2 unstable releases
|0.1.0||Sep 1, 2020|
|0.0.0||Sep 1, 2020|
#48 in Operating systems
Used in 3 crates
memflow is a library that allows live memory introspection of running systems and their snapshots. Due to its modular approach it trivial to support almost any scenario where Direct Memory Access is available.
The very core of the library is a PhysicalMemory that provides direct memory access in an abstract environment. This object that can be defined both statically, and dynamically with the use of the
inventory feature. If
inventory is enabled, it is possible to dynamically load libraries that provide Direct Memory Access.
Bridging the two is done by a highly throughput optimized virtual address translation function, which allows for crazy fast memory transfers at scale.
The core is architecture independent (as long as addresses fit in 64-bits), and currently both 32, and 64-bit versions of the x86 family are available to be used.
For non-rust libraries, it is possible to use the FFI to interface with the library.
In the repository you can find various examples available (which use memflow-win32 layer)
cargo build --release --workspace --all-featuresto build everything
cargo build --release --workspace --all-features --examplesto build all examples
cargo test --workspace --all-featuresto run all tests
cargo benchto run all benchmarks
cargo clippy --all-targets --all-features -- -D warningsto run clippy linting on everything
Extensive code documentation can be found on docs.rs.
An additional getting started guide as well as higher level explanations of the inner workings of memflow can be found at memflow.github.io.
If u decide to build the latest documentation you can do it by issueing:
cargo doc --workspace --no-deps --all-features --open
- run one of the examples with
cargo run --release --example(pass nothing to get a list of them).
- if ran with
qemu_procfsconnector, the runner will request root permissions to set
'CAP_SYS_PTRACE=ep'on the executables
- or run the benchmarks
cargo bench(can pass regex filters). Win32 benchmarks currently work only on Linux.
All examples support the memflow connector inventory system.
You will have to install at least one
connector to use the examples.
To install a connector just head over to the corresponding repository
and install them via the
You will find a folder called
memflow in any of the following locations:
/opt /lib /usr/lib/ /usr/local/lib /lib32 /lib64 /usr/lib32 /usr/lib64 /usr/local/lib32 /usr/local/lib64
On Windows you can put the connector dll in a folder named
that is either in your current PATH or put it in
Now you can just run the examples by providing the appropiate connector name:
Run memflow_win32/read_keys example with a procfs connector:
cargo run --example read_keys -- -vv -i target/release -c qemu_procfs -a [vmname]
Run memflow_win32/read_bench example with a coredump connector:
cargo run --example read_bench --release -- -vv -i target/release -c coredump -a coredump_win10_64bit.raw
|target||build||tests||benches||compiles on stable|
Compilation on linux and mac osx works straight of the box right now.
For compiling on Windows we currently require the
nightly rust compiler
due to a constraint in the
dummy connector that pulls in the
The same crate prevents tests and benches to be able to run aarch64 and other targets.
memflow-win32 is tested on the latest Windows 10 versions all the way down to Windows NT 4.0. If you found a version that does not work please submit an issue with the major/minor version as well as the build number.
- Provide a rust native connector for PCILeech based hardware
- Provide an UEFI Demo
- Linux target support
- CasualX for his wonderful pelite crate
- ufrisk for his prior work on the subject and many inspirations
Please check CONTRIBUTE.md