_CommandLine
This guide describes the various command line options that MemProcFS.exe can be started with. In addition to starting MemProcFS with command line options, it is also possible to start it by double-clicking a memory dump and selecting "open with" MemProcFS.
MemProcFS uses the LeechCore library for physical memory acquisition and alteration. MemProcFS forwards LeechCore related command line options, primarily those related to physical memory acquisition devices, to the LeechCore library. A short description of such options, primarily the `-device` option, is found in the LeechCore section below.
CPU / memory architecture. `-arch` is auto-detected. When analyzing raw arm64 memory dumps specify: `-arch arm64`.
arch | description |
---|---|
x86 | 32-bit x86 paging. Older 32-bit Windows running on Intel/AMD CPUs. |
x86pae | 32-bit x86 paging with physical address extension. 32-bit Windows running on Intel/AMD CPUs. |
x64 | 64-bit x64 paging. Most common option. Intel/AMD CPUs. |
arm64 | 64-bit arm paging. ARM CPUs such as Apple Silicon. |
Debug option. Set the PTE quality threshold. May increase results at the expense of quality. Default = 32.
Completely disable PTE quality checks:

```
-debug-pte-quality-threshold 512
```
Disable usage and symbol lookup of cached symbols from the locally stored info.db. This also disables built-in Yara rules and some other functionality relying on info.db.
Symbol lookups via the Microsoft symbol subsystem may still work (disable with `-disable-symbols`).
Built-in Yara rules will also stop working.
Disable all Python functionality.
Disable the use of Python plugins:

```
-disable-python
```
Disable symbol lookup from debug symbols.
Any symbols still possible to look up from info.db will still work. Disable info.db symbol lookup with `-disable-infodb`.
Debug symbols downloaded from Microsoft are not yet supported on Linux.
Disable automatic downloading of debug symbols from Microsoft.
Symbols already in the local cache will still be loaded, but no connections towards the Microsoft Symbol Server will take place when the `-disable-symbolserver` command line option is specified.
Please also note that the first time MemProcFS is started the user is asked to accept an EULA for the Microsoft Symbol Server. If the user answers no, a file symsrv.no will be created and the symbol server will be permanently disabled until the symsrv.no file is deleted manually from the MemProcFS directory.
Debug symbols downloaded from Microsoft are not yet supported on Linux.
Disable the Yara scanning sub-system and all Yara related functionality.
Disable built-in Yara rules - but allow user-initiated Yara scans to remain intact.
Specify file / memory acquisition device. See `-device` for additional information.
Enable forensic mode by command line (recommended way to run forensic mode). Example: `-forensic 2`
Enable forensic mode by command line. The option takes a second argument which is the forensic mode detailed below.
When forensic mode is enabled on the command line and the analysis takes place on a file, the forensic results should be reproducible between runs on the same MemProcFS version. If not enabled at startup (but enabled later in the file system), multi-threading and read caches may result in slightly different results due to ordering. When doing forensic processing it is recommended to enable forensic mode via the command line.
Value | Forensic mode |
---|---|
1 | In-memory only SQLITE database. |
2 | Temporary SQLITE database deleted upon MemProcFS exit. |
3 | Temporary SQLITE database kept upon MemProcFS exit. |
4 | Well known SQLITE database kept upon MemProcFS exit. |
Forensic mode will also enable the detection of virtual machines akin to the `-vm` option. To enable forensic mode inside any detected Windows virtual machines please use the option `-vm-nested`.
List of comma-separated short process names (max 15 chars/process) to skip in forensic yara and findevil scans in addition to default skip list. Allows skipping problematic processes such as anti-virus processes that may contain signatures resulting in false positives.
Example: `-forensic-process-skip "AvastSvc.exe,navapsvc.exe"`
Yara rules file. The rules file may contain compiled rules or source rules (including index rules referencing other rules).
Example: `-forensic-yara-rules C:\rules\malware\MALW_TrickBot.yar`
Accept the Elastic License 2.0 License agreement required for built-in Yara rules used by forensic FindEvil functionality. Acceptance is cached and only has to be given for the first forensic run.
The Elastic License 2.0 applies to some built-in FindEvil yara rules. The Elastic License 2.0 does not apply to MemProcFS itself.
Logfile. Use in conjunction with `-loglevel`. Example: `-logfile c:\temp\memprocfslog.txt`.
Logging level. `-loglevel` is a comma-separated list of logging options. `-loglevel` is more fine grained than `-v` and `-vv`.
loglevel | description |
---|---|
0 | off / no logging |
1 | critical |
2 | warning |
3 | info / normal |
4 | verbose |
5 | debug |
6 | trace |
7 | all |
Each loglevel item may be specified as either:

- `[loglevel]` = apply [loglevel] to all modules.
- `[module]:[loglevel]` = apply [loglevel] to the specified [module].
- `f:[loglevel]` = apply [loglevel] to all modules and log its output to the file specified in the `-logfile` option.
- `f:[module]:[loglevel]` = apply [loglevel] to the specified [module] and log its output to the file specified in the `-logfile` option.
- `fflush` = apply file flushing to any log files (see the example below).

Examples:

- `-loglevel 4` = Set the default log level to verbose (4).
- `-loglevel 4,vmm:7` = Set the default log level to verbose (4) and the log level of the vmm module to all (7).
- `-loglevel f:4,f:registry:7` = Enable verbose file logging to the file specified in the `-logfile <file>` option, except for the registry module which will log everything to the file.
- `-loglevel fflush,f:4,f:registry:7` = Same as the above example, but the log file is flushed after each log line written.
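The `-loglevel` grammar above is small enough to model exactly. The following parser is an added example (not MemProcFS code) that resolves a `-loglevel` value into the effective console and file level per module, so a batch wrapper can validate the option before launching MemProcFS. It assumes a console default of 3 (info / normal) and no file logging unless an `f:` item is present, and it treats `f:` items as affecting only the `-logfile` output; those defaults are assumptions, not documented behaviour.

```python
import re

# Level numbers and names from the loglevel table above.
LEVEL_NAMES = {0: "off", 1: "critical", 2: "warning", 3: "info",
               4: "verbose", 5: "debug", 6: "trace", 7: "all"}

# One item: optional "f:" prefix, optional "[module]:", then a single digit 0-7.
_ITEM_RE = re.compile(r"^(?P<file>f:)?(?:(?P<module>[A-Za-z0-9_]+):)?(?P<level>[0-7])$",
                      re.IGNORECASE)


class LogLevelSpec:
    """Resolved -loglevel configuration: one default plus per-module overrides
    for the console and, separately, for the -logfile file."""

    def __init__(self):
        self.console_default = 3      # assumption: 'info / normal' when not overridden
        self.file_default = 0         # assumption: no file logging unless an f: item is given
        self.console_modules = {}     # module name (lowercase) -> level
        self.file_modules = {}
        self.fflush = False

    def console_level(self, module):
        return self.console_modules.get(module.lower(), self.console_default)

    def file_level(self, module):
        return self.file_modules.get(module.lower(), self.file_default)


def parse_loglevel(spec):
    """Parse a comma-separated -loglevel value into a LogLevelSpec.

    Raises ValueError on an item that does not match the documented forms,
    so a batch script can reject a bad spec before starting MemProcFS."""
    result = LogLevelSpec()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.lower() == "fflush":
            result.fflush = True
            continue
        m = _ITEM_RE.match(item)
        if not m:
            raise ValueError("invalid -loglevel item: %r" % item)
        level = int(m.group("level"))
        to_file = m.group("file") is not None
        module = m.group("module")
        if module is None:
            # Bare level: becomes the default for every module on that target.
            if to_file:
                result.file_default = level
            else:
                result.console_default = level
        elif to_file:
            result.file_modules[module.lower()] = level
        else:
            result.console_modules[module.lower()] = level
    return result


def effective_levels(spec, modules):
    """Return {module: (console level name, file level name)} for the given modules."""
    parsed = parse_loglevel(spec)
    return {mod: (LEVEL_NAMES[parsed.console_level(mod)],
                  LEVEL_NAMES[parsed.file_level(mod)]) for mod in modules}


if __name__ == "__main__":
    for example in ("4", "4,vmm:7", "f:4,f:registry:7", "fflush,f:4,f:registry:7"):
        print(example, "->", effective_levels(example, ["vmm", "registry"]))
```

Running the block prints the resolved levels for the four examples from the list above; `parse_loglevel("f:9")` raises because 9 is outside the 0-7 range in the table.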
MemProcFS tries to mount as drive letter M: by default on Windows. MemProcFS may mount at other drive letters as specified by the `-mount` option. On Linux the `-mount` option must be given with the path to mount the fuse file system on.
To mount MemProcFS as drive letter Q specify command line option:

```
-mount Q
```

To mount MemProcFS at /home/pi/mnt specify command line option:

```
-mount /home/pi/mnt
```
If live memory is captured, either via a driver or a PCILeech FPGA device, MemProcFS will auto-detect this and do background updates to refresh process listings and other information. Background refreshes are done to keep data up-to-date and to provide a good user experience (fast and responsive, with relevant current data).
Background refreshes take up small amounts of system resources and may not always be desirable. It is possible to disable background refreshes by specifying the `-norefresh` command line option. Please note that it is usually not recommended to set this option. This option has no meaning if static memory such as a memory dump file is analyzed.
Windows uses page files to page out infrequently used memory to disk. Page files are in a state of flux and are usually not recommended for memory analysis unless they are acquired at the same time as, or at the very least very close in time to, the memory dump file acquisition.
On a modern Windows 10 system each page file is given an index number. On a default configured Windows 10 system pagefile.sys will get index 0 while swapfile.sys will get index 1. On a non-default configured system with fewer or more page files this may differ.
To use page files with MemProcFS please use the `-pagefileX` command line option, where `X` is the page file index number. Please note that if old page files taken at different points in time compared to the memory dump are used, then the memory analysis will be severely degraded by bad data.
Use pagefile.sys and swapfile.sys to increase the memory analysis quality of a Windows 10 memory dump:

```
-pagefile0 pagefile.sys -pagefile1 swapfile.sys
```
Execute a Python batch program at MemProcFS startup.
MemProcFS allows execution of a Python program at startup. The Python program is run inside the MemProcFS Python API context.
If the `-pythonexec` option is specified MemProcFS will not mount the virtual file system at startup unless the `-mount` option is explicitly specified. This makes it a perfect way to perform headless command line memory forensics.
If forensic mode is activated by command line the Python program will run only after the forensic mode processing is completed. This may take some time.
An example use case would be to copy MemProcFS with winpmem_x64.sys and an embedded Python installation in the Python sub-directory to a remote host to perform fast physical memory forensics in batch mode without having to install the Dokany file system driver.
The complete MemProcFS Python API is available in the Python execution environment. MemProcFS is already initialized in the object `vmm`. The vmm object may be used but should not be closed.
An example program is found in the file: memprocfs_pythonexec_example.py.
Execute the Python program memprocfs_pythonexec_example.py after forensic mode is completed and without mounting a file system:

```
memprocfs -forensic 1 -pythonexec memprocfs_pythonexec_example.py
```

Execute the Python program memprocfs_pythonexec_example.py before mounting the file system as M:

```
memprocfs -mount m -pythonexec memprocfs_pythonexec_example.py
```
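To show what a headless `-pythonexec` batch script looks like in practice, here is an added example; it is not memprocfs_pythonexec_example.py and not project code. It assumes (beyond what the page states) that the MemProcFS Python API exposes `vmm.process_list()` returning objects with `pid`, `ppid` and `name` attributes. When started by MemProcFS it picks up the injected `vmm` object; when run outside MemProcFS it falls back to a constructed process list so the triage logic can be exercised offline. The baseline of expected parent processes is illustrative and should be replaced with your own.

```python
import json

# Expected parent for a few well-known Windows system processes (illustrative
# assumption for this example; extend with your own baseline).
EXPECTED_PARENTS = {
    "lsass.exe": "wininit.exe",
    "services.exe": "wininit.exe",
}


def orphaned_processes(processes):
    """Processes whose parent pid is not present in the list (the parent has exited).

    Returns sorted (pid, name, ppid) tuples. Orphans are common and not evidence of
    anything by themselves; they are listed so a reviewer looks at them deliberately."""
    known = {p.pid for p in processes}
    return sorted((p.pid, p.name, p.ppid) for p in processes
                  if p.ppid != 0 and p.ppid not in known)


def unexpected_parents(processes, expected):
    """Processes named in `expected` whose actual parent name differs from the baseline.

    Returns (pid, name, ppid, actual parent name or None) tuples sorted by pid."""
    name_by_pid = {p.pid: p.name for p in processes}
    findings = []
    for p in processes:
        want = expected.get(p.name.lower())
        if want is None:
            continue
        actual = name_by_pid.get(p.ppid)
        if actual is None or actual.lower() != want:
            findings.append((p.pid, p.name, p.ppid, actual))
    return sorted(findings, key=lambda f: f[0])


def build_report(processes, expected=EXPECTED_PARENTS):
    """JSON-serializable summary suitable for writing to a file in batch mode."""
    return {
        "process_count": len(processes),
        "orphans": orphaned_processes(processes),
        "unexpected_parents": unexpected_parents(processes, expected),
    }


def run(vmm_obj):
    """Entry point used when MemProcFS provides the initialized vmm object."""
    return build_report(vmm_obj.process_list())


class _Proc:
    """Stand-in for the process objects this example assumes the API returns."""
    def __init__(self, pid, ppid, name):
        self.pid, self.ppid, self.name = pid, ppid, name


def constructed_process_list():
    """Constructed sample data (not from any real dump) for offline runs."""
    return [_Proc(4, 0, "System"), _Proc(500, 4, "smss.exe"),
            _Proc(600, 500, "wininit.exe"), _Proc(700, 600, "services.exe"),
            _Proc(720, 600, "lsass.exe"), _Proc(900, 800, "explorer.exe"),
            _Proc(1300, 1200, "lsass.exe")]


try:
    _vmm = vmm            # injected by MemProcFS when started with -pythonexec
except NameError:
    _vmm = None           # running outside MemProcFS: use the constructed sample

if _vmm is not None:
    print(json.dumps(run(_vmm), indent=2))
elif __name__ == "__main__":
    print(json.dumps(build_report(constructed_process_list()), indent=2))
```

With `memprocfs -forensic 1 -pythonexec this_script.py` the report is produced only after forensic processing has completed, as described above, and no file system is mounted. The `vmm` object is used read-only and is never closed, matching the note above.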
Specify a custom path to the Python installation to be used.
By default MemProcFS will use the 64-bit Python 3.6 or later installation found on the current PATH. If no Python installation is found on the PATH, MemProcFS will try to load a Python environment from its Python sub-directory.
If loading of a Python installation fails, or one wishes to load a separate Python installation, please use the `-pythonpath` command line option.
Use a non-default 64-bit Python installation at C:\Program Files\Python37:

```
-pythonpath C:\Program Files\Python37
```

The `-pythonpath` command line option is not supported on Linux. The default Python3 installation will be used.
Verbosity level. By default MemProcFS only prints a select few info messages in the console window.
The `-v` option enables verbosity.
The `-vv` option enables extra verbosity.
The `-vvv` option enables extra extra verbosity and will generate a large amount of data, including all memory read from or written to files or devices. The `-vvv` option is not recommended.
Enable detection of supported virtual machines.
Enable detection of supported virtual machines as physical memory only.
Enable detection of supported virtual machines, including nested virtual machines.
To decrease startup time, tasks such as starting the .pdb debug symbol sub-system are started asynchronously after system startup. This may lead to certain functionality being unavailable for the first seconds after startup. This may in some cases have undesirable effects, such as missing data and limited memory recovery rates for the first seconds after startup.
If it is desirable to have full functionality available immediately after MemProcFS startup please specify the `-waitinitialize` command line option. Startup times may increase somewhat.
Specify file / memory acquisition device. See `-device` for additional information.
MemProcFS uses the LeechCore library for physical memory acquisition and alteration. MemProcFS forwards LeechCore related command line options, primarily related to physical memory acquisition devices, to the LeechCore library.
For a full detailed description of LeechCore related command line options and per-device type information please consult the LeechCore Wiki.
A brief overview of LeechCore related command line options are given below:
MemProcFS/LeechCore supports a number of different memory acquisition "devices".
Supported acquisition methods range from dump files [raw dump files, Microsoft full crash dump files, Elf full core dump files (virtualbox)] to driver-assisted capture of live memory [DumpIt or WinPMEM] to hardware PCILeech FPGA devices.
For more detailed information about each memory acquisition device and also about additional supported "devices" check out the LeechCore wiki.
Analyze the physical memory dump memorydump.raw:

```
-device memorydump.raw
```

Analyze live memory acquired with a PCILeech FPGA device connected over USB (requires additional DLLs; check the LeechCore wiki for details):

```
-device fpga
```

Analyze live memory acquired in real-time with WinPMEM (requires MemProcFS to be started as an elevated administrator and the WinPMEM driver att_winpmem_64.sys to be downloaded):

```
-device "pmem://att_winpmem_64.sys"
```
MemProcFS may connect to a remote instance in the form of a running LeechAgent by specifying the `-remote` option. The remote LeechAgent may use any of the supported memory acquisition devices. The default is to run memory analysis on the local machine, acquiring memory from the remote machine over the network. It is also possible to run memory analysis on the remote machine (recommended) with the additional command line option `-remotefs`. For more information about the option consult the [MemProcFS remoting wiki entry](https://github.com/ufrisk/MemProcFS/wiki/_Remoting).
Connect to a remote LeechAgent running on the host ad-test.ad.example.org over an insecure unauthenticated cleartext RPC connection on port tcp/28473:

```
-remote rpc://insecure:ad-test.ad.example.org
```

Connect to a remote LeechAgent running on the host ad-test.ad.example.org over an Active Directory Kerberos-secured, mutually authenticated, encrypted connection tunneled over SMB/445:

```
-remote smb://ad-test$@AD.EXAMPLE.ORG:ad-test.ad.example.org
```

Connect to a remote LeechAgent running on the host ad-test.ad.example.org using NTLM as the authentication method, over an encrypted connection tunneled over SMB/445:

```
-remote smb://ntlm:ad-test.ad.example.org
```
Used in conjunction with the `-remote` command line option (see above). Force the memory analysis to be performed on the remote computer instead of on the local computer. Files are retrieved from the remote computer.
Connect to a remote LeechAgent on the host ad-test.ad.example.org, running MemProcFS on the remote host, over an insecure unauthenticated cleartext RPC connection on port tcp/28473:

```
-remote rpc://insecure:ad-test.ad.example.org -remotefs
```

Connect to a remote LeechAgent on the host ad-test.ad.example.org, running MemProcFS on the remote host, over an Active Directory Kerberos-secured, mutually authenticated, encrypted connection tunneled over SMB/445:

```
-remote smb://ad-test$@AD.EXAMPLE.ORG:ad-test.ad.example.org -remotefs
```
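The three `-remote` connection string shapes above and the `-remotefs` switch decide both how the link is protected and where the analysis runs, which matters when a dump of a production host is pulled across a network. The following added example (not LeechCore or MemProcFS code) parses the documented forms into transport, authentication, default port and an encryption flag, warns on the cleartext RPC form, and reports where analysis takes place for a given argument list. It models only the three shapes shown on this page; LeechCore may accept other variants, which is an assumption this parser does not cover.

```python
import re
from dataclasses import dataclass, field

# Default ports taken from the text above: RPC on tcp/28473, SMB tunnelling on tcp/445.
DEFAULT_PORTS = {"rpc": 28473, "smb": 445}


@dataclass
class RemoteTarget:
    transport: str            # "rpc" or "smb"
    auth: str                 # "none", "kerberos" or "ntlm"
    host: str
    port: int
    encrypted: bool
    spn: str = None           # Kerberos principal, e.g. ad-test$@AD.EXAMPLE.ORG
    warnings: list = field(default_factory=list)


def parse_remote(value):
    """Parse a -remote value of the three documented shapes:
        rpc://insecure:<host>
        smb://<spn>@<REALM>:<host>
        smb://ntlm:<host>
    Anything else raises ValueError."""
    if "://" not in value:
        raise ValueError("missing transport scheme: %r" % value)
    scheme, rest = value.split("://", 1)
    scheme = scheme.lower()
    if ":" not in rest:
        raise ValueError("missing host: %r" % value)
    auth_part, host = rest.rsplit(":", 1)
    if not host or not re.fullmatch(r"[A-Za-z0-9.\-]+", host):
        raise ValueError("invalid host: %r" % host)

    if scheme == "rpc":
        if auth_part.lower() != "insecure":
            raise ValueError("rpc transport expects 'insecure:' prefix: %r" % value)
        target = RemoteTarget("rpc", "none", host, DEFAULT_PORTS["rpc"], encrypted=False)
        target.warnings.append("cleartext, unauthenticated RPC: acquired memory and "
                               "agent commands cross the network unprotected")
        return target
    if scheme == "smb":
        if auth_part.lower() == "ntlm":
            return RemoteTarget("smb", "ntlm", host, DEFAULT_PORTS["smb"], encrypted=True)
        if "@" in auth_part:
            return RemoteTarget("smb", "kerberos", host, DEFAULT_PORTS["smb"],
                                encrypted=True, spn=auth_part)
        raise ValueError("smb transport expects 'ntlm:' or '<spn>@<REALM>:' prefix")
    raise ValueError("unsupported transport: %r" % scheme)


def analysis_location(argv):
    """Where analysis runs for a MemProcFS argument list: with -remote alone the local
    machine analyzes memory pulled over the network; with -remotefs as well the remote
    LeechAgent runs the analysis and only files come back."""
    if "-remote" not in argv:
        return "local"
    return "remote" if "-remotefs" in argv else "local-over-network"


if __name__ == "__main__":
    for value in ("rpc://insecure:ad-test.ad.example.org",
                  "smb://ad-test$@AD.EXAMPLE.ORG:ad-test.ad.example.org",
                  "smb://ntlm:ad-test.ad.example.org"):
        print(parse_remote(value))
    print(analysis_location(["-remote", "smb://ntlm:ad-test.ad.example.org", "-remotefs"]))
```

A wrapper that builds MemProcFS command lines for analysts can call `parse_remote` first and refuse, or require explicit confirmation for, any target whose `warnings` list is non-empty, so the insecure RPC form is never used by accident.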
Maximum allowed physical memory address to read from. This option should normally not be used. It's mostly available for debug purposes. If a low value is specified MemProcFS is unlikely to be able to start or analyze memory properly. If this option is not specified the maximum amount of physical memory will be auto-detected (recommended).
Set the maximum allowed physical memory address to 4GB (0x100000000):

```
-max 0x100000000
```
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you have had a use for them, it is now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖