Closed rlewkowicz closed 3 years ago
So I actually went ahead and used MemProcFS (don't forget FTD3XX.dll):
.\MemProcFS.exe -device fpga -pythonpath C:\Users\Ryan\AppData\Local\Programs\Python\Python39
https://github.com/ufrisk/MemProcFS
I don't know if I should close this. This certainly works. But I don't know if this is supposed to be functionality in the main library
Awesome that you found MemProcFS
The file system functionality has grown a lot since that blog entry. It made more sense for me to separate it into a separate general purpose memory analysis project and also support an API on top of it instead of keeping it in PCILeech (which is a command line utility only focused on PCIe DMA attacks).
Anyway; it's good to see that you found it and I'll be closing this issue. If you happen to have any more questions please let me know :)
Also huge thanks for sponsoring. I've put a lot of time into these tools and we'll see where it goes. If you feel you are missing out on some functionality you need please let me know. I have plans to release some initial detections of some malware within a week or two.
You've got this blog here: http://blog.frizk.net/2018/03/memory-process-file-system.html
And in this blog you've got: http://4.bp.blogspot.com/-Mt81Q3-Q5go/WqRcuE25i1I/AAAAAAAAARA/OVLr8Fb9fcchBOC0vlNpZUxh7j6wStMQgCK4BGAYYCw/s1600/blog_head.gif
That's what I'm looking to do from a remote system. I can run:
.\pcileech.exe mount -device fpga -v -kmd WIN10_X64_3
(which, by the way, I thought I didn't need kernel modules with the fpga devices). And that will mount the file system, but not the memory as a file system. I still only have the single raw file.