Closed madeonukraine closed 2 months ago
I figured it out: for some reason it wanted the letter D, although I have 3 drives connected and this letter is occupied. I had to delete this letter in the hard drive management manager and the program started properly.
Please add extraction of keys or passwords of all types, clipboard and pictures, if possible.
Thank you for developing such cool software.
If you run it like this, then the extended disk appears, but if you run the full-fledged script through PowerShell, nothing happens.
good > `C:\MemProcFS-Analyzer-v1.0\Tools\MemProcFS>MemProcFS.exe -device "C:\MemProcFS-Analyzer-v1.0\pcileech.raw" -v`

```
C:\MemProcFS-Analyzer-v1.0\Tools\MemProcFS>MemProcFS.exe -device "C:\MemProcFS-Analyzer-v1.0\pcileech.raw" -v
DEVICE OPEN: file
DEVICE: Successfully opened file: 'C:\MemProcFS-Analyzer-v1.0\pcileech.raw' as RAW Memory Dump.
[INFODB] INIT: SUCCESS: va=0xfffff80670600000
[SYMBOL] Initialized symbol subsystem (Microsoft).
Initialized 64-bit Windows 10.0.22621
[PLUGIN] LOAD: built-in module: '\'
[PLUGIN] LOAD: built-in module: '\'
[SYMBOL] Functionality may be limited. Extended debug information disabled.
[SYMBOL] Partial offline fallback symbols in use.
[SYMBOL] For additional information use startup option: -loglevel symbol:4
[SYMBOL] Reason: Unable to download kernel symbols to cache from Symbol Server.
[PLUGIN] LOAD: built-in module: '\forensic'
[PLUGIN] LOAD: built-in module: '\files\handles'
[PLUGIN] LOAD: built-in module: '\files\vads'
[PLUGIN] LOAD: built-in module: '\files\modules'
[PLUGIN] LOAD: built-in module: '\phys2virt'
[PLUGIN] LOAD: built-in module: '\misc\phys2virt'
[PLUGIN] LOAD: built-in module: '\handles'
[PLUGIN] LOAD: built-in module: '\heaps'
[PLUGIN] LOAD: built-in module: '\modules'
[PLUGIN] LOAD: built-in module: '\memmap'
[PLUGIN] LOAD: built-in module: '\minidump'
[PLUGIN] LOAD: built-in module: '\threads'
[PLUGIN] LOAD: built-in module: '\token'
[PLUGIN] LOAD: built-in module: '\search\bin'
[PLUGIN] LOAD: built-in module: '\misc\search\bin'
[PLUGIN] LOAD: built-in module: '\search\yara'
[PLUGIN] LOAD: built-in module: '\misc\search\yara'
[PLUGIN] LOAD: built-in module: '\virt2phys'
[PLUGIN] LOAD: built-in module: '\misc\bitlocker'
[PLUGIN] LOAD: built-in module: '\conf'
[PLUGIN] LOAD: built-in module: '\misc\eventlog'
[PLUGIN] LOAD: built-in module: '\misc\procinfo'
[PLUGIN] LOAD: built-in module: '\misc\view'
[PLUGIN] LOAD: built-in module: '\sys'
[PLUGIN] LOAD: built-in module: '\sys\drivers'
[PLUGIN] LOAD: built-in module: '\sys\memory'
[PLUGIN] LOAD: built-in module: '\sys\net'
[PLUGIN] LOAD: built-in module: '\sys\objects'
[PLUGIN] LOAD: built-in module: '\sys\pool'
[PLUGIN] LOAD: built-in module: '\sys\proc'
[PLUGIN] LOAD: built-in module: '\sys\services'
[PLUGIN] LOAD: built-in module: '\sys\syscall'
[PLUGIN] LOAD: built-in module: '\sys\sysinfo'
[PLUGIN] LOAD: built-in module: '\sys\tasks'
[PLUGIN] LOAD: built-in module: '\sys\users'
[PLUGIN] LOAD: built-in module: '\registry'
[PLUGIN] LOAD: built-in module: '\forensic\csv'
[PLUGIN] LOAD: built-in module: '\forensic\files'
[PLUGIN] LOAD: built-in module: '\forensic\findevil'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\handles'
[PLUGIN] LOAD: built-in module: '\forensic\json'
[PLUGIN] LOAD: built-in module: '\forensic\timeline'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\module'
[PLUGIN] LOAD: built-in module: '\forensic\ntfs'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\proc'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\registry'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\sys'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\thread'
[PLUGIN] LOAD: built-in module: '\forensic\web'
[PLUGIN] LOAD: built-in module: '\forensic\yara'
[PLUGIN] LOAD: built-in module: '\findevil\EvKRNL1'
[PLUGIN] LOAD: built-in module: '\findevil\EvKERNPROC1'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC1'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC2'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC3'
[PLUGIN] LOAD: built-in module: '\findevil\EvTHRD1'
[PLUGIN] LOAD: built-in module: '\findevil\EvAV1'
[PLUGIN] LOAD: built-in module: '\sys\certificates'
[PLUGIN] LOAD: native module: '\vmemd'
[PROCESS] BAD DTB: PID=5500 DTB=00000001da9c5000
[PROCESS] BAD DTB: PID=11140 DTB=000000010cef1000
[PLUGIN] Python initialization failed. Python 3.6 or later not found.
============================== MemProcFS ==============================
License: GNU Affero General Public License v3.0
MemProcFS is free open source software. If you find it useful please become a sponsor at: https://github.com/sponsors/ufrisk Thank You :)
Operating System: Windows 10.0.22621 (X64)
```

not good > `PS C:\MemProcFS-Analyzer-v1.0> .\MemProcFS-Analyzer.ps1`

```
PS C:\MemProcFS-Analyzer-v1.0> .\MemProcFS-Analyzer.ps1
MemProcFS-Analyzer v1.0 - Automated Forensic Analysis of Windows Memory Dumps for DFIR (c) 2021-2023 Martin Willing at Lethal-Forensics (https://lethal-forensics.com/)
Analysis date: 2024-05-05 13:55:07 UTC
[Info] Current Version: MemProcFS v5.9.12
[Info] Latest Release: MemProcFS v5.9.12 (2024-03-03)
[Info] You are running the most recent version of MemProcFS.
[Info] Current Version of YARA Custom Rules: 2024-04-03
[Info] Latest Update: 2024-04-03
[Info] You are running the most recent YARA Custom Rules.
[Info] Current Version: Dokany File System Library v2.0.6.1000 (2022-10-02)
[Info] Latest Release: Dokany File System Library v2.1.0.1000 (2023-12-22)
[Error] Please download/install the latest release of Dokany File System Library manually: https://github.com/dokan-dev/dokany/releases/latest (DokanSetup.exe)
[Info] Current Version: Elasticsearch v8.9.2
[Info] Latest Release: Elasticsearch v8.9.2 (2023-09-06)
[Info] You are running the most recent version of Elasticsearch.
[Info] Current Version: Kibana v8.9.2
[Info] Latest Release: Kibana v8.9.2 (2023-09-06)
[Info] You are running the most recent version of Kibana.
[Info] Current Version: AmcacheParser v1.5.1.0
[Info] You are running the most recent version of AmcacheParser.
[Info] Current Version: AppCompatCacheParser v1.5.0.0
[Info] You are running the most recent version of AppCompatCacheParser.
[Info] Current Version: entropy v1.1 (2023-07-28)
[Info] Latest Release: entropy v1.1 (2023-07-28)
[Info] You are running the most recent version of entropy.
[Info] Current Version: EvtxECmd v1.5.0.0
[Info] You are running the most recent version of EvtxECmd.
[Info] Current Version: ImportExcel v7.8.6
[Info] Latest Release: ImportExcel v7.8.6 (2023-10-12)
[Info] You are running the most recent version of ImportExcel.
[Info] Current Version: IPinfo CLI v3.3.0 (2024-01-01)
[Info] Latest Release: IPinfo CLI v3.3.0 (2024-01-01)
[Info] You are running the most recent version of IPinfo CLI.
[Info] Current Version: jq v1.7.1
[Info] Latest Release: jq v1.7.1 (2023-12-13)
[Info] You are running the most recent version of jq.
[Info] Current Version: lnk_parser v0.2.0 (2024-05-04)
[Info] Latest Release: lnk_parser v0.2.0 (2022-08-10)
[Info] You are running the most recent version of lnk_parser.
[Info] Current Version: RECmd v2.0.0.0
[Info] You are running the most recent version of RECmd.
[Info] Current Version: SBECmd v2.0.0.0
[Info] You are running the most recent version of SBECmd.
[Info] Current Version: xsv v0.13.0 (2018-05-12)
[Info] Latest Release: xsv v0.13.0 (2018-05-12)
[Info] You are running the most recent version of xsv.
[Info] Current Version: YARA v4.5.0 (2024-02-13)
[Info] Latest Release: YARA v4.5.0 (2024-02-13)
[Info] You are running the most recent version of YARA.
[Info] Zircolite NOT found.
[Info] Latest Release: Zircolite v2.20.0 (2024-03-29)
[Info] Dowloading Latest Release ...
PS C:\MemProcFS-Analyzer-v1.0> TerminatingError(Invoke-WebRequest): "Invalid URI: The hostname could not be parsed."
Invoke-WebRequest : Invalid URI: The hostname could not be parsed.
At C:\MemProcFS-Analyzer-v1.0\MemProcFS-Analyzer.ps1:2367 char:5
[Info] Mounting the Physical Memory Dump file as D: ...
[Info] Physical Memory Dump File Size: 33.99 GB
[Info] MemProcFS Forensic Analysis initiated ...
[Info] Processing C:\MemProcFS-Analyzer-v1.0\pcileech.raw [approx. 1-10 min] ...
PS C:\MemProcFS-Analyzer-v1.0> TerminatingError(): "The pipeline has been stopped."
```
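The root cause the reporter found was that the mount drive letter (D:, as the `[Info] Mounting the Physical Memory Dump file as D: ...` line shows) was already assigned to a physical volume, so the Dokany mount silently failed and the pipeline stopped. A pre-flight check that verifies the letter is free and lists alternatives avoids the detour through Disk Management. The script below is an added example written for this issue; it is not part of MemProcFS-Analyzer or MemProcFS. It assumes D: is the letter the analyzer wants (taken from the log above) and that the hypothetical `-MountLetter` parameter on the analyzer does not exist; the `-mount` switch on `MemProcFS.exe` itself is the documented way to pick a different letter when invoking MemProcFS directly.

```powershell
# Added example (not from MemProcFS-Analyzer): verify that the drive letter a
# tool wants to mount on is free before starting a long-running analysis.

function Get-UsedDriveLetters {
    # Letters with a mounted file system (local, removable, network, optical)
    $mounted = [System.IO.DriveInfo]::GetDrives() |
        ForEach-Object { $_.Name.Substring(0, 1).ToUpper() }

    # Letters assigned to volumes that Windows knows about even when nothing
    # is mounted on them (e.g. a raw or unformatted partition). Get-Volume
    # comes from the Storage module; ignore errors on hosts that lack it.
    $assigned = Get-Volume -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveLetter } |
        ForEach-Object { ([string]$_.DriveLetter).ToUpper() }

    @($mounted + $assigned) | Sort-Object -Unique
}

function Get-FreeDriveLetters {
    # Candidate letters D..Z; A, B and C are skipped on purpose.
    $used = Get-UsedDriveLetters
    [char[]](68..90) | ForEach-Object { [string]$_ } |
        Where-Object { $used -notcontains $_ }
}

function Test-MountDriveLetter {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z]$')]
        [string]$Letter
    )
    $Letter = $Letter.ToUpper()
    $free = @(Get-FreeDriveLetters)

    if ($free -contains $Letter) {
        Write-Host "[Info] ${Letter}: is free and can be used as the mount point."
        return $true
    }

    Write-Warning ("[Error] ${Letter}: is already assigned to a volume. " +
                   "Free letters: " + ($free -join ', '))
    return $false
}

# Usage: D: is what the analyzer logged as its mount point in this issue
# (assumption taken from the log output, not from the analyzer's source).
if (-not (Test-MountDriveLetter -Letter 'D')) {
    Write-Host "Release the letter in Disk Management (diskmgmt.msc), or when"
    Write-Host "running MemProcFS.exe directly pass -mount <free letter>."
}
```

Running this before the analyzer turns a silent "The pipeline has been stopped." into an explicit message naming the conflict and the letters that are actually available, which is the kind of check the reporter had to work out by hand.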