Deploying to gh-pages from @ ae3645d 🚀
h33p committed Dec 5, 2023
1 parent c9e6d45 commit d70095b
Showing 17 changed files with 447 additions and 0 deletions.
66 changes: 66 additions & 0 deletions about/index.html
@@ -0,0 +1,66 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>memflow project</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/x-icon" href="favicon.ico">
<link rel="stylesheet" href="../styles.css"></head>
</head>
<body>
<div class="root">
<div class="pre-logo">
<pre class="logo">
______
____ ___ ___ ____ ___ / __/ /___ _ __
/ __ `__ \/ _ \/ __ `__ \/ /_/ / __ \ | /| / /
/ / / / / / __/ / / / / / __/ / /_/ / |/ |/ /
/_/ /_/ /_/\___/_/ /_/ /_/_/ /_/\____/|__/|__/</pre>
<ul class="navbar">

<a href=../>Home</a>
<pre> | </pre>


<a href=../about>About</a>
<pre> | </pre>


<a href=../quick_start>Quick start guide</a>
<pre> | </pre>


<a href=../docs>Documentation</a>

</ul>
</div>

<div class="pre-content">
<div class="content">
<h1>About</h1>
<p>memflow is a set of libraries and tools that aim to make it easy to extract information from raw physical memory. memflow offers abstractions over the Memory Management Unit (MMU) and underlying Architecture as well as the Operating System itself.</p>
<h2>Contact us</h2>
<p>You are welcome to contact us via <a href="https://github.com/memflow/">Github</a> or just join our <a href="https://discord.gg/afsEtMR">Discord</a>.</p>
<h1>Credits &amp; Thanks:</h1>

<a href="https://github.com/ko1N">
<div style="flex-direction: row; box-sizing: border-box; display: flex; place- content: center flex-start; align-items: center;">
<img class="profile-img" src="https://avatars3.githubusercontent.com/u/1786181?s=64&v=4">
<div>ko1N</div>
</div>
</a>
<br/>

<a href="https://github.com/h33p">
<div style="flex-direction: row; box-sizing: border-box; display: flex; place- content: center flex-start; align-items: center;">
<img class="profile-img" src="https://avatars3.githubusercontent.com/u/22240533?s=64&v=4">
<div>h33p</div>
</div>
</a>
<br/>

</div>
</div>
</div>
</body>
</html>
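Review bot: `</head>` is emitted twice in this page, once glued onto the stylesheet link (`<link rel="stylesheet" href="../styles.css"></head>`) and again on the next line, so the head is closed early and the document is malformed; drop the trailing `</head>` from the link line (the same pattern appears in every page of this commit, so the fix belongs in the shared template). Two smaller points in the same hunk: `href="favicon.ico"` is relative, so from `about/` it resolves to `about/favicon.ico` while the stylesheet correctly uses `../styles.css`; and the inline style on both contributor cards contains `place- content: center flex-start` with a stray space, so the property is silently ignored. The navbar `<ul>` also holds bare `<a>` and `<pre>` elements with no `<li>` children, which is invalid HTML.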
80 changes: 80 additions & 0 deletions docs/index.html
@@ -0,0 +1,80 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>memflow project</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/x-icon" href="favicon.ico">
<link rel="stylesheet" href="../styles.css"></head>
</head>
<body>
<div class="root">
<div class="pre-logo">
<pre class="logo">
______
____ ___ ___ ____ ___ / __/ /___ _ __
/ __ `__ \/ _ \/ __ `__ \/ /_/ / __ \ | /| / /
/ / / / / / __/ / / / / / __/ / /_/ / |/ |/ /
/_/ /_/ /_/\___/_/ /_/ /_/_/ /_/\____/|__/|__/</pre>
<ul class="navbar">

<a href=../>Home</a>
<pre> | </pre>


<a href=../about>About</a>
<pre> | </pre>


<a href=../quick_start>Quick start guide</a>
<pre> | </pre>


<a href=../docs>Documentation</a>

</ul>
</div>

<div class="pre-content">
<div class="content">
<h1>Documentation</h1>
<h2>1. Introduction</h2>
<p>At its core a program that is written using memflow usually consists of 4 layers.</p>
<p>connector backend ← memflow core ← memflow-[os] ← frontend code</p>
<ul>
<li>The connector is the interface that provides access to raw physical memory.</li>
<li>The memflow core will provide higher-level functions to interface with virtual memory.</li>
<li>The memflow-[os] module abstracts operating system specific functionality and encapsulates drivers, processes, and modules.</li>
<li>The frontend code is the actual high-level implementation of the program logic.</li>
</ul>
<h2>2. Virtual Memory Translation</h2>
<p>// TODO: describe how virtual memory translation works (in memflow)</p>
<h2>3. What happens on initialization?</h2>
<h3>3.1. Windows targets</h3>
<p>The initialization phase of memflow for a win32 target consists of the following stages:</p>
<h3>1. Finding the START_BLOCK in physical memory.</h3>
<p>The START_BLOCK of the operating system usually sits in the lower physical memory region and contains information about the DTB when windows is initialized.
Additionally, it contains an address that gives us a hint on where to find the actual ntoskrnl.exe.</p>
<h3>2. Finding the ntoskrnl.exe in virtual memory</h3>
<p>Using the DTB that we acquired in the previous step it is now possible to construct a virtual memory reader.
This reader is then being used to find a valid PE header for the “ntoskrnl.exe” binary.</p>
<h3>3. Finding the GUID and WinVersion of the ntoskrnl.exe</h3>
<p>Microsoft provides program databases (PDBs) for all of their released Windows kernels.
These PDB files contain all information required for debugging a program.
They are usually used in conjunction with WinDbg to analyze or debug a system directly.</p>
<p>We are mostly interested in struct member offsets that are contained in those PDBs.
For this purpose memflow has a built-in feature that downloads and loads those PDB files to find the appropiate offsets for the current windows installation.
It is mandatory to acquire the GUID of the ntoskrnl.exe to acquire the proper PDB.</p>
<p>On top of that memflow will try and fetch the version and build-number of windows.
This build number is updated less frequently and is not as accurate as using the PDB directly.
This windows version can however be useful in cases where memflow does not have access to the Microsoft symbol store (e.g. it might be down, you might not have internet access on the machine running memflow or you might have compiled memflow for no-std environments).</p>
<p>In cases where the appropriate offsets cannot be obtained from a PDB, memflow has a built-in database of known windows offsets for each version and build number.
The version info acquired earlier is then used to find the proper offsets table from that database.</p>
<h3>4. How does the caching work?</h3>
<p>// TODO: write about caching</p>

</div>
</div>
</div>
</body>
</html>
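Review bot: the headings under "3.1. Windows targets" restart their numbering at 1 and use the same `<h3>` level as 3.1 itself, so "1. Finding the START_BLOCK…" through "4. How does the caching work?" read as siblings of 3.1 rather than its stages; demote them to `<h4>` or number them 3.1.1 to 3.1.4. Section 2 and stage 4 are published as bare `// TODO` comments inside `<p>` elements, which will render verbatim on the live site. Same duplicated `</head>` as in `about/index.html`. Minor: "appropiate" should be "appropriate", and "windows" / "Windows" is capitalized inconsistently throughout the page.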
57 changes: 57 additions & 0 deletions index.html
@@ -0,0 +1,57 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>memflow project</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/x-icon" href="favicon.ico">
<link rel="stylesheet" href="styles.css"></head>
</head>
<body>
<div class="root">
<div class="pre-logo">
<pre class="logo">
______
____ ___ ___ ____ ___ / __/ /___ _ __
/ __ `__ \/ _ \/ __ `__ \/ /_/ / __ \ | /| / /
/ / / / / / __/ / / / / / __/ / /_/ / |/ |/ /
/_/ /_/ /_/\___/_/ /_/ /_/_/ /_/\____/|__/|__/</pre>
<ul class="navbar">

<a href=>Home</a>
<pre> | </pre>


<a href=about>About</a>
<pre> | </pre>


<a href=quick_start>Quick start guide</a>
<pre> | </pre>


<a href=docs>Documentation</a>

</ul>
</div>

<div class="pre-content">
<div class="content">
<h1><a href="https://github.com/memflow/memflow">memflow</a> - machine introspection framework</h1>
<p><a href="https://crates.io/crates/memflow"><img src="https://img.shields.io/crates/v/memflow.svg" alt="Crates.io" /></a>
<img src="https://github.com/memflow/memflow/workflows/Build%20and%20test/badge.svg?branch=dev" alt="build and test" />
<a href="https://codecov.io/gh/memflow/memflow"><img src="https://codecov.io/gh/memflow/memflow/branch/master/graph/badge.svg?token=XT7R158N6W" alt="codecov" /></a>
<a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="MIT licensed" /></a>
<a href="https://discord.gg/afsEtMR"><img src="https://img.shields.io/discord/738739624976973835?color=%20%237289da&amp;label=Discord" alt="Discord" /></a></p>
<p>memflow is a library that allows live memory introspection of running systems and their snapshots. Due to its modular approach it trivial to support almost any scenario where Direct Memory Access is available.</p>
<p>The very core of the library is a <a href="https://docs.rs/memflow/latest/memflow/mem/phys_mem/trait.PhysicalMemory.html">PhysicalMemory</a> that provides direct memory access in an abstract environment. This object that can be defined both statically, and dynamically with the use of the <code>inventory</code> feature. If <code>inventory</code> is enabled, it is possible to dynamically load libraries that provide Direct Memory Access.</p>
<p>Through the use of OS abstraction layers, like <a href="https://github.com/memflow/memflow/tree/master/memflow-win32">memflow-win32</a>, user can gain access to virtual memory of individual processes, by creating objects that implement <a href="https://docs.rs/memflow/latest/memflow/mem/virt_mem/trait.VirtualMemory.html">VirtualMemory</a>.</p>
<p>Bridging the two is done by a highly throughput optimized virtual address translation function, which allows for crazy fast memory transfers at scale.</p>
<p>The core is architecture independent (as long as addresses fit in 64-bits), and currently both 32, and 64-bit versions of the x86 family are available to be used.</p>
<p>For non-rust libraries, it is possible to use the <a href="https://github.com/memflow/memflow/tree/master/memflow-ffi">FFI</a> to interface with the library.</p>

</div>
</div>
</div>
</body>
</html>
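Review bot: `<a href=>Home</a>` has an empty `href`, which links back to the current document rather than the site root; use `href="./"` or `href="/"` (the sub-pages use `../`). The license badge links to a relative `LICENSE` path that this commit does not add to the gh-pages tree, so it will 404 on the published site; point it at the repository's LICENSE file instead. The build badge reads from `branch=dev` while the codecov badge reads `branch/master`, so the two describe different branches. Same duplicated `</head>`. Grammar: "it trivial to support" should be "it is trivial to support", and "This object that can be defined" should be "This object can be defined".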
90 changes: 90 additions & 0 deletions quick_start/index.html
@@ -0,0 +1,90 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>memflow project</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/x-icon" href="favicon.ico">
<link rel="stylesheet" href="../styles.css"></head>
</head>
<body>
<div class="root">
<div class="pre-logo">
<pre class="logo">
______
____ ___ ___ ____ ___ / __/ /___ _ __
/ __ `__ \/ _ \/ __ `__ \/ /_/ / __ \ | /| / /
/ / / / / / __/ / / / / / __/ / /_/ / |/ |/ /
/_/ /_/ /_/\___/_/ /_/ /_/_/ /_/\____/|__/|__/</pre>
<ul class="navbar">

<a href=../>Home</a>
<pre> | </pre>


<a href=../about>About</a>
<pre> | </pre>


<a href=../quick_start>Quick start guide</a>
<pre> | </pre>


<a href=../docs>Documentation</a>

</ul>
</div>

<div class="pre-content">
<div class="content">
<h1>Quick start guide</h1>
<h2>1. Binary Installation</h2>
<p>// TODO: provide linux/mac packages (aur, homebrew) and windows binaries</p>
<p>Currently, only source installation is available, so please follow the next section.</p>
<h2>2. Compiling from Source</h2>
<h3>2.0. Prerequisites</h3>
<p>memflow is written entirely in <a href="https://www.rust-lang.org/">Rust</a>. It is therefore required to have a Rust toolchain installed. memflow is verified to compile on the stable toolchain of Rust 1.45.1.</p>
<p>More information on how to install Rust can be obtained from the <a href="https://rustup.rs/">rustup project website</a>.</p>
<h3>2.1. Connectors</h3>
<p>Recommended way to manage multiple connectors is through the <a href="https://github.com/memflow/memflowup">memflowup</a> utility. It requires <a href="https://www.python.org/">Python 3</a>.</p>
<h4>2.1.1. Linux / macOS in one line</h4>
<div class="highlight"><pre><span></span>$<span class="w"> </span>curl<span class="w"> </span>-L<span class="w"> </span>https://raw.githubusercontent.com/memflow/memflowup/master/memflowup.py<span class="w"> </span><span class="p">|</span><span class="w"> </span>python3
</pre></div>
<h4>2.1.2. With Git</h4>
<p>Clone and run the script:</p>
<div class="highlight"><pre><span></span>$<span class="w"> </span>git<span class="w"> </span>clone<span class="w"> </span>https://github.com/memflow/memflowup.git
$<span class="w"> </span><span class="nb">cd</span><span class="w"> </span>memflowup
$<span class="w"> </span>python3<span class="w"> </span>memflowup.py
</pre></div>
<p>Update installed connectors:</p>
<div class="highlight"><pre><span></span>$<span class="w"> </span>python3<span class="w"> </span>memflowup.py<span class="w"> </span>update
</pre></div>
<h3>2.2. CLI</h3>
<h4>2.2.1 Client</h4>
<p>Install the client:</p>
<div class="highlight"><pre><span></span>$<span class="w"> </span>cargo<span class="w"> </span>install<span class="w"> </span>--git<span class="w"> </span>https://github.com/memflow/memflow-cli/<span class="w"> </span>memflow-cli
</pre></div>
<p>(If running local daemon) By default, memflow socket is only accessible to the memflow group, create it, and add your user:</p>
<div class="highlight"><pre><span></span>$<span class="w"> </span>sudo<span class="w"> </span>groupadd<span class="w"> </span>memflow
$<span class="w"> </span>sudo<span class="w"> </span>usermod<span class="w"> </span>-aG<span class="w"> </span>memflow<span class="w"> </span><span class="o">(</span>username<span class="o">)</span>
</pre></div>
<p>You will need to logout for the group changes to be applied</p>
<h4>2.2.2 Daemon</h4>
<p>Daemon is currently only supported on Unix systems.</p>
<p>Install the daemon and create initial config:</p>
<div class="highlight"><pre><span></span>$<span class="w"> </span>cargo<span class="w"> </span>install<span class="w"> </span>--git<span class="w"> </span>https://github.com/memflow/memflow-cli/<span class="w"> </span>memflow-daemon
$<span class="w"> </span>sudo<span class="w"> </span>mkdir<span class="w"> </span>-p<span class="w"> </span>/etc/memflow/
$<span class="w"> </span>curl<span class="w"> </span>-L<span class="w"> </span>https://raw.githubusercontent.com/memflow/memflow-cli/master/daemon.conf<span class="w"> </span><span class="p">|</span><span class="w"> </span>sudo<span class="w"> </span>tee<span class="w"> </span>/etc/memflow/daemon.conf
</pre></div>
<h2>3. Running in Docker</h2>
<p>// TODO: implement + describe docker setup</p>
<h2>4. The command-line interface</h2>
<p>// TODO: show cli usage</p>
<h2>5. Working with the library</h2>
<p>// TODO: write and explain examples</p>

</div>
</div>
</div>
</body>
</html>
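Review bot: the installer one-liner `curl -L .../memflowup.py | python3` and the config fetch `curl -L .../daemon.conf | sudo tee /etc/memflow/daemon.conf` both run or install content straight from a mutable `master` branch with no way for the reader to see what they received; suggest documenting a pinned commit in the raw URL and a download-then-inspect step (the "With Git" alternative on the same page already covers the first case), so what executes as the user and what lands in `/etc` is reviewable. Section 2.2.2 says the daemon is supported on "Unix systems", but `groupadd` and `usermod` are Linux (shadow-utils) commands and are absent on macOS; either scope the statement to Linux or give the macOS equivalent. "Rust 1.45.1" is stated as the verified toolchain; worth confirming that is still the tested version for a Dec 2023 deploy. Same duplicated `</head>`. Minor: "logout" should be "log out".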
Binary file added static/woff/FiraCode-Bold.woff
Binary file not shown.
Binary file added static/woff/FiraCode-Light.woff
Binary file not shown.
Binary file added static/woff/FiraCode-Medium.woff
Binary file not shown.
Binary file added static/woff/FiraCode-Regular.woff
Binary file not shown.
Binary file added static/woff/FiraCode-SemiBold.woff
Binary file not shown.
Binary file added static/woff/FiraCode-VF.woff
Binary file not shown.
Binary file added static/woff2/FiraCode-Bold.woff2
Binary file not shown.
Binary file added static/woff2/FiraCode-Light.woff2
Binary file not shown.
Binary file added static/woff2/FiraCode-Medium.woff2
Binary file not shown.
Binary file added static/woff2/FiraCode-Regular.woff2
Binary file not shown.
Binary file added static/woff2/FiraCode-SemiBold.woff2
Binary file not shown.
Binary file added static/woff2/FiraCode-VF.woff2
Binary file not shown.
0 comments on commit d70095b