-
-
Notifications
You must be signed in to change notification settings - Fork 413
FS_Search
The directory search exists as a sub-directory to the file system root under /misc/search and in each process directory.
The search functionality allows for flexible efficient searching in process virtual memory and/or physical memory.
The files in the search directories are listed in the table below:
File | Description |
---|---|
addr-min.txt | Minimum address to search from. |
addr-max.txt | Maximum address to search to. |
align.txt | Byte-alignment of search (1, 2, 4, 8, 16, 0x1000 bytes etc.). |
readme.txt | README file. |
reset.txt | Write 1 to prepare for new search / abort on-going search / empty previous search. |
result.txt | Addresses with search matches. |
search.txt | The search term in hexascii. Please see below for additional info. |
search-skip-bitmask.txt | Bitmask applied to each bit of search.txt. 0 = search normally. 1 = wildcard search of the specific bit. |
status.txt | Status of an ongoing or completed search. |
Files in the search directories are read-write with the exception of readme.txt, result.txt and status.txt.
Before a search is initiated it's possible to set optional constraints, such as min and max address, search alignment and any wildcard characters in the search-skip-bitmask.txt bitmask.
The search is initiated by writing a hexascii term into the file search.txt. Once written the search starts immediately.
It's possible to follow the status of the search by monitoring status.txt. It's also possible to abort/clear a previous search by writing 1 into reset.txt - this will allow for new search.
The search functionality in misc/search
will search the entire physical memory space.
The search functionality in each process will search the process virtual memory. In case of a 64-bit address space the search will only be performed on the relevant address space (as shown in the memmap functionality) for performance reasons. To search kernel address space please select the SYSTEM (PID 4) process or one of the CSRSS.EXE processes. Other processes are usually only searched in the user part of the address space - i.e. 0x0 to 0x7fffffffffff.
The example shows the search for pointer address references to the address 0xffffcf00d217eb40
in virtual address space of the System process. Please note that the byte order is reversed due to how pointers are stored in memory (little endian).
The search sub-directories are implemented as a built-in native C-code plugin. The plugin source is located in the file m_search.c in the vmm project.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖