
Comments (3)

ufrisk avatar ufrisk commented on July 17, 2024

Hi,

This was quite a few questions in one. And I'm glad you noticed one of the main features of MemProcFS - i.e. real live memory analysis.

First off, processes work with virtual memory addresses which are mostly translated into physical memory addresses - which may be scattered all around the place. Virtual addresses are sometimes also translated into compressed virtual memory or locations in a page file - so it's not always translated into physical memory. PCILeech works with physical memory pretty much, so I'd recommend using MemProcFS for virtual memory analysis.

As for the VAD map, it roughly translates into this:

```python
{'va': 8791740059648,   # base virtual address of segment - i.e. 8791740059648 == 0x7FEFC8B1000
 'size': 24576,         # size of virtual memory segment i.e. 24576 == 0x6000 == 6 pages
 'pages': 6,            # size of virtual memory segment in pages
 'pages-sw': 0,         # number of non physical memory pages - i.e. paged memory inside segment
 'wow64': False,        # 32-bit memory in a 32-bit process on a 64-bit system
 'tag': '',             # some description about what it is, such as file, image (dll) or ...
 'flags-pte': 4,        # page table entry flags as defined in intel cpu manual
 'flags': '-r-x'        # page table entry flags human readable i.e. s = supervisor (kernel); r = readable; w = writable; x = executable
}
```

If you wish to translate a virtual memory address into a physical one, call VmmPy_MemVirt2Phys - or just read memory using VmmPy_MemReadScatter / VmmPy_MemRead.

It's not currently possible to dump all virtual process memory of a live system in an easy way; or... your options are:

  1. dump all physical memory = slow

  2. dump memory segments programmatically using MemRead functions

  3. dump memory by copying files in /pid//vmemd using either standard tools on a mounted file system or call APIs for file system access - i.e. VmmPy_Initialize_Plugins / VmmPy_VfsList / VmmPy_VfsRead (or do yara analysis on them straight out). Please check the python examples for how to.

  4. (not supported on live memory yet) I also have support for minidump generation - i.e. dump all process memory to a single file as specified by the microsoft minidump format (i.e. what comes when you dump process memory in task manager). Tools like windbg and mimikatz and other tools are able to consume this memory. It's not available yet on live memory though; but it is if you mount a memory dump file. If interesting I may look into generating this for live memory too (but it's a bit tricky since live memory changes very often).

hope this answers some questions :)

from memprocfs.
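Option 2 above, as an added example that is not part of this thread or of MemProcFS itself: it walks a VAD map in the dict layout shown in the first comment, skips segments whose pages are all swapped out, and names each dumped segment in the vmemd style (the `0x...-HEAP-08.vvmem` pattern discussed further down; the per-tag sequence number starting at 1 is an assumption). Memory is read through a callback so the code runs offline against a constructed fake; with MemProcFS you would pass a wrapper around VmmPy_MemRead (its `(pid, va, size)` argument order is assumed here).

```python
# Added example, not MemProcFS code: dump the segments listed in a VAD map
# (the dict layout shown above) through a read callback such as VmmPy_MemRead.
from pathlib import Path
from typing import Callable, Dict, List

# Constructed sample VAD map in the layout from the first comment (values made up).
SAMPLE_VAD_MAP = [
    {'va': 0x500000, 'size': 0x6000, 'pages': 6, 'pages-sw': 0,
     'wow64': False, 'tag': 'HEAP', 'flags-pte': 4, 'flags': '-rw-'},
    {'va': 0x7FEFC8B1000, 'size': 0x3000, 'pages': 3, 'pages-sw': 3,
     'wow64': False, 'tag': 'IMAGE', 'flags-pte': 4, 'flags': '-r-x'},
    {'va': 0x600000, 'size': 0x1000, 'pages': 1, 'pages-sw': 0,
     'wow64': False, 'tag': 'HEAP', 'flags-pte': 4, 'flags': '-rw-'},
]

def decode_flags(flags: str) -> Dict[str, bool]:
    """'-r-x' style string -> supervisor / readable / writable / executable."""
    return {k: k in flags for k in 'srwx'}

def segment_name(entry: Dict, seq: int) -> str:
    """vmemd-style name, e.g. 0x0000000000500000-HEAP-08.vvmem (seq per tag, assumed 1-based)."""
    return "0x%016x-%s-%02d.vvmem" % (entry['va'], entry['tag'] or 'NA', seq)

def collect_segments(pid: int, vad_map: List[Dict], read: Callable[[int, int, int], bytes],
                     skip_paged: bool = True) -> Dict[str, bytes]:
    """Map vmemd-style file name -> segment bytes. Segments whose pages are all
    swapped out (pages-sw == pages) are skipped: none of them is in physical memory."""
    seq: Dict[str, int] = {}
    out: Dict[str, bytes] = {}
    for e in vad_map:
        if skip_paged and e['pages-sw'] >= e['pages']:
            continue
        tag = e['tag'] or 'NA'
        seq[tag] = seq.get(tag, 0) + 1
        data = read(pid, e['va'], e['size'])
        # a short read means some pages did not resolve; zero-fill to keep offsets stable
        out[segment_name(e, seq[tag])] = data.ljust(e['size'], b'\x00')[:e['size']]
    return out

def dump_segments(pid: int, vad_map: List[Dict], read, out_dir: str) -> List[str]:
    """Write collect_segments() output to out_dir; returns the file names written."""
    d = Path(out_dir); d.mkdir(parents=True, exist_ok=True)
    segs = collect_segments(pid, vad_map, read)
    for name, data in segs.items():
        (d / name).write_bytes(data)
    return sorted(segs)

def fake_read(pid: int, va: int, size: int) -> bytes:
    """Constructed stand-in for VmmPy_MemRead(pid, va, size): repeats the va as a marker."""
    return (va.to_bytes(8, 'little') * (size // 8 + 1))[:size]

if __name__ == '__main__':   # with MemProcFS: read=lambda p, va, n: VmmPy_MemRead(p, va, n)
    print(dump_segments(4, SAMPLE_VAD_MAP, fake_read, 'vmemd_dump'))
```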

teatreee avatar teatreee commented on July 17, 2024

Thank you very much for your answer. I am conducting the experiment according to what you said. Under your guidance, I found an interesting folder in memprocfs. Vmemd files are memory images of all programs? What does the 0x0000000000500000-HEAP-08.vvmem file stand for?


ufrisk avatar ufrisk commented on July 17, 2024

It's a memory segment starting at address 0x500000 which is a heap. It's the 8th heap enumerated in that specific process.
