How do I dump process memory based on process number? about memprocfs HOT 7 CLOSED

Thanks for reporting. I'll investigate this eavning and get back to you. Python should just work; but obviously it's not in your case.

from memprocfs.

I've looked into this now. It's working perfectly on my test system with clean win10 install with latest python / anaconda and latest MemProcFS. You don't happen to run an older Windows like Windows 7; that may cause these issues since some imported symbols I recently started to use are missing and was introduced only in Windows 8.1. If you're running this on Windows 10 which version and build number are you running?

About python programming; I'm rather clueless unfortunately about good resources around this; but for memory forensics I'd say "The Art of Memory Forensics" is very good; albeit a bit old.

MemProcFS only retrieves memory required for a specific task so it's quite efficient. If you wish to get the memory dump for an individual process only you may do so, provided that you started MemProcFS with a memory dump file (i.e. not live memory from the FPGA, in that case dump to file first and then run MemProcFS on the created dump). The process minidump files are located in /name//minidump/minidump.dmp

From Python you may access this by:

from vmmpy import *
VmmPy_Initialize(['-device', 'C:/temp/memimage.raw'])
VmmPy_Initialize_Plugins()
pid = VmmPy_PidGetFromName('explorer.exe')
print(pid)
  -> 4066
dumpinfo = VmmPy_VfsList('/pid/' + str(pid) + '/minidump/')
print(dumpinfo)
  -> {'minidump.dmp': {'f_isdir': False, 'size': 466829312}, 'readme.txt': {'f_isdir': False, 'size': 546}}
# READ 16 bytes from the file /pid/4066/minidump/minidump.dmp starting at offset zero
VmmPy_VfsRead('/pid/' + str(pid) + '/minidump/minidump.dmp', 16, 0)
  -> b'MDMP\x93\xa7\xb1d\x0b\x00\x00\x00 \x00\x00\x00'

from memprocfs.

i tried your code for getting "lsass.exe" minidump,but fail!
when i use MemProcFS.exe to mount the same memory image file ,i got "lsass.exe" minidump

fail with python code

success_with_memprocFs mount

from memprocfs.

code execute poc

from memprocfs.

@DK1998U I tried this and it's working with same windows version. Is your PC running Python connected to the Internet?

Minidump may download symbols from the microsoft server if this is the first time doing this and will fail if this is not possible.

from memprocfs.

it seems that after VmmPy_Initialize() function executed the initialization is not complete

from memprocfs.

@DK1998U It's completing in the background for faster startup times. If you require it to be complete at startup please add extra parameter -waitinitialize to VmmPy_Initialize() call.

from memprocfs.