代码拉取完成,页面将自动刷新
root directoryThe root directory of the Memory Process File System contains multiple directories and files which contains the physical memory of the target.
The files in the root directory are listed in the table below:
| Directory | Description |
|---|---|
| conf | Configuration and Status. |
| forensic | Forensic mode. |
| misc | Miscellaneous functionality |
| name | Per-process directories listed by process name. |
| pid | Per-process directories listed by process pid. |
| py | Python based plugins. |
| registry | Registry information. |
| sys | System information. |
| vm | Virtual Machine (VM) information. |
The files in the root directory are listed in the table below:
| File | Description |
|---|---|
| memory.dmp | The physical memory slightly adjusted to conform with the Microsoft crash dump format and WinDbg. |
| memory.pmem | The raw physical memory. |
The files are writable if a write-capable memory acquisition device is used.
The example below shows hex editing of the memory.pmem file which reflects the physical memory of the target being analyzed. In this example the low stub is being analyzed and the kernel page table base (PML4) is marked at address 0x10a0.
Also shown is WinDbg accessing the auto-generated memory.dmp WinDbg compatible full crash dump file.
[[resources/root_root_2.png]]
It is possible to add sub-directories if registering general/root functionality in native plugins.
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
