MemProcFS: The Memory Process File System

The Memory Process File System:

The Memory Process File System (MemProcFS) is an easy and convenient way of accessing physical memory as files in a virtual file system.

Point-and-click memory analysis without complicated command-line arguments! Access physical memory content and artifacts via files in a mounted virtual file system, or via a feature-rich .dll application library that you can include in your own projects.

Analyze memory dump files, or even live memory in read-write mode via linked pcileech and pcileech-fpga devices.

Use your favorite tools to analyze memory: your favorite hex editors, your Python and PowerShell scripts, and your disassemblers all work with the Memory Process File System by simply reading and writing files. Note that against a live target in read-write mode, a write to one of these files is a write to the target's memory, so open them read-only unless a write is intended.


Include the Memory Process File System in your Python or C/C++ programming projects! Almost everything in the Memory Process File System is exposed via an easy-to-use API for use in your own projects. The plugin-friendly architecture lets users extend the Memory Process File System with native C .DLL plugins or Python .py plugins, adding further analysis capabilities.

Fast and easy memory analysis via mounted file system:

Whether you have no prior knowledge of memory analysis or are an advanced user, the Memory Process File System (and its API) may be useful. Click around the memory objects in the file system.

Extensive Python and C/C++ API:

Everything in the Memory Process File System is exposed through APIs, for both C/C++ (vmmdll.h) and Python (vmmpy.py). The file system itself is made available virtually via the API, without the need to mount it. Specialized process analysis and process alteration functionality is available through API calls. Both virtual process memory and physical memory can be read. The example below reads 0x20 bytes from physical address 0x1000:

>>> from vmmpy import *
>>> VmmPy_InitializeFile('c:/temp/win10_memdump.raw')
>>> # pid -1 selects physical memory; pass a process pid to read that process's virtual memory
>>> print(VmmPy_UtilFillHexAscii(VmmPy_MemRead(-1, 0x1000, 0x20)))
0000 e9 4d 06 00 01 00 00 00 01 00 00 00 3f 00 18 10 .M..........?...
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
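The script below is an added example and not part of the MemProcFS project's own code. It applies the approach described in both the file system and the API sections above: ordinary file reads against the physical memory exposed by the mount, here to find page-aligned PE headers (an `MZ` stub whose `e_lfanew` lands on a `PE\0\0` signature), which is how a loaded module's image base appears in physical memory. The path to the raw physical memory file under the mount point (assumed here to be named like `M:\memory.pmem`; check the file name in your version) or any raw dump file is given on the command line, and the same `find_pe_headers` function works on the bytes returned by `VmmPy_MemRead(-1, ...)`. The four-page image scanned when no argument is given is constructed inline for demonstration only.

```python
import os
import struct
import sys
import tempfile

PAGE_SIZE = 0x1000
MAX_E_LFANEW = 0x400   # heuristic bound; real headers keep e_lfanew small


def find_pe_headers(buf: bytes, base: int = 0) -> list:
    """Return (offset, e_lfanew, machine) for every page-aligned PE header in buf.

    Only page boundaries are checked: a module's image base is page aligned, so
    a stray 'MZ' in the middle of a page is not a header. Offsets are reported
    relative to base (the physical address of buf[0])."""
    hits = []
    for off in range(0, len(buf), PAGE_SIZE):
        if off + 0x40 > len(buf) or buf[off:off + 2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
        if e_lfanew < 0x40 or e_lfanew > MAX_E_LFANEW:
            continue
        pe = off + e_lfanew
        if pe + 6 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
            continue
        machine = struct.unpack_from("<H", buf, pe + 4)[0]   # IMAGE_FILE_HEADER.Machine
        hits.append((base + off, e_lfanew, machine))
    return hits


def scan_file(path: str, chunk_size: int = 16 * 1024 * 1024) -> list:
    """Scan a physical memory file (e.g. the raw memory file under the mount, or a
    dump) chunk by chunk. chunk_size is a page multiple so alignment is kept."""
    if chunk_size % PAGE_SIZE:
        raise ValueError("chunk_size must be a multiple of PAGE_SIZE")
    hits = []
    with open(path, "rb") as f:          # read-only: never write to a live target by accident
        pos = 0
        while True:
            buf = f.read(chunk_size)
            if not buf:
                break
            hits.extend(find_pe_headers(buf, base=pos))
            pos += len(buf)
    return hits


def build_sample_image() -> bytes:
    """Constructed 4-page image for demonstration; not a real memory dump."""
    img = bytearray(4 * PAGE_SIZE)
    # page 1: a well-formed x64 PE header at a page boundary -> reported
    img[0x1000:0x1002] = b"MZ"
    struct.pack_into("<I", img, 0x103C, 0x80)          # e_lfanew
    img[0x1080:0x1084] = b"PE\0\0"
    struct.pack_into("<H", img, 0x1084, 0x8664)        # IMAGE_FILE_MACHINE_AMD64
    # page 2: 'MZ' text with an absurd e_lfanew -> rejected
    img[0x2000:0x2002] = b"MZ"
    struct.pack_into("<I", img, 0x203C, 0x10000)
    # page 3: a plausible header that is not page aligned -> not an image base, ignored
    img[0x3200:0x3202] = b"MZ"
    struct.pack_into("<I", img, 0x323C, 0x80)
    img[0x3280:0x3284] = b"PE\0\0"
    return bytes(img)


def demo(chunk_size: int = PAGE_SIZE) -> list:
    """Write the constructed image to a temporary file and scan it as a file,
    the same way the mounted physical memory file would be scanned."""
    fd, path = tempfile.mkstemp(suffix=".pmem")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(build_sample_image())
        return scan_file(path, chunk_size)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for off, e_lfanew, machine in hits:
        print(f"PE header at physical 0x{off:x} (e_lfanew=0x{e_lfanew:x}, machine=0x{machine:x})")
```

Because the physical pages of a module are scattered, this finds image headers only; reconstructing a whole module from its virtual layout is what the per-process views in the file system are for. Run against the mounted physical memory file it is exactly the "use your favorite tools on files" workflow the page describes, with no MemProcFS API call needed.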


Modular Plugin Architecture:

Anyone can extend the Memory Process File System with custom plugins! It is as easy as dropping a Python file in the correct directory or compiling a tiny C DLL. Much of the existing functionality is itself implemented as well-documented C and Python plugins.

Download && Use

Copyright (C) 2018 Ufrisk