
_CommandLine

ufrisk edited this page Mar 21, 2021 · 17 revisions

MemProcFS command line options

This guide describes the command line options MemProcFS.exe can be started with. Besides starting MemProcFS from the command line it is also possible to start it by double-clicking a memory dump file and selecting "Open with" MemProcFS.

MemProcFS uses the LeechCore library for physical memory acquisition and alteration. MemProcFS forwards LeechCore related command line options, primarily those concerning physical memory acquisition devices, to the LeechCore library. A short description of these options, primarily the -device option, is given in the LeechCore section below.


-v -vv -vvv

Verbosity level. By default MemProcFS prints only a select few info messages in the console window.

The -v option enables verbosity.

The -vv option enables extra verbosity.

The -vvv option enables maximum verbosity and generates a large amount of output, including all memory read from and written to files or devices. Since that output contains the contents of the analyzed memory, console logs produced with -vvv should be treated as sensitive. The -vvv option is not recommended for normal use.


-mount

MemProcFS tries to mount as drive letter M: by default. MemProcFS may mount at other drive letters as specified by the -mount option.

Example:

To mount MemProcFS as drive letter Q specify command line option:
-mount Q


-pythonpath

MemProcFS allows for Python plugin functionality. Examples of such plugins are the procstruct plugin showing EPROCESS and PEB in a convenient format and the 3rd party pypykatz plugin providing mimikatz-style functionality to MemProcFS. In order to run Python plugins MemProcFS needs access to a Python installation.

By default MemProcFS will use the 64-bit Python 3.6 or later installation found on the current PATH. If no Python installation is found on the PATH, MemProcFS will try to load a Python environment from its Python sub-directory.

If loading a Python installation fails, or if one wishes to load a separate Python installation, please use the -pythonpath command line option.

Example:

Use a non-default 64-bit Python installation at C:\Program Files\Python37 (the path contains a space, so it must be quoted on the command line):
-pythonpath "C:\Program Files\Python37"


-pythondisable

MemProcFS allows for Python plugin functionality. If this is not desirable it's possible to disable loading of the Python plugin sub-system by supplying the -pythondisable command line argument.

Example:

Disable the use of Python plugins:
-pythondisable


-pagefileX

Windows uses page files to page out infrequently used memory to disk. Page files are in a constant state of flux and are usually not recommended for memory analysis unless they are acquired at the same time as, or at the very least very close in time to, the memory dump file acquisition.

On a modern Windows 10 system each page file is given an index number. On a default configured Windows 10 system pagefile.sys will get index 0 while swapfile.sys will get index 1. On a non-default configured system with fewer or more page files this may differ.

To use page files with MemProcFS please use the -pagefileX command line option, where X is the page file index number. Please note that if old page files taken at a different point in time than the memory dump are used, the memory analysis will be severely degraded by bad data.

Example:

Use pagefile.sys and swapfile.sys to increase memory analysis quality of a Windows 10 memory dump:
-pagefile0 pagefile.sys -pagefile1 swapfile.sys
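Page file freshness is easy to get wrong when the dump and the page files come from different collection steps. The Python helper below is an added example, not MemProcFS project code: it builds the -device / -pagefileX / -mount argument vector from the options documented on this page and leaves out any page file whose modification time is more than a chosen tolerance (15 minutes, an assumption made for this example) away from the dump's. It also shows that keeping each argument as its own argv entry lets subprocess quote paths containing spaces (such as the -pythonpath example above) correctly.

```python
"""Build a MemProcFS command line from a dump and its page files.

Added example, not MemProcFS project code. Only options documented on this
page are used: -device, -pagefileX and -mount.
"""
import os
import subprocess
from datetime import timedelta

# Assumption for this example: a page file modified more than 15 minutes away
# from the dump is considered stale and left out rather than fed to MemProcFS.
MAX_SKEW = timedelta(minutes=15)


def pagefile_args(dump_mtime, pagefiles, max_skew=MAX_SKEW):
    """Return (args, rejected) for the given page files.

    dump_mtime: POSIX mtime of the memory dump.
    pagefiles:  {index: (path, mtime)} keyed by the Windows page file index
                (default Windows 10: 0 = pagefile.sys, 1 = swapfile.sys).
    rejected:   [(index, path, skew_seconds)] for files outside max_skew.
    """
    args, rejected = [], []
    for index in sorted(pagefiles):
        path, mtime = pagefiles[index]
        skew = abs(timedelta(seconds=mtime - dump_mtime))
        if skew > max_skew:
            rejected.append((index, path, int(skew.total_seconds())))
            continue
        args += [f"-pagefile{index}", path]
    return args, rejected


def memprocfs_args(dump, dump_mtime, pagefiles, mount=None, max_skew=MAX_SKEW):
    """Argument vector for MemProcFS.exe: -device, accepted -pagefileX, -mount."""
    args = ["-device", dump]
    page_args, rejected = pagefile_args(dump_mtime, pagefiles, max_skew)
    args += page_args
    if mount:
        args += ["-mount", mount]
    return args, rejected


def command_line(exe, args):
    """Render argv as one Windows command line string; arguments containing
    spaces (such as C:\\Program Files\\...) are quoted automatically."""
    return subprocess.list2cmdline([exe] + list(args))


def launch(exe, dump, pagefile_paths, mount=None):
    """Stat the files on disk, build the arguments and start MemProcFS."""
    dump_mtime = os.stat(dump).st_mtime
    pagefiles = {i: (p, os.stat(p).st_mtime) for i, p in pagefile_paths.items()}
    args, rejected = memprocfs_args(dump, dump_mtime, pagefiles, mount)
    for index, path, skew in rejected:
        print(f"skipping -pagefile{index} {path}: {skew}s away from dump mtime")
    print(command_line(exe, args))
    return subprocess.Popen([exe] + args)


if __name__ == "__main__":
    # Constructed sample: dump taken at t0, pagefile.sys written 100 s later,
    # swapfile.sys from a capture ten thousand seconds earlier.
    t0 = 1_600_000_000.0
    sample = {0: ("pagefile.sys", t0 + 100), 1: ("swapfile.sys", t0 - 10_000)}
    args, rejected = memprocfs_args("C:\\my dumps\\memorydump.raw", t0, sample, mount="Q")
    print(command_line("MemProcFS.exe", args))
    print("rejected:", rejected)
```

With the constructed sample only pagefile.sys is passed on; swapfile.sys is reported as rejected so the analyst can decide whether the capture is usable rather than silently degrading the analysis.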


-norefresh

If live memory is captured, either via a driver or via a PCILeech FPGA device, MemProcFS will auto-detect this and perform background updates of process listings and other information. Background refreshes are done to keep data up-to-date and to provide a good user experience (fast and responsive, with relevant current data).

Background refreshes take up small amounts of system resources and may not always be desirable. It's possible to disable background refreshes by specifying the -norefresh command line option. Please note that setting this option is usually not recommended. This option has no effect when static memory such as a memory dump file is analyzed.


-symbolserverdisable

By default MemProcFS tries to download symbols from the Microsoft Symbol Server. Symbols are required by the MemProcFS .pdb debug symbol sub-system, which parts of MemProcFS depend on. If one does not wish to automatically download symbols from the Microsoft Symbol Server it's possible to specify the -symbolserverdisable option.

Symbols already in the local cache will still be loaded, but no connections towards the Microsoft Symbol Server will take place when the -symbolserverdisable command line option is specified.

Please also note that the first time MemProcFS is started the user is asked to accept an EULA for the Microsoft Symbol Server. If the user answers no, a file named symsrv.no is created and the symbol server remains disabled until the symsrv.no file is deleted manually from the MemProcFS directory.


-waitinitialize

To decrease startup time, tasks such as starting the .pdb debug symbol sub-system are started asynchronously after system startup. This may lead to certain functionality being unavailable for the first seconds after startup, which in some cases has undesirable effects, such as missing data and limited memory recovery rates during those first seconds.

If it's desirable to have full functionality available immediately after MemProcFS startup please specify the -waitinitialize command line option. Startup times may increase somewhat.


LeechCore command line options:

MemProcFS uses the LeechCore library for physical memory acquisition and alteration. MemProcFS forwards LeechCore related command line options, primarily related to physical memory acquisition devices, to the LeechCore library.

For a full detailed description of LeechCore related command line options and per-device type information please consult the LeechCore Wiki.

A brief overview of LeechCore related command line options are given below:

-device

MemProcFS/LeechCore supports a number of different memory acquisition "devices".

Supported acquisition methods range from dump files (raw dump files, Microsoft full crash dump files, ELF full core dump files such as those produced by VirtualBox), to driver-assisted capture of live memory (DumpIt or WinPMEM), to hardware PCILeech FPGA devices.

For more detailed information about each memory acquisition device and also about additional supported "devices" check out the LeechCore wiki.

Examples:

Analyze the physical memory dump memorydump.raw:
-device memorydump.raw

Analyze live memory acquired with a PCILeech FPGA device connected over USB (requires additional DLLs; check the LeechCore wiki for details):
-device fpga

Analyze live memory acquired in real-time with WinPMEM (requires MemProcFS to be started as an elevated administrator and the WinPMEM driver att_winpmem_64.sys to be downloaded beforehand):
-device "pmem://att_winpmem_64.sys"


-remote

MemProcFS/LeechCore may connect to a remote instance in the form of a running LeechAgent by specifying the -remote option. The remote LeechAgent may use any of the supported memory acquisition devices. For more information about the option consult the LeechCore wiki entry.

Examples:

Connect to a remote LeechAgent running on the host ad-test.ad.example.org over an insecure, unauthenticated, cleartext RPC connection (anyone able to reach the agent can then read and alter the target's physical memory, so use this only on trusted networks):
-remote rpc://insecure:ad-test.ad.example.org

Connect to a remote LeechAgent running on the host ad-test.ad.example.org over an active-directory kerberos-secured mutually authenticated encrypted connection:
-remote rpc://ad-test$@AD.EXAMPLE.ORG:ad-test.ad.example.org
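The difference between the two -remote forms above is only visible in the connection string, which makes it easy to fall back to the insecure form by accident in a wrapper script. The following Python snippet is an added example, not LeechCore project code: it parses the two forms documented on this page (rpc://insecure:<host> and rpc://<spn>:<host>; any other shape is treated as malformed, which is an assumption of this example) and refuses the unauthenticated form unless the caller opts in.

```python
"""Parse and vet a MemProcFS/LeechCore -remote connection string.

Added example, not LeechCore project code. It only recognises the two forms
shown on this page, rpc://insecure:<host> and rpc://<spn>:<host>; anything
else is treated as malformed (an assumption of this example).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Remote:
    auth: str   # "insecure" or the Kerberos SPN, e.g. ad-test$@AD.EXAMPLE.ORG
    host: str   # host running the LeechAgent

    @property
    def insecure(self):
        """True when the connection is cleartext and unauthenticated."""
        return self.auth.lower() == "insecure"


def parse_remote(value):
    """Split 'rpc://<auth>:<host>' into its parts; raise ValueError otherwise."""
    prefix = "rpc://"
    if not value.startswith(prefix):
        raise ValueError(f"unsupported -remote scheme: {value!r}")
    # The SPN may contain '$' and '@' but no ':', so the first ':' ends it.
    auth, sep, host = value[len(prefix):].partition(":")
    if not sep or not auth or not host:
        raise ValueError(f"expected rpc://<insecure|spn>:<host>, got {value!r}")
    return Remote(auth=auth, host=host)


def vet_remote(value, allow_insecure=False):
    """Return the parsed Remote, refusing the insecure form unless allowed.

    An insecure LeechAgent connection exposes physical memory read and write
    to anyone who can reach the agent, so a wrapper should make it an opt-in.
    """
    remote = parse_remote(value)
    if remote.insecure and not allow_insecure:
        raise PermissionError(
            f"refusing cleartext unauthenticated connection to {remote.host}; "
            "pass allow_insecure=True to override")
    return remote


if __name__ == "__main__":
    # Constructed inputs: the two -remote examples from this page.
    for value in ("rpc://ad-test$@AD.EXAMPLE.ORG:ad-test.ad.example.org",
                  "rpc://insecure:ad-test.ad.example.org"):
        try:
            r = vet_remote(value)
            print(f"{value}: ok, Kerberos SPN {r.auth} -> {r.host}")
        except PermissionError as exc:
            print(f"{value}: {exc}")
```

The Kerberos form passes unchanged and the insecure form is rejected until the caller explicitly sets allow_insecure=True, which keeps the decision to run unauthenticated visible in the calling code.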


-max

Maximum allowed physical memory address to read from. This option should normally not be used. It's mostly available for debug purposes. If a low value is specified MemProcFS is unlikely to be able to start or analyze memory properly. If this option is not specified the maximum amount of physical memory will be auto-detected (recommended).

Example:

Set the maximum allowed physical memory address to 4GB (0x100000000):
-max 0x100000000
