_ARM64
This includes Windows on Apple Silicon - i.e. Windows on Parallels or VMWare Fusion, but also other ARM devices running Windows.
For instructions regarding Linux please check out MemProcFS on Linux
- DMA is currently not supported due to lack of driver support from FTDI.
- Memory analysis of arm64 memory dumps is not yet supported.
- Full support for analyzing x86, x64 and arm64 memory dump files on arm64 Windows.
The x64 version of MemProcFS works on arm64 devices with decent performance. It is also possible to build MemProcFS natively for arm64 yourself.
- Install the Dokany virtual file system driver (DokanSetup.exe).
- Unzip MemProcFS x64 Windows release to a folder of your choosing.
- Run MemProcFS! Example:
memprocfs.exe -device c:\dumps\yourmemorydumpfile.raw
If the above fails with Dokany error -3, the Dokany driver has failed to install properly. In that case see points 4-8 below:
- Download dokan.zip from Dokany releases.
- Unzip dokan.zip
- Install the driver: move into dokan\ARM64\Release\Driver\sys, right-click dokan.inf and choose Install in the popup menu.
- Start the driver: from an elevated (administrator) command prompt, run:
sc.exe create dokan2.sys binPath=C:\windows\system32\drivers\dokan2.sys type=kernel && sc.exe start dokan2.sys
This is only required once.
- Run MemProcFS!
Please note that it is not possible to perform DMA attacks using MemProcFS on arm64 Windows due to the current lack of driver support.
It is possible to analyze arm64 memory dumps, such as crashdump (.dmp) files, VMWare (.vmem/.vmsn) files and raw memory dump files. When analyzing a raw memory dump file, specify the additional start-up option: -arch arm64.
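The recovery steps 4-8 above and the -arch arm64 start-up option can be tied together in a small helper. The following PowerShell script is an added example and is not part of the MemProcFS project: it checks for the dokan2.sys kernel driver service, registers and starts it with the same sc.exe commands as on this page if it is missing, and then launches memprocfs.exe. The binary location (C:\Tools\MemProcFS\memprocfs.exe) and the sc.exe exit codes 1060 (service does not exist) and 1056 (service already running) are assumptions; the service name and driver path are taken from the sc.exe command above.

```powershell
# Added example, not MemProcFS project code: register/start the Dokany driver
# if needed, then mount a memory dump with MemProcFS.
param(
    # Memory dump to mount (path is an assumption; point it at your own file).
    [Parameter(Mandatory = $true)]
    [string]$DumpPath,

    # Where the x64 MemProcFS release was unzipped (assumed location).
    [string]$MemProcFsExe = 'C:\Tools\MemProcFS\memprocfs.exe',

    # Set this when the raw dump was taken from an arm64 system so that the
    # "-arch arm64" start-up option from this page is passed to memprocfs.exe.
    [switch]$Arm64RawDump
)

$ErrorActionPreference = 'Stop'

# Service name and driver path exactly as used in the sc.exe command on this page.
$driverService = 'dokan2.sys'
$driverPath    = 'C:\windows\system32\drivers\dokan2.sys'

# sc.exe create/start require an elevated prompt, so fail early when not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) PowerShell prompt.'
}

if (-not (Test-Path -LiteralPath $MemProcFsExe)) {
    throw "memprocfs.exe not found at $MemProcFsExe"
}
if (-not (Test-Path -LiteralPath $DumpPath)) {
    throw "Memory dump not found at $DumpPath"
}

# Assumption: sc.exe query exits with 1060 (ERROR_SERVICE_DOES_NOT_EXIST) when the
# driver service was never registered, which matches the "Dokany error -3" case.
& sc.exe query $driverService | Out-Null
if ($LASTEXITCODE -eq 1060) {
    if (-not (Test-Path -LiteralPath $driverPath)) {
        throw "Driver file missing at $driverPath. Install dokan.inf first (steps 4-6)."
    }
    Write-Host "Registering kernel driver service $driverService ..."
    # Same command as on this page; sc.exe expects a space after "binPath=" and
    # "type=", which passing them as separate arguments provides.
    & sc.exe create $driverService binPath= $driverPath type= kernel
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe create failed with exit code $LASTEXITCODE"
    }
}

# Start the driver. Assumption: exit code 1056 (ERROR_SERVICE_ALREADY_RUNNING)
# simply means a previous run already started it, which is fine.
& sc.exe start $driverService | Out-Null
if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 1056) {
    throw "sc.exe start failed with exit code $LASTEXITCODE"
}

# Build the MemProcFS command line: -device is always required; -arch arm64 is
# only needed for raw dumps taken from an arm64 system (see the note above).
$mpfArgs = @('-device', $DumpPath)
if ($Arm64RawDump) {
    $mpfArgs += @('-arch', 'arm64')
}
Write-Host "Starting: $MemProcFsExe $($mpfArgs -join ' ')"
& $MemProcFsExe @mpfArgs
```

Usage, from an elevated PowerShell prompt: `.\Mount-MemProcFS.ps1 -DumpPath C:\dumps\yourmemorydumpfile.raw -Arm64RawDump`. Leave the switch off for x86/x64 dumps and for crashdump or VMware files, where MemProcFS reads the architecture from the file itself.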
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖