ufrisk / MemProcFS

MemProcFS
GNU Affero General Public License v3.0

[Not an Issue, just help request] How to find all available "virtual addresses" for process. #271

Closed BubonicPestilence closed 7 months ago

BubonicPestilence commented 7 months ago

Hello ufrisk

1) Do you accept support using USDT/BTC?

2) I'm not a memory expert, just learning the basics, and I'm interested: is there a way to properly find all available virtual addresses of a process/module to read from?

I have a feeling that reading outside of "claimed/registered" v-addresses is causing my card to hang up. I'm already using mmap... but the victim system is using an AMD CPU... And by testing reads over and over on a small range of addresses that are nearly guaranteed to be "claimed" by the app (also, I've limited big reads to 1000 bytes per call), my app has been working for the last ≈6h without hangups.

What I have found is process.maps.heap()["segment"] and process.maps.pte(); I assume it's like range(start_vaddr, start_vaddr + size * 4096).

Also I have seen that you told someone to watch for the VTE, to check for paged memory parts.

If possible, I will be glad to hear what the best way is to get a list of "safe-to-read" memory address ranges.

ufrisk commented 7 months ago
  1. Unfortunately not. Github Sponsors is unfortunately the way to go. I know everyone doesn't have access to a CC and it's quite unfortunate, but thanks for asking 👍 If you have the chance to use Github Sponsors it would be greatly appreciated.

  2. This shouldn't happen. Reading outside of physical addresses may cause issues. The memmap addresses that issue.

There are some periodic background updates that might shortly result in higher read latencies, but it should be noticed every few seconds / minutes.

If the memory is paged out it may take longer to access as well, due to inefficiencies in internal MemProcFS and just because it's more complicated as well. There are some read flags you can add to your read request to avoid this, namely VMMDLL_FLAG_NOPAGING and VMMDLL_FLAG_NOPAGING_IO. Other than that there shouldn't be anything around reading bad virtual memory.

You can check the memory layout if you use MemProcFS to mount the memory as a virtual file system: look in M:\name\memmap\ at vad.txt, pte.txt and the vad-v sub-directory.

Hope this explains it a bit. Also it may be faster to ask general questions on the Discord.

Please let me know if this would somehow explain things a bit and if it would resolve your issues, or if you still experience issues.
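As an added illustration of the approach discussed above (not code from the MemProcFS project or from either commenter): derive readable virtual ranges from a process's PTE map and issue only small, in-range reads with the no-paging flags. It assumes the Python API shape `process.maps.pte()` returning dicts with `va` and `pages` keys, `process.memory.read(va, size, flags)`, and the constants `memprocfs.FLAG_NOPAGING` / `memprocfs.FLAG_NOPAGING_IO`; the fake process and its PTE entries are constructed so the script runs offline.

```python
# Added example: build "safe-to-read" VA ranges from a PTE map and read within them.
try:
    import memprocfs  # real module, if installed
    NOPAGING_FLAGS = memprocfs.FLAG_NOPAGING | memprocfs.FLAG_NOPAGING_IO
except ImportError:  # assumed constant names; 0 means default flags when run offline
    NOPAGING_FLAGS = 0

PAGE = 0x1000


def pte_ranges(pte_entries):
    """Turn PTE map entries ({'va': int, 'pages': int}) into sorted, merged (start, end) ranges."""
    spans = sorted((e["va"], e["va"] + e["pages"] * PAGE) for e in pte_entries if e["pages"])
    merged = []
    for start, end in spans:
        if merged and start <= merged[-1][1]:  # adjacent or overlapping: extend last range
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def safe_read(process, va, size, ranges, chunk=1000):
    """Read [va, va+size) only if it lies entirely inside one mapped range,
    in pieces of at most `chunk` bytes (mirroring the 1000-byte limit from the issue).
    Returns the bytes, or None when the request is not fully mapped."""
    if not any(start <= va and va + size <= end for start, end in ranges):
        return None
    out = bytearray()
    for off in range(0, size, chunk):
        out += process.memory.read(va + off, min(chunk, size - off), NOPAGING_FLAGS)
    return bytes(out)


class FakeProcess:
    """Constructed stand-in for a MemProcFS process object; each byte equals its address's low byte."""
    class _Memory:
        def __init__(self):
            self.calls = 0
        def read(self, va, size, flags=0):
            self.calls += 1
            return bytes((va + i) & 0xFF for i in range(size))
    def __init__(self):
        self.memory = self._Memory()


# Constructed PTE entries standing in for process.maps.pte() output.
SAMPLE_PTE = [{"va": 0x7FF000, "pages": 2}, {"va": 0x801000, "pages": 1}, {"va": 0x10000, "pages": 4}]

if __name__ == "__main__":
    proc = FakeProcess()
    ranges = pte_ranges(SAMPLE_PTE)
    print([(hex(s), hex(e)) for s, e in ranges])
    print(safe_read(proc, 0x7FF000, 0x3000, ranges)[:4], proc.memory.calls, "chunked reads")
```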

BubonicPestilence commented 7 months ago

Thank you very much!