SuperFetch is a Rust library designed to speed up the memory tool and exploit development on Windows systems. This crate will help you to quickly turn the virtual address to physical, using one simple function.
This crate utilizes the Superfetch. This is a Windows service that can speed up data access by preloading it. If you are wondering how it works, I strongly recommend you to read these articles:
- Inside windows page frame numbers by Sina Karvandi
- Windows address translation deep dive by 0x14c
- The SuperFetch Query superpower by Viking
Later, I will write a small note explaining his technique on the high level, and leave it on project github.
This crate is based on the C++ library superfetch created by jonomango.
use superfetch::MemoryMap;
fn main() {
let nt_base: LPVOID = get_base_addr("ntoskrnl.exe")?;
let mm = unsafe { MemoryMap::snapshot()? };
match mm.translate(nt_base){
Ok(nt_base_pa) => {
println!("[*] ntoskrnl.exe VA: {:p}", nt_base);
println!("[*] ntosktrl.exe PA: {:#x}", nt_base_pa);
}
Err(e) => {
println!("[!] {}", e);
}
}
}You can find full example in example folder.
Example work demo. Successfull translate virtual memory to physical.
If you have any idea how to improve this crate, want to update it or want to make it utilize more of superfetch magic (ex: list running processes or other), feel free to open an issue or pull request.
prod by I3r1h0n.