FS_Process_Console
The directory console exists as a sub-directory in each conhost.exe process directory.
The console module recovers console information from the conhost.exe process attached to a console application. Currently only the console text (with the entered commands visible) is recovered.
The files in the console directory are listed in the table below:
| File | Description |
|---|---|
| console.txt | Recovered text from the console. |
Facts in short:
- Supports Windows 7+
- Does not support Windows Terminal (yet).
- May sometimes fail if memory is paged out and/or heap parsing has failed.
- Only recovers console text information, not command history (commands are visible in the console text though).
- Does not handle console wrap-arounds. If a wrap-around has taken place, the wrap point may fall in the middle of the recovered console text.
Files in the console directory are read-only.
The example below shows a recovered console text screen showing some commands the user has entered.
The console sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_proc_console.c in the vmm project.
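As an added example (not part of the MemProcFS project or this page), the script below walks a MemProcFS mount point, collects every `console/console.txt` found under the per-PID process directories described above, and pulls out the command lines from the recovered screen text. The mount layout `<mount>/pid/<pid>/console/console.txt` follows this page; the sample tree, the `command_lines` helper and its assumption of the default `cmd.exe` prompt (`C:\...>command`) are mine.

```python
# Added example, not MemProcFS code. Walks a MemProcFS mount and gathers the
# recovered console screens so an analyst can review them side by side.
import re
import tempfile
from pathlib import Path

# Assumption: a cmd.exe style prompt such as "C:\Users\x>whoami" precedes each command.
PROMPT_RE = re.compile(r"^[A-Za-z]:\\[^>]*>(.+)$")


def collect_console_text(mount: Path) -> dict[int, str]:
    """Return {pid: console text} for every pid/<pid>/console/console.txt on the mount."""
    found = {}
    for console_file in sorted(mount.glob("pid/*/console/console.txt")):
        pid_dir = console_file.parent.parent
        if not pid_dir.name.isdigit():
            continue
        # Recovery can fail when memory is paged out or heap parsing failed, so the
        # text may be empty; the entry is kept so the conhost is still accounted for.
        found[int(pid_dir.name)] = console_file.read_text(encoding="utf-8", errors="replace")
    return found


def command_lines(text: str) -> list[str]:
    """Extract the commands typed at the prompt from a recovered console screen.
    Because wrap-arounds are not handled, the order may not match the display order."""
    commands = []
    for line in text.splitlines():
        match = PROMPT_RE.match(line.strip())
        if match and match.group(1).strip():
            commands.append(match.group(1).strip())
    return commands


def build_sample_mount(root: Path) -> Path:
    """Constructed sample tree (not a real memory image) mirroring the mount layout."""
    conhost = root / "pid" / "4321" / "console"
    conhost.mkdir(parents=True)
    (conhost / "console.txt").write_text(
        "C:\\Users\\analyst>whoami\nlab\\analyst\n\nC:\\Users\\analyst>ipconfig /all\n"
    )
    (root / "pid" / "1000").mkdir(parents=True)  # non-conhost process: no console dir
    return root


def demo() -> dict[int, str]:
    with tempfile.TemporaryDirectory() as tmp:
        return collect_console_text(build_sample_mount(Path(tmp)))
```

On a live mount, call `collect_console_text(Path("M:/"))` on Windows or with the chosen Linux mount point instead of the constructed tree.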
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics, and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖