Released versions
Pre-built Windows and Linux binaries are published at https://github.com/ufrisk/MemProcFS/releases/latest.

Installing from source
Clone the repository and install the build dependencies (the libpython3-dev entry is only needed for the Python bindings):
git clone https://github.com/ufrisk/MemProcFS.git
sudo apt-get install make gcc pkg-config libusb-1.0 libusb-1.0-0-dev libfuse2 libfuse-dev libpython3-dev lz4 liblz4-dev
The full build sequence as a shell transcript. LeechCore is built first because MemProcFS links against it:
~$ sudo apt-get install make gcc pkg-config libusb-1.0 libusb-1.0-0-dev libfuse2 libfuse-dev lz4 liblz4-dev
~$ mkdir build
~$ cd build
~/build$ git clone https://github.com/ufrisk/LeechCore
~/build$ git clone https://github.com/ufrisk/MemProcFS
~/build$ cd LeechCore/leechcore
~/build/LeechCore/leechcore$ make
~/build/LeechCore/leechcore$ cd ../../MemProcFS/vmm
~/build/MemProcFS/vmm$ make
~/build/MemProcFS/vmm$ cd ../memprocfs
~/build/MemProcFS/memprocfs$ make
~/build/MemProcFS/memprocfs$ cd ../files
### NOTE! before running memprocfs it's recommended to copy the file 'info.db' from the latest binary
### release at https://github.com/ufrisk/MemProcFS/releases/latest and put it alongside memprocfs binary.
### info.db is an sqlite database which contains common type and symbol offsets required for some tasks.
~/build/MemProcFS/files$ ./memprocfs -device <your_dumpfile_or_device> -mount <your_full_mount_point>
The Python bindings are installed from PyPI (use whichever pip maps to your Python 3 interpreter):
pip install memprocfs
pip3 install memprocfs
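The package installed above exposes the same analysis engine as the memprocfs binary. The script below is an added example written for this page, not code from the MemProcFS project: it opens an image with memprocfs.Vmm, walks the process list and flags processes whose parent is missing or has an unexpected name (a standard memory-forensics triage check), then reads the guest OS version from the virtual file system. The dump path is a command-line argument; the EXPECTED_PARENT table and the SAMPLE_PROCESSES list are constructed for the example, and the vmm.vfs.read call and the /sys/version.txt path are assumptions about the bindings and file-system layout rather than something this page documents. Run it without arguments to exercise the check on the constructed sample offline.

```python
"""Triage a memory image with the memprocfs Python API (pip install memprocfs).

Added example, not project code.  Usage:
    python triage.py c:\\temp\\win10x64-dump.raw     # real image: needs memprocfs + the dump
    python triage.py                                 # offline: constructed sample only
"""
import sys

# Expected parent for a few core Windows processes (constructed table for this
# example; extend it for your own baseline).  A process with one of these names
# whose parent is missing or carries another name deserves a closer look.
EXPECTED_PARENT = {
    "csrss.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}

# Constructed sample of (pid, ppid, name) triples, not taken from a real dump.
SAMPLE_PROCESSES = [
    (4, 0, "System"),
    (372, 4, "smss.exe"),
    (484, 372, "csrss.exe"),
    (560, 372, "wininit.exe"),
    (652, 560, "services.exe"),
    (664, 560, "lsass.exe"),
    (908, 652, "svchost.exe"),
    (3120, 9999, "svchost.exe"),  # parent pid 9999 is gone (orphan)
    (4404, 4, "lsass.exe"),       # lsass name with the wrong parent
]


def find_suspicious(processes):
    """Return [(pid, name, reason)] for processes whose parent is absent or unexpected.

    Caveat: PIDs are reused, so a present parent with the right name is not proof
    of a legitimate lineage; compare creation times as well when available.
    """
    by_pid = {pid: name for pid, _ppid, name in processes}
    findings = []
    for pid, ppid, name in processes:
        parent = by_pid.get(ppid)
        if ppid != 0 and parent is None:
            findings.append((pid, name, f"parent pid {ppid} not in process list"))
            continue
        expected = EXPECTED_PARENT.get(name.lower())
        if expected and (parent is None or parent.lower() not in expected):
            findings.append((pid, name, f"parent {parent} not in {sorted(expected)}"))
    return findings


def triage(device, extra_args=()):
    """Open the image with memprocfs and run the parent check on its process list."""
    import memprocfs  # imported here so the offline sample run does not need the package

    # Same switches as the memprocfs command line, e.g. extra_args=("-forensic", "1").
    vmm = memprocfs.Vmm(["-device", device, *extra_args])
    try:
        processes = [(p.pid, p.ppid, p.name) for p in vmm.process_list()]
        findings = find_suspicious(processes)
        # Assumption: the virtual file system is readable without mounting and
        # /sys/version.txt holds the guest OS version as in the mounted layout.
        version = vmm.vfs.read("/sys/version.txt").decode(errors="replace").strip()
    finally:
        vmm.close()
    return version, len(processes), findings


def main(argv):
    """Print findings; exit status 1 when anything was flagged, else 0."""
    if len(argv) > 1:
        version, count, findings = triage(argv[1], argv[2:])
        print(f"OS version {version}, {count} processes")
    else:
        findings = find_suspicious(SAMPLE_PROCESSES)
        print(f"offline run on constructed sample ({len(SAMPLE_PROCESSES)} processes)")
    for pid, name, reason in findings:
        print(f"  pid {pid:>6} {name:<16} {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check is deliberately split from the memprocfs calls so the same logic can be run over a process list exported from any other tool, and the non-zero exit status lets the script sit in a batch triage pipeline.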
Usage examples (Windows unless noted; the image paths are the placeholders used by the project's documentation):
Mount a memory dump on the default drive letter M:
memprocfs.exe -device c:\temp\win10x64-dump.raw
The same, with verbose output:
memprocfs.exe -device c:\temp\win10x64-dump.raw -v
The same, with forensic mode 1 (the forensic analysis runs at startup into an in-memory database):
memprocfs.exe -device c:\temp\win10x64-dump.raw -forensic 1
Forensic mode plus a YARA scan of the image with the given rule file:
memprocfs.exe -device c:\temp\win10x64-dump.raw -forensic 1 -forensic-yara-rules c:\yara\rules\windows_malware_index.yar
Linux: mount the dump on a directory (the mount point must already exist):
./memprocfs -mount /home/pi/linux -device /dumps/win10x64-dump.raw
Windows: mount on drive letter S: instead of the default M:
memprocfs.exe -mount s -device c:\temp\win10x64-dump.raw
Live analysis of the local machine through the WinPMEM driver (requires an elevated prompt):
memprocfs.exe -device pmem
Live analysis over a PCILeech FPGA device (DMA), with automatic memory-map detection:
memprocfs.exe -device fpga -memmap auto
A dump of unknown origin with its page files supplied, so that paged-out memory can be resolved:
memprocfs.exe -device unknown-x64-dump.raw -pagefile0 pagefile.sys -pagefile1 swapfile.sys
Originally published on the WeChat official account FreeBuf: "MemProcFS: view physical memory as files in a virtual file system".
Disclaimer: the programs and methods described here may be offensive in nature and are provided solely for security research and teaching; readers who use them for any other purpose bear full legal responsibility, and this site accepts none. Questions can be sent by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).