ufrisk / MemProcFS
GNU Affero General Public License v3.0

Regarding the issue of missing data when using API to read memory process content #242

Closed sansure closed 7 months ago

sansure commented 10 months ago

Hi, thank you very much for your feedback. Your work provides a rich set of features and API interfaces. Recently, while learning to use the API interface to read process data from memory, I noticed that a significant portion of the data from the target process is missing and filled with zeros. There are also frequent failures in the read operation. I would like to know the reasons behind this issue and if there are any possible solutions.

Here is the specific workflow I follow:

  1. Use VMMDLL_ProcessGetInformationAll() to retrieve the dwPID of the target process.
  2. Use VMMDLL_Map_GetModuleU() to obtain the loaded module list of the process, including the vaBase and cbImageSize of the process itself.
  3. Use VMMDLL_MemRead()/VMMDLL_MemReadEx()/VMMDLL_MemReadPage() functions with the previously obtained dwPID, vaBase, and cbImageSize to read the data of the process itself.
  4. After comparing the obtained data with the original process data and removing invalid data resulting from PE memory unpacking and page alignment, a significant portion of the data appears to be abnormal and consists of zeros. There are also many instances of read failures. This issue is present across multiple processes and not limited to specific cases. The target system is running Windows 10.

FocuzJS commented 10 months ago

Due to the nature of how memory-mapped files work in Windows, if the data hasn't been accessed yet it won't be in memory, or in some cases, if the code isn't called frequently enough, it can end up flushed back to disk/paged out depending on the context.

Since I assume you're using this on a game my only advice to you is try and load into a match and possibly interact with the world for example and you will see the total bytes read fluctuate (mostly going up).

If you really must have the most complete view of the image possible the best luck you will have is trying to continuously read the failing parts of memory over a period of minutes and cache it.

In some cases I don't think you can ever recover the image 1:1 without some hybrid code injection technique to gain execution on the CPU and have it access the memory for you.
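The retry-and-cache approach described in this comment, written out as an added example that is not part of the thread or of MemProcFS: a page-granular cache that re-reads only the pages still missing and treats a failed read and an all-zero page alike, since both mean the page was not resident at that moment. The read_page callback and the SimulatedReader are assumptions made for an offline demonstration; a real reader would wrap the VMMDLL page read for the dwPID, vaBase and cbImageSize values obtained in the workflow above.

```python
from typing import Callable, Dict, List, Optional
PAGE = 0x1000  # image mappings are page granular, so residency is tracked per 4 KiB page

class PageCache:
    """Keeps the best copy of each page of a process region across repeated reads."""

    def __init__(self, va_base: int, cb_image_size: int):
        self.base = va_base & ~(PAGE - 1)  # round the region out to whole pages
        self.end = (va_base + cb_image_size + PAGE - 1) & ~(PAGE - 1)
        self.pages: Dict[int, bytes] = {}  # va -> data of a page seen resident

    def read_pass(self, read_page: Callable[[int], Optional[bytes]]) -> int:
        """Retry only the pages still missing; returns how many this pass filled."""
        filled = 0
        for va in [p for p in range(self.base, self.end, PAGE) if p not in self.pages]:
            data = read_page(va)
            # A failed read and an all-zero page mean the same here: not resident yet.
            if data is None or len(data) != PAGE or not any(data):
                continue
            self.pages[va] = data
            filled += 1
        return filled

    def coverage(self) -> float:
        return len(self.pages) / ((self.end - self.base) // PAGE)

class SimulatedReader:
    """Constructed stand-in for a real page reader: page i turns resident on pass first_seen[i]
    (-1 means the read always fails). A real one would wrap VMMDLL_MemReadPage for the dwPID."""

    def __init__(self, base: int, first_seen: List[int]):
        self.base, self.first_seen, self.pass_no = base, first_seen, 0

    def __call__(self, va: int) -> Optional[bytes]:
        i = (va - self.base) // PAGE
        if self.first_seen[i] < 0:
            return None
        return bytes([i + 1]) * PAGE if self.pass_no >= self.first_seen[i] else bytes(PAGE)

def demo(passes: int = 3) -> List[float]:
    """Coverage after each pass over a constructed 5-page image (last page never loads)."""
    base = 0x7FF6_1234_0000
    reader = SimulatedReader(base, first_seen=[1, 1, 2, 3, -1])
    cache = PageCache(base, 5 * PAGE - 0x200)  # cbImageSize need not be page aligned
    out = []
    for _ in range(passes):
        reader.pass_no += 1  # the target has run a bit longer, so more pages were touched
        cache.read_pass(reader)
        out.append(cache.coverage())
    return out
```

Pages that never become resident stay absent from the cache, which is the honest result: the coverage figure tells you how much of the image was actually observed rather than silently zero-filled.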

ufrisk commented 10 months ago

Like already mentioned this is one of the big drawbacks with memory forensics. Not everything may be loaded into memory at any given time. Some data might not yet be loaded from disk, other data may be paged out to the page file.

If you're analyzing a memory dump file you could increase the quality of the analysis by also supplying a page file.

If you're lucky and run MemProcFS against a memory dump file with the -forensic start-up option, you'll see, after a while, an M:\forensic\files directory which may contain files recovered from file handles (using a slightly different method) which may or may not be more complete. But generally things will be missing when doing memory forensics.

A good example of how it works is by checking out the files in the M:\name\<yourprocess>\memmap\vad-v\ directory. The first parts, up until 'A' etc., tell whether the page is loaded/active (A) or if it's a prototype page (P) in which memory is derived from the 2nd section. In the example (Z) means ZERO which in this case means the memory just isn't loaded into memory so MemProcFS is unable to recover those specific addresses.

Other memory forensics tools will have the same problems or even worse. MemProcFS is one of the best in recovering memory as things are right now. Especially when a memory dump file is analyzed together with the page file.

I hope this explains things a bit. There just isn't anything I can do to recover everything perfectly sadly.

sansure commented 10 months ago

Thank you very much for your response. I have gained a better understanding of the issue at hand. I will now try again to see how I can retrieve as much memory data as possible.

imerzan commented 10 months ago

One thing I can suggest is that if you increase the amount of available System Memory in your target PC, it will greatly reduce the chance of things getting paged to disk (to fix one of the possible causes for the issue you experience).

Windows seems to handle these decisions internally, but memory pressure seems to be a big component to this in my experience.

ufrisk commented 7 months ago

I'm closing this issue since I believe the initial question was answered.