FS_Root
The root directory of the Memory Process File System contains multiple directories and files which contains the physical memory of the target.
The files in the root directory are listed in the table below:
| Directory | Description |
|---|---|
| conf | Configuration and Status. |
| forensic | Forensic mode. |
| misc | Miscellaneous functionality |
| name | Per-process directories listed by process name. |
| pid | Per-process directories listed by process pid. |
| py | Python based plugins. |
| registry | Registry information. |
| sys | System information. |
| vm | Virtual Machine (VM) information. |
The files in the root directory are listed in the table below:
| File | Description |
|---|---|
| memory.dmp | The physical memory slightly adjusted to conform with the Microsoft crash dump format and WinDbg. |
| memory.pmem | The raw physical memory. |
The files are writable if a write-capable memory acquisition device is used.
The example below shows hex editing of the memory.pmem file which reflects the physical memory of the target being analyzed. In this example the low stub is being analyzed and the kernel page table base (PML4) is marked at address 0x10a0.
Also shown is WinDbg accessing the auto-generated memory.dmp WinDbg compatible full crash dump file.
It is possible to add sub-directories if registering general/root functionality in native plugins.