Comments (8)
- WinDBG works with MemProcFS, but as you mention, actively setting breakpoints does not; so it's more useful in analysis scenarios. It would be very hard to get it to work over DMA, and in some scenarios outright impossible.
- A lot of default utilities working on files directly work quite well, for obvious reasons; if you want to do strings or similar on a process, for example. For more specialized tools, I'm aware that various cheats do work with it (even if not supported by me).
- I had functionality quite a while ago which allowed you to load unsigned kernel drivers from disk on the target system. It patched the signature verification check, loaded the driver and then restored the check. I haven't tested that for a while, but you should be able to find the source code for it in the PCILeech project. Chances are that it might not work with the most recent Win10 though. To load drivers without touching disk would require you to have some kind of loader in shellcode - it would be feasible, but I have not looked into it.
- PCILeech/MemProcFS allows you to kind of write to already allocated process virtual memory, but not directly allocate new virtual memory. The writes will happen to the underlying physical memory, so if multiple processes use the same .dll/.exe a write will affect all processes. I'm not likely to support allocation of memory directly via MemProcFS. The way to go would be to insert a small shellcode with DMA that allocates the required memory and spawns a thread. Since the initial shellcode would affect multiple processes, some kind of PID and atomicity check would be required in there.
- The stack would be an obvious point to allow code injection. Please keep in mind that the stack is likely to be in a lot of flux though; and MemProcFS read/write would be millions of times slower than the topmost stack operations... Another way could be to patch some kind of function with a small trampoline to some shellcode in a code cave...
If you're interested in some integrations I'd be very happy to add that plugin and/or do some promotion for it. I've gotten similar contributions for the awesome pypykatz plugin which provides mimikatz style functionality. You may code plugins in either Python or C/C++. If you would need more features in the core functionality that the API provides please let me know and I'll add it if it's reasonable work for me.
About changing core functionality (non-API functionality) please do check with me before starting to work on something. I don't want to get in a situation with you doing coding for something that I might not accept a pull request for.
Also, if you're looking into doing a more specialized plugin for cheating, I won't be able to add it or promote it though. I know my projects are used for cheating and that's the way things are; but I won't actively promote it.
Thanks for the quick response!
> The stack would be an obvious point to allow code injection. Please keep in mind that the stack is likely to be in a lot of flux though;
Yeah, but what if I suspend the target process prior to modifying the stack? That would help, right?
> I'm not likely to support allocation of memory directly via MemProcFS.
Why not? To me it seems like an essential feature that this kind of software should have. (I am not trying to talk you into supporting it, just sharing my opinion and curious about your view.)
> Since the initial shellcode would affect multiple processes some kind of PID and Atomicity check would be required in there.
I don't quite understand why it would affect multiple processes. Also, if I were to consider adding code injection functionality, I would probably start by requiring suspension of the target process to simplify things. It would be a reasonable requirement given the complexity of the task (limited support would be better than no support).
> If you're interested in some integrations I'd be very happy to add that plugin and/or do some promotion for it.
> ...
> Also, If you're looking into doing a more specialized plugin for cheating I won't be able to add it or promote it though.
It would not be a specialized plugin for cheating. In fact, it would not be a plugin at all, but a standalone GUI application that would make searching for values of interest easier. See, most memory scanners can search in files, but only in one file at a time; with MemProcFS you need to search in a bunch of files, which makes them unsuitable for this job.
- I'm not aware of any way to suspend a process using DMA. For that you would already need to have code execution on the target system, I think. Or if you know a way of doing it by just writing some bytes to memory, I would be super interested in knowing how :) I guess it's possible to make it rely on a PCILeech kernel module on the target system to do the work, but then you won't need MemProcFS anyway; just do the coding inside the injected kernel shellcode.
- The reason for not supporting allocation of memory in MemProcFS is that the Windows kernel memory manager is super complex; memory structures are in a constant flux and might be changed/updated thousands of times, worst case, just in between a single DMA read/write cycle.
- Exes and dlls and other executable code are most often loaded as images. As an example, kernel32.dll, which exists in every process, only exists in one spot in RAM. The executable code in kernel32.dll is shared between all processes in physical memory. I'm only able to write to actual physical memory (I do virtual->physical translation first and then write to the physical memory). To change this I would need to be able to allocate/modify virtual memory over DMA as per 2. If you should happen to find some piece of executable code that is mapped as "process private" then it would be quite easy; but such memory is quite rare nowadays.
I think MemProcFS would be really nice for your project. It's also multi-threaded by design, so it should be possible to parallelize such tasks quite easily to get good performance :) Looking forward to seeing the result, and please let me know if you need any enhancements for the API. Allocation of virtual memory would be very complex if done properly though.
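The value-search use case discussed in this thread (scanning a large process image for a known integer, chunk by chunk), as an added example that is not code from MemProcFS or from either participant. It assumes a `read_fn` callback that in a real tool would wrap the MemProcFS process read; here it is backed by a constructed in-memory region, so it runs offline. It goes slightly beyond the thread by handling the two edge cases a chunked scan has to get right: a value straddling two chunks, and an unreadable page in the middle of the range.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Page-sized read granularity; DMA readers typically fetch whole pages. */
#define CHUNK      0x1000u
#define NEEDLE_LEN 4u

/* Reader callback: copy up to `cb` bytes at virtual address `va` into `out`
 * and return how many bytes were actually readable (0 = page not readable).
 * Assumption for this example: a real scanner would wrap the MemProcFS
 * process read here; below it is backed by a constructed region instead. */
typedef size_t (*read_fn)(void *ctx, uint64_t va, uint8_t *out, size_t cb);

/* Scan [va_start, va_end) for a 32-bit value stored little-endian.
 * The last NEEDLE_LEN-1 bytes of each chunk are carried into the next one so
 * a value straddling a chunk boundary is still found. An unreadable or short
 * chunk resets the carry, because the bytes are no longer contiguous.
 * Returns the total hit count; stores up to `max_hits` addresses in `hits`. */
size_t scan_u32(read_fn rd, void *ctx, uint64_t va_start, uint64_t va_end,
                uint32_t value, uint64_t *hits, size_t max_hits)
{
    uint8_t needle[NEEDLE_LEN] = {
        (uint8_t)(value), (uint8_t)(value >> 8),
        (uint8_t)(value >> 16), (uint8_t)(value >> 24) };
    uint8_t buf[CHUNK + NEEDLE_LEN - 1];
    size_t carry = 0, n = 0;

    for (uint64_t va = va_start; va < va_end; va += CHUNK) {
        size_t want = (va_end - va < CHUNK) ? (size_t)(va_end - va) : CHUNK;
        size_t got = rd(ctx, va, buf + carry, want);
        if (got == 0) { carry = 0; continue; }          /* unreadable page */
        size_t avail = carry + got;
        for (size_t i = 0; i + NEEDLE_LEN <= avail; i++) {
            if (memcmp(buf + i, needle, NEEDLE_LEN) == 0) {
                if (n < max_hits) hits[n] = va - carry + i;   /* buf[0] is at va-carry */
                n++;
            }
        }
        if (got < want) { carry = 0; continue; }        /* short read: gap follows */
        carry = (avail < NEEDLE_LEN - 1) ? avail : NEEDLE_LEN - 1;
        memmove(buf, buf + avail - carry, carry);
    }
    return n;
}

/* Constructed region standing in for process memory; page index `bad_page`
 * is reported unreadable to exercise the reset path. */
typedef struct { uint64_t base; uint8_t *data; size_t size; size_t bad_page; } fake_mem_t;

static size_t fake_read(void *ctx, uint64_t va, uint8_t *out, size_t cb)
{
    fake_mem_t *m = ctx;
    if (va < m->base || va >= m->base + m->size) return 0;
    size_t off = (size_t)(va - m->base);
    if (off / CHUNK == m->bad_page) return 0;
    if (cb > m->size - off) cb = m->size - off;
    memcpy(out, m->data + off, cb);
    return cb;
}

#define DEMO_PAGES 4
#define DEMO_BASE  0x7ff600000000ull   /* constructed base address */

/* Builds a 4-page sample region and scans it for 0xDEADBEEF. The value is
 * planted at offset 0x10 (inside page 0), 0xffe (straddling pages 0/1),
 * 0x1ffe (straddling into unreadable page 2, so it must NOT be reported) and
 * in the last four bytes of page 3. Expected: 3 hits. */
size_t demo_scan(uint64_t *hits, size_t max_hits)
{
    static uint8_t mem[DEMO_PAGES * CHUNK];
    memset(mem, 0, sizeof mem);
    const uint8_t le[4] = { 0xEF, 0xBE, 0xAD, 0xDE };   /* 0xDEADBEEF little-endian */
    memcpy(mem + 0x10, le, 4);
    memcpy(mem + CHUNK - 2, le, 4);
    memcpy(mem + 2 * CHUNK - 2, le, 4);
    memcpy(mem + sizeof mem - 4, le, 4);
    fake_mem_t m = { DEMO_BASE, mem, sizeof mem, 2 };
    return scan_u32(fake_read, &m, DEMO_BASE, DEMO_BASE + sizeof mem,
                    0xDEADBEEFu, hits, max_hits);
}

int main(void)
{
    uint64_t hits[8];
    size_t n = demo_scan(hits, 8);
    printf("%zu hit(s)\n", n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("  0x%llx\n", (unsigned long long)hits[i]);
    return 0;
}
```

Because each chunk is scanned independently of the others apart from the small carry, the region list can be split across worker threads, which is the parallelization the reply above suggests; the carry logic is what keeps that split from silently dropping values that sit on a boundary.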
Okay, thanks a lot for your input, that definitely helped!
I created a prototype using Python (https://github.com/olegyadrov/RemoteMemoryScanner) and got to the point when I tried to use it to find an integer value in a running videogame which uses over 9 GB of RAM, and it took way too long. Because Python sucks when it comes to multithreading, I am rewriting everything from scratch in C++ now.
I have some questions about the VMMDLL_ProcessGetInformation function:
> Retrieve various process information from a PID. Process information such as
> name, page directory bases and the process state may be retrieved.
> -- dwPID
> -- pProcessInformation = if null, size is given in *pcbProcessInfo
> -- pcbProcessInformation = size of pProcessInfo (in bytes) on entry and exit
> -- return = success/fail.
- In what situation can pProcessInformation be null?
- If pProcessInformation is null, how will knowing the size help me?
- What is the meaning of pcbProcessInformation at all? pProcessInformation is a pointer to a structure; how can the size of a pointer or the size of a structure not be constant?
Interesting, I'll take a look at the tool tomorrow :)
The API is just somewhat over-engineered; right now it should be perfectly fine to do this:
```c
#include "vmmdll.h"   /* MemProcFS C API header; brings in the Windows types used below */

BOOL result;
DWORD dwPID = 4;                                      /* PID to query */
VMMDLL_PROCESS_INFORMATION Info = { 0 };
SIZE_T cbInfo = sizeof(VMMDLL_PROCESS_INFORMATION);   /* size on entry; updated on exit */
Info.magic = VMMDLL_PROCESS_INFORMATION_MAGIC;        /* required: struct tag */
Info.wVersion = VMMDLL_PROCESS_INFORMATION_VERSION;   /* required: struct version */
result = VMMDLL_ProcessGetInformation(dwPID, &Info, &cbInfo);
```
The logic here is to make the function more similar to other similar functions, and also to allow variable-length data in the future; but right now it's just a bit over-engineered.
To answer the questions:
- Set pProcessInformation to NULL when you wish to retrieve the size required to hold the struct. Currently this will always return sizeof(VMMDLL_PROCESS_INFORMATION), so it's a bit meaningless at the moment.
- It won't at the moment.
- Sometimes I add variable-length data right after the structure, with pointers in the structure into this data. The VMMDLL_ProcessMap_* functions are a prime example of this, so the length can be variable; not in VMMDLL_ProcessGetInformation right now though.
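The header-plus-trailing-data layout and the size-query convention described in the answer above, as an added example that is not MemProcFS code: `demo_list_t`, `demo_list_get`, `DEMO_MAGIC`, `DEMO_VERSION` and the sample module names are all hypothetical constructions for illustration. It shows why a size parameter exists for a struct whose fixed part is constant, how a caller consumes the two-call protocol, and how a buffer lacking the expected magic/version is rejected.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical API for this example only (not part of MemProcFS): a fixed
 * header, then a variable number of entries, then the strings those entries
 * point into, all inside one caller-provided buffer. */
#define DEMO_MAGIC   0x4d454d50u   /* arbitrary tag the caller must set */
#define DEMO_VERSION 1u            /* arbitrary struct version the caller must set */

typedef struct {
    const char *name;       /* points into the string area after the entries */
    uint64_t    va_base;
    uint32_t    cb_image;
} demo_entry_t;

typedef struct {
    uint32_t     magic;     /* caller sets, like Info.magic above */
    uint16_t     version;   /* caller sets, like Info.wVersion above */
    uint32_t     count;     /* callee fills */
    demo_entry_t entry[];   /* flexible: `count` entries, then the strings */
} demo_list_t;

/* Constructed sample data standing in for what a real backend would return. */
static const struct { const char *name; uint64_t va; uint32_t cb; } sample[] = {
    { "ntdll.dll",    0x7ffa00000000ull,    0x1f0000u },
    { "kernel32.dll", 0x7ffa10000000ull,    0x0c0000u },
    { "example.exe",  0x0000000000400000ull, 0x02a000u },
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

/* Two-call sizing protocol:
 *   p == NULL       -> write the required byte count to *pcb, return 1
 *   *pcb too small  -> write the required byte count to *pcb, return 0
 *   otherwise       -> check magic/version, fill everything, return 1 */
int demo_list_get(demo_list_t *p, size_t *pcb)
{
    size_t strbytes = 0;
    for (size_t i = 0; i < SAMPLE_N; i++) strbytes += strlen(sample[i].name) + 1;
    size_t required = sizeof(demo_list_t) + SAMPLE_N * sizeof(demo_entry_t) + strbytes;

    if (!pcb) return 0;
    if (!p) { *pcb = required; return 1; }
    if (*pcb < required) { *pcb = required; return 0; }
    if (p->magic != DEMO_MAGIC || p->version != DEMO_VERSION) return 0;

    char *strs = (char *)(p->entry + SAMPLE_N);   /* string area starts after the entries */
    p->count = (uint32_t)SAMPLE_N;
    for (size_t i = 0; i < SAMPLE_N; i++) {
        size_t len = strlen(sample[i].name) + 1;
        memcpy(strs, sample[i].name, len);
        p->entry[i].name     = strs;              /* pointer fix-up into the same buffer */
        p->entry[i].va_base  = sample[i].va;
        p->entry[i].cb_image = sample[i].cb;
        strs += len;
    }
    *pcb = required;
    return 1;
}

/* Caller side: ask for the size, allocate, tag the header, call again.
 * Returns a heap buffer the caller frees, or NULL on failure. */
demo_list_t *demo_list_fetch(void)
{
    size_t cb = 0;
    if (!demo_list_get(NULL, &cb)) return NULL;
    demo_list_t *p = calloc(1, cb);
    if (!p) return NULL;
    p->magic   = DEMO_MAGIC;
    p->version = DEMO_VERSION;
    if (!demo_list_get(p, &cb)) { free(p); return NULL; }
    return p;
}

/* Base address of the named entry, or 0 if absent. */
uint64_t demo_find_base(const demo_list_t *p, const char *name)
{
    for (uint32_t i = 0; i < p->count; i++)
        if (strcmp(p->entry[i].name, name) == 0) return p->entry[i].va_base;
    return 0;
}

int main(void)
{
    demo_list_t *p = demo_list_fetch();
    if (!p) return 1;
    for (uint32_t i = 0; i < p->count; i++)
        printf("%-14s base=0x%012llx size=0x%x\n", p->entry[i].name,
               (unsigned long long)p->entry[i].va_base, p->entry[i].cb_image);
    free(p);
    return 0;
}
```

The point of the layout is that a single allocation holds everything, so the caller frees once and the entry pointers stay valid exactly as long as the buffer does; the size round-trip is what lets the callee grow the trailing data without changing the fixed header.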
Oh, I see, I misunderstood the idea and was under the impression that in certain circumstances the function would set pProcessInformation to null. Okay, but now I'm confused by your code snippet. Is it necessary that I set Info.magic and Info.wVersion before I call VMMDLL_ProcessGetInformation?
Yes, as it's coded right now it's required.