diff --git a/about/index.html b/about/index.html new file mode 100644 index 0000000..fdbcf1c --- /dev/null +++ b/about/index.html @@ -0,0 +1,66 @@ + + + + + memflow project + + + + + +
+ + +
+
+

About

+

memflow is a set of libraries and tools that aim to make it easy to extract information from raw physical memory. memflow offers abstractions over the Memory Management Unit (MMU) and underlying Architecture as well as the Operating System itself.

+

Contact us

+

You are welcome to contact us via Github or just join our Discord.

+

Credits & Thanks:

+ + +
+ +
ko1N
+
+
+
+ + +
+ +
h33p
+
+
+
+ +
+
+
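Review bot: minor copy points in about/index.html: "Github" in the Contact us paragraph should be "GitHub", and the "Credits & Thanks:" heading carries a trailing colon that the other headings on the page ("About", "Contact us") do not; drop it for consistency. The same "memflow project" head block is repeated verbatim in each of the four HTML files in this commit, so a shared include or generator template would keep them from drifting apart.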
+ + diff --git a/docs/index.html b/docs/index.html new file mode 100644 index 0000000..a08799e --- /dev/null +++ b/docs/index.html @@ -0,0 +1,80 @@ + + + + + memflow project + + + + + +
+ + +
+
+

Documentation

+

1. Introduction

+

At its core a program that is written using memflow usually consists of 4 layers.

+

connector backend ← memflow core ← memflow-[os] ← frontend code

+
    +
  • The connector is the interface that provides access to raw physical memory.
  • +
  • The memflow core will provide higher-level functions to interface with virtual memory.
  • +
  • The memflow-[os] module abstracts operating system specific functionality and encapsulates drivers, processes, and modules.
  • +
  • The frontend code is the actual high-level implementation of the program logic.
  • +
+

2. Virtual Memory Translation

+

// TODO: describe how virtual memory translation works (in memflow)

+

3. What happens on initialization?

+

3.1. Windows targets

+

The initialization phase of memflow for a win32 target consists of the following stages:

+

1. Finding the START_BLOCK in physical memory.

+

The START_BLOCK of the operating system usually sits in the lower physical memory region and contains information about the DTB when windows is initialized. +Additionally, it contains an address that gives us a hint on where to find the actual ntoskrnl.exe.

+

2. Finding the ntoskrnl.exe in virtual memory

+

Using the DTB that we acquired in the previous step it is now possible to construct a virtual memory reader. +This reader is then being used to find a valid PE header for the “ntoskrnl.exe” binary.

+

3. Finding the GUID and WinVersion of the ntoskrnl.exe

+

Microsoft provides program databases (PDBs) for all of their released Windows kernels. +These PDB files contain all information required for debugging a program. +They are usually used in conjunction with WinDbg to analyze or debug a system directly.

+

We are mostly interested in struct member offsets that are contained in those PDBs. +For this purpose memflow has a built-in feature that downloads and loads those PDB files to find the appropiate offsets for the current windows installation. +It is mandatory to acquire the GUID of the ntoskrnl.exe to acquire the proper PDB.

+

On top of that memflow will try and fetch the version and build-number of windows. +This build number is updated less frequently and is not as accurate as using the PDB directly. +This windows version can however be useful in cases where memflow does not have access to the Microsoft symbol store (e.g. it might be down, you might not have internet access on the machine running memflow or you might have compiled memflow for no-std environments).

+

In cases where the appropriate offsets cannot be obtained from a PDB, memflow has a built-in database of known windows offsets for each version and build number. +The version info acquired earlier is then used to find the proper offsets table from that database.

+

4. How does the caching work?

+

// TODO: write about caching

+ +
+
+
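Review bot: section 3.1 says memflow "downloads and loads" PDB files to obtain struct member offsets but does not say where they are fetched from, where they are cached, or how the downloaded file is matched against the ntoskrnl.exe GUID found in step 3; since this is network-dependent behaviour it deserves a sentence, as does the failure path when neither a PDB nor an entry in the built-in offsets database matches the acquired version and build number (does initialization fail, or continue with a best guess?). Sections 2 and 4 ship as "// TODO" placeholders; either fill them or hide them until written. Copy fixes: "appropiate" -> "appropriate", "This reader is then being used" -> "This reader is then used", "try and fetch" -> "try to fetch", and "windows" should be capitalized "Windows" throughout.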
+ + diff --git a/index.html b/index.html new file mode 100644 index 0000000..530fb69 --- /dev/null +++ b/index.html @@ -0,0 +1,57 @@ + + + + + memflow project + + + + + +
+ + +
+
+

memflow - machine introspection framework

+

Crates.io +build and test +codecov +MIT licensed +Discord

+

memflow is a library that allows live memory introspection of running systems and their snapshots. Due to its modular approach it trivial to support almost any scenario where Direct Memory Access is available.

+

The very core of the library is a PhysicalMemory that provides direct memory access in an abstract environment. This object that can be defined both statically, and dynamically with the use of the inventory feature. If inventory is enabled, it is possible to dynamically load libraries that provide Direct Memory Access.

+

Through the use of OS abstraction layers, like memflow-win32, user can gain access to virtual memory of individual processes, by creating objects that implement VirtualMemory.

+

Bridging the two is done by a highly throughput optimized virtual address translation function, which allows for crazy fast memory transfers at scale.

+

The core is architecture independent (as long as addresses fit in 64-bits), and currently both 32, and 64-bit versions of the x86 family are available to be used.

+

For non-rust libraries, it is possible to use the FFI to interface with the library.

+ +
+
+
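Review bot: grammar in the overview paragraphs: "Due to its modular approach it trivial to support" is missing "is"; "This object that can be defined both statically, and dynamically" should read "This object can be defined both statically and dynamically"; "user can gain access" -> "users can gain access"; "fit in 64-bits" -> "fit in 64 bits"; "non-rust" -> "non-Rust". "crazy fast memory transfers" reads informal for a project landing page; saying the translation function is throughput-optimized and leaving it there would be enough.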
+ + diff --git a/quick_start/index.html b/quick_start/index.html new file mode 100644 index 0000000..7a436f1 --- /dev/null +++ b/quick_start/index.html @@ -0,0 +1,90 @@ + + + + + memflow project + + + + + +
+ + +
+
+

Quick start guide

+

1. Binary Installation

+

// TODO: provide linux/mac packages (aur, homebrew) and windows binaries

+

Currently, only source installation is available, so please follow the next section.

+

2. Compiling from Source

+

2.0. Prerequisites

+

memflow is written entirely in Rust. It is therefore required to have a Rust toolchain installed. memflow is verified to compile on the stable toolchain of Rust 1.45.1.

+

More information on how to install Rust can be obtained from the rustup project website.

+

2.1. Connectors

+

Recommended way to manage multiple connectors is through the memflowup utility. It requires Python 3.

+

2.1.1. Linux / macOS in one line

+
$ curl -L https://raw.githubusercontent.com/memflow/memflowup/master/memflowup.py | python3
+
+

2.1.2. With Git

+

Clone and run the script:

+
$ git clone https://github.com/memflow/memflowup.git
+$ cd memflowup
+$ python3 memflowup.py
+
+

Update installed connectors:

+
$ python3 memflowup.py update
+
+

2.2. CLI

+

2.2.1 Client

+

Install the client:

+
$ cargo install --git https://github.com/memflow/memflow-cli/ memflow-cli
+
+

(If running local daemon) By default, memflow socket is only accessible to the memflow group, create it, and add your user:

+
$ sudo groupadd memflow
+$ sudo usermod -aG memflow (username)
+
+

You will need to logout for the group changes to be applied

+

2.2.2 Daemon

+

Daemon is currently only supported on Unix systems.

+

Install the daemon and create initial config:

+
$ cargo install --git https://github.com/memflow/memflow-cli/ memflow-daemon
+$ sudo mkdir -p /etc/memflow/
+$ curl -L https://raw.githubusercontent.com/memflow/memflow-cli/master/daemon.conf | sudo tee /etc/memflow/daemon.conf
+
+

3. Running in Docker

+

// TODO: implement + describe docker setup

+

4. The command-line interface

+

// TODO: show cli usage

+

5. Working with the library

+

// TODO: write and explain examples

+ +
+
+
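Review bot: the one-line install in 2.1.1 pipes a script fetched from the master branch straight into the interpreter ("curl -L .../memflowup/master/memflowup.py | python3"), and 2.2.2 does the same for a root-owned config ("curl -L .../memflow-cli/master/daemon.conf | sudo tee /etc/memflow/daemon.conf"). Both execute or install unreviewed content that can change under the user at any time; pin the URLs to a tagged release or commit hash, and present the 2.1.2 clone-and-inspect path as the default with the one-liner as the convenience option. 2.2.1 notes that the daemon socket is restricted to the memflow group but not what that grants; a sentence that group members can read whatever memory the daemon's connectors expose, so the group should be treated as privileged, would help an administrator decide whom to add. Copy: "Recommended way" -> "The recommended way", "Daemon is currently" -> "The daemon is currently", and "You will need to logout for the group changes to be applied" -> "You will need to log out for the group changes to be applied."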
+ + diff --git a/static/woff/FiraCode-Bold.woff b/static/woff/FiraCode-Bold.woff new file mode 100644 index 0000000..d7c2099 Binary files /dev/null and b/static/woff/FiraCode-Bold.woff differ diff --git a/static/woff/FiraCode-Light.woff b/static/woff/FiraCode-Light.woff new file mode 100644 index 0000000..9e99c41 Binary files /dev/null and b/static/woff/FiraCode-Light.woff differ diff --git a/static/woff/FiraCode-Medium.woff b/static/woff/FiraCode-Medium.woff new file mode 100644 index 0000000..4ffa82d Binary files /dev/null and b/static/woff/FiraCode-Medium.woff differ diff --git a/static/woff/FiraCode-Regular.woff b/static/woff/FiraCode-Regular.woff new file mode 100644 index 0000000..01a6bfc Binary files /dev/null and b/static/woff/FiraCode-Regular.woff differ diff --git a/static/woff/FiraCode-SemiBold.woff b/static/woff/FiraCode-SemiBold.woff new file mode 100644 index 0000000..a46df49 Binary files /dev/null and b/static/woff/FiraCode-SemiBold.woff differ diff --git a/static/woff/FiraCode-VF.woff b/static/woff/FiraCode-VF.woff new file mode 100644 index 0000000..f7ac814 Binary files /dev/null and b/static/woff/FiraCode-VF.woff differ diff --git a/static/woff2/FiraCode-Bold.woff2 b/static/woff2/FiraCode-Bold.woff2 new file mode 100644 index 0000000..b76a82d Binary files /dev/null and b/static/woff2/FiraCode-Bold.woff2 differ diff --git a/static/woff2/FiraCode-Light.woff2 b/static/woff2/FiraCode-Light.woff2 new file mode 100644 index 0000000..5084487 Binary files /dev/null and b/static/woff2/FiraCode-Light.woff2 differ diff --git a/static/woff2/FiraCode-Medium.woff2 b/static/woff2/FiraCode-Medium.woff2 new file mode 100644 index 0000000..f5b273d Binary files /dev/null and b/static/woff2/FiraCode-Medium.woff2 differ diff --git a/static/woff2/FiraCode-Regular.woff2 b/static/woff2/FiraCode-Regular.woff2 new file mode 100644 index 0000000..c856e7b Binary files /dev/null and b/static/woff2/FiraCode-Regular.woff2 differ 
diff --git a/static/woff2/FiraCode-SemiBold.woff2 b/static/woff2/FiraCode-SemiBold.woff2 new file mode 100644 index 0000000..7fa2ac3 Binary files /dev/null and b/static/woff2/FiraCode-SemiBold.woff2 differ diff --git a/static/woff2/FiraCode-VF.woff2 b/static/woff2/FiraCode-VF.woff2 new file mode 100644 index 0000000..64ffe43 Binary files /dev/null and b/static/woff2/FiraCode-VF.woff2 differ diff --git a/styles.css b/styles.css new file mode 100644 index 0000000..c816615 --- /dev/null +++ b/styles.css 
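Review bot: the twelve vendored FiraCode woff/woff2 binaries arrive without a license file beside them; add the font's license text under static/ so the redistribution terms travel with the files.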
@@ -0,0 +1,154 @@ +/* You can add global styles to this file, and also import other style files */ +body { + text-align: center; } + +.pre-logo { + text-align: center; } + +.pre-logo pre { + display: inline-block; + text-align: left; } + +.logo { + display: inline-block; + text-align: left; + color: #139264; } + +.root { + display: inline-block; + margin: calc(min(10px, 1vw)); + max-width: 100%; + text-align: left; + margin-top: calc(min(55px, calc(clamp((1vw - 1vh) * 0.5, 1vh, 0vh) * 5))); } + +.pre-content { + display: inline-block; + max-width: 100%; + text-align: left; } + +.content { + margin: 30px; + width: calc(min(90vw, max(50vw, 20cm))); + max-width: calc(max(60vw, 30cm)); + doverflow: hidden; } + +.content img { + max-width: 100%; } + +.profile-img { + margin-right: 1em; + border-radius: 100%; + width: 32px; + height: 32px; } + +@font-face { + font-family: 'Fira Code'; + src: url("static/woff2/FiraCode-Light.woff2?ver=1") format("woff2"), url("static/woff/FiraCode-Light.woff?ver=1") format("woff"); + font-weight: 300; + font-style: normal; } + +@font-face { + font-family: 'Fira Code'; + src: url("static/woff2/FiraCode-Regular.woff2?ver=1") format("woff2"), url("static/woff/FiraCode-Regular.woff?ver=1") format("woff"); + font-weight: 400; + font-style: normal; } + +@font-face { + font-family: 'Fira Code'; + src: url("static/woff2/FiraCode-Medium.woff2?ver=1") format("woff2"), url("static/woff/FiraCode-Medium.woff?ver=1") format("woff"); + font-weight: 500; + font-style: normal; } + +@font-face { + font-family: 'Fira Code'; + src: url("static/woff2/FiraCode-SemiBold.woff2?ver=1") format("woff2"), url("static/woff/FiraCode-SemiBold.woff?ver=1") format("woff"); + font-weight: 600; + font-style: normal; } + +@font-face { + font-family: 'Fira Code'; + src: url("static/woff2/FiraCode-Bold.woff2?ver=1") format("woff2"), url("static/woff/FiraCode-Bold.woff?ver=1") format("woff"); + font-weight: 700; + font-style: normal; } + +@font-face { + font-family: 'Fira Code 
VF'; + src: url("static/woff2/FiraCode-VF.woff2?ver=1") format("woff2"), url("static/woff/FiraCode-VF.woff?ver=1") format("woff"); + font-weight: 300 700; + font-style: normal; } + +html { + background: #191919; + color: #FFF5EE; + font-family: Fira Code; + font-weight: 300; + font-size: 14px; } + +a { + color: #FFF5EE; + text-decoration: underline; } + a:hover { + text-decoration: none; } + +h1 { + color: #FFF5EE; + font-family: Fira Code; + font-weight: 500; + font-size: 24px; } + +h2 { + color: #FFF5EE; + font-family: Fira Code; + font-weight: 500; + font-size: 20px; } + +h3 { + color: #FFF5EE; + font-family: Fira Code; + font-weight: 500; + font-size: 16px; } + +h4 { + color: #FFF5EE; + font-family: Fira Code; + font-weight: 400; + font-size: 15px; } + +.highlight, .asciirend { + border: 2px solid #70877F; + background-color: #1e1e1e; } + .highlight pre, .asciirend pre { + padding: 7px; + margin: 0; + overflow: scroll; + overflow-x: auto; + overflow-y: hidden; + srollbar-color: rgba(70, 70, 70, 0.5) #141414; + color: #d4d4d4; + background-color: #1e1e1e; + font-family: 'Droid Sans Mono', 'monospace', monospace, 'Droid Sans Fallback'; + font-weight: normal; + font-size: 14px; + line-height: 19px; } + .highlight pre::-webkit-scrollbar, .asciirend pre::-webkit-scrollbar { + width: 15px; + height: 15px; } + .highlight pre::-webkit-scrollbar-thumb, .asciirend pre::-webkit-scrollbar-thumb { + background: rgba(70, 70, 70, 0.5); } + .highlight pre::-webkit-scrollbar-track, .asciirend pre::-webkit-scrollbar-track { + background: #141414; } + +.asciirend { + -webkit-touch-callout: none; + -webkit-user-select: none; + -khtml-user-select: none; + -moz-user-select: none; + -ms-user-select: none; + user-select: none; + overflow: hidden; } + +.code-inline { + white-space: nowrap; + background-color: #1e1e1e; + font-weight: 400; + font-size: 15px; }
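Review bot: two property names are misspelled and will be silently ignored by the browser: ".content" has "doverflow: hidden;" which should be "overflow: hidden;", and ".highlight pre, .asciirend pre" has "srollbar-color: rgba(70, 70, 70, 0.5) #141414;" which should be "scrollbar-color". In ".root", "margin-top: calc(min(55px, calc(clamp((1vw - 1vh) * 0.5, 1vh, 0vh) * 5)))" passes a maximum of 0vh to clamp(), below its minimum of 1vh, which makes the intended result hard to reason about; state the intended value directly or add a comment explaining it.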