FS_Process_PEDump
The directory pedump exists as a sub-directory in each process directory.
The pedump directory contains best-effort reconstructed modules such as .exe, .dll and .sys files from memory fragments.
Please note that files in the pedump directory are best-effort reconstructed files. The files may not match the real file system files, since not all fragments may reside in memory; missing fragments are zero-padded. Even if most memory is available, certain parts of PE images that changed at runtime, such as the import table, will not be reconstructed perfectly.
Files are writable if a write-capable memory acquisition device is used. Please note that physical memory backing modules are normally shared between all processes and that any writes may affect all processes with the module being written into.
The example below shows the files in the pedump sub-directory of the explorer.exe process. The directory contains best-effort reconstructed .exe and .dll PE modules. Missing information will be zero-padded if possible.
The modules are likely to have missing information and may not be executable as such. They may however be useful for other operations, such as looking at properties, reversing, debugging and scanning for known strings and signatures.
The pedump sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file m_pedump.c in the vmm project. The plugin does not provide an external API, but functionality may be accessed using the MemProcFS general filesystem APIs.
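Because a pedump module is zero-padded wherever a fragment was not resident, a first sanity check before reversing or signature-scanning it is to see which pages are entirely zero and whether the import directory landed in one of them. The following is an added example, not MemProcFS's own code: a small Python audit over a PE image in its in-memory layout (as pedump files are), run here on a constructed sample image rather than on a real dump.

```python
# Added example: audit a pedump-style reconstructed PE for zero-padded pages.
import struct

PAGE = 0x1000

def build_image(sections, import_rva, import_size):
    """Construct a minimal PE32+ image in memory layout (sample only).
    sections: list of (name, rva, bytes); uncovered bytes stay zero, like a pedump."""
    img = bytearray(max(rva + len(data) for _, rva, data in sections))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    # COFF header: x64, section count, SizeOfOptionalHeader=240 (PE32+, 16 dirs)
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 120, import_rva, import_size)  # DataDirectory[1]
    for i, (name, rva, data) in enumerate(sections):
        struct.pack_into("<8sIIII", img, opt + 240 + 40 * i, name, len(data), rva, len(data), rva)
        img[rva:rva + len(data)] = data
    return bytes(img)

def audit(img):
    """Per section: (zero-filled pages, total pages); plus import directory status."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", img, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)                  # PE32+ vs PE32
    imp_rva, _imp_size = struct.unpack_from("<II", img, dirs + 8)  # import table entry
    zero = lambda off, n: not any(img[off:off + n])               # page entirely zero?
    sections = {}
    for i in range(nsec):
        name, vsize, rva = struct.unpack_from("<8sII", img, opt + opt_size + 40 * i)
        pages = range(rva, rva + vsize, PAGE)
        sections[name.rstrip(b"\0").decode()] = (sum(zero(p, PAGE) for p in pages), len(pages))
    return {"sections": sections, "import_dir_rva": imp_rva,
            "import_dir_zeroed": zero(imp_rva & ~(PAGE - 1), PAGE)}

def sample_dump():
    """Constructed sample: second .text page and the whole .rdata page were not in memory."""
    text = b"\x48\x89\x5c\x24\x08" * 100 + bytes(2 * PAGE - 500)
    return build_image([(b".text", 0x1000, text), (b".rdata", 0x3000, bytes(PAGE))], 0x3000, 0x28)
```

On a real pedump file, read the bytes via the MemProcFS filesystem (or its API) and pass them to `audit`; a zeroed import directory page explains why the module will not load or resolve imports.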
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖