Skip to content

Add rawmem : raw memory image connector (RO plugin; optional RW via Rust API) #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Add rawmem : raw memory image connector (RO plugin; optional RW via Rust API) #1

wants to merge 5 commits into from

Conversation

@forensicxlab
Copy link

@forensicxlab forensicxlab commented Nov 14, 2025

Hello 👋 ,

This PR adds a new connector that maps a raw physical memory image into memflow.

  • Many forensics dumps are raw files with no header. A simple “map file at physical base” connector is useful for:
    • quick triage and scriptability,
    • testing OS layers
  • Plugin is RO focused but the crate API supports RW when needed like mentioned on the discord by segfault. I hope the code represents what he meant when discussing it.

Example ps_inventory output

 memflow-rawmem git:(main) cargo run --example ps_inventory -- "/work/MemoryForensics/20210430-Win10Home-20H2-64bit-memdump.mem"
[2025-11-14T12:33:40Z WARN  memflow::plugins::inventory] "/Users/X/.local/lib/memflow/libmemflow_win32.meta" not found, falling back via file creation date
[2025-11-14T12:33:40Z WARN  memflow::plugins::inventory] "/Users/X/.local/lib/memflow/libmemflow_rawmem.meta" not found, falling back via file creation date
[2025-11-14T12:33:40Z INFO  memflow::plugins::inventory] Found installed Os Plugin: win32 0.2.1 ("/Users/X/.local/lib/memflow/libmemflow_win32.dylib")
[2025-11-14T12:33:40Z INFO  memflow::plugins::inventory] Found installed Connector Plugin: memraw 0.2.0 ("/Users/X/.local/lib/memflow/libmemflow_rawmem.dylib")
[2025-11-14T12:33:40Z INFO  memflow::plugins::inventory] Found installed Os Plugin: win32 0.2.1 ("/Users/X/.local/lib/memflow/libmemflow_win32_ed5a039.dylib")
[2025-11-14T12:33:40Z INFO  memflow::plugins::inventory] Found installed Connector Plugin: qemu 0.2.1 ("/Users/X/.local/lib/memflow/libmemflow_qemu_2c47f89.dylib")
[2025-11-14T12:33:40Z INFO  memflow::plugins::inventory] Found installed Connector Plugin: pcileech 0.2.0 ("/Users/X/.local/lib/memflow/libmemflow_pcileech_8faf5aa.dylib")
[2025-11-14T12:33:40Z INFO  memflow::plugins::inventory] Found installed Os Plugin: native 0.2.6 ("/Users/X/.local/lib/memflow/libmemflow_native_a6513e9.dylib")
[2025-11-14T12:33:40Z INFO  memflow::plugins::inventory] Found installed Connector Plugin: coredump 0.2.1 ("/Users/X/.local/lib/memflow/libmemflow_coredump_2fdf956.dylib")
[2025-11-14T12:33:40Z INFO  memflow_rawmem] memraw: '/Users/X/work/MemoryForensics/20210430-Win10Home-20H2-64bit-memdump.mem' (RO mmap) base=0x0
[2025-11-14T12:33:40Z INFO  memflow_win32::plugins] Building kernel of type memflow_win32::win32::kernel_builder::Win32KernelBuilder<memflow::plugins::connector::cglue_connectorinstance::cglue_internal::ConnectorInstance<'_, cglue::boxed::CBox<'_, cglue::trait_group::c_void>, cglue::arc::CArc<cglue::trait_group::c_void>>, memflow::plugins::connector::cglue_connectorinstance::cglue_internal::ConnectorInstance<'_, cglue::boxed::CBox<'_, cglue::trait_group::c_void>, cglue::arc::CArc<cglue::trait_group::c_void>>, memflow::mem::virt_translate::cache::CachedVirtualTranslate<memflow::mem::virt_translate::direct_translate::DirectTranslate, memflow::types::cache::timed_validator::TimedCacheValidator>>
[2025-11-14T12:33:40Z INFO  memflow_win32::win32::kernel_info] arch=X86(64, false) kernel_hint=fffff8043cff1ca0 dtb=1aa000
[2025-11-14T12:33:40Z INFO  memflow_win32::win32::kernel_info] base=fffff8043cc00000 size=17063936
[2025-11-14T12:33:40Z INFO  memflow_win32::win32::kernel_info] kernel_guid=Some(Win32Guid { file_name: "ntkrnlmp.pdb", guid: "769C521E4833ECF72E21F02BF33691A51" })
[2025-11-14T12:33:40Z INFO  memflow_win32::kernel::ntos] trying to find NtBuildNumber export
[2025-11-14T12:33:40Z INFO  memflow_win32::kernel::ntos] NtBuildNumber found at 0xc11f48
[2025-11-14T12:33:40Z INFO  memflow_win32::kernel::ntos] trying to find RtlGetVersion export
[2025-11-14T12:33:40Z INFO  memflow_win32::kernel::ntos] RtlGetVersion found at 0x6d8200
[2025-11-14T12:33:40Z INFO  memflow_win32::kernel::ntos] nt_build_number: 4026550882
[2025-11-14T12:33:40Z INFO  memflow_win32::kernel::ntos] kernel version: 10.0.19042
[2025-11-14T12:33:40Z INFO  memflow_win32::win32::kernel_info] kernel_winver=Win32Version { nt_major_version: 10, nt_minor_version: 0, nt_build_number: 4026550882 }
[2025-11-14T12:33:40Z INFO  memflow_win32::kernel::sysproc] PsInitialSystemProcess found at 0xfffff8043d8fc420
[2025-11-14T12:33:40Z INFO  memflow_win32::win32::kernel_info] eprocess_base=ffffbf0f64a63080
[2025-11-14T12:33:40Z INFO  memflow_win32::win32::kernel_info] start_block.dtb=1aa000
[2025-11-14T12:33:40Z INFO  memflow_win32_defs::offsets::symstore] reading pdb from local cache: /Users/X/Library/Caches/memflow/ntkrnlmp.pdb/769C521E4833ECF72E21F02BF33691A51
[2025-11-14T12:33:40Z INFO  memflow_win32::win32::kernel] updating connector mem_map=MemoryMapping: base=1000 size=9e000 real_base=1000
    MemoryMapping: base=100000 size=2000 real_base=100000
    MemoryMapping: base=103000 size=dfeed000 real_base=103000
    MemoryMapping: base=100000000 size=20000000 real_base=100000000
[2025-11-14T12:33:40Z INFO  memflow_win32::win32::kernel] updating sysproc_dtb=1aa000
[2025-11-14T12:33:40Z INFO  ps_inventory]   PID   SYS ARCH  PROC ARCH NAME
[2025-11-14T12:33:40Z INFO  ps_inventory]     4   x86_64     x86_64   System
[2025-11-14T12:33:40Z INFO  ps_inventory]   108   x86_64     x86_64   Registry
[2025-11-14T12:33:40Z INFO  ps_inventory]   396   x86_64     x86_64   smss.exe
[2025-11-14T12:33:40Z INFO  ps_inventory]   492   x86_64     x86_64   csrss.exe
[2025-11-14T12:33:40Z INFO  ps_inventory]   568   x86_64     x86_64   wininit.exe
[2025-11-14T12:33:40Z INFO  ps_inventory]   584   x86_64     x86_64   csrss.exe
[2025-11-14T12:33:40Z INFO  ps_inventory]   668   x86_64     x86_64   winlogon.exe
[2025-11-14T12:33:40Z INFO  ps_inventory]   712   x86_64     x86_64   services.exe
[2025-11-14T12:33:40Z INFO  ps_inventory]   736   x86_64     x86_64   lsass.exe
[2025-11-14T12:33:40Z INFO  ps_inventory]   856   x86_64     x86_64   svchost.exe
[2025-11-14T12:33:40Z INFO  ps_inventory]   884   x86_64     x86_64   fontdrvhost.exe
[2025-11-14T12:33:40Z INFO  ps_inventory]   892   x86_64     x86_64   fontdrvhost.exe
[2025-11-14T12:33:40Z INFO  ps_inventory]   976   x86_64     x86_64   svchost.exe
[2025-11-14T12:33:40Z INFO  ps_inventory]   320   x86_64     x86_64   svchost.exe
[2025-11-14T12:33:40Z INFO  ps_inventory]   564   x86_64     x86_64   LogonUI.exe
[2025-11-14T12:33:40Z INFO  ps_inventory]   560   x86_64     x86_64   dwm.exe
[2025-11-14T12:33:40Z INFO  ps_inventory]  1080   x86_64     x86_64   svchost.exe
[...]

Very new to this project as a contributor and still figuring out the whole framework internals so I hope this is done the right way. Let me know what you think :)

Cheers.
k1nd0ne.

This was referenced Nov 14, 2025
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@forensicxlab