py/procstruct
per-process directory

The directory py/procstruct exists as a sub-directory in each process directory if the process is a Windows process.

The directory and its contents are implemented as a Python module. Python functionality must work for the py/procstruct directory to be visible. Please find it in plugins/pym_procstruct relative to MemProcFS.exe.
The directory files contain the memory of the EPROCESS and PEB data structures related to the process being analyzed. If a 32-bit WoW64 process is analyzed, files containing the memory of the 32-bit PEB will appear as PEB32. Both binary and text representations of the memory are displayed.

The text files are always read-only. The binary files are writable if a write-capable memory acquisition device is used.

The example below shows the EPROCESS, PEB and PEB32 of the 32-bit OneDrive.exe process. The EPROCESS is viewed in a hex editor while the 32-bit PEB32 is viewed in Notepad.
[[resources/proc_procstruct.png]]
The py/procstruct sub-directory is implemented as a Python module. The module is located in plugins/pym_procstruct relative to MemProcFS.exe. The Python source code is well documented and makes heavy use of the VmmPy library. For more information about Python modules check out the Python Modules wiki topic.
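As an added example (not code from the MemProcFS project or its pym_procstruct plugin), the snippet below shows what an analyst can do with the binary PEB32 file once it has been copied out of the py/procstruct directory: render it the way the text view does (hex plus ASCII column) and decode the first fields of the 32-bit PEB. The field offsets are the public Windows PEB32 layout (BeingDebugged at 0x02, ImageBaseAddress at 0x08, Ldr at 0x0C, ProcessParameters at 0x10); the sample bytes are constructed for the example, and the path passed to load_struct_file is an assumption about where the mounted file sits, since the page does not give the file names.

```python
import struct
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Peb32Header:
    """The handful of PEB32 fields that matter most when triaging a process."""
    being_debugged: int
    image_base: int
    ldr: int
    process_parameters: int


def load_struct_file(path: str) -> bytes:
    """Read a binary structure file from the mounted py/procstruct directory.

    The directory name is documented on this page; the exact file name and
    drive letter are assumptions, e.g. M:/pid/<pid>/py/procstruct/PEB32 (hypothetical).
    """
    return Path(path).read_bytes()


def parse_peb32_header(buf: bytes) -> Peb32Header:
    """Decode the first 0x14 bytes of a 32-bit PEB.

    Offsets follow the public Windows PEB32 layout:
      0x02 BeingDebugged (UCHAR), 0x08 ImageBaseAddress, 0x0C Ldr,
      0x10 ProcessParameters (all 32-bit pointers, little-endian).
    """
    if len(buf) < 0x14:
        raise ValueError(f"PEB32 buffer too short: {len(buf)} bytes, need at least 0x14")
    being_debugged = buf[0x02]
    image_base, ldr, process_parameters = struct.unpack_from("<III", buf, 0x08)
    return Peb32Header(being_debugged, image_base, ldr, process_parameters)


def hexdump(buf: bytes, base: int = 0, width: int = 16) -> str:
    """Render bytes as offset, hex bytes and printable-ASCII column,
    the same kind of view the read-only text files provide."""
    lines = []
    for off in range(0, len(buf), width):
        chunk = buf[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hex_part:<{width * 3 - 1}}  {text}")
    return "\n".join(lines)


# Constructed sample PEB32 prefix (values made up for the example; the
# layout is the real one): BeingDebugged = 0, BitField = 0x08,
# Mutant = 0xFFFFFFFF, ImageBaseAddress = 0x00400000,
# Ldr = 0x77DD0000, ProcessParameters = 0x00B01000.
SAMPLE_PEB32 = (
    bytes([0x00, 0x00, 0x00, 0x08])
    + struct.pack("<I", 0xFFFFFFFF)
    + struct.pack("<III", 0x00400000, 0x77DD0000, 0x00B01000)
)


def triage_peb32(buf: bytes) -> dict:
    """Return the facts an analyst checks first: debugger flag and image base.
    A set BeingDebugged byte or an image base that does not match the
    on-disk module is worth a closer look."""
    hdr = parse_peb32_header(buf)
    return {
        "being_debugged": bool(hdr.being_debugged),
        "image_base": f"0x{hdr.image_base:08x}",
        "ldr": f"0x{hdr.ldr:08x}",
        "process_parameters": f"0x{hdr.process_parameters:08x}",
    }


if __name__ == "__main__":
    print(hexdump(SAMPLE_PEB32))
    print(triage_peb32(SAMPLE_PEB32))
```

To use it against a real capture, replace SAMPLE_PEB32 with load_struct_file(...) pointing at the binary PEB32 file in the process's py/procstruct directory; the 64-bit PEB uses different offsets (ImageBaseAddress at 0x10, Ldr at 0x18), so the parser above is deliberately limited to PEB32.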