pedump
per-process directory
The directory pedump exists as a sub-directory in each process directory.
The pedump directory contains best-effort reconstructed modules such as .exe, .dll and .sys files from memory fragments.
Please note that files in the pedump directory are best-effort reconstructed files. The files may not match the real file system files, since not all fragments may reside in memory; such missing fragments will be zero-padded. Even if most memory is available, certain parts of PE images that changed at runtime, such as the import table, will not be reconstructed perfectly.
Files are writable if a write-capable memory acquisition device is used. Please note that the physical memory backing a module is normally shared between all processes, so any write may affect every process that has the module loaded.
The example below shows the files in the pedump sub-directory of the explorer.exe process. The directory contains best-effort reconstructed .exe and .dll PE modules. Missing information will be zero-padded if possible.
The modules are likely to have missing information and may not be executable as such. They may however be useful for other operations, such as looking at properties, reversing, debugging and scanning for known strings and signatures.
[[resources/proc_pedump.png]]
The pedump sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file m_pedump.c in the vmm project. The plugin does not provide an external API, but functionality may be accessed using the MemProcFS general filesystem APIs.
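The example below is added here to illustrate the caveats above; it is not code from the MemProcFS project or from this wiki. It reads a reconstructed module through the MemProcFS Python API (assumed: the memprocfs pip package, the /pid/<pid>/pedump/<module> path layout, and the vmm.process_list(), vmm.vfs.list() and vmm.vfs.read() names) and then parses the PE section table to count 4 KiB pages that are entirely zero, which is the footprint of fragments that were not resident in memory and were zero-padded. The sample PE it falls back to when run without arguments is constructed inline so the parser can be exercised offline.

```python
import struct
from typing import Dict, List

PAGE_SIZE = 0x1000
E_LFANEW_OFFSET = 0x3C
COFF_HEADER_SIZE = 20
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER


def parse_sections(data: bytes) -> List[Dict[str, object]]:
    """Return the section table of a PE file stored in file (raw) layout."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]       # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            SECTION_HEADER_FMT, data, table + i * 40)[:5]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_pointer": rawptr, "raw_size": rawsize,
        })
    return sections


def assess_reconstruction(data: bytes) -> List[Dict[str, object]]:
    """Per section, count raw-data pages that are entirely zero.

    A reconstructed module zero-pads fragments that were not in memory, so an
    all-zero page inside a section is a likely sign of missing data rather
    than of real content.
    """
    report = []
    for sec in parse_sections(data):
        start = sec["raw_pointer"]
        end = min(start + sec["raw_size"], len(data))
        pages = zero_pages = 0
        for off in range(start, end, PAGE_SIZE):
            pages += 1
            if not any(data[off:min(off + PAGE_SIZE, end)]):
                zero_pages += 1
        report.append({**sec, "pages": pages, "zero_pages": zero_pages,
                       "suspect": zero_pages > 0})
    return report


def build_sample_pe() -> bytes:
    """Constructed sample (not a real file): minimal PE32+ with a fully present
    .text section and a .data section whose second page is all zero."""
    text_ptr, text_size = 0x400, 0x1000
    data_ptr, data_size = 0x1400, 0x2000
    e_lfanew, size_opt = 0x80, 0xF0                       # 0xF0 = PE32+ optional header size
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, e_lfanew)
    hdr += b"\0" * (e_lfanew - len(hdr))
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, size_opt, 0x22)   # COFF header
    hdr += struct.pack("<H", 0x20B) + b"\0" * (size_opt - 2)            # optional header, magic only
    hdr += struct.pack(SECTION_HEADER_FMT, b".text", text_size, 0x1000,
                       text_size, text_ptr, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack(SECTION_HEADER_FMT, b".data", data_size, 0x2000,
                       data_size, data_ptr, 0, 0, 0, 0, 0xC0000040)
    image = bytearray(data_ptr + data_size)
    image[:len(hdr)] = hdr
    image[text_ptr:text_ptr + text_size] = b"\x90" * text_size
    image[data_ptr:data_ptr + PAGE_SIZE] = b"\xAA" * PAGE_SIZE   # second .data page stays zero
    return bytes(image)


def read_pedump_module(device: str, process_name: str, module_name: str) -> bytes:
    """Read a reconstructed module via the MemProcFS Python API.

    Assumed (not stated on the wiki page): the 'memprocfs' package, the
    /pid/<pid>/pedump/<module> path, and the vfs.list()/vfs.read() signatures.
    """
    import memprocfs  # imported lazily so the parser above runs without it
    vmm = memprocfs.Vmm(["-device", device])
    for proc in vmm.process_list():
        if proc.name.lower() == process_name.lower():
            directory = f"/pid/{proc.pid}/pedump/"
            size = vmm.vfs.list(directory)[module_name]["size"]
            return vmm.vfs.read(directory + module_name, size)
    raise FileNotFoundError(f"process not found: {process_name}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:   # usage: script.py <memory-image> <process> <module>
        blob = read_pedump_module(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        blob = build_sample_pe()   # offline run on the constructed sample
    for sec in assess_reconstruction(blob):
        flag = "  <- zero page(s): fragment probably not resident" if sec["suspect"] else ""
        print(f"{sec['name']:8} raw={sec['raw_size']:#x} "
              f"zero_pages={sec['zero_pages']}/{sec['pages']}{flag}")
```

Run with a memory image, a process name and a module name (for example `explorer.exe` and one of the .dll names shown in the listing above) to see which sections of the reconstructed file carry zero-padded pages; those are the regions where reversing or signature scanning results should be treated with caution.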