ufrisk / MemProcFS

MemProcFS
GNU Affero General Public License v3.0
3.16k stars 383 forks

Error opening pagefile.sys #26

Closed slack2450 closed 4 years ago

slack2450 commented 4 years ago

I want to access paged memory; however, after starting MemProcFS with `.\MemProcFS.exe -pagefile0 pagefile.sys -pagefile1 swapfile.sys -device FPGA -v` I am told:

WARNING: CANNOT OPEN PAGE FILE #0 'pagefile.sys'
WARNING: CANNOT OPEN PAGE FILE #1 'swapfile.sys'

How may I gain access to these? I have a default windows 10 installation.

ufrisk commented 4 years ago

Windows won't let anyone open those files if it's running, or at least I'm not aware of a way. The pagefile options are mostly there to support page files retrieved from virtual machines and such.

But what are you trying to do? What kind of memory are you trying to read that you cannot access? stack, heap, dll/exe-image? If memory is frequently accessed it's not very likely to be paged out to disk.

also, is the problem that you're unable to read the memory completely? or that it's not updating fast enough (i.e. you're reading from the cache instead of live memory)?

slack2450 commented 4 years ago

I'm trying to read sections of a dll however it's inaccessible through pcileech unless I've recently read the memory using a local tool. I've tried reading from the memory bypassing the cache however get the same result. I assumed this must mean the virtual address must not be stored in the physical memory and thus paged to disk.

I'd have assumed if it was a dll it would almost certainly never be paged however this seems to be the case. Because I know for certain this memory region should be non-zero. If it is paged does this mean it is unreadable? Would it be possible to write a kernel implant to move paged memory?

ufrisk commented 4 years ago

the windows memory manager maps the dll into a process's page tables on the first use of that page.

the dll in your case is most certainly already existing in memory, but MemProcFS won't read that memory since it's not mapped in the process page tables. I'll fix this in the next version in which it will try to read from the backing virtual address descriptor (VAD) in case of a missing page table entry.

If you wish to recompile you can change this line (for x64) https://github.com/ufrisk/MemProcFS/blob/f2d15cf4fe4f19cfeea3dad52971fae2e491064b/vmm/mm_win.c#L1306 remove !pte || from the if-statement and it should hopefully work.

If that's not working, it may be that it's paged out as well, but the above is the most likely issue. If you decide to go ahead and try the fix can you please let me know if it's working for you.

slack2450 commented 4 years ago

I tried the fix you suggested and sadly it didn't work. Have you got any other suggestions what I could do to access it? Or a place to start on how to read the VAD?

ufrisk commented 4 years ago

You can check out the module files in the "files" folder in the process directory. It tries to recover the files using different techniques; if any of the files for your module contains your info, it will be in the memory.

about info, sadly I don't have any good quick tips to give, and it's quite complex, google is your friend here I'm afraid.

slack2450 commented 4 years ago

Okay thank you! I guess I've got a lot of reading to do.

ufrisk commented 4 years ago

I hope things will become a little bit better with regards to this in the next release. Also I wish you good luck with your research :)

I'm closing this issue now though.