memflow-pcileech vmware / remote implementation #95
Comments
|
Hey there, better place for this issue would be memflow-pcileech project. Anyways, does leechcore require to set the device argument to "vmware://" or is "vmware" sufficient? I personally haven't tried anything besides FPGA yet. |
|
Both are fine I think (vmware:// and vmware), this for example works fine: |
|
Device is straight put into LC_CONFIG: Does it need anything else being setup apart from running as admin? |
|
Don't think so |
|
I couldnt see any additional steps that memprocfs is doing to initialize leechcore, but there probably is something i overlooked. Otherwise im kinda out of ideas right now, will have to test this on my setup at one point. |
|
Also wanted to ask, is it currently possible to dump memory remotely, e.g. using pcileech -remote? (LC_CONFIG.szRemote) |
|
Oh I see, is support for it planned anytime soon? |
|
No one used them before but it should be quite straight forward to add those parameters, do you have an example on how they would be set? I Assume remote and remoteDisableCompress are bools and szRemote is just a string that we should pass through? |
|
Not sure how they're set in the code specifically, this is what I was using: |
|
|
|
It seems to only require szRemote to be set: I gave it a shot and added a |
|
Sure, I'll give it a shot tomorrow (actually, today since it's 2:34 AM for me). Thank you so much! 😄 |
|
Can't seem to make it work :( |
|
I noticed yesterday that more complex argument formatting will confuse our argument parser. For the time being you can parse it manually like so: I also added new test cases here: So i can fix them up. Ideally the |
|
Had some issues with ConnectorArgs struct, debugged it a bit, if anyone comes by, the solution is to use this memflow version (because those structs are different between stable and beta as of now): |
|
You can close this issue if you want to, or use it to track vmware integration in the future if you'd want to add it 😄 |
ko1N
changed the title
|
I updated the title but would like to keep this open until the original issues are resolved (and arg parsing works fine). |
|
Could you please advise if that's a bug or am I doing something wrong? Looks like the integration with memflow-win32 |
|
Again, had to use the "0.2.0-beta9" version for memflow-win32 crate, this fixed my issue, although API is different, maybe there's a documentation to it already? |
|
I also can't seem to find a way to find process info by process name, only for ntoskrnl, meaning the following example doesn't work: |
|
Can't find process_info_list() as well |
With version 0.2 of memflow all os implementations are generic over the base traits found in the memflow repository (Os, Process). You should be able to find the methods, it could be that you are not including those traits in your source file and intellij-rust cannot find the traits, could you share code? It would be advised to use the memflow applied videos as a loose reference as they have not been updated/corrected for 0.2, however they still provide good general information that carries over. @h33p might update the videos for 0.2 (once the release has been stabilized), I don't know. |
|
Thank you so much @dankope, I didn't include the trait, fixed my issue |
This comment was marked as outdated.
This comment was marked as outdated.
So this parser confusion is now fixed on the next branch and will be released in 0.2.0-beta10 somewhat soon. You should be able to put in the arguments in the format you "expect" with this update :) |
I have the following code from example:
My Win10 VM is open, MemProcFS can read from it:
However, the example does not work:
Is there anything I can do to fix this and achieve fast live memory reads/writes or is it currently a technical issue?
I'm very new to this and it would be great if you could tell if I'm doing something wrong or is it actually not working right now? :D
The text was updated successfully, but these errors were encountered: