ufrisk/MemProcFS: The Memory Process File System
Posted by jpluimers on 2025/02/21
Interesting: [Wayback/Archive] ufrisk/MemProcFS: The Memory Process File System
MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system.
Easy trivial point and click memory analysis without the need for complicated commandline arguments! Access memory content and artifacts via files in a mounted virtual file system or via a feature rich application library to include in your own projects!
Analyze memory dump files, live memory via DumpIt or WinPMEM, live memory in read-write mode from virtual machines or from [Wayback/Archive] PCILeech [Wayback/Archive] FPGA hardware devices!
It’s even possible to connect to a remote LeechAgent memory acquisition agent over a secured connection – allowing for remote live memory incident response – even over higher latency low band-width connections! Peek into Virtual Machines with [Wayback/Archive] LiveCloudKd or [Wayback/Archive] VMWare!
Use your favorite tools to analyze memory – use your favorite hex editors, your python and powershell scripts, WinDbg or your favorite disassemblers and debuggers – all will work trivally with MemProcFS by just reading and writing files!
On Windows, there is even the cool tool [Wayback/Archive] evild3ad/MemProcFS-Analyzer: MemProcFS-Analyzer – Automated Forensic Analysis of Windows Memory Dumps for DFIR:
MemProcFS-Analyzer.ps1 is a PowerShell script utilized to simplify the usage of MemProcFS and to optimize your memory analysis workflow.
Via [Wayback/Archive] Evild3ad79 on Twitter: “MemProcFS-Analyzer v0.5 is now available! New features and changes: Windows Shortcut Files (LNK), Process Modules (Metadata), and much more. #memprocfs #memoryforensics #DFIR …”.
--jeroen
The Wiert Corner - irregular stream of stuff 
Leave a comment