Version 2.18

ufrisk · Mar 26, 2024 · 8cdd20e · 8cdd20e
1 parent 0b9d4f0
commit 8cdd20e
Show file tree

Hide file tree

Showing 15 changed files with 599 additions and 16 deletions.
diff --git a/README.md b/README.md
@@ -233,16 +233,20 @@ v1.0-1.8
 * Improved FPGA performance for smaller reads.
 * QEMU support on Linux (VM live memory introspection).
 * Improved [MemProcFS remoting](https://github.com/ufrisk/MemProcFS/wiki/_Remoting) via a remote [LeechAgent](https://github.com/ufrisk/LeechCore/wiki/LeechAgent). Full MemProcFS remote support over SMB - tcp/445. Perfect for memory forensics Incident Response (IR)!
-</details>
 
 [v2.16](https://github.com/ufrisk/LeechCore/releases/tag/v2.16)
 * PCIe BAR information and user callback (easier implementation of custom devices).
 * ARM64 memory dump (.dmp) and VMWare Fusion (.vmem/.vmsn) support.
 * Improved handling of PCIe TLP user callback.
+</details>
 
 [v2.17](https://github.com/ufrisk/LeechCore/releases/tag/v2.17)
 * Bug fixes.
 * I/O BAR support.
 * Support for plugin device drivers.
 * Linux PCIe FPGA performance improvements.
 * Linux PCIe FPGA multiple devices (devindex) supported.
+
+[v2.18](https://github.com/ufrisk/LeechCore/releases/tag/v2.18)
+* Bug fixes.
+* Hibernation file support.
diff --git a/includes/lib32/leechcore.lib b/includes/lib32/leechcore.lib
diff --git a/includes/lib64/leechcore.lib b/includes/lib64/leechcore.lib
diff --git a/includes/libarm64/leechcore.lib b/includes/libarm64/leechcore.lib
diff --git a/leechagent/version.h b/leechagent/version.h
@@ -2,9 +2,9 @@
 #define STRINGIZE(s) STRINGIZE2(s)
 
 #define VERSION_MAJOR               2
-#define VERSION_MINOR               17
-#define VERSION_REVISION            4
-#define VERSION_BUILD               68
+#define VERSION_MINOR               18
+#define VERSION_REVISION            0
+#define VERSION_BUILD               69
 
 #define VER_FILE_DESCRIPTION_STR    "LeechAgent Memory Acquisition Service"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

diff --git a/leechcore/Makefile b/leechcore/Makefile
@@ -10,7 +10,7 @@ CFLAGS  += -fPIE -fPIC -pie -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O1 -Wl
 CFLAGS  += -Wall -Wno-multichar -Wno-unused-result -Wno-unused-variable -Wno-unused-value -Wno-pointer-to-int-cast -Wno-int-to-pointer-cast
 LDFLAGS += -g -ldl -shared
 DEPS = leechcore.h
-OBJ = oscompatibility.o leechcore.o util.o memmap.o device_file.o device_fpga.o device_pmem.o device_tmd.o device_usb3380.o device_vmm.o device_vmware.o leechrpcclient.o ob/ob_core.o ob/ob_map.o ob/ob_set.o ob/ob_bytequeue.o
+OBJ = oscompatibility.o leechcore.o util.o memmap.o device_file.o device_fpga.o device_hibr.o device_pmem.o device_tmd.o device_usb3380.o device_vmm.o device_vmware.o leechrpcclient.o ob/ob_core.o ob/ob_map.o ob/ob_set.o ob/ob_bytequeue.o
 
 %.o: %.c $(DEPS)
 	$(CC) -c -o $@ $< $(CFLAGS)

diff --git a/leechcore/device_file.c b/leechcore/device_file.c
@@ -8,6 +8,13 @@
 #include "leechcore_internal.h"
 #include "util.h"
 
+//-----------------------------------------------------------------------------
+// DEFINES: HIBERNATION 'HIBR' FILE DEVICE
+//-----------------------------------------------------------------------------
+
+_Success_(return)
+BOOL DeviceHIBR_Open(_Inout_ PLC_CONTEXT ctxLC, _Out_opt_ PPLC_CONFIG_ERRORINFO ppLcCreateErrorInfo);
+
 //-----------------------------------------------------------------------------
 // DEFINES: MICROSOFT CRASH DUMP DEFINES
 //-----------------------------------------------------------------------------
@@ -844,7 +851,7 @@ VOID DeviceFile_Close(_Inout_ PLC_CONTEXT ctxLC)
 _Success_(return)
 BOOL DeviceFile_Open(_Inout_ PLC_CONTEXT ctxLC, _Out_opt_ PPLC_CONFIG_ERRORINFO ppLcCreateErrorInfo)
 {
-    DWORD i;
+    DWORD i, dwFileMagic = 0;
     LPSTR szType;
     PDEVICE_CONTEXT_FILE ctx;
     PLC_DEVICE_PARAMETER_ENTRY pParam;
@@ -872,6 +879,19 @@ BOOL DeviceFile_Open(_Inout_ PLC_CONTEXT ctxLC, _Out_opt_ PPLC_CONFIG_ERRORINFO
     }
     // open backing file:
     if(fopen_s(&ctx->File[0].h, ctx->szFileName, (ctxLC->Config.fWritable ? "r+b" : "rb")) || !ctx->File[0].h) { goto fail; }
+    {
+        // check if file is hibernation file, in which case delegate open to hibr device:
+        _fseeki64(ctx->File[0].h, 0, SEEK_SET);
+        fread(&dwFileMagic, 1, sizeof(DWORD), ctx->File[0].h);
+        if(dwFileMagic == 0x52424948) {     // 'HIBR'
+            strncpy_s(ctxLC->Config.szDevice, _countof(ctxLC->Config.szDevice), "hibr://file=", _TRUNCATE);
+            strncpy_s(ctxLC->Config.szDevice + 12, _countof(ctxLC->Config.szDevice) - 12, ctx->szFileName, _TRUNCATE);
+            strncpy_s(ctxLC->Config.szDeviceName, _countof(ctxLC->Config.szDeviceName), "hibr", _TRUNCATE);
+            LocalFree(ctx);
+            LcCreate_FetchDeviceParameter(ctxLC);
+            return DeviceHIBR_Open(ctxLC, ppLcCreateErrorInfo);
+        }
+    }
     InitializeCriticalSection(&ctx->File[0].Lock);
     if(_fseeki64(ctx->File[0].h, 0, SEEK_END)) { goto fail; }   // seek to end of file
     ctx->cbFile = _ftelli64(ctx->File[0].h);                    // get current file pointer