ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

What kind of memory does the probe command actually enumerate? #195

Closed B3njey closed 1 year ago

B3njey commented 2 years ago

Hello,

I want to start off by praising this interesting project and the creation of this powerful tool. But I would like to understand how the probe command works exactly; I couldn't find more detailed information about its technical functionality, so I wanted to ask via this issue.

Excuse me if there are some logical errors in my questions, I would just like to understand how the commands work.

Best regards Benjamin

ufrisk commented 2 years ago

Hi,

The probe command read (if I remember correctly) 4 bytes from each 4096-byte physical memory page. It does not do anything with regards to virtual memory.

There are some commands that work with both virtual and physical memory, such as the search and patch commands (if a pid is supplied in the -pid option a virtual memory search is undertaken, otherwise a physical memory search).

If wanting to dig deeper into processes and their virtual memory I strongly recommend my MemProcFS project. It's fully compatible with PCILeech and it allows you to easily view process internals (and also manipulate them over DMA) utilizing a virtual file system.

B3njey commented 2 years ago

I see, that is helpful, thank you. So I presume if those 4 bytes in one physical memory page can't be read it counts as failed. But do you know why a certain number of pages always seem to fail? Or simply why pages fail at all?

Yes, I looked into them as well already. I am testing all the commands with an FPGA and looking at the available and possible security measures against attacks on DMA interfaces.

ufrisk commented 2 years ago

Pages may fail for a number of reasons:

1) page is protected by the memory controller, this is the case with SMM memory.
2) page is protected by a hypervisor IOMMU.
3) page is not backed by physical RAM, the memory may be related to a memory mapped device as an example.
4) page is above the max addressable space.

Also, probe usually works fine on Intel. Not so on AMD or Thunderbolt. If you do an invalid read the device usually stops working.

B3njey commented 2 years ago

Alright, good to know, thank you. Yes I am testing explicitly on Intel based systems and PCIe.

Then I would be interested on your take on the following thought.

ufrisk commented 2 years ago

Failed/Skipped pages are zero-padded.

The OS kernel initializes very early, when the starting Windows appears it will probably be able to identify the OS if you're doing a memory dump.

There would be considerable drift/smear though since a lot of things are happening. It will be very low quality and a lot of things will be missing and/or not parse due to data corruption.

To get a better quality dump wait a short while after the logon-screen appears to allow for some delayed services to start.
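The probe and dump behaviour described in this thread (one small read per 4 KiB-aligned page, failed pages counted and then zero-padded in a dump so file offsets still match physical addresses) as an added example. This is not PCILeech's own code: the `FakePhysicalMemory` class is a constructed stand-in whose `unreadable` ranges model the failure classes listed above (SMM-protected, IOMMU-blocked, MMIO, above max address), and the `read(pa, length)` callback shape is an assumption chosen so a real DMA reader could be substituted.

```python
PAGE_SIZE = 0x1000   # probe works on 4 KiB chunks aligned to 4 KiB
PROBE_BYTES = 4      # one small read per page, as described in the thread


class FakePhysicalMemory:
    """Constructed stand-in for a DMA reader (assumption: not a real device API).
    Ranges in `unreadable` model pages the device cannot read: SMM-protected,
    IOMMU-blocked, or MMIO. Reads past `size` model the max-address case."""

    def __init__(self, size, unreadable):
        self.size = size
        self.unreadable = list(unreadable)
        # Fill each page with its own page number so a dump is easy to eyeball.
        self.data = bytearray(size)
        for pa in range(0, size, PAGE_SIZE):
            self.data[pa:pa + PAGE_SIZE] = bytes([(pa // PAGE_SIZE) & 0xFF]) * PAGE_SIZE

    def read(self, pa, length):
        if pa + length > self.size:
            raise OSError(f"0x{pa:x}: above max addressable physical memory")
        for start, end in self.unreadable:
            if pa < end and pa + length > start:
                raise OSError(f"0x{pa:x}: read rejected (protected or not backed by RAM)")
        return bytes(self.data[pa:pa + length])


def probe(read, max_addr):
    """Touch PROBE_BYTES of every page below max_addr.
    Returns (readable_pages, failed_pages) as lists of page addresses."""
    readable, failed = [], []
    for pa in range(0, max_addr, PAGE_SIZE):
        try:
            read(pa, PROBE_BYTES)
            readable.append(pa)
        except OSError:
            failed.append(pa)
    return readable, failed


def dump(read, max_addr):
    """Full-page reads; a page that fails is replaced by PAGE_SIZE zero bytes,
    so offset N in the image is always physical address N."""
    out = bytearray()
    for pa in range(0, max_addr, PAGE_SIZE):
        try:
            out += read(pa, PAGE_SIZE)
        except OSError:
            out += bytes(PAGE_SIZE)
    return bytes(out)


def page_runs(pages):
    """Coalesce a sorted list of page addresses into [start, end) ranges for reporting."""
    runs = []
    for pa in pages:
        if runs and runs[-1][1] == pa:
            runs[-1][1] = pa + PAGE_SIZE
        else:
            runs.append([pa, pa + PAGE_SIZE])
    return [tuple(r) for r in runs]


if __name__ == "__main__":
    # Constructed layout: 64 KiB of RAM with one 8 KiB protected region and one
    # 4 KiB device hole; probing 8 KiB past the end exercises the max-address case.
    mem = FakePhysicalMemory(0x10000, unreadable=[(0x3000, 0x5000), (0xA000, 0xB000)])
    ok, bad = probe(mem.read, 0x12000)
    print(f"readable pages: {len(ok)}, failed pages: {len(bad)}")
    for start, end in page_runs(bad):
        print(f"  failed range 0x{start:x}-0x{end:x}")
    image = dump(mem.read, 0x12000)
    print(f"dump size 0x{len(image):x}, protected region zero-padded: "
          f"{image[0x3000:0x5000] == bytes(0x2000)}")
```

On real hardware the same loop shape applies, but note the caveat from the thread: on Intel a failed read is reported and skipped, while on AMD or Thunderbolt an invalid read can stall the device, so the probe range should be bounded by a known max address rather than scanned blindly.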

B3njey commented 2 years ago

Thank you for your explanation, that's what I figured as well.

When you are referring to 'pages in memory' or 'pages read' in PCILeech, do you mean a section of virtual memory or actually a page frame, a section of physical memory? Since as far as I know "page" is the term usually used when referring to virtual memory.

ufrisk commented 2 years ago

I use that term a bit sloppily, I mean a 4kB chunk of memory aligned to 4kB.

B3njey commented 2 years ago

Alright, thanks for your fast answers. There is one final question left. To give you some perspective, some colleagues and I used your wonderful tool in a student project. We used Redmine to create man-page-like wiki pages for each command of PCILeech, gave it some structure, and added some test cases where you can see the command used and its output with a certain setup. Now we were wondering if you could have some use for that documentation, to give future users an easier overview of each command?

ufrisk commented 2 years ago

My LeechCore and MemProcFS tools/libraries are quite well documented already, but PCILeech documentation in the form of wiki pages is very lacking, as you already noticed. I'd be super happy to accept a wiki guide.

I already have some rudimentary built-in help if you use the help command though. Improving upon this should also be possible, but I would need it contributed in a way that will still allow me to retain the ability to do dual licensing, i.e. not GPL/AGPL, but something more permissive such as public domain / MIT.

B3njey commented 1 year ago

Sorry for the very late response. There has been much going on the last few months.

It is indeed already well documented. As already said, we created man-page-like documentation for the usable commands to get a better idea of its possibilities. I can send you one of those and you can decide whether it will contribute to your documentation or not.

That is understandable, I would just need to check with the company we did this project in cooperation with, but as of the last information I got, this shouldn't be a problem.

ufrisk commented 1 year ago

I'm closing this issue due to old age. Also, I believe the questions have been answered in the thread.