-
-
Notifications
You must be signed in to change notification settings - Fork 92
Device_DumpIt
The LeechCore library supports reading live memory by using Comae DumpIt.
Facts in short:
- Is supported on 32-bit and 64-bit Windows.
- Acquires memory in read-only mode.
- Acquired memory is assumed to be volatile.
- Have additional requirements.
The LeechCore process must be started from DumpIt in elevated administrator mode for DumpIt to be able to capture live memory.
LeechCore API:
Please specify the acquisition device type in LC_CONFIG.szDevice when calling LcCreate. The acquisition device type is dumpit.
PCILeech / MemProcFS:
Please specify the device type in the -device option or start from DumpIt directly
Examples:
-device dumpit -remote rpc://<spn>:<somehost>
DumpIt.exe /LIVEKD /A MemProcFS.exe
Depends on DumpIt.exe. Please download the latest version of DumpIt from Magnet Forensics.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖