
MemProcFS v2.6 releases: The Memory Process File System

The Memory Process File System:

The Memory Process File System (MemProcFS) is an easy and convenient way of accessing physical memory as files in a virtual file system.

Easy, trivial point-and-click memory analysis without the need for complicated command-line arguments! Access physical memory content and artefacts via files in a mounted virtual file system or via a feature-rich .dll application library to include in your own projects!

Analyze memory dump files – or even live memory in read-write mode via linked pcileech and pcileech-fpga devices!

Use your favorite tools to analyze memory – use your favorite hex editors, your python and powershell scripts, your disassemblers – all will work trivially with the Memory Process File System by just reading and writing files!

Include the Memory Process File System in your Python or C/C++ programming projects! Almost everything in the Memory Process File System is exposed via an easy-to-use API for use in your own projects! The Plugin friendly architecture allows users to easily extend the Memory Process File System with native C .DLL plugins or Python .py plugins – providing additional analysis capabilities!

Fast and easy memory analysis via mounted file system:

No matter if you have no prior knowledge of memory analysis or are an advanced user, the Memory Process File System (and the API) may be useful! Click around the memory objects in the file system

Extensive Python and C/C++ API:

Everything in the Memory Process File System is exposed as APIs. APIs exist for both C/C++ vmmdll.h and Python vmmpy.py. The file system itself is made available virtually via the API without the need to mount it. Specialized process analysis and process alteration functionality are made easy by calling API functionality. It is possible to read both virtual process memory as well as physical memory! The example below shows reading 0x20 bytes from physical address 0x1000:

>>> from vmmpy import *
>>> VmmPy_InitializeFile('c:/temp/win10_memdump.raw')
>>> print(VmmPy_UtilFillHexAscii(VmmPy_MemRead(-1, 0x1000, 0x20)))
0000    e9 4d 06 00 01 00 00 00  01 00 00 00 3f 00 18 10   .M..........?...
0010    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
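The session above depends on the real vmmpy module and a real dump. As an added example (not MemProcFS's own code), the script below reproduces the two things that session does in plain Python so you can see what the API is doing for you: it reads a byte range at a physical address out of a flat raw dump file, and it renders the bytes in the same offset / hex / ASCII layout that VmmPy_UtilFillHexAscii printed above. It assumes the dump is a contiguous physical-memory image (file offset equals physical address, which is what a flat .raw dump is; anything with a header such as a crash dump would need a translation step first). The dump it reads is constructed in a temporary file, with the sample bytes copied from the page's example output, so it runs offline.

```python
import os
import tempfile

# Constructed sample: the 0x20 bytes the page's session shows at physical address 0x1000.
SAMPLE_AT_0X1000 = bytes.fromhex(
    "e9 4d 06 00 01 00 00 00 01 00 00 00 3f 00 18 10"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
)


def hexascii(data: bytes, base: int = 0) -> str:
    """Render bytes in the layout shown on the page: 4-digit offset, 8 hex bytes,
    a double space, 8 more hex bytes, then 16 ASCII chars ('.' for non-printables).
    Offsets are relative to the start of the buffer, as in the page's output."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        left = " ".join(f"{b:02x}" for b in chunk[:8])
        right = " ".join(f"{b:02x}" for b in chunk[8:])
        hexpart = (left + "  " + right) if right else left
        hexpart = hexpart.ljust(48)  # 23 + 2 + 23 chars for a full 16-byte row
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{base + off:04x}    {hexpart}   {text}")
    return "\n".join(lines)


def read_physical(dump_path: str, pa: int, length: int) -> bytes:
    """Read `length` bytes at physical address `pa` from a flat raw dump.
    Assumption: file offset == physical address (true for a flat .raw image).
    A short read (address past the end of the image) is reported, not silently
    padded, so a bad address is not mistaken for zeroed memory."""
    with open(dump_path, "rb") as f:
        f.seek(pa)
        data = f.read(length)
    if len(data) != length:
        raise ValueError(f"short read at {pa:#x}: got {len(data)} of {length} bytes")
    return data


def make_sample_dump() -> str:
    """Write a constructed 8 KiB flat image with the sample bytes placed at 0x1000."""
    path = os.path.join(tempfile.mkdtemp(), "sample_memdump.raw")
    image = bytearray(0x2000)
    image[0x1000:0x1000 + len(SAMPLE_AT_0X1000)] = SAMPLE_AT_0X1000
    with open(path, "wb") as f:
        f.write(image)
    return path


def dump_at(dump_path: str, pa: int = 0x1000, length: int = 0x20) -> str:
    """Equivalent of the page's VmmPy_UtilFillHexAscii(VmmPy_MemRead(-1, pa, length))
    for a flat raw dump (pid -1 in the real API means physical memory)."""
    return hexascii(read_physical(dump_path, pa, length))


if __name__ == "__main__":
    print(dump_at(make_sample_dump()))
```

With the constructed image, `dump_at(path)` prints exactly the two rows shown in the page's session; asking for a range beyond the 8 KiB image raises instead of returning a truncated buffer, which is the check you want when an address comes from a parsed structure rather than from a known-good table.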

Modular Plugin Architecture:

Anyone is able to extend the Memory Process File System with custom plugins! It is as easy as dropping a python file in the correct directory or compiling a tiny C DLL. Existing functionality is already implemented as well documented C and Python plugins!

Changelog v2.6

  • Additional performance optimizations.
  • Support for process long names (previously capped to 15 chars), image path and command line.
  • New module: SysInfo – system information including OS version number and process tree with command line.

Download && Use

Copyright (C) 2018 Ufrisk 

Anastasis Vasileiadis
