FS_Process_Virt2Phys
The directory virt2phys exists as a sub-directory in each process directory.
The virt2phys directory contains one special file named virt.txt that the user of MemProcFS may write a virtual address into. Once saved the other files will automatically update to reflect the user-selected virtual address written to the virt.txt file.
NB! Memory may still be readable even though virt2phys may not find it if the memory is "paged out". The virt2phys looks at currently active memory only.
| File | Description |
|---|---|
| virt.txt | Virtual address in hex - always user writable! |
| phys.txt | Physical address (in hex) that the virtual address maps to |
| map.txt | Virtual to physical translation map - showing page table entries and their locations in the PML4, PDPT, PD and PT page tables. |
| readme.txt | Informational README file. |
| pt_pml4.mem* | PML4 page table |
| pt_pdpt.mem* | PDPT page table |
| pt_pd.mem* | Page Directory page table |
| pt_pt.mem* | Page Table page table |
| page.mem | 4kB page that the virt address maps to (or corresponding 4kB section of memory if large pages are used) |
*) On arm64 architectures the page table memory files are named pt_lvl0.mem, pt_lvl1.mem, pt_lvl2.mem and pt_lvl3.mem.
The virt.txt file is always writable. The map.txt file is always read-only while all other files are writable if a write-capable memory acquisition device is used.
The example below shows the files in the virt2phys sub-directory of the explorer.exe process. The virtual memory address 00007ff75fc50000 is echoed into the virt.txt file. The page table walk is shown by viewing the map file with the `cat map.txt` command. The resulting physical address of 0x1a6c96000 is shown by viewing the phys.txt file with the `cat phys.txt` command. Also shown, in the HxD hex editor, is the 4th level page table for the virtual address.
The first column of the map file shows which page table level the line refers to. The next column shows the physical address of that page table, followed by the offset (in bytes) of the page table entry within it, and finally the page table entry itself (PML4E/PDPTE/PDE/PTE).
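The walk that map.txt displays, as an added example that is not MemProcFS code: a Python model of the x64 4-level translation over a constructed physical memory. The CR3 value, table locations and flag bits are constructed sample data chosen so that the page's example virtual address 0x7ff75fc50000 resolves to 0x1a6c96000; the 2 MB large-page and non-present cases are included because the table above and the NB! note mention them.

```python
# Added example, not MemProcFS code: a model of the x64 4-level page table walk
# that virt2phys performs and map.txt displays, run over a constructed physical
# memory. CR3, table locations and flag values below are constructed sample data.
import struct

LEVELS = ("PML4", "PDPT", "PD", "PT")
PRESENT, LARGE_PAGE = 1 << 0, 1 << 7          # P bit; PS bit (1 GB at PDPT, 2 MB at PD)
ADDR_MASK = 0x000FFFFFFFFFF000                # bits 51:12 of an entry hold the next PA

class PhysMem:
    """Minimal sparse physical memory: 4 kB pages keyed by physical base address."""
    def __init__(self):
        self.pages = {}

    def write_entry(self, table_pa, index, value):
        page = self.pages.setdefault(table_pa, bytearray(0x1000))
        struct.pack_into("<Q", page, index * 8, value)

    def read_entry(self, table_pa, index):
        page = self.pages.get(table_pa)
        return None if page is None else struct.unpack_from("<Q", page, index * 8)[0]

def virt2phys(mem, cr3, va):
    """Return (physical address or None, rows). Each row mirrors a map.txt line:
    (table name, table physical address, entry byte offset, entry value)."""
    rows, table = [], cr3 & ADDR_MASK
    for lvl, name in enumerate(LEVELS):
        index = (va >> (39 - 9 * lvl)) & 0x1FF    # 9 index bits per level
        entry = mem.read_entry(table, index)
        rows.append((name, table, index * 8, entry))
        if entry is None or not entry & PRESENT:  # not present: "paged out" or unmapped
            return None, rows
        if name in ("PDPT", "PD") and entry & LARGE_PAGE:
            bits = 30 if name == "PDPT" else 21   # offset width inside the large page
            return (entry & ADDR_MASK & ~((1 << bits) - 1)) | (va & ((1 << bits) - 1)), rows
        table = entry & ADDR_MASK
    return table | (va & 0xFFF), rows           # 4 kB page base + 12-bit offset

def build_sample_memory():
    """Constructed tables mapping the page's example VA 0x7ff75fc50000 to 0x1a6c96000,
    plus a 2 MB large page at VA 0x7ff75fe00000 (sample values, not from a real system)."""
    mem, cr3 = PhysMem(), 0x1ad000
    mem.write_entry(0x1ad000, 0xFF, 0x1ae000 | 0x7)       # PML4E -> PDPT
    mem.write_entry(0x1ae000, 0x1DD, 0x1af000 | 0x7)      # PDPTE -> PD
    mem.write_entry(0x1af000, 0xFE, 0x1b0000 | 0x7)       # PDE   -> PT
    mem.write_entry(0x1b0000, 0x50, 0x1a6c96000 | 0x67)   # PTE   -> 4 kB page
    mem.write_entry(0x1af000, 0xFF, 0x1a8000000 | 0x87)   # PDE with PS set: 2 MB page
    return mem, cr3
```

Printing each row of `rows` as hex gives the same four columns (table, table address, entry offset, entry value) that map.txt shows for the walk.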
The virt2phys sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_proc_virt2phys.c in the vmm project. The plugin contains limited caching functionality that allows it to retain the contents of the virt.txt file even though the process list may be refreshed in a read/write scenario.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖