FS_Process_Console
The directory console exists as a sub-directory in each conhost.exe process directory.
The console module recovers console information from the conhost.exe attached to a console application. Currently only the console text (with the commands visible) are recovered.
The files in the console directory are listed in the table below:
| File | Description |
|---|---|
| console.txt | Recovered text from the console. |
Facts in short:
- Supports Windows 7+
- Does not support Windows terminal (yet).
- May sometimes fail if memory is paged out and/or heap parsing has failed.
- Only recovers console text information, not command history (commands are visible in the console text though).
- Does not handle console wrap-arounds. If a wrap-around has taken place it may take place in the middle of the recovered console text.
Files in the console directory are read-only.
The example below shows a recovered console text screen showing some commands the user has entered.
The console sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_proc_console.c in the vmm project.