§The MemProcFS API Documentation
The MemProcFS crate contains a wrapper API around the MemProcFS physical memory analysis framework. The native library in the form of vmm.dll, vmm.dylib or vmm.so must be downloaded or compiled in order to make use of the memprocfs crate.
Physical memory analysis may take place on memory dump files for forensic purposes. Analysis may also take place on live memory - either captured by using PCILeech PCIe DMA devices or by using a driver - such as WinPMEM, LiveCloudKd, VMware or similar.
The base of the MemProcFS API is the Vmm struct. Once the native vmm has been initialized it's possible to retrieve processes in the form of the VmmProcess struct. Using the Vmm and VmmProcess it's possible to undertake a wide range of actions - such as reading/writing memory or retrieving various information.
The use of the low-level LeechCore library is also possible. LeechCore is used for low-level tasks such as setting a memory map, implementing raw PCIe Transaction Layer Packet (TLP) support, PCIe Base Address Register (BAR) support and more.
Read and write memory by using the methods mem_read(), mem_read_ex(), mem_read_as() and mem_write()/mem_write_as(). Virtual memory is read from the VmmProcess struct. Physical memory is read from the Vmm struct.
Efficiently read and write memory using the VmmScatterMemory struct. The scatter struct is retrieved by calling mem_scatter() on either the base Vmm struct or the individual VmmProcess structs.
Access information about loaded modules, memory regions, registry, process handles, kernel pool allocations and much more!
Access the Virtual File System (VFS) using the Rust API to get access to the full range of built-in and external plugins. The VFS is accessed by using the methods vfs_list(), vfs_read() and vfs_write() on the Vmm struct.
The MemProcFS crate and API also supports creation of native MemProcFS plugins in the form of a library .dll or .so.
§Example projects
Check out the Example Project and the Example Plugin.
§Project documentation
Check out the project documentation for MemProcFS, LeechCore and pcileech-fpga:
§Support PCILeech/MemProcFS development:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it’s now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
To all my sponsors, Thank You 💖
§Questions and Comments
Please feel free to contact me!
- Github: https://github.com/ufrisk/MemProcFS
- Discord Server: https://discord.gg/pcileech.
- Twitter: https://twitter.com/UlfFrisk
- Email: pcileech@frizk.net
§Get Started!
Check out the Vmm documentation and the Example Project!
Best wishes with your memory analysis project!
Structs§
- LcBar - PCIe BAR info struct.
- LcBarContext - PCIe BAR Context: Supplied by LeechCore to the BAR callback function.
- LcBarContextWrap - PCIe BAR wrapper context - returned to the caller of the BAR enable function.
- LcBarRequest - PCIe BAR request struct.
- LcTlpContext - PCIe TLP Context: Supplied by LeechCore to the TLP callback function.
- LcTlpContextWrap - PCIe TLP wrapper context - returned to the caller of the TLP enable function.
- LeechCore - LeechCore API Base Struct.
- Vmm - MemProcFS API Base Struct.
- VmmKernel - Kernel information.
- VmmMapKDeviceEntry - Info: Kernel device entries.
- VmmMapKDriverEntry - Info: Kernel driver entries.
- VmmMapKObjectEntry - Info: Kernel named object manager entries.
- VmmMapMemoryEntry - Info: Physical memory map entries.
- VmmMapNetEntry - Info: Network connections.
- VmmMapPfnEntry - Info: Memory PFN (Page Frame Number).
- VmmMapPoolEntry - Info: Kernel pool entries.
- VmmMapServiceEntry - Info: Services.
- VmmMapUserEntry - Info: Users.
- VmmMapVirtualMachineEntry - Info: Virtual Machines (VMs).
- VmmPdb - Debug Symbol API.
- VmmPluginContext - Plugin Context: Supplied by MemProcFS to plugin callback functions.
- VmmPluginFileList - Plugin File List: Supplied by MemProcFS to plugin list callback function.
- VmmPluginInitializationContext - Plugin Initialization Context.
- VmmPluginInitializationInfo - Plugin Initialization System Information.
- VmmProcess - Process API Base Struct.
- VmmProcessInfo - Process Information.
- VmmProcessMapDirectoryEntry - Info: Process Module: PE data directories.
- VmmProcessMapEatEntry - Info: Process Module: PE exported entries.
- VmmProcessMapHandleEntry - Info: Process: Handles.
- VmmProcessMapHeapAllocEntry - Info: Process: Heap allocations.
- VmmProcessMapHeapEntry - Info: Process: Heaps.
- VmmProcessMapIatEntry - Info: Process Module: PE imported entries.
- VmmProcessMapModuleDebugEntry - Info: Process: Modules (loaded DLLs) debug information.
- VmmProcessMapModuleEntry - Info: Process: Modules (loaded DLLs).
- VmmProcessMapModuleVersionEntry - Info: Process: Modules (loaded DLLs) version information.
- VmmProcessMapPteEntry - Info: Process: PTE memory map entries.
- VmmProcessMapThreadCallstackEntry - Info: Process: Thread Callstack.
- VmmProcessMapThreadEntry - Info: Process: Threads.
- VmmProcessMapUnloadedModuleEntry - Info: Process: Unloaded modules.
- VmmProcessMapVadEntry - Info: Process: VAD (Virtual Address Descriptor) memory map entries.
- VmmProcessMapVadExEntry - Info: Process: Extended VAD memory map entries.
- VmmProcessSectionEntry - Info: Process Module: PE sections.
- VmmRegHive - Registry Hive API.
- VmmRegKey - Registry Key API.
- VmmRegValue - Registry Value API.
- VmmScatterMemory - Efficient Memory Reading API.
- VmmSearch - Search API.
- VmmSearchResult - Info: Search Progress/Result.
- VmmVfsEntry - VFS (Virtual File System) entry information - file or directory.
- VmmYara - Yara Search API.
- VmmYaraMatch - Info: Yara search match.
- VmmYaraMatchString - Info: Yara search match string.
- VmmYaraResult - Info: Yara search Progress/Result.
Enums§
- VmmIntegrityLevelType
- VmmLogLevel
- VmmMapPfnType
- VmmMapPfnTypeExtended
- VmmMemoryModelType
- VmmProcessMapHeapAllocType
- VmmProcessMapHeapType
- VmmProcessMapModuleType
- VmmProcessMapVadExType
- VmmRegValueType
- VmmSystemType
Constants§
- CONFIG_OPT_CONFIG_DEBUG - Set native library internal custom debug.
- CONFIG_OPT_CONFIG_IS_PAGING_ENABLED - Get/Set enable paging support 1/0.
- CONFIG_OPT_CONFIG_IS_REFRESH_ENABLED - Get whether the refresh is enabled or not (1/0).
- CONFIG_OPT_CONFIG_PROCCACHE_TICKS_PARTIAL - Get/Set process refresh (partial) period (in ticks).
- CONFIG_OPT_CONFIG_PROCCACHE_TICKS_TOTAL - Get/Set process refresh (full) period (in ticks).
- CONFIG_OPT_CONFIG_READCACHE_TICKS - Get/Set memory cache validity period (in ticks).
- CONFIG_OPT_CONFIG_STATISTICS_FUNCTIONCALL - Get/Set enable function call statistics (.status/statistics_fncall file).
- CONFIG_OPT_CONFIG_TICK_PERIOD - Get/Set base tick period in ms.
- CONFIG_OPT_CONFIG_TLBCACHE_TICKS - Get/Set page table (tlb) cache validity period (in ticks).
- CONFIG_OPT_CONFIG_VMM_VERSION_MAJOR - Get MemProcFS major version.
- CONFIG_OPT_CONFIG_VMM_VERSION_MINOR - Get MemProcFS minor version.
- CONFIG_OPT_CONFIG_VMM_VERSION_REVISION - Get MemProcFS revision version.
- CONFIG_OPT_CORE_LEECHCORE_HANDLE - Get the LeechCore native handle. (void*) (do not close/free).
- CONFIG_OPT_CORE_MAX_NATIVE_ADDRESS - Get max native physical memory address.
- CONFIG_OPT_CORE_MEMORYMODEL - Get the numeric memory model type according to the VMM C-API.
- CONFIG_OPT_CORE_PRINTF_ENABLE - Get/Set library console printouts.
- CONFIG_OPT_CORE_SYSTEM - Get the numeric system type according to VMM C-API.
- CONFIG_OPT_CORE_VERBOSE - Get/Set standard verbosity.
- CONFIG_OPT_CORE_VERBOSE_EXTRA - Get/Set extra verbosity.
- CONFIG_OPT_CORE_VERBOSE_EXTRA_TLP - Get/Set super extra verbosity and PCIe TLP debug.
- CONFIG_OPT_CORE_VMM_ID - Get the vmmid that may be used with startup option '-create-from-vmmid' to create a thread-safe duplicate VMM instance.
- CONFIG_OPT_FORENSIC_MODE - Get/Set enable/retrieve forensic mode type [0-4].
- CONFIG_OPT_PROCESS_DTB - Set custom process directory table base. [LO-DWORD: Process PID].
- CONFIG_OPT_REFRESH_ALL - Set - trigger refresh all caches.
- CONFIG_OPT_REFRESH_FREQ_FAST - Set - refresh fast frequency - incl. partial process refresh.
- CONFIG_OPT_REFRESH_FREQ_MEDIUM - Set - refresh medium frequency - incl. full process refresh.
- CONFIG_OPT_REFRESH_FREQ_MEM - Set - refresh memory cache (excl. TLB) (fully).
- CONFIG_OPT_REFRESH_FREQ_MEM_PARTIAL - Set - refresh memory cache (excl. TLB) [partial 33%/call].
- CONFIG_OPT_REFRESH_FREQ_SLOW - Set - refresh slow frequency.
- CONFIG_OPT_REFRESH_FREQ_TLB - Set - refresh page table (TLB) cache (fully).
- CONFIG_OPT_REFRESH_FREQ_TLB_PARTIAL - Set - refresh page table (TLB) cache [partial 33%/call].
- CONFIG_OPT_WIN_SYSTEM_UNIQUE_ID - Get MemProcFS unique system id.
- CONFIG_OPT_WIN_VERSION_BUILD - Get OS version build.
- CONFIG_OPT_WIN_VERSION_MAJOR - Get OS version major.
- CONFIG_OPT_WIN_VERSION_MINOR - Get OS version minor.
- FLAG_CACHE_RECENT_ONLY - Only fetch from the most recent active cache region when reading.
- FLAG_FORCECACHE_READ - Force use of data cache - fail non-cached pages.
- FLAG_FORCECACHE_READ_DISABLE - Disable/override any use of VMM_FLAG_FORCECACHE_READ.
- FLAG_NOCACHE - Do not use internal data cache.
- FLAG_NOCACHEPUT - Do not populate the data cache on a successful read.
- FLAG_NOPAGING - Do not retrieve memory from paged out memory.
- FLAG_NOPAGING_IO - Do not retrieve memory from paged out memory***.
- FLAG_NO_PREDICTIVE_READ - Deprecated/Unused.
- FLAG_SCATTER_PREPAREEX_NOMEMZERO - Disable clearing of memory supplied to VmmScatterMemory.prepare_ex.
- FLAG_ZEROPAD_ON_FAIL - Zero pad failed memory reads and report success.
- PLUGIN_NOTIFY_FORENSIC_INIT - Forensic mode initialization start.
- PLUGIN_NOTIFY_FORENSIC_INIT_COMPLETE - Forensic mode processing is completed.
- PLUGIN_NOTIFY_REFRESH_FAST - Fast refresh. Partial process refresh.
- PLUGIN_NOTIFY_REFRESH_MEDIUM - Medium refresh. Full process refresh and other refresh tasks.
- PLUGIN_NOTIFY_REFRESH_SLOW - Slow refresh. Total refresh of as much as possible.
- PLUGIN_NOTIFY_VERBOSITYCHANGE - Verbosity change. Query new verbosity with: vmm.get_config().
- PLUGIN_NOTIFY_VM_ATTACH_DETACH - A child VM was attached or detached. Query new state with API.
Functions§
- new_plugin_initialization - Initialize plugin information and initialization context.
Type Aliases§
- ResultEx - Result type for MemProcFS API.