ufrisk / MemProcFS

GNU Affero General Public License v3.0

VMMDLL_Initialize init problems on AMD + LINUX #282

Closed AurelienConte closed 3 months ago

AurelienConte commented 3 months ago

Hi !

I'm getting some problems right now initializing the device with the VMMDLL_Initialize method.

My target computer has an AMD processor and a Linux distribution (Ubuntu-like).

I have read this documentation: https://github.com/ufrisk/LeechCore/wiki/Device_FPGA_AMD_Thunderbolt

It says that I need to provide a mmap.txt containing the address ranges of my physical memory.

However, on Linux I cannot use RAMMap, and I'm trying to figure out how to generate this file. I was playing with the file "/proc/iomem" but I don't know if it's good or not.

Actually, when initializing with verbose flags I'm getting this error:

LeechCore v2.17.3: Open Device: fpga
LcMemMap_AddRange: 0000000000000000-0000000000000fff -> 0000000000000000
LcMemMap_AddRange: 0000000000001000-000000000009ffff -> 0000000000001000
LcMemMap_AddRange: 00000000000a0000-00000000000fffff -> 00000000000a0000
LcMemMap_AddRange: 0000000000100000-0000000009d01fff -> 0000000000100000
LcMemMap_AddRange: 0000000009d02000-0000000009ffffff -> 0000000009d02000
LcMemMap_AddRange: 000000000a000000-000000000a1fffff -> 000000000a000000
LcMemMap_AddRange: 000000000a200000-000000000a20bfff -> 000000000a200000
LcMemMap_AddRange: 0000000100000000-000000101f2fffff -> 0000000100000000
LcMemMap_AddRange: 000000101f300000-000000101fffffff -> 000000101f300000
[CORE]     Initialization Failed. Unable to locate valid DTB. #2
VmmProc: Unable to auto-identify operating system.
         Specify PageDirectoryBase (DTB/CR3) in -dtb option if value if known.
         If arm64 dump, specify architecture: -arch arm64
[CORE]     Failed to initialize.

[CORE]     SHUTDOWN COMPLETED (0x7d6242293010).
[CORE]       TIME: 2024-03-16 18:37:41 UTC.
[CORE]       RUNTIME: 0s.

Previously, I was testing it against the same target but on Windows, and with RAMMap I was able to generate the right mmap.txt and init the device.

Any advice to help me?

Thanks in advance!
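As an added example (not code from the issue, nor from the MemProcFS or LeechCore projects), here is a small parser that pulls the top-level "System RAM" ranges out of /proc/iomem, which the post above mentions as a possible source for the memory map. The output line layout (`<start> <end>` as 16-digit hex) is an assumption; check it against the LeechCore wiki page linked above. /proc/iomem shows zeroed addresses unless read as root, and the code refuses such a map rather than emitting an empty-looking one.

```python
import re
import sys

# Constructed sample in /proc/iomem layout (not a real machine's map).
# Indented lines are sub-resources of the range above them.
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009ffff : System RAM
000a0000-000fffff : Reserved
  000f0000-000fffff : System ROM
00100000-09d01fff : System RAM
  01000000-01e00f4b : Kernel code
09d02000-09ffffff : Reserved
0a000000-0a1fffff : System RAM
100000000-101f2fffff : System RAM
"""

LINE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) : (.+)$")


def parse_system_ram(iomem_text):
    """Return [(start, end_inclusive)] for top-level 'System RAM' entries.

    Sub-resources (indented lines such as 'Kernel code') are skipped because
    they lie inside a parent range that is already reported.
    """
    ranges = []
    for line in iomem_text.splitlines():
        if line.startswith(" "):
            continue
        m = LINE_RE.match(line)
        if m and m.group(3).strip() == "System RAM":
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    # Unprivileged reads of /proc/iomem return all-zero addresses.
    if ranges and all(s == 0 and e == 0 for s, e in ranges):
        raise PermissionError("/proc/iomem addresses are zeroed; read it as root")
    return ranges


def format_map(ranges):
    """Assumed mmap layout: '<start> <end>' as 16-digit hex, one range per line."""
    return "\n".join(f"{s:016x} {e:016x}" for s, e in ranges)


if __name__ == "__main__":
    # Usage: python iomem_map.py [/proc/iomem]; defaults to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IOMEM
    print(format_map(parse_system_ram(text)))
```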

ufrisk commented 3 months ago

MemProcFS unfortunately only supports analysis of Windows systems and memory related to Windows systems.

MemProcFS does not support the analysis of Linux systems. For analysis of Linux systems I'd have to recommend Volatility.

With that being said, MemProcFS runs fine on Linux, but still only analyzing Windows targets.

PCILeech has some support for Linux, i.e. kernel injections etc.

Main reason for not fully supporting Linux in MemProcFS is time. This is a side project of mine. I have a normal job to take care of as well, and keeping Windows memory analysis up-to-date and adding new things to it is already taking a lot of time. Due to this I unfortunately don't have any plans on supporting analysis of Linux memory systems with this tool currently.

Thanks for understanding and best wishes with your memory analysis.