Skip to content

FS_Process_Virt2Phys

Jump to bottom
ufrisk edited this page Aug 20, 2023 · 6 revisions

The virt2phys per-process directory

The directory virt2phys exists as a sub-directory in each process directory.

The virt2phys directory contains one special file named virt.txt that the user of MemProcFS may write a virtual address into. Once saved the other files will automatically update to reflect the user-selected virtual address written to the virt.txt file.

NB! Memory may still be readable even though virt2phys may not find it if the memory is "paged out". The virt2phys looks at currently active memory only.

File Description
virt.txt Virtual address in hex - always user writable!
phys.txt Physical address (in hex) that the virtual address maps to
map.txt virtual to physical translation map - showing page table entries and their locations in the PML4, PDPT, PD and PT page tables.
readme.txt Informational README file.
pt_pml4.mem* PML4 page table
pt_pdpt.mem* PDPT page table
pt_pd.mem* Page Directory page table
pt_pt.mem* Page Table page table
page.mem 4kB page that the virt address maps to (or corresponding 4kB section of memory if large pages are used)

*) On arm64 architectures the page table memory files are named pt_lvl0.mem, pt_lvl1.mem, pt_lvl2.mem and pt_lvl3.mem.

The virt.txt file is always writable. The map.txt file is always read-only while all other files are writable if a write-capable memory acquisition device is used.

Example

The example below shows the files in the virt2phys sub-directory of the explorer.exe process. The virtual memory address 00007ff75fc50000 is echoed into the virt.txt file. The page table walk is shown by viewing the map file with the cat map.txt command. The resulting physical address of 0x1a6c96000 is shown by viewing the phys.txt file with the cat phys.txt command. Also shown, in the HxD hex editor, is the 4th level page table for the virtual address.

The first column of the map file shows which page table. Then the physical address of the page table is shown next. Then the offset (in bytes) of the page table entry and at last the page table entry itself (PML4E/PDPTE/PDE/PTE) is shown.

For Developers

The virt2phys sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_proc_virt2phys.c in the vmm project. The plugin contains limited caching functionality that will allow it to store the contents of virt file even though the process list may be refreshed in a read/write scenario.

Sponsor PCILeech and MemProcFS:

PCILeech and MemProcFS is free and open source!

I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!

If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk

Thank You 💖

Overview

API

Root File System

Per-Process File System

Development

FAQ

Clone this wiki locally