The Memory Process File System (MemProcFS) is an easy and convenient way of viewing physical memory as files in a virtual file system.

Easy trivial point and click memory analysis without the need for complicated commandline arguments! Access memory content and artifacts via files in a mounted virtual file system or via a feature rich application library to include in your own projects!

Analyze memory dump files, live memory via DumpIt or WinPMEM, live memory in read-write mode via linked PCILeech and PCILeech-FPGA devices!

It's even possible to connect to a remote LeechAgent memory acquisition agent over a secured connection - allowing for remote live memory incident response - even over higher latency low band-width connections! Peek into Hyper-V Virtual Machines with LiveCloudKd!

Use your favorite tools to analyze memory - use your favorite hex editors, your python and powershell scripts, WinDbg or your favorite disassemblers and debuggers - all will work trivally with MemProcFS by just reading and writing files!

Include MemProcFS in your C/C++, C# or Python programming projects! Everything in MemProcFS is exposed via an easy-to-use API for use in your own projects! The Plugin friendly architecture allows users to easily extend MemProcFS with native C .DLL plugins or Python .py plugins - providing additional analysis capabilities!

MemProcFS is available on Python pip. Just type pip install memprocfs and you're ready to go! Please see the Python API documentation and the YouTube demo for examples and usage!

Please check out the project wiki for more in-depth detailed information about the file system itself, its API and its plugin modules!

Please check out the LeechCore project for information about supported memory acquisition methods and remote memory access via the LeechService.

To get going clone the sources in the repository or download the latest binaries, modules and configuration files from the releases section and check out the guide.

No matter if you have no prior knowledge of memory analysis or are an advanced user MemProcFS (and its API) may be useful! Click around the memory objects in the file system

Everything in MemProcFS is exposed as APIs. APIs exist for both C/C++ vmmdll.h, C# vmmsharp.cs and Python memprocfs.py. The file system itself is made available virtually via the API without the need to mount it. SIt is possible to read both virtual process memory as well as physical memory! The example below shows reading 0x20 bytes from physical address 0x1000:

>>> import memprocfs
>>> vmm = memprocfs.Vmm(['-device', 'c:/temp/win10_memdump.raw'])
>>> print(vmm.hex( vmm.memory.read(0x1000, 0x20) ))
0000    e9 4d 06 00 01 00 00 00  01 00 00 00 3f 00 18 10   .M..........?...
0010    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................

Anyone is able to extend MemProcFS with custom plugins! It is as easy as dropping a python file in the correct directory or compiling a tiny C DLL. Existing functionality is already implemented as well documented C and Python plugins!

Get the latest binaries, modules and configuration files from the latest release. Alternatively clone the repository and build from source.

MemProcFS is dependent on the LeechCore project for memory acquisition. The necessary leechcore.dll / leechcore.so file is already pre-built and included together with the pre-built binaries.

Mounting the file system requires the Dokany file system library to be installed. Please download and install the latest version of Dokany at: https://github.com/dokan-dev/dokany/releases/latest It is recommended to download and install the DokanSetup_redist version.

Python support requires Python 3.6 or later. The user may specify the path to the Python installation with the command line parameter -pythonhome, alternatively download Python 3.7 - Windows x86-64 embeddable zip file and unzip its contents into the files/python folder when using Python modules in the file system. To use the Python API a normal 64-bit Python 3.6 or later installation for Windows is required.

To capture live memory (without PCILeech FPGA hardware) download DumpIt and start MemProcFS via DumpIt /LIVEKD mode. Alternatively, get WinPMEM by downloading the most recent signed WinPMEM driver and place it alongside MemProcFS - detailed instructions in the LeechCore Wiki.

PCILeech FPGA will require hardware as well as FTD3XX.dll to be dropped alongside the MemProcFS binaries. Please check out the LeechCore project for instructions.

MemProcFS is dependent on packages, please do a sudo apt-get install libusb-1.0 fuse openssl lz4 before trying out MemProcFS. If building from source please check out the guide about MemProcFS on Linux.

Start MemProcFS from the command line - possibly by using one of the examples below.

Or register the memory dump file extension with MemProcFS.exe so that the file system is automatically mounted when double-clicking on a memory dump file!

• mount the memory dump file as /home/pi/mnt/ on Linux:
  ./memprocfs -mount /home/pi/linux -device /dumps/win10x64-dump.raw
• mount the memory dump file as default M:
  memprocfs.exe -device c:\temp\win10x64-dump.raw
• mount the memory dump file as default M: with extra verbosity:
  memprocfs.exe -device c:\temp\win10x64-dump.raw -v
• mount the memory dump file as default M: with extra extra verbosity:
  memprocfs.exe -device c:\temp\win10x64-dump.raw -v -vv
• mount the memory dump file as S:
  memprocfs.exe -mount s -device c:\temp\win10x64-dump.raw
• mount live target memory, in verbose read-only mode, with DumpIt in /LIVEKD mode:
  DumpIt.exe /LIVEKD /A memprocfs.exe /C "-v"
• mount live target memory, in read-only mode, with WinPMEM driver:
  memprocfs.exe -device pmem
• mount live target memory, in read/write mode, with PCILeech FPGA memory acquisition device:
  memprocfs.exe -device fpga -memmap auto
• mount a memory dump with a corresponding page files:
  memprocfs.exe -device unknown-x64-dump.raw -pagefile0 pagefile.sys -pagefile1 swapfile.sys

For additional documentation please check out the project wiki for in-depth detailed information about the file system itself, its API and its plugin modules! For additional information about memory acqusition methods check out the LeechCore project

Also check out my Microsoft BlueHatIL 2019 talk Practical Uses for Hardware-assisted Memory Visualization and my Disobey 2020 talk Live Memory Attacks and Forensics about MemProcFS.

Pre-built binaries, modules and configuration files are found in the latest release.. MemProcFS binaries are built with Visual Studio. MemProcFS is not supported on Linux.

Detailed build instructions may be found in the Wiki in the Building section.

MemProcFS is currently limited to analyzing Windows (32-bit and 64-bit XP to 10) memory dumps.

Some features are missing in Linux version (compressed windows memory and offline symbols). This both limits and degrades the analysis on Linux systems. These features are planned for future versions.

Please find some ideas for possible future expansions of the memory process file system listed below. This is a list of ideas - not a list of features that will be implemented. Even though some items are put as prioritized there is no guarantee that they will be implemented in a timely fashion.

• More/new plugins.

• Hash lookup of executable memory pages in DB.
• Forensic mode more analysis tasks.

The project source code is released under: GNU Affero General Public License v3.0. Some bundled dependencies and plugins are released under GPLv3. Some bundled Microsoft redistributable binaries are released under separate licenses. Alternative licensing may be possible.

PCILeech, MemProcFS and LeechCore are open source but not open contribution. PCILeech, MemProcFS and LeechCore offers a highly flexible plugin architecture that will allow for contributions in the form of plugins. If you wish to make a contribution, other than a plugin, to the core projects please contact me before starting to develop.

• Twitter:
• Discord:
• PCILeech: https://github.com/ufrisk/pcileech
• PCILeech FPGA: https://github.com/ufrisk/pcileech-fpga
• LeechCore: https://github.com/ufrisk/LeechCore
• MemProcFS: https://github.com/ufrisk/MemProcFS
• YouTube: https://www.youtube.com/channel/UC2aAi-gjqvKiC7s7Opzv9rg
• Blog: http://blog.frizk.net

• MemProcFSHunter: https://github.com/memprocfshunt/MemProcFSHunter
• MemProcFS-Analyzer: https://github.com/evild3ad/MemProcFS-Analyzer

PCILeech and MemProcFS is free and open source!

I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!

If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk

To all my sponsors, Thank You 💖

All sponsorships are welcome, no matter how large or small. I especially wish to thank my bronze sponsors: grandprixgp.

v4.0

• Linux support (x64 and aarch64).
• Separate releases for Windows and Linux.
• API Changes and some incompatibilities.

v4.1

• Bug fixes.
• Offline kernel symbols (partial support). This allows for more functionality in Linux mode and in Windows offline mode.

v4.2

• Support for VMWare live VM introspection.
• Support for remote agent-based memory analysis.
• Map kernel memory space into csrss.exe process (to make win32k easier to access).

Latest:

• Support for Windows Server 2022