The MemProcFS crate contains a wrapper API around the MemProcFS physical memory analysis framework. The native library, in the form of vmm.dll or vmm.so, must be compiled or downloaded in order to make use of the memprocfs Rust crate.
The aim of the MemProcFS Rust crate and API is to make MemProcFS usage easy and smooth in Rust! Please let me know what you think or if you have any improvement suggestions!
Physical memory analysis may take place on memory dump files for forensic purposes. Analysis may also take place on live memory - either captured by using PCILeech PCIe DMA devices or by using drivers - such as WinPMEM, LiveCloudKd, VMware or similar.
The MemProcFS API base is the Vmm struct. Once the native vmm has been initialized it's possible to retrieve processes in the form of the VmmProcess struct. Using the Vmm and VmmProcess structs it's possible to undertake a wide range of actions, such as reading/writing memory and retrieving various information.
Read and write memory by using the methods mem_read(), mem_read_ex() and mem_write() of the Vmm and VmmProcess structs.
Efficiently read and write memory using the VmmScatterMemory struct.
Get info about loaded modules, memory regions, registry, process handles, kernel pool allocations and much more!
Access the VFS (Virtual File System) via the Rust API to get access to the full range of built-in and external plugins.
The MemProcFS Rust API supports creation of native MemProcFS plugins in the form of a library (.dll or .so) for the more advanced user.
```rust
use memprocfs::*;

// Initialize MemProcFS on Linux targeting a live Windows system
// by reading memory using a PCILeech PCIe FPGA hardware device.
// After initialization list all processes.
let args = ["-printf", "-device", "fpga"].to_vec();
let vmm = Vmm::new("/home/user/memprocfs/vmm.so", &args)?;
if let Ok(process_all) = vmm.process_list() {
    for process in &*process_all {
        println!("{} : {}", process.pid, process.info()?.name);
    }
}
```
```rust
use memprocfs::*;

// Initialize MemProcFS on Windows - analyzing a memory dump file.
// Also trigger the forensic mode and scan for VMs.
// List all processes in the virtual file system directory /name/.
let args = ["-printf", "-forensic", "1", "-vm",
            "-device", "C:\\dumps\\memory.dmp"].to_vec();
let vmm = Vmm::new("C:\\MemProcFS\\vmm.dll", &args)?;
if let Ok(vfs_all) = vmm.vfs_list("/name/") {
    println!("Number of files/directories: {}.", vfs_all.len());
    for vfs in &*vfs_all {
        println!("{vfs}");
    }
}
```
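The scatter-read feature mentioned above is easiest to understand by seeing what it saves. The following is an added, self-contained model (not code from the memprocfs crate, and not a real target) shaped like the prepare, execute and read steps of the crate's VmmScatterMemory; the struct names, the constructed FakeMemory backend and its page-fetch counter are assumptions made for illustration, so it runs without vmm.so or vmm.dll.

```rust
use std::collections::BTreeMap;
const PAGE: u64 = 0x1000;

// Constructed stand-in for the native vmm: a sparse, page-backed address space
// that counts backend page fetches, so the cost of a batch of reads is visible.
struct FakeMemory { pages: BTreeMap<u64, [u8; 0x1000]>, backend_reads: usize }

// Model of the scatter pattern: prepare() queues ranges, execute() fetches
// every distinct page once, read() serves each range from the fetched pages.
struct Scatter { wanted: Vec<(u64, usize)>, fetched: BTreeMap<u64, [u8; 0x1000]> }

impl Scatter {
    fn prepare(&mut self, va: u64, size: usize) { self.wanted.push((va, size)); }

    fn execute(&mut self, mem: &mut FakeMemory) {
        for &(va, size) in &self.wanted {
            let last = (va + size as u64 - 1) & !(PAGE - 1);
            let mut p = va & !(PAGE - 1);
            while p <= last {
                if !self.fetched.contains_key(&p) {
                    mem.backend_reads += 1;
                    if let Some(d) = mem.pages.get(&p) { self.fetched.insert(p, *d); }
                }
                p += PAGE;
            }
        }
    }

    // None if any page of the range is unreadable, mirroring a failed read.
    fn read(&self, va: u64, size: usize) -> Option<Vec<u8>> {
        let mut out = Vec::with_capacity(size);
        while out.len() < size {
            let cur = va + out.len() as u64;
            let page = self.fetched.get(&(cur & !(PAGE - 1)))?;
            let off = (cur & (PAGE - 1)) as usize;
            let n = (size - out.len()).min(0x1000 - off);
            out.extend_from_slice(&page[off..off + n]);
        }
        Some(out)
    }
}

// Constructed sample: two mapped pages and four scattered reads, one straddling
// the page boundary and one to an unmapped page. Returns (page fetches, results).
fn demo() -> (usize, Option<Vec<u8>>, Option<Vec<u8>>) {
    let base = 0x7ff6_0000_0000u64;
    let mut mem = FakeMemory { pages: BTreeMap::from([(base, [0xAA; 0x1000]), (base + PAGE, [0xBB; 0x1000])]), backend_reads: 0 };
    let mut s = Scatter { wanted: Vec::new(), fetched: BTreeMap::new() };
    for (va, n) in [(base + 0x10, 8), (base + 0x20, 16), (base + 0xff8, 16), (base + 0x5000, 4)] { s.prepare(va, n); }
    s.execute(&mut mem);
    (mem.backend_reads, s.read(base + 0xff8, 16), s.read(base + 0x5000, 4))
}
```

Four queued reads touching three distinct pages cost three backend fetches instead of four, and the read that crosses the page boundary is assembled from both pages.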
Check out the example project and the example MemProcFS plugin.
Check out the project documentation for MemProcFS, LeechCore and pcileech-fpga:
* MemProcFS - Documentation.
* LeechCore - Documentation.
* PCILeech - Documentation.
* PCILeech-FPGA.
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
To all my sponsors, Thank You 💖
Please feel free to contact me!
* GitHub: https://github.com/ufrisk/MemProcFS
* Discord: #pcileech channel at the Porchetta server.
* Twitter: https://twitter.com/UlfFrisk
* Email: pcileech@frizk.net
Check out the MemProcFS documentation and the example project!
Best wishes with your Rust memory analysis project!