
Can we further optimize it

Open lishaoju opened this issue 1 year ago • 2 comments

I want to use DMA to only read system process information or specific process PID memory data. Is there any way to achieve this? I am a beginner.

lishaoju avatar Apr 27 '24 11:04 lishaoju

Then just read from the process you're targeting and don't read from the other processes. You don't have to read from the other processes you aren't interested in if you don't want to... Or am I missing something here?

ufrisk avatar Apr 27 '24 11:04 ufrisk

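Then just read from your target process, and not from the other processes. If you don't want to, you don't have to read from the other processes you aren't interested in... Or am I missing something here?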

VMMDLL_Scatter_PrepareEx: the return may be successful, but the received value is incorrect. VMMDLL_Map_GetEATU: the return value may be successful, but cMap will receive a null value. Restarting the host has a certain chance of receiving the correct value of cMap.

lishaoju avatar Apr 28 '24 17:04 lishaoju

Unfortunately this is how DMA memory forensics works. It's not guaranteed to give proper results always.

Sometimes the operating system "pages out" memory to disk where PCILeech/MemProcFS DMA is unable to reach.

And yeah, cMap may be 0, and it would indicate a fail so both the return value and the cMap value would have to be checked unfortunately.

ufrisk avatar May 22 '24 22:05 ufrisk