MemProcFS

MemProcFS is a tool to access the memory of a running process. It is a FUSE file system that allows you to explore process memory in much the same way as you would browse a disk. It also provides a way to search and filter process memory, as well as a kernel module to monitor system calls.

Installation

Download the MemProcFS repository from the official GitHub page. You can clone the repository using the following command:

Usage

Mounting MemProcFS

To mount MemProcFS, run the following command:

MemProcFS.exe -device C:\Users\vboxuser\Desktop\MEMORY.DMP

Accessing Process Memory

After mounting MemProcFS, you can access the memory of a running process by navigating to the /proc directory. Each subdirectory in the /proc directory corresponds to a running process. You can access the memory of a specific process by navigating to its corresponding directory.

cd /proc
cd /proc/1234

Extracting Hashes/Passwords

You can grab extracted hashes/passwords from the memory dump using the following command:

type M:\py\regsecrets\all.txt