FS_SysInfo
The directory sysinfo exists as a sub-directory to the file system root.
The directory contains directories and files displaying various system information.
The files in the sysinfo directory and their functions are listed below:
- version: operating system version in the format major.minor.build.
- version-major: operating system major version.
- version-minor: operating system minor version.
- version-build: operating system build version.
The files in the sysinfo/proc directory and their functions are listed below:
- proc/tree: process tree - list processes and their parent processes in a tree view.
- proc/tree-v: process tree verbose - also list process image path and command line.
The files in the sysinfo/net directory and their functions are listed below:
- net/netstat: netstat - list TCP connections. (UDP and TCP listening ports are not yet implemented).
- net/netstat-v: netstat verbose version - also list time and process image path.
Files in the sysinfo/ directory and sub-directories are read-only.
The file proc/tree contains a per-pid tree view of the known processes in the system. The view includes all processes, including terminated ones. The Flag column uses the following markers:
- T: process is terminated.
- *: process is outside standard paths.

```
Process Pid Parent Flag
--------------------------------------------
- System 4 0
-- Registry 88 4
-- smss.exe 304 4
-- MemCompression 1592 4
- csrss.exe 396 388
- wininit.exe 468 388
-- services.exe 604 468
...
-- userinit.exe 3996 564 T
--- explorer.exe 4028 3996
---- mspaint.exe 1832 4028
...
```
The file net/netstat contains a listing of active TCP connections, similar to the output of netstat -no. The listing currently does not display UDP and TCP listening ports; this will be implemented in the future.
```
TCPv4 10.8.0.101:53176 10.8.0.5:445 ESTABLISHED 4 System
TCPv4 127.0.0.1:58326 127.0.0.1:58325 ESTABLISHED 2936 firefox.exe
TCPv4 10.8.0.101:57372 40.67.251.132:443 ESTABLISHED 3796 svchost.exe
TCPv4 10.8.0.101:58523 169.254.164.112:7680 SYN_SENT 4192 svchost.exe
TCPv6 [::1]:58228 [::1]:28473 ESTABLISHED 10416 MemProcFS.exe
TCPv6 [::1]:58231 [::1]:28473 ESTABLISHED 10416 MemProcFS.exe
TCPv4 10.8.0.101:57644 13.93.117.220:443 ESTABLISHED 11824 vsls-agent.exe
TCPv4 127.0.0.1:57949 127.0.0.1:57950 ESTABLISHED 13192 firefox.exe
TCPv6 [::1]:28473 [::1]:58231 ESTABLISHED 17180 leechagent.exe
TCPv6 [::1]:28473 [::1]:58228 ESTABLISHED 17180 leechagent.exe
...
```
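The proc/tree and net/netstat files are plain text, so an analyst can parse them straight from the mounted file system and join the two by pid to see which process chain owns each connection. The following is an added example (not part of MemProcFS or its documentation): it parses both formats, including the T and * flags and the "..." continuation rows, and builds the parent chain for every connection. The sample listings are constructed, modelled on the rows shown above.

```python
import re

# Constructed sample modelled on the proc/tree and net/netstat listings above (not a real capture).
PROC_TREE = """\
Process Pid Parent Flag
--------------------------------------------
- System 4 0
- wininit.exe 468 388
-- services.exe 604 468
--- svchost.exe 3796 604
...
-- userinit.exe 3996 564 T
--- explorer.exe 4028 3996
---- mspaint.exe 1832 4028
"""
NETSTAT = """\
TCPv4 10.8.0.101:53176 10.8.0.5:445 ESTABLISHED 4 System
TCPv4 10.8.0.101:57372 40.67.251.132:443 ESTABLISHED 3796 svchost.exe
TCPv6 [::1]:58228 [::1]:28473 ESTABLISHED 10416 MemProcFS.exe
"""
# One tree row: leading dashes give the depth, then name, pid, parent pid and optional flags.
TREE_RE = re.compile(r"^(-+) (\S+) (\d+) (\d+)(?: (\S+))?$")

def parse_proc_tree(text):
    """Return {pid: {name, ppid, depth, terminated, outside_paths}}; header/separator/... rows are skipped."""
    procs = {}
    for line in text.splitlines():
        m = TREE_RE.match(line.strip())
        if m:
            dashes, name, pid, ppid, flags = m.groups()
            flags = flags or ""
            procs[int(pid)] = {"name": name, "ppid": int(ppid), "depth": len(dashes),
                               "terminated": "T" in flags, "outside_paths": "*" in flags}
    return procs

def parse_netstat(text):
    """Return one dict per connection row: proto, local, remote, state, pid, name."""
    keys = ("proto", "local", "remote", "state", "pid", "name")
    rows = [line.split(None, 5) for line in text.splitlines()]
    return [dict(zip(keys, r), pid=int(r[4])) for r in rows if len(r) == 6 and r[0].startswith("TCP")]

def ancestry(procs, pid):
    """Parent chain root->pid as 'name(pid)'; stops when a parent pid is not in the tree."""
    chain = []
    while pid in procs and len(chain) <= len(procs):  # length guard against a cyclic parent column
        chain.append(f"{procs[pid]['name']}({pid})")
        pid = procs[pid]["ppid"]
    return chain[::-1]

def connections_with_ancestry(tree_text, netstat_text):
    """Annotate every netstat row with the owning process's ancestry from the tree."""
    procs = parse_proc_tree(tree_text)
    return [dict(c, chain=ancestry(procs, c["pid"])) for c in parse_netstat(netstat_text)]
```

A connection whose pid has no row in proc/tree (empty chain) or whose owner carries the T or * flag is the kind of row worth a second look during triage.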
The example shows the sysinfo/ directory, the operating system version, the verbose process tree and the verbose netstat.
The sysinfo directory is implemented as a built-in native C-code plugin. The plugin source is located in the file m_sysinfo.c in the vmm project.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics, and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖