Closed serkonda7 closed 10 months ago
Did you try to dump memory from a Windows target?
-memmap auto works by initializing MemProcFS with some best-guess half-safe parameters to try to find out the memory map as seen by the Windows kernel. Sometimes this will not work and will fail (the error message indicates this). This obviously happens on non-Windows targets, but sometimes on Windows targets as well.
You could go with a manual memmap instead (recommended).
Or if things work fine without it, just skip it :)
But you're probably right that I should update the guide. I should say more than that it's just a high-risk operation and also mention it won't always work.
But I don't think there is a bug as such here.
Thanks for all your helpful replies!
My target was Windows 10 x64 and the host Linux. As it was a lab setup, in the end I went with taking a memmap manually using RamMap on the target.
The error message implied to me that pcileech does not recognize auto as an instruction to attempt taking a memory map on its own but instead looked for a file called auto.
It's just a bit of an unclear error message, I think. Internally PCILeech will extract the memmap "file" from MemProcFS, and when it fails the resulting "file" will be invalid as well.
Anyway, I'm glad to see the issue is now resolved and I'm closing this issue.
I have built all repos from source using the latest master.
Running
./pcileech dump -memmap auto -v -device fpga
results in the following error:

Access to the memory using
./pcileech display -min 0x1000 -v -device fpga
works fine.

Is the wiki outdated? e.g. https://github.com/ufrisk/LeechCore/wiki/Device_FPGA_AMD_Thunderbolt#unknown-memory-map-and-no-system-access
Or is this a bug in pcileech/memprocfs?