' before identifier 'ppLcErrorInfo' m_vmemd C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2081 'PPLC_CONFIG_ERRORINFO': name in formal parameter list illegal m_vmemd C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2061 syntax error: identifier 'ppLcErrorInfo' m_vmemd C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2059 syntax error: ';' m_vmemd C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2059 syntax error: ')' m_vmemd C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2146 syntax error: missing ')' before identifier 'ppLcErrorInfo' vmmpyc C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2081 'PPLC_CONFIG_ERRORINFO': name in formal parameter list illegal vmmpyc C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2061 syntax error: identifier 'ppLcErrorInfo' vmmpyc C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2059 syntax error: ';' vmmpyc C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2059 syntax error: ')' vmmpyc C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2146 syntax error: missing ')' before identifier 'ppLcErrorInfo' MemProcFS C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2081 'PPLC_CONFIG_ERRORINFO': name in formal parameter list illegal MemProcFS C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2061 syntax error: identifier 'ppLcErrorInfo' MemProcFS C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2059 syntax error: ';' MemProcFS C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2059 syntax error: ')' MemProcFS C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2146 syntax error: missing ')' before identifier 'ppLcErrorInfo' vmmpycplugin C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2081 'PPLC_CONFIG_ERRORINFO': name in formal parameter list illegal vmmpycplugin C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2061 syntax error: identifier 'ppLcErrorInfo' vmmpycplugin C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2059 syntax error: ';' vmmpycplugin C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2059 syntax error: ')' vmmpycplugin C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2146 syntax error: missing ')' before identifier 'ppLcErrorInfo' vmm_example C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2081 'PPLC_CONFIG_ERRORINFO': name in formal parameter list illegal vmm_example C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2061 syntax error: identifier 'ppLcErrorInfo' vmm_example C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2059 syntax error: ';' vmm_example C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Error C2059 syntax error: ')' vmm_example C:\temp\MemProcFS-3.4\includes\vmmdll.h 77
Using the latest release of Visual Studio 2019 on Windows 10 version 2004 (OS Build 19041.450):
Microsoft Visual Studio Enterprise 2019
Version 16.7.2
VisualStudio.16.Release/16.7.2+30413.136
Microsoft .NET Framework
Version 4.8.04084
Installed Version: Enterprise
Visual C++ 2019 00433-90000-00004-AA023
Microsoft Visual C++ 2019
Anything I missed or did wrong?
I had no problem with version 3.3.
Thanks
{
...
7604: {
'pid': 7604,
'ppid': 884,
'pa-dtb': 7106912256,
'pa-dtb-user': 0,
'state': 0,
'tp-memorymodel': 3,
'tp-system': 2,
'usermode': True,
'name': 'SteamService.e',
'name-long': 'SteamService.exe',
'path-kernel': '\\Device\\HarddiskVolume2\\Program Files (x86)\\Common Files\\Steam\\SteamService.exe',
'path-user': 'C:\\Program Files (x86)\\Common Files\\Steam\\SteamService.exe',
'cmdline': '',
'wow64': True,
'va-peb32': 16359424,
'va-eprocess': 18446713842416627840,
'va-peb': 16355328,
'id-session': 0,
'luid': 8536613,
'sid': 'S-1-5-18'
},
...
}
In this example, 7604 should be enclosed in quotes, e.g. "7604": { or '7604': {
Line 525 in 065a25d
Hi, I don't have any expertise in the reverse engineering and memory analysis fields, but I'm interested in learning this stuff, and my main question is about the compatible tooling that can be used with the FPGA configuration.
The project description says "Use your favorite tools to analyze memory - use your favorite hex editors, your python and powershell scripts, WinDbg or your favorite disassemblers and debuggers - all will work trivially with MemProcFS by just reading and writing files!", but I read the discussion on issue #9 and found out that, as I expected, debugger functionality is seriously limited, as you can't set breakpoints; thus even if you manage to figure out the address of a value, you can't simply check what code modifies it.
But first, of course, you need to somehow know the right address, and I am wondering if any memory scanner tools compatible with MemProcFS exist at all? I am looking for functionality similar to what Cheat Engine provides, where you can select a process and a value type, and do a series of scans to filter out wrong values. If there is currently no such tool, I could create one, as I have experience with Python and the Qt framework, which has a Python binding; I looked at vmmpy.py, and it should be more or less trivial to create a memory scanner app using the provided API, but I would not like to waste my time if something like this is already out there.
My other question is about kernel drivers: I know already that PCILeech allows you to load arbitrary kernel modules, but can I manipulate the drivers? More specifically, I would like to be able to load an unsigned driver and unload any kernel driver, even those that the operating system does not allow to be unloaded (though I am not even sure if it's technically feasible; I suppose it could lead to a BSOD). The use case I am thinking about is the ability to unload a driver that constantly keeps an open IO request to prevent being unloaded (some anti-cheat drivers do that).
The third question is about code injection functionality. Does PCILeech/MemProcFS allow injecting and executing code into a process with a selected PID? I think the answer to this one is no. Again, I just started to learn x86 assembly, but given that you have access to the stack, I think it should be possible to do remote code injection, but I'm not sure about the exact steps. And, of course, it would be very handy to have this feature out of the box.
Thanks a lot for reading this, any advice is much appreciated!
I may be wrong, but I will try to explain.
Step 1: Call VMMDLL_MemReadScatter with two MEMsVirt items. Each MEMsVirt has cbMax = 0x8.
Step 2: It sets cbMax to 0x1000 when it reads physical memory:
https://github.com/ufrisk/MemProcFS/blob/master/vmm/vmm.c#L1569
    pIoPA->cbMax = 0x1000;
Step 3: After reading, it sets cb to 0x1000:
https://github.com/ufrisk/MemProcFS/blob/master/vmm/vmm.c#L1579
    ((PMEM_IO_SCATTER_HEADER)ppMEMsPhys[iPA]->pvReserved1)->cb = ppMEMsPhys[iPA]->cb;
Step 4: It checks cb and cbMax for equality to increase the counter, but cb > cbMax:
https://github.com/ufrisk/MemProcFS/blob/master/vmm/vmmdll.c#L695
    for(i = 0, cMEMs = 0; i < cpMEMs; i++) {
        if(ppMEMs[i]->cb == ppMEMs[i]->cbMax) {
            cMEMs++;
        }
    }
    return cMEMs;
Step 5: VMMDLL_MemReadScatter returns 0 instead of 2.
pb of MEMsVirt is filled with 0x1000 read bytes instead of 0x8 (maybe it is ok).
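A model of the accounting path the post walks through, added here as an example and not MemProcFS code: a simplified scatter header (assumed layout, standing in for MEM_IO_SCATTER_HEADER), the widen-to-page flow from steps 2 and 3 beside a clamped version, and the cb == cbMax count from step 4, run over constructed identity-mapped memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 0x1000u

/* Simplified stand-in for MEM_IO_SCATTER_HEADER (assumed layout): the
 * caller fills qwA, cbMax and pb; the reader fills cb. */
typedef struct {
    uint64_t qwA;    /* address to read */
    uint32_t cbMax;  /* bytes requested by the caller */
    uint32_t cb;     /* bytes the reader reports as read */
    uint8_t *pb;     /* caller-supplied buffer */
} scatter_hdr_t;

/* Constructed, identity-mapped "physical memory": the byte at address a
 * has the value (a & 0xff). */
static void sim_phys_read(uint64_t a, uint8_t *dst, uint32_t cb) {
    for (uint32_t i = 0; i < cb; i++) dst[i] = (uint8_t)((a + i) & 0xff);
}

/* The counting loop from step 4 of the post: an item counts as complete
 * only when cb equals cbMax. */
static uint32_t count_complete(scatter_hdr_t **mems, uint32_t n) {
    uint32_t c = 0;
    for (uint32_t i = 0; i < n; i++)
        if (mems[i]->cb == mems[i]->cbMax) c++;
    return c;
}

/* Steps 2 and 3 as the post describes them: the physical request is
 * widened to a full page (cbMax = 0x1000) and aimed at the caller's own
 * buffer, and the physical byte count is copied back into the virtual
 * header unclamped. pb must therefore be PAGE_SIZE bytes here; a buffer
 * sized for the 8-byte request would be overrun. */
static uint32_t read_scatter_buggy(scatter_hdr_t **mems, uint32_t n) {
    for (uint32_t i = 0; i < n; i++) {
        scatter_hdr_t phys = { mems[i]->qwA, PAGE_SIZE, 0, mems[i]->pb };
        sim_phys_read(phys.qwA, phys.pb, phys.cbMax);
        phys.cb = phys.cbMax;       /* the physical read succeeded */
        mems[i]->cb = phys.cb;      /* 0x1000 written into an 0x8 request */
    }
    return count_complete(mems, n);
}

/* Corrected accounting: fetch page-granular into scratch, copy only the
 * bytes the caller asked for, and never report cb > cbMax. */
static uint32_t read_scatter_fixed(scatter_hdr_t **mems, uint32_t n) {
    uint8_t page[PAGE_SIZE];
    for (uint32_t i = 0; i < n; i++) {
        scatter_hdr_t *m = mems[i];
        uint64_t base = m->qwA & ~(uint64_t)(PAGE_SIZE - 1);
        uint32_t off  = (uint32_t)(m->qwA & (PAGE_SIZE - 1));
        uint32_t want = m->cbMax;
        if (want > PAGE_SIZE - off) want = PAGE_SIZE - off;  /* stay inside the page */
        sim_phys_read(base, page, PAGE_SIZE);
        memcpy(m->pb, page + off, want);
        m->cb = want;
    }
    return count_complete(mems, n);
}

/* Two 8-byte reads, as in the post. Returns the completed-item count and,
 * through the out-pointers, the cb of the first item and the first byte
 * delivered for the second item. */
static uint32_t run_demo(int fixed, uint32_t *cb_out, uint8_t *first_byte) {
    static uint8_t buf0[PAGE_SIZE], buf1[PAGE_SIZE];   /* page-sized on purpose */
    scatter_hdr_t m0 = { 0x1000, 8, 0, buf0 };
    scatter_hdr_t m1 = { 0x2010, 8, 0, buf1 };
    scatter_hdr_t *mems[2] = { &m0, &m1 };
    uint32_t c = fixed ? read_scatter_fixed(mems, 2) : read_scatter_buggy(mems, 2);
    if (cb_out) *cb_out = m0.cb;
    if (first_byte) *first_byte = buf1[0];
    return c;
}
static uint32_t demo_count(int fixed)      { return run_demo(fixed, NULL, NULL); }
static uint32_t demo_cb(int fixed)         { uint32_t cb; run_demo(fixed, &cb, NULL); return cb; }
static uint32_t demo_first_byte(int fixed) { uint8_t b; run_demo(fixed, NULL, &b); return b; }

int main(void) {
    printf("buggy: completed=%u cb=0x%x\n", demo_count(0), demo_cb(0));
    printf("fixed: completed=%u cb=0x%x\n", demo_count(1), demo_cb(1));
    return 0;
}
```

The data delivered is identical on both paths; only the reported cb and therefore the return count differ.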
In my opinion, the key strength of MemProcFS lies in rapid analysis and live memory analysis, especially the live memory analysis, which is not a function of Volatility. Therefore, I wonder whether a memory dump can be realized by combining MemProcFS and PCILeech. First, MemProcFS is used to analyze the memory and find the address range corresponding to the process number. Then, pcileech.exe dump -min 0x0 -max 0x21e5FFFFf -force is used to store the memory located in this address segment. Finally, within this scope, YARA is used to extract specific characters.
Thank you very much for your answer to my query "How do I use MemProcFS to write custom rules to retrieve memory based on a particular string or sequence of bytes?" I used the VmmPy_ProcessGetVadMap command to find the virtual address and used the VmmPy_MemReadScatter command to print out the character information for the address. But how do I use {'va': 8791740059648, 'size': 24576, 'pages': 6, 'pages-sw': 0, 'wow64': False, 'tag': '', 'flags-pte': 4, 'flags': '-r-x'} to analyze memory? And how does the printed character information correspond to the physical address?
Why is my MemProcFS always unable to use the Python API functionality? I put vmmpyc.pyd and vmmpy.py in the same folder. But when I run the command from vmmpy import *, it displays:
from vmmpyc import *
ImportError: DLL Load failed: The specified module cannot be found.