Version 5.12

ufrisk · Oct 9, 2024 · 62bebfe · 62bebfe
1 parent e47352b
commit 62bebfe
Show file tree

Hide file tree

Showing 40 changed files with 2,928 additions and 223 deletions.
diff --git a/.gitignore b/.gitignore
@@ -25,6 +25,8 @@ Cargo.lock
 /vmmsharp/example/.vs
 /vmmsharp/example/bin
 /vmmsharp/example/obj
+/vmmsharp/example_48/bin
+/vmmsharp/example_48/obj
 /vmmsharp/vmmsharp/.vs
 /vmmsharp/vmmsharp/bin
 /vmmsharp/vmmsharp/obj
diff --git a/README.md b/README.md
@@ -229,6 +229,7 @@ v5.8
 * Bug fixes.
 * [New Vmmsharp C# API](https://github.com/ufrisk/MemProcFS/wiki/API_CSharp).
 
-Latest:
+[v5.12](https://github.com/ufrisk/MemProcFS/releases/tag/v5.12)
 * Bug fixes.
-* Minor updates (FindEvil, New signatures, etc.).
+* updates (FindEvil, New signatures, etc.).
+* New APIs for Kernel Objects, Drivers and Devices.
diff --git a/includes/lib32/leechcore.lib b/includes/lib32/leechcore.lib
diff --git a/includes/lib32/vmm.lib b/includes/lib32/vmm.lib
diff --git a/includes/lib64/leechcore.lib b/includes/lib64/leechcore.lib
diff --git a/includes/lib64/vmm.lib b/includes/lib64/vmm.lib
diff --git a/includes/vmmdll.h b/includes/vmmdll.h
@@ -11,7 +11,7 @@
 // (c) Ulf Frisk, 2018-2024
 // Author: Ulf Frisk, pcileech@frizk.net
 //
-// Header Version: 5.10
+// Header Version: 5.12
 //
 
 #include "leechcore.h"
@@ -773,9 +773,10 @@ VOID VMMDLL_LogEx(
 #define VMMDLL_FLAG_NOPAGING_IO                     0x0020  // do not try to retrieve memory from paged out memory if read would incur additional I/O (even if possible).
 #define VMMDLL_FLAG_NOCACHEPUT                      0x0100  // do not write back to the data cache upon successful read from memory acquisition device.
 #define VMMDLL_FLAG_CACHE_RECENT_ONLY               0x0200  // only fetch from the most recent active cache region when reading.
-#define VMMDLL_FLAG_NO_PREDICTIVE_READ              0x0400  // do not perform additional predictive page reads (default on smaller requests).
-#define VMMDLL_FLAG_FORCECACHE_READ_DISABLE         0x0800  // disable/override any use of VMM_FLAG_FORCECACHE_READ. only recommended for local files. improves forensic artifact order.
+#define VMMDLL_FLAG_NO_PREDICTIVE_READ              0x0400  // (deprecated/unused).
+#define VMMDLL_FLAG_FORCECACHE_READ_DISABLE         0x0800  // disable/override any use of VMMDLL_FLAG_FORCECACHE_READ. only recommended for local files. improves forensic artifact order.
 #define VMMDLL_FLAG_SCATTER_PREPAREEX_NOMEMZERO     0x1000  // do not zero out the memory buffer when preparing a scatter read.
+#define VMMDLL_FLAG_NOMEMCALLBACK                   0x2000  // do not call user-set memory callback functions when reading memory (even if active).
 
 /*
 * Read memory in various non-contigious locations specified by the pointers to
@@ -1048,6 +1049,9 @@ VOID VMMDLL_Scatter_CloseHandle(_In_opt_ _Post_ptr_invalid_ VMMDLL_SCATTER_HANDL
 #define VMMDLL_MAP_THREAD_VERSION           4
 #define VMMDLL_MAP_HANDLE_VERSION           3
 #define VMMDLL_MAP_POOL_VERSION             2
+#define VMMDLL_MAP_KOBJECT_VERSION          1
+#define VMMDLL_MAP_KDRIVER_VERSION          1
+#define VMMDLL_MAP_KDEVICE_VERSION          1
 #define VMMDLL_MAP_NET_VERSION              3
 #define VMMDLL_MAP_PHYSMEM_VERSION          2
 #define VMMDLL_MAP_USER_VERSION             2
@@ -1372,6 +1376,38 @@ typedef struct tdVMMDLL_MAP_POOLENTRY {
     DWORD _Filler;
 } VMMDLL_MAP_POOLENTRY, *PVMMDLL_MAP_POOLENTRY;
 
+typedef struct tdVMMDLL_MAP_KDEVICEENTRY {
+    QWORD va;                                       // Address of this object in memory.
+    DWORD iDepth;                                   // Depth of the device object.
+    DWORD dwDeviceType;                             // Device type according to FILE_DEVICE_*
+    union { LPSTR  uszDeviceType; LPWSTR wszDeviceType; }; // Device type name.
+    QWORD vaDriverObject;                           // Address of the driver object.
+    QWORD vaAttachedDevice;                         // Address of the attached device object (if exists).
+    QWORD vaFileSystemDevice;                       // Address of the file system device object (if exists).
+    union { LPSTR  uszVolumeInfo; LPWSTR wszVolumeInfo; }; // Volume information (if exists) .
+} VMMDLL_MAP_KDEVICEENTRY, *PVMMDLL_MAP_KDEVICEENTRY;
+
+typedef struct tdVMMDLL_MAP_KDRIVERENTRY {
+    QWORD va;                                       // Address of this object in memory.
+    QWORD vaDriverStart;                            // Address of the loaded driver module in memory.
+    QWORD cbDriverSize;                             // Size of the loaded driver module in memory.
+    QWORD vaDeviceObject;                           // Address of the device object.
+    union { LPSTR  uszName; LPWSTR wszName; };      // Driver name.
+    union { LPSTR  uszPath; LPWSTR wszPath; };      // Driver path.
+    union { LPSTR  uszServiceKeyName; LPWSTR wszServiceKeyName; }; // Service key name.
+    QWORD MajorFunction[28];                        // Major function array.
+} VMMDLL_MAP_KDRIVERENTRY, *PVMMDLL_MAP_KDRIVERENTRY;
+
+typedef struct tdVMMDLL_MAP_KOBJECTENTRY {
+    QWORD va;                                       // Address of this object in memory.
+    QWORD vaParent;                                 // Address of parent object.
+    DWORD _Filler;
+    DWORD cvaChild;                                 // Number of child object addresses.
+    PQWORD pvaChild;                                // Array of child object addresses.
+    union { LPSTR uszName; LPWSTR wszName; };       // Object name.
+    union { LPSTR uszType; LPWSTR wszType; };       // Object type
+} VMMDLL_MAP_KOBJECTENTRY, *PVMMDLL_MAP_KOBJECTENTRY;
+
 typedef struct tdVMMDLL_MAP_NETENTRY {
     DWORD dwPID;
     DWORD dwState;
@@ -1563,6 +1599,33 @@ typedef struct tdVMMDLL_MAP_POOL {
     VMMDLL_MAP_POOLENTRY pMap[];    // map entries.
 } VMMDLL_MAP_POOL, *PVMMDLL_MAP_POOL;
 
+typedef struct tdVMMDLL_MAP_KOBJECT {
+    DWORD dwVersion;                // VMMDLL_MAP_KOBJECT_VERSION
+    DWORD _Reserved1[5];
+    PBYTE pbMultiText;              // multi-wstr pointed into by VMM_MAP_NETENTRY.wszText
+    DWORD cbMultiText;
+    DWORD cMap;                     // # map entries.
+    VMMDLL_MAP_KOBJECTENTRY pMap[]; // map entries.
+} VMMDLL_MAP_KOBJECT, *PVMMDLL_MAP_KOBJECT;
+
+typedef struct tdVMMDLL_MAP_KDRIVER {
+    DWORD dwVersion;                // VMMDLL_MAP_KDRIVER_VERSION
+    DWORD _Reserved1[5];
+    PBYTE pbMultiText;              // multi-wstr pointed into by VMM_MAP_NETENTRY.wszText
+    DWORD cbMultiText;
+    DWORD cMap;                     // # map entries.
+    VMMDLL_MAP_KDRIVERENTRY pMap[]; // map entries.
+} VMMDLL_MAP_KDRIVER, *PVMMDLL_MAP_KDRIVER;
+
+typedef struct tdVMMDLL_MAP_KDEVICE {
+    DWORD dwVersion;                // VMMDLL_MAP_KDEVICE_VERSION
+    DWORD _Reserved1[5];
+    PBYTE pbMultiText;              // multi-wstr pointed into by VMM_MAP_NETENTRY.wszText
+    DWORD cbMultiText;
+    DWORD cMap;                     // # map entries.
+    VMMDLL_MAP_KDEVICEENTRY pMap[]; // map entries.
+} VMMDLL_MAP_KDEVICE, *PVMMDLL_MAP_KDEVICE;
+
 typedef struct tdVMMDLL_MAP_NET {
     DWORD dwVersion;                // VMMDLL_MAP_NET_VERSION
     DWORD _Reserved1;
@@ -1770,6 +1833,39 @@ _Success_(return) BOOL VMMDLL_Map_GetHandleW(_In_ VMM_HANDLE hVMM, _In_ DWORD dw
 EXPORTED_FUNCTION
 _Success_(return) BOOL VMMDLL_Map_GetPhysMem(_In_ VMM_HANDLE hVMM, _Out_ PVMMDLL_MAP_PHYSMEM *ppPhysMemMap);
 
+/*
+* Retrieve the kernel device map - consisting of kernel device objects.
+* CALLER FREE: VMMDLL_MemFree(*ppKDeviceMap)
+* -- hVMM
+* -- ppKDeviceMap = ptr to receive result on success. must be free'd with VMMDLL_MemFree().
+* -- return = success/fail.
+*/
+EXPORTED_FUNCTION
+_Success_(return) BOOL VMMDLL_Map_GetKDeviceU(_In_ VMM_HANDLE hVMM, _Out_ PVMMDLL_MAP_KDEVICE *ppKDeviceMap);
+_Success_(return) BOOL VMMDLL_Map_GetKDeviceW(_In_ VMM_HANDLE hVMM, _Out_ PVMMDLL_MAP_KDEVICE *ppKDeviceMap);
+
+/*
+* Retrieve the kernel driver map - consisting of kernel driver objects.
+* CALLER FREE: VMMDLL_MemFree(*ppKDriverMap)
+* -- hVMM
+* -- ppKDriverMap = ptr to receive result on success. must be free'd with VMMDLL_MemFree().
+* -- return = success/fail.
+*/
+EXPORTED_FUNCTION
+_Success_(return) BOOL VMMDLL_Map_GetKDriverU(_In_ VMM_HANDLE hVMM, _Out_ PVMMDLL_MAP_KDRIVER *ppKDriverMap);
+_Success_(return) BOOL VMMDLL_Map_GetKDriverW(_In_ VMM_HANDLE hVMM, _Out_ PVMMDLL_MAP_KDRIVER *ppKDriverMap);
+
+/*
+* Retrieve the kernel object map - consisting of kernel objects such as devices, drivers and other objects.
+* CALLER FREE: VMMDLL_MemFree(*ppKObjectMap)
+* -- hVMM
+* -- ppKObjectMap = ptr to receive result on success. must be free'd with VMMDLL_MemFree().
+* -- return = success/fail.
+*/
+EXPORTED_FUNCTION
+_Success_(return) BOOL VMMDLL_Map_GetKObjectU(_In_ VMM_HANDLE hVMM, _Out_ PVMMDLL_MAP_KOBJECT *ppKObjectMap);
+_Success_(return) BOOL VMMDLL_Map_GetKObjectW(_In_ VMM_HANDLE hVMM, _Out_ PVMMDLL_MAP_KOBJECT *ppKObjectMap);
+
 /*
 * Retrieve the pool map - consisting of kernel allocated pool entries.
 * The pool map pMap is sorted by allocation virtual address.

diff --git a/m_vmemd/version.h b/m_vmemd/version.h
@@ -2,9 +2,9 @@
 #define STRINGIZE(s) STRINGIZE2(s)
 
 #define VERSION_MAJOR               5
-#define VERSION_MINOR               11
-#define VERSION_REVISION            7
-#define VERSION_BUILD               175
+#define VERSION_MINOR               12
+#define VERSION_REVISION            0
+#define VERSION_BUILD               177
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS : Plugin vmemd"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

diff --git a/memprocfs/version.h b/memprocfs/version.h
@@ -2,9 +2,9 @@
 #define STRINGIZE(s) STRINGIZE2(s)
 
 #define VERSION_MAJOR               5
-#define VERSION_MINOR               11
-#define VERSION_REVISION            7
-#define VERSION_BUILD               175
+#define VERSION_MINOR               12
+#define VERSION_REVISION            0
+#define VERSION_BUILD               177
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

diff --git a/vmm/ob/ob_bytequeue.c b/vmm/ob/ob_bytequeue.c
@@ -110,24 +110,28 @@ _Success_(return)
 BOOL _ObByteQueue_Push(_In_ POB_BYTEQUEUE pq, _In_opt_ QWORD qwTag, _In_ SIZE_T cb, _In_reads_bytes_(cb) PBYTE pb)
 {
     PBYTEQUEUE_PACKET p;
-    if(cb >= 0x80000000) {
+    SIZE_T cboEoQ, cbEoQ, cbPkt = sizeof(BYTEQUEUE_PACKET) + cb;
+    if(pq->cb < cbPkt) {
         return FALSE;
     }
-    if(pq->cPackets) {
+    if(!pq->cPackets) {
+        // 1st packet to be inserted at start-of-queue.
+        p = (PBYTEQUEUE_PACKET)pq->pb;
+    } else {
+        // Nth packet to be inserted at end-of-queue.
         p = (PBYTEQUEUE_PACKET)(pq->pb + pq->cboTail);
-        if(pq->cb - sizeof(BYTEQUEUE_PACKET) - p->cb >= cb + sizeof(BYTEQUEUE_PACKET)) {
-            p->cboNext = (DWORD)((SIZE_T)p - (SIZE_T)pq->pb + sizeof(BYTEQUEUE_PACKET) + p->cb);
+        cboEoQ = pq->cboTail + sizeof(BYTEQUEUE_PACKET) + p->cb;
+        cbEoQ = ((pq->cboHead < cboEoQ) ? pq->cb : pq->cboHead) - cboEoQ;
+        if(cbEoQ >= cbPkt) {
+            // Insert packet at next position in the circular buffer.
+            p->cboNext = (DWORD)cboEoQ;
             p = (PBYTEQUEUE_PACKET)(pq->pb + p->cboNext);
-        } else if(pq->cboHead >= cb + sizeof(BYTEQUEUE_PACKET)) {
+        } else if((pq->cboTail > pq->cboHead) && (pq->cboHead >= cbPkt)) {
+            // Insert packet at start of the circular buffer.
             p->cboNext = 0;
-            p = (PBYTEQUEUE_PACKET)pq->pb;
-        } else {
-            return FALSE;
-        }
-    } else {
-        if(pq->cb >= cb + sizeof(BYTEQUEUE_PACKET)) {
-            p = (PBYTEQUEUE_PACKET)pq->pb;
+            p = (PBYTEQUEUE_PACKET)(pq->pb + p->cboNext);
         } else {
+            // Not enough space.
             return FALSE;
         }
     }

diff --git a/vmm/ob/ob_map.c b/vmm/ob/ob_map.c
@@ -844,16 +844,20 @@ BOOL _ObMap_Push(_In_ POB_MAP pm, _In_ QWORD qwKey, _In_ PVOID pvObject)
     if(!pm->Directory[OB_MAP_INDEX_DIRECTORY(iEntry)][OB_MAP_INDEX_TABLE(iEntry)]) {    // allocate "store" if required
         if(!(pm->Directory[OB_MAP_INDEX_DIRECTORY(iEntry)][OB_MAP_INDEX_TABLE(iEntry)] = LocalAlloc(LMEM_ZEROINIT, sizeof(OB_MAP_ENTRY) * OB_MAP_ENTRIES_STORE))) { return FALSE; }
     }
-    if(pm->fObjectsOb) {
-        Ob_INCREF(pvObject);
-    }
     pm->c++;
-    pe = _ObMap_GetFromIndex(pm, iEntry);
-    pe->k = qwKey;
-    pe->v = pvObject;
-    _ObMap_InsertHash(pm, TRUE, iEntry);
-    _ObMap_InsertHash(pm, FALSE, iEntry);
-    return TRUE;
+    if((pe = _ObMap_GetFromIndex(pm, iEntry))) {
+        if(pm->fObjectsOb) {
+            Ob_INCREF(pvObject);
+        }
+        pe->k = qwKey;
+        pe->v = pvObject;
+        _ObMap_InsertHash(pm, TRUE, iEntry);
+        _ObMap_InsertHash(pm, FALSE, iEntry);
+        return TRUE;
+    } else {
+        pm->c--;
+        return FALSE;
+    }
 }
 
 _Success_(return)

diff --git a/vmm/statistics.h b/vmm/statistics.h
@@ -37,6 +37,7 @@ typedef enum tdSTATISTICS_ID {
     STATISTICS_ID_VMMDLL_MemWriteScatter,
     STATISTICS_ID_VMMDLL_MemWrite,
     STATISTICS_ID_VMMDLL_MemVirt2Phys,
+    STATISTICS_ID_VMMDLL_MemCallback,
     STATISTICS_ID_VMMDLL_MemSearch,
     STATISTICS_ID_VMMDLL_MemPrefetchPages,
     STATISTICS_ID_VMMDLL_PidList,
@@ -59,6 +60,9 @@ typedef enum tdSTATISTICS_ID {
     STATISTICS_ID_VMMDLL_Map_GetHandle,
     STATISTICS_ID_VMMDLL_Map_GetPhysMem,
     STATISTICS_ID_VMMDLL_Map_GetPool,
+    STATISTICS_ID_VMMDLL_Map_GetKObject,
+    STATISTICS_ID_VMMDLL_Map_GetKDriver,
+    STATISTICS_ID_VMMDLL_Map_GetKDevice,
     STATISTICS_ID_VMMDLL_Map_GetNet,
     STATISTICS_ID_VMMDLL_Map_GetUsers,
     STATISTICS_ID_VMMDLL_Map_GetVM,
@@ -123,6 +127,7 @@ static LPCSTR STATISTICS_ID_STR[STATISTICS_ID_MAX] = {
     [STATISTICS_ID_VMMDLL_MemWriteScatter]          = "VMMDLL_MemWriteScatter",
     [STATISTICS_ID_VMMDLL_MemWrite]                 = "VMMDLL_MemWrite",
     [STATISTICS_ID_VMMDLL_MemVirt2Phys]             = "VMMDLL_MemVirt2Phys",
+    [STATISTICS_ID_VMMDLL_MemCallback]              = "VMMDLL_MemCallback",
     [STATISTICS_ID_VMMDLL_MemSearch]                = "VMMDLL_MemSearch",
     [STATISTICS_ID_VMMDLL_MemPrefetchPages]         = "VMMDLL_MemPrefetchPages",
     [STATISTICS_ID_VMMDLL_PidList]                  = "VMMDLL_PidList",
@@ -145,6 +150,9 @@ static LPCSTR STATISTICS_ID_STR[STATISTICS_ID_MAX] = {
     [STATISTICS_ID_VMMDLL_Map_GetHandle]            = "VMMDLL_Map_GetHandle",
     [STATISTICS_ID_VMMDLL_Map_GetPhysMem]           = "VMMDLL_Map_GetPhysMem",
     [STATISTICS_ID_VMMDLL_Map_GetPool]              = "VMMDLL_Map_GetPool",
+    [STATISTICS_ID_VMMDLL_Map_GetKObject]           = "VMMDLL_Map_GetKObject",
+    [STATISTICS_ID_VMMDLL_Map_GetKDriver]           = "VMMDLL_Map_GetKDriver",
+    [STATISTICS_ID_VMMDLL_Map_GetKDevice]           = "VMMDLL_Map_GetKDevice",
     [STATISTICS_ID_VMMDLL_Map_GetNet]               = "VMMDLL_Map_GetNet",
     [STATISTICS_ID_VMMDLL_Map_GetUsers]             = "VMMDLL_Map_GetUsers",
     [STATISTICS_ID_VMMDLL_Map_GetVM]                = "MMDLL_Map_GetVM",

diff --git a/vmm/version.h b/vmm/version.h
@@ -2,9 +2,9 @@
 #define STRINGIZE(s) STRINGIZE2(s)
 
 #define VERSION_MAJOR               5
-#define VERSION_MINOR               11
-#define VERSION_REVISION            7
-#define VERSION_BUILD               175
+#define VERSION_MINOR               12
+#define VERSION_REVISION            0
+#define VERSION_BUILD               177
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS : Core"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD