Device_WinPMEM

Memory Acquisition Method: WinPmem

The LeechCore library supports reading live memory by using the WinPmem driver.

Facts in short:

• Is supported on 32-bit and 64-bit Windows.
• Acquires memory in read-only mode.
• Acquired memory is assumed to be volatile.
• Have additional requirements.

The LeechCore process must be started as elevated administrator in order to load the WinPmem memory acquisition driver into the kernel. The driver itself must also be accessible and exist on the C: drive.

---

Connection string:

LeechCore API:

Please specify the acquisition device type in LC_CONFIG.szDevice when calling LcCreate. If the required driver winpmem_x64.sys (for 64-bit systems or corresponding driver for 32-bit systems) exists in the same folder as the LeechCore please specify the string as pmem. If the required driver exists elsewhere specify it as pmem://<path_to_driver\winpmem_64.sys.

PCILeech / MemProcFS:

Please specify the device type in the -device option.

Examples:

-device pmem

-device "pmem://C:\Temp\WinPmem\kernel\binaries\winpmem_x64.sys"

---

Requirements:

Depends on the pmem driver: winpmem_x64.sys (or corresponding 32-bit versions if required). Please download winpmem from the WinPmem Github repo. Copy the signed driver file.

The driver file must be placed on a local fixed drive - such as C: in order for it to be able to be used.