FS_Process_Modules
The modules directory exists as a sub-directory of each process directory.
It contains one sub-directory for each module loaded into the process (the process .EXE and its .DLLs).
For kernel "processes", such as the Windows System process (PID 4), the module sub-directories correspond to the loaded drivers (.SYS files and kernel .DLLs) instead.
Each module directory contains a number of informational files and directories related to the loaded module. The files and directories and their contents are listed below:
- base: base virtual address of the module.
- directories: information about the 16 data directories in the PE optional header.
- entry: entry point virtual address of the module.
- export: functions exported by the module.
- import: functions imported by the module and their corresponding modules.
- pefile.dll: best-effort reconstruction of the module file (.exe/.dll/.sys) from the memory fragments that are present; pages that were paged out or never mapped cannot be recovered.
- sections: sections of the module.
- size: size of the module.
- directoriesd: directory containing a file for each of the 16 data directories.
- sectionsd: directory containing a file for each section.
Files in the individual module directories are read-only. pefile.dll and files in the directoriesd and sectionsd sub-directories are writable if a write-capable memory acquisition device is used.
The file sections lists the PE sections of the module. The columns are: # (section index), name (section name), memory address (virtual address of the section in the process), base offset (offset of the section from the module base, i.e. its RVA), size (size of the section in memory), page (page protection of the section: r, w, x or -), file offset (offset of the section's raw data in the module file, as reconstructed in pefile.dll) and size (size of the section's raw data in the file). Note that the in-memory size and the file size of a section normally differ, so a virtual address cannot be converted to a file offset without consulting this table.

```
 # name   memory address   base offset size     page file offset size
 =====================================================================
 00 .text  00007ff7959a1000 00001000    0002e338 r-x  00000400    0002e400
 ...
 05 .rsrc  00007ff7959fb000 0005b000    000084f8 r--  0003b600    00008600
 06 .reloc 00007ff795a04000 00064000    00000308 r--  00043c00    00000400
```
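The listing above is machine-friendly, and a practitioner typically wants to check that the sections of a module are consistent and to translate an address seen in memory (an entry point, an exported function, a hooked import) into an offset in the reconstructed pefile.dll. The following Python is an added example written for this page, not code from the MemProcFS project: it parses a sections listing, recovers the module base from the memory address and base offset columns (they must agree for every section), maps a virtual address to a section and file offset, and reports sections that are both writable and executable. The sample listing is constructed from the three rows shown on this page (the elided rows are omitted), and the interpretation of "file offset" as an offset into pefile.dll is an assumption made here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the three section rows visible on this page.
# The rows the page elides ("...") are not included.
SECTIONS_TEXT = """\
 # name   memory address   base offset size     page file offset size
 =====================================================================
 00 .text  00007ff7959a1000 00001000    0002e338 r-x  00000400    0002e400
 05 .rsrc  00007ff7959fb000 0005b000    000084f8 r--  0003b600    00008600
 06 .reloc 00007ff795a04000 00064000    00000308 r--  00043c00    00000400
"""


@dataclass
class Section:
    index: int
    name: str
    va: int          # memory address: virtual address in the process
    rva: int         # base offset: offset from the module base
    vsize: int       # size in memory
    prot: str        # page protection, e.g. "r-x"
    file_off: int    # offset of the raw section data in pefile.dll (assumption)
    file_size: int   # raw size of the section data in the file


# One data row: index, name, 64-bit VA, 32-bit RVA, 32-bit size, protection,
# 32-bit file offset, 32-bit file size. Header and ruler lines do not match.
ROW = re.compile(
    r"^\s*([0-9a-f]{2})\s+(\S+)\s+([0-9a-f]{16})\s+([0-9a-f]{8})\s+([0-9a-f]{8})"
    r"\s+([r-][w-][x-])\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s*$",
    re.IGNORECASE,
)


def parse_sections(text: str) -> List[Section]:
    """Parse the text of a module's 'sections' file into Section records."""
    sections = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # column header, ruler line or blank line
        idx, name, va, rva, vsize, prot, foff, fsize = m.groups()
        sections.append(Section(int(idx, 16), name, int(va, 16), int(rva, 16),
                                int(vsize, 16), prot, int(foff, 16), int(fsize, 16)))
    return sections


def module_base(sections: List[Section]) -> int:
    """Module base = memory address - base offset; it must agree across sections."""
    bases = {s.va - s.rva for s in sections}
    if len(bases) != 1:
        raise ValueError("inconsistent module base across sections: %s" % sorted(hex(b) for b in bases))
    return bases.pop()


def find_section(sections: List[Section], va: int) -> Optional[Section]:
    """Return the section whose in-memory range contains va, or None (e.g. PE header)."""
    for s in sections:
        if s.va <= va < s.va + s.vsize:
            return s
    return None


def va_to_file_offset(sections: List[Section], va: int) -> Optional[int]:
    """Translate a virtual address into an offset in the reconstructed module file.

    Returns None when the address is outside every section or lies in the part of a
    section that exists only in memory (virtual size larger than raw file size).
    """
    s = find_section(sections, va)
    if s is None:
        return None
    delta = va - s.va
    if delta >= s.file_size:
        return None  # uninitialised tail of the section, no backing bytes in the file
    return s.file_off + delta


def executable_sections(sections: List[Section]) -> List[str]:
    """Names of sections mapped with execute permission."""
    return [s.name for s in sections if "x" in s.prot]


def rwx_sections(sections: List[Section]) -> List[str]:
    """Names of sections that are both writable and executable; worth a second look."""
    return [s.name for s in sections if "w" in s.prot and "x" in s.prot]


if __name__ == "__main__":
    secs = parse_sections(SECTIONS_TEXT)
    base = module_base(secs)
    print("module base: %#x" % base)
    for s in secs:
        print("%02x %-8s va=%#x rva=%#x vsize=%#x %s" % (s.index, s.name, s.va, s.rva, s.vsize, s.prot))
    print("executable:", executable_sections(secs), "rwx:", rwx_sections(secs))
    print("file offset of base+0x1010: %#x" % va_to_file_offset(secs, base + 0x1010))
```

To use this against a live mount, read the sections file of the module directory (for example modules/<module>/sections under the process directory) and pass its contents to parse_sections; the file offset returned can then be used to seek into pefile.dll in the same directory.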
The example below shows the files in the modules/Actioncenter.dll sub-directory of the explorer.exe process. All files relate to the Actioncenter.dll module loaded into explorer.exe.
Notepad++ shows the sections of the DLL, while the Ubuntu terminal shows the entry, size, exported functions and the first three imported functions.
The modules sub-directory is implemented as a built-in native C plugin. The plugin source is located in the file m_ldrmodules.c in the vmm project. The plugin has limited caching functionality that allows it to cache the generated listings of the export and import address tables.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖