ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

fpga. pagedisplay/dump returns incorrect data. #251

Closed eXskill closed 1 year ago

eXskill commented 1 year ago

Hello. I'm trying to read a specific fragment from the memory of the target machine.

pcileech.exe pagedisplay -min 0x1520000 -device fpga -memmap auto

But the returned data does not match the real one. What could be the reason?

image

ufrisk commented 1 year ago

Your HxD view shows the offset from the base of your exe file.

Exe files are loaded into process virtual memory. In process virtual memory this address will be the randomized base address where the .exe is loaded PLUS this offset you have in HxD.

Furthermore pcileech deals with physical memory. Not virtual memory. You'd first need to translate your virtual memory address into physical memory to view it like that. For that you'd have to traverse the page tables.

In my MemProcFS program you may view virtual memory directly in HxD. Open the memory.vmem file found under M:\name\\memory.vmem
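The page-table traversal mentioned in the reply above, sketched as an added example (not part of the original thread and not code from pcileech or MemProcFS). It assumes x86-64 4-level paging; the CR3 value, image base, frame addresses and memory contents are constructed, and `read_phys` is a hypothetical stand-in for any physical-memory reader.

```python
import struct

PRESENT = 1 << 0                   # P bit: entry is valid
LARGE = 1 << 7                     # PS bit: PDPTE/PDE maps a 1 GiB / 2 MiB page
ADDR_MASK = 0x000F_FFFF_FFFF_F000  # bits 51:12 of a paging-structure entry

def translate(read_phys, cr3, va):
    """Walk x86-64 4-level page tables. Returns a physical address, or None
    when an entry on the path is not present (unmapped or paged out)."""
    table = cr3 & ADDR_MASK
    for shift in (39, 30, 21, 12):             # PML4, PDPT, PD, PT
        index = (va >> shift) & 0x1FF          # 9 index bits per level
        (entry,) = struct.unpack("<Q", read_phys(table + index * 8, 8))
        if not entry & PRESENT:
            return None
        if shift == 12 or (shift in (30, 21) and entry & LARGE):
            offset_mask = (1 << shift) - 1     # 4 KiB, 2 MiB or 1 GiB page
            return (entry & ADDR_MASK & ~offset_mask) | (va & offset_mask)
        table = entry & ADDR_MASK              # descend to the next table

def build_demo():
    """Constructed physical memory: one 4 KiB mapping and one 2 MiB mapping."""
    mem = {}                                   # frame number -> bytearray(4096)
    def poke(pa, data):
        page = mem.setdefault(pa >> 12, bytearray(4096))
        page[pa & 0xFFF:(pa & 0xFFF) + len(data)] = data
    def read_phys(pa, n):
        page = mem.get(pa >> 12, bytes(4096))
        return bytes(page[pa & 0xFFF:(pa & 0xFFF) + n])
    def link(table, va, shift, target, flags=PRESENT):
        poke(table + ((va >> shift) & 0x1FF) * 8, struct.pack("<Q", target | flags))
    cr3, pdpt, pd, pt = 0x1AA000, 0x1AB000, 0x1AC000, 0x1AD000
    # Constructed randomized image base + the offset from the question + 0x40
    va = 0x7FF6_4A2B_0000 + 0x152_0000 + 0x40
    link(cr3, va, 39, pdpt)
    link(pdpt, va, 30, pd)
    link(pd, va, 21, pt)
    link(pt, va, 12, 0x3F5C_2000)              # final 4 KiB frame
    link(pd, va + 0x20_0000, 21, 0x8020_0000, PRESENT | LARGE)  # 2 MiB page
    poke(0x3F5C_2040, b"target bytes")
    return read_phys, cr3, va

if __name__ == "__main__":
    read_phys, cr3, va = build_demo()
    pa = translate(read_phys, cr3, va)
    print(hex(va), "->", hex(pa), read_phys(pa, 12))
    print(hex(0x1000), "->", translate(read_phys, cr3, 0x1000))
```

The physical address returned by the walk, not the file offset or the virtual address, is the value that corresponds to a physical-memory view.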

eXskill commented 1 year ago

Thanks a lot! I didn't pay attention to the vmem/pmem extension.