We'll start with a very simple task: what if we want to list the running processes on the local machine?
In classic C# this is solved by Process.GetProcesses().
But as we're operating within the EyeAuras API, we have additional capabilities that let us switch very easily between different memory-reading techniques in order to counteract any defensive measures out there.
using EyeAuras.Memory;
var processes = LocalProcess.GetProcesses(); // classic user-mode enumeration
Log.Info(processes.DumpToNamedTable("Processes")); // render the list as a named table in the EventLog
As a result of running that script, you should see something like this in the EventLog: a list with very basic information about the running processes, containing their ProcessId (aka PID) and ProcessName.
Now we'll use a different approach: instead of using LocalProcess as our entry point, we'll call LCProcess (LeechCore Process). LeechCore is a fantastic library developed by Ulf Frisk.
LeechCore supports several so-called acquisition devices, and you can find more about the available arguments on his Wiki.
using EyeAuras.Memory;
using EyeAuras.Memory.MPFS; // LCProcess lives inside MPFS
var processes = LCProcess.WinPMEM().GetProcesses(); // read through the WinPMEM kernel driver
Log.Info(processes.DumpToNamedTable("Processes"));
LCProcess.WinPMEM().GetProcesses(); // use the WinPMEM kernel driver
LCProcess.WinPMEM().WithAdditionalArguments("-printf", "-v").GetProcesses(); // same, but with verbose logging
// using other acquisition devices
LCProcess.FPGA().GetProcesses(); // use an FPGA DMA PCI-E device
LCProcess.HyperV().GetProcesses(); // read from the first Hyper-V VM on the system
// or go full-custom with LeechCore args
LCProcess.Custom("-device", "pmem").GetProcesses(); // lets you supply any custom LeechCore arguments
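As an added example (not taken from the EyeAuras documentation), the two entry points above can be combined into a cross-view check: processes that the LeechCore/WinPMEM path reports but LocalProcess does not, and vice versa. It assumes that GetProcesses() returns an enumerable of objects exposing ProcessId and ProcessName, as the EventLog table above suggests, and that DumpToNamedTable accepts any such collection; the variable names are mine.

```csharp
using System.Linq;
using EyeAuras.Memory;
using EyeAuras.Memory.MPFS; // LCProcess lives inside MPFS

// Assumption: GetProcesses() yields items exposing ProcessId and ProcessName.
var userView = LocalProcess.GetProcesses().ToList();           // classic user-mode view
var kernelView = LCProcess.WinPMEM().GetProcesses().ToList();  // view through the WinPMEM kernel driver

var userIds = userView.Select(p => p.ProcessId).ToHashSet();
var kernelIds = kernelView.Select(p => p.ProcessId).ToHashSet();

// Processes that only one acquisition path reports. A PID present only in the
// kernel-level view is the classic hint of a hidden process; a PID present only in
// the user-mode view usually means it started or exited between the two snapshots.
var onlyInKernelView = kernelView.Where(p => !userIds.Contains(p.ProcessId)).ToList();
var onlyInUserView = userView.Where(p => !kernelIds.Contains(p.ProcessId)).ToList();

Log.Info($"LocalProcess: {userView.Count} processes, LCProcess/WinPMEM: {kernelView.Count} processes");
Log.Info(onlyInKernelView.DumpToNamedTable("Only visible via WinPMEM"));
Log.Info(onlyInUserView.DumpToNamedTable("Only visible via LocalProcess"));
```

Because the two snapshots are not taken atomically, a short-lived process can land in either "only" table; re-running the script and keeping just the PIDs that persist across runs filters that noise out.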