-
-
Notifications
You must be signed in to change notification settings - Fork 103
Device_File
The LeechCore library supports reading memory from memory dump files in various formats.
Facts in short:
- Is supported on all supported platforms.
- Acquires memory in read-only mode (unless otherwise specified).
- Acquired memory is assumed to be static (unless otherwise specified).
- No additional requirements.
The currently supported formats are:
- Raw Memory Dump File.
- Full Microsoft Crash Dump File.
- Windows Hibernation File (hiberfil.sys, Win10+).
- Full ELF Core Dump.
- LiME v1 Dump File.
- VMware memory save file.
The dump file must be a minimum of 16MB to be recognized as a dump file. i.e. - if the file opened contains the crash dump header it will be treated as a crash dump file. If no special file format is detected the file will be treated as a raw linear memory dump file.
Memory dumps are assumed to be static (non changing) by default. This will allow PCILeech and MemProcFS to optimize internal access. It's possible to override this behavior by setting the parameter volatile=1
which will cause the file to be treated as volatile (live/changing). It's also possible to change the read-only behavior to read/write. See below for examples.
VMware note: Please copy both the .vmem and .vmss/.vmsn files. In some cases the .vmss file is required in order to properly parse the .vmem memory file.
LeechCore API:
Please specify the file name in LC_CONFIG.szDevice
when calling LcCreate
If a dump file have the same name as another device it's also possible to set the file name on the format file://file=<file_name>
.
Options:
file=
Specify the file name to open.
volatile=1
Specify that the file/device contains live volatile updating memory.
write=1
Specify that the file/device is writable.
PCILeech / MemProcFS:
Please specify the file name in the -device
option.
Examples:
Open a memory dump file: -device c:\temp\mydumpfile.dmp
Open a memory dump file: -device "file://file=c:\temp\mydumpfile.dmp"
Open a memory dump file and set it to volatile and writable: -device "file://file=/dev/my-volatile-memdump.raw,volatile=1,write=1"
No additional requirements exist.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖