vmemd per-process directory

The directory vmemd exists as a sub-directory in each process directory.
The directory contains files of virtual memory according to the process memory map. Each file maps towards a memory map entry. Primarily entries from the virtual address descriptor (VAD) memory map are used. If a memory entry exists in the hardware page table map (PTE) but not in the VAD memory map it will also be displayed.
A file may consist of one or more contiguous virtual memory pages. Note that often not all pages are backed by physical pages; they may instead be unmapped, mapped to a page file or mapped to compressed virtual memory. If a page is unreadable it will be zero padded.
The Memory Process File System will use tag information in the memory map, such as module/.dll name, and include it in file names should such information exist.
The files in the vmemd directory do not allow reads or writes past the end of the file, even if virtual memory with different page permissions exists contiguously in virtual memory after the end of the file.
Files are writable if a write-capable memory acquisition device is used.
The example below shows hex editing of the file 0x00007ff750930000-explorer.exe.vvmem. Compared against the process memory map file, the hex-edited file maps exactly to the virtual memory page containing the PE (MZ) header of the cmd.exe module in the cmd.exe process.
[[resources/proc_vmemd_2.png|hexediting a virtual memory file in the vmemd directory.]]
The vmemd sub-directory is implemented as a separate native C-code plugin. The plugin m_vmemd.dll is located in the plugins directory that exists as a sub-directory to the directory of MemProcFS.exe. Well documented source code exists in the m_vmemd project in the Visual Studio solution.
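
An added example (not MemProcFS code and not from the original page): Python that parses a vmemd file name and reports which pages of the file are entirely zero, since a zero-padded unreadable page and a genuinely zero page look the same in the file. It assumes 4 KiB pages, the name layout of the example file name above, and an untagged form `0x<address>.vvmem`; the function names and sample bytes are constructed for illustration.

```python
import re
from pathlib import Path

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages
# Name layout taken from the page's example file name; the untagged form is an assumption.
NAME_RE = re.compile(r"^0x([0-9a-fA-F]{1,16})(?:-(.+))?\.vvmem$")

def parse_vmemd_name(name):
    """Split a vmemd file name into (base virtual address, tag or None)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a vmemd file name: {name!r}")
    return int(m.group(1), 16), m.group(2)

def summarize_region(name, data):
    """Report page-level facts about the contents of one vmemd file."""
    base, tag = parse_vmemd_name(name)
    zero_pages = []
    for off in range(0, len(data), PAGE_SIZE):
        page = data[off:off + PAGE_SIZE]
        # An all-zero page is either zero padded (unreadable) or genuinely zero;
        # the file alone cannot tell the two apart, so flag it for cross-checking.
        if not any(page):
            zero_pages.append(base + off)
    return {
        "base": base,
        "end": base + len(data),  # the file does not allow access past this address
        "tag": tag,
        "pages": (len(data) + PAGE_SIZE - 1) // PAGE_SIZE,
        "zero_pages": zero_pages,
        "starts_with_mz": data[:2] == b"MZ",
    }

def summarize_file(path):
    """Same summary for a file inside a mounted vmemd directory."""
    p = Path(path)
    return summarize_region(p.name, p.read_bytes())

# Constructed sample: a header page, an all-zero page, then one data page.
SAMPLE_NAME = "0x00007ff750930000-explorer.exe.vvmem"
SAMPLE_DATA = b"MZ" + b"\x90" * (PAGE_SIZE - 2) + bytes(PAGE_SIZE) + b"\xcc" * PAGE_SIZE

if __name__ == "__main__":
    info = summarize_region(SAMPLE_NAME, SAMPLE_DATA)
    print(f"{info['tag']}: {info['pages']} pages, "
          f"zero pages at {[hex(a) for a in info['zero_pages']]}, "
          f"MZ={info['starts_with_mz']}")
```

Pages listed in `zero_pages` are candidates for unreadable memory, not proof of it; compare them against the process memory map before drawing conclusions.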