MemProcFS
Committed memory not present in PTE?
Hi,
I am trying to read something on 0x16a1cedeac8 which should be located on this heap 0x16a1ce64000 - 0x16a1cfd0000. Looking at the region in VMMap:
But my read failed. I think it is because pte does not have this entry? Loading memprocfs gives
snippet of memmap/pte.txt
0078 7544 1760 0000016a1aea0000-0000016a1c5fffff -r--
0079 7544 148 0000016a1d800000-0000016a1d947fff -r--
snippet of memmap/vad.txt
0047 7544 ffffaa810e2dd2c0 171 16c 1 0000016a1ce60000-0000016a1cfd0fff p-rw--
I am using the livecloudkd plugin to read Hyper-V VM memory. However, dumping the whole linear memory with livecloudkd and reading the resulting memory dump file does not work either. Other programs, which I assume use ReadProcessMemory, work fine. BTW I tried disabling pagefiles; the problem seems to persist.
Is there anything I should do? Maybe try leechagent first?
The PTE map is derived from hardware PTE entries that the CPU sees.
In this case there is probably no memory mapped at that virtual address. When the program reads it the kernel will page fault and dynamically add it (and update the non-existing PTE entry) on the fly transparently.
You can check this more in detail in the VAD map and also the extended VAD map. Especially the extended VAD info in MemProcFS may contain interesting info about the state of the actual memory address.
You can try to read the specific memory. It may be that it's compressed by the Windows memory manager and MemProcFS will recover it. It may also be that it's paged out to disk in which case MemProcFS won't be able to read it.
In essence, the Windows memory manager is really complex. I'm unable to say for sure what's the issue with your memory here. But check the vad-v info files. Also, it's not always that Windows is very good at caring about the disabled page file; sometimes it seems to be used anyway.
Please let me know how it goes.
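As an added example (not part of this thread or of MemProcFS itself), the check described above can be scripted against the memmap/pte.txt and memmap/vad.txt files: parse the start-end ranges from each line and classify a target VA as backed by a hardware PTE, present only in the VAD map, or absent from both. The sample lines are the ones quoted in the thread; the assumption that the token following the range is the flags column holds for both snippets.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample input: the memmap/pte.txt and memmap/vad.txt lines
# quoted earlier in the thread (index, pid, ..., start-end, flags).
PTE_TXT = """\
0078 7544 1760 0000016a1aea0000-0000016a1c5fffff -r--
0079 7544 148 0000016a1d800000-0000016a1d947fff -r--
"""
VAD_TXT = """\
0047 7544 ffffaa810e2dd2c0 171 16c 1 0000016a1ce60000-0000016a1cfd0fff p-rw--
"""

# A region is written as two 16-digit hex addresses joined by '-'.
RANGE_RE = re.compile(r"\b([0-9a-fA-F]{16})-([0-9a-fA-F]{16})\b")


class Region(NamedTuple):
    start: int
    end: int      # inclusive, as printed in the map files
    flags: str    # e.g. "-r--" for PTE lines, "p-rw--" for VAD lines


def parse_map(text: str) -> list[Region]:
    """Parse every line that carries a start-end range; skip the rest."""
    regions = []
    for line in text.splitlines():
        m = RANGE_RE.search(line)
        if not m:
            continue
        rest = line[m.end():].split()           # assumption: flags follow the range
        flags = rest[0] if rest else ""
        regions.append(Region(int(m.group(1), 16), int(m.group(2), 16), flags))
    return regions


def find_region(regions: list[Region], va: int) -> Optional[Region]:
    return next((r for r in regions if r.start <= va <= r.end), None)


def classify(va: int, pte_regions: list[Region], vad_regions: list[Region]) -> str:
    """'mapped'   : a hardware PTE covers va, a read through the PTE map works.
    'vad-only' : the VAD reserves/commits va but no PTE exists yet (not yet
                 touched, paged out or compressed); check the vad-v files.
    'unmapped' : neither map knows the address."""
    if find_region(pte_regions, va):
        return "mapped"
    if find_region(vad_regions, va):
        return "vad-only"
    return "unmapped"


if __name__ == "__main__":
    pte, vad = parse_map(PTE_TXT), parse_map(VAD_TXT)
    print(hex(0x16a1cedeac8), classify(0x16a1cedeac8, pte, vad))
```

Run against the real pte.txt and vad.txt exported by MemProcFS, a "vad-only" result for the failing address reproduces the situation in the thread.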
The vad-d txt file of the corresponding address range is empty. I also tried pmem; it is also not reading the area. Creating a dump via taskmgr, then reading the address range with MemProcFS reads 0 length. Using rpm to read the address range (this yields data, not zeros), then reading the address range with MemProcFS reads 0 length too :(
BTW I tried pmem, mostly the same results it seems. I can add a memory dump, but only if it is really something interesting.
what happens if you use rpm to read the address range and then start memprocfs to read the range afterwards?
I used this pymem package to read around a bit and started MemProcFS, still the same; the address range only shows up in vad and not in the vad-v or pte.
Are you able to send me a full physical memory dump which contains this issue so that I may take a look?
The memory dump may contain sensitive information though, so don't send it if it belongs to some corporate computers and such.
This should hopefully be fixed in the upcoming version that I plan to publish in the not too distant future. Huge thanks for your help on this one. I hope it will work, otherwise please let me know.
Can you please check whether it's working in the new version?
NB! The API has changed in this major release, so if you are using it, it will require some work adapting.
Since I use the python api I guess I will have to wait until that is updated, currently I overwrite the vmmpyd.pyd along with the others in the old package, and it seems to stop working altogether :/
I'm sorry about that. I actually forgot about the Python packages this morning. They should be updated now. You may need to update both the memprocfs and leechcorepyc packages.
Please let me know how it goes.
Looks like this problem does not exist with the new version anymore. Thank you again for the great project ❤️
The same issue seems to still exist, but only very rarely. I finally caught it in action and made another memory dump for you to take a look at (if you would 😄), but I use significantly less memory in the VM environment now, with pagefile and memory compression and whatnot activated, so it could be something else, I guess?
Was this issue resolved? Or did I somehow miss it? Please let me know.