├── .github └── FUNDING.yml ├── .gitignore ├── LICENSE ├── MemProcFS.sln ├── README.md ├── files ├── Certs │ └── readme.txt ├── Symbols │ └── pingme.txt ├── memprocfs.icns ├── memprocfs.py ├── memprocfs_example.py ├── memprocfs_pythonexec_example.py ├── plugins │ ├── pym_pluginupdater │ │ ├── __init__.py │ │ └── pym_pluginupdater.py │ ├── pym_procstruct │ │ ├── __init__.py │ │ └── pym_procstruct.py │ ├── pyp_reg_root_reg$net_bth$devices.py │ ├── pyp_reg_root_reg$net_tcpip$interfaces.py │ ├── pyp_reg_root_reg$usb_usb$devices.py │ ├── pyp_reg_root_reg$usb_usb$storage.py │ └── pyp_reg_user_reg$user_wallpaper.py ├── python │ └── information.txt └── vmmpyplugin.py ├── includes ├── dokan.h ├── fileinfo.h ├── leechcore.h ├── leechcore_device.h ├── leechgrpc.h ├── lib32 │ ├── leechcore.lib │ └── vmm.lib ├── lib64 │ ├── leechcore.lib │ └── vmm.lib ├── libarm64 │ ├── leechcore.lib │ └── vmm.lib ├── libpdbcrust.h ├── public.h ├── vmmdll.h └── vmmyara.h ├── m_vmemd ├── Makefile ├── Makefile.macos ├── m_vmemd.c ├── m_vmemd.rc ├── m_vmemd.vcxproj ├── m_vmemd.vcxproj.filters ├── m_vmemd.vcxproj.user ├── oscompatibility.c ├── oscompatibility.h └── version.h ├── memprocfs ├── Makefile ├── Makefile.macos ├── charutil.c ├── charutil.h ├── memprocfs.rc ├── memprocfs.vcxproj ├── memprocfs.vcxproj.filters ├── memprocfs.vcxproj.user ├── memprocfs_dokan.c ├── memprocfs_fuse.c ├── ob │ ├── ob.h │ ├── ob_cachemap.c │ ├── ob_core.c │ ├── ob_map.c │ └── ob_set.c ├── oscompatibility.c ├── oscompatibility.h ├── version.h ├── vfslist.c ├── vfslist.h └── wolf_icon.ico ├── vmm ├── Makefile ├── Makefile.macos ├── charutil.c ├── charutil.h ├── ext │ ├── lz4.c │ ├── lz4.h │ ├── miniz.c │ ├── miniz.h │ ├── sha256.c │ ├── sha256.h │ ├── sqlite3.c │ ├── sqlite3.h │ └── sqlite3ext.h ├── fc.c ├── fc.h ├── infodb.c ├── infodb.h ├── mm │ ├── mm.h │ ├── mm_arm64.c │ ├── mm_pfn.c │ ├── mm_pfn.h │ ├── mm_vad.c │ ├── mm_win.c │ ├── mm_x64.c │ ├── mm_x86.c │ └── mm_x86pae.c ├── modules │ ├── m_conf.c │ ├── 
m_evil_apc1.c │ ├── m_evil_av1.c │ ├── m_evil_entropy.c │ ├── m_evil_kern1.c │ ├── m_evil_kernproc1.c │ ├── m_evil_proc1.c │ ├── m_evil_proc2.c │ ├── m_evil_proc3.c │ ├── m_evil_thread1.c │ ├── m_fc_csv.c │ ├── m_fc_file.c │ ├── m_fc_findevil.c │ ├── m_fc_handle.c │ ├── m_fc_json.c │ ├── m_fc_module.c │ ├── m_fc_ntfs.c │ ├── m_fc_prefetch.c │ ├── m_fc_proc.c │ ├── m_fc_registry.c │ ├── m_fc_sys.c │ ├── m_fc_thread.c │ ├── m_fc_timeline.c │ ├── m_fc_web.c │ ├── m_fc_yara.c │ ├── m_misc_bitlocker.c │ ├── m_misc_eventlog.c │ ├── m_misc_procinfo.c │ ├── m_misc_view.c │ ├── m_phys2virt.c │ ├── m_proc_console.c │ ├── m_proc_file_handles_vads.c │ ├── m_proc_file_modules.c │ ├── m_proc_handle.c │ ├── m_proc_heap.c │ ├── m_proc_ldrmodules.c │ ├── m_proc_memmap.c │ ├── m_proc_minidump.c │ ├── m_proc_thread.c │ ├── m_proc_token.c │ ├── m_proc_virt2phys.c │ ├── m_search.c │ ├── m_searchyara.c │ ├── m_sys.c │ ├── m_sys_cert.c │ ├── m_sys_driver.c │ ├── m_sys_mem.c │ ├── m_sys_net.c │ ├── m_sys_netdns.c │ ├── m_sys_obj.c │ ├── m_sys_pool.c │ ├── m_sys_proc.c │ ├── m_sys_svc.c │ ├── m_sys_syscall.c │ ├── m_sys_sysinfo.c │ ├── m_sys_task.c │ ├── m_sys_user.c │ ├── m_vfsfc.c │ ├── m_vfsproc.c │ ├── m_vfsroot.c │ ├── m_vm.c │ ├── m_winreg.c │ ├── modules.h │ └── modules_init.h ├── ob │ ├── ob.h │ ├── ob_bytequeue.c │ ├── ob_cachemap.c │ ├── ob_compressed.c │ ├── ob_container.c │ ├── ob_core.c │ ├── ob_counter.c │ ├── ob_map.c │ ├── ob_memfile.c │ ├── ob_set.c │ ├── ob_strmap.c │ └── ob_tag.h ├── oscompatibility.c ├── oscompatibility.h ├── pdb.c ├── pdb.h ├── pe.c ├── pe.h ├── pluginmanager.c ├── pluginmanager.h ├── res │ ├── m_fc_json_elastic_import.ps1 │ └── m_fc_json_elastic_import_unauth.ps1 ├── resource.h ├── statistics.c ├── statistics.h ├── sysquery.c ├── sysquery.h ├── util.c ├── util.h ├── version.h ├── vmm.c ├── vmm.h ├── vmm.rc ├── vmm.vcxproj ├── vmm.vcxproj.filters ├── vmm.vcxproj.user ├── vmmdll.c ├── vmmdll.def ├── vmmdll.h ├── vmmdll_core.c ├── vmmdll_core.h ├── 
vmmdll_remote.c ├── vmmdll_remote.h ├── vmmdll_scatter.c ├── vmmex.h ├── vmmex_light.c ├── vmmheap.c ├── vmmheap.h ├── vmmlog.c ├── vmmlog.h ├── vmmnet.c ├── vmmnet.h ├── vmmproc.c ├── vmmproc.h ├── vmmuserconfig.c ├── vmmuserconfig.h ├── vmmvm.c ├── vmmvm.h ├── vmmwin.c ├── vmmwin.h ├── vmmwindef.h ├── vmmwininit.c ├── vmmwininit.h ├── vmmwinobj.c ├── vmmwinobj.h ├── vmmwinpool.c ├── vmmwinpool.h ├── vmmwinreg.c ├── vmmwinreg.h ├── vmmwinsvc.c ├── vmmwinsvc.h ├── vmmwinthread.c ├── vmmwinthread.h ├── vmmwork.c ├── vmmwork.h ├── vmmyarautil.c ├── vmmyarautil.h └── vmmyarawrap.c ├── vmm_example ├── Makefile ├── Makefile.macos ├── vmm_example.vcxproj ├── vmm_example.vcxproj.filters ├── vmm_example.vcxproj.user └── vmmdll_example.c ├── vmmjava ├── VmmExample.java ├── leechcore │ ├── ILeechCore.java │ ├── ILeechCoreBarCallback.java │ ├── ILeechCoreBarContext.java │ ├── ILeechCoreBarReply.java │ ├── ILeechCoreTlpCallback.java │ ├── ILeechCoreTlpContext.java │ ├── LeechCoreException.java │ └── entry │ │ ├── LeechCoreBar.java │ │ └── LeechCoreBarRequest.java └── vmm │ ├── IVmm.java │ ├── IVmmMemScatterMemory.java │ ├── IVmmModule.java │ ├── IVmmPdb.java │ ├── IVmmProcess.java │ ├── IVmmRegHive.java │ ├── IVmmRegKey.java │ ├── IVmmRegValue.java │ ├── VmmException.java │ ├── entry │ ├── VmmMap_HandleEntry.java │ ├── VmmMap_HeapAllocEntry.java │ ├── VmmMap_HeapEntry.java │ ├── VmmMap_HeapMap.java │ ├── VmmMap_HeapSegmentEntry.java │ ├── VmmMap_MemMapEntry.java │ ├── VmmMap_ModuleDataDirectory.java │ ├── VmmMap_ModuleExport.java │ ├── VmmMap_ModuleImport.java │ ├── VmmMap_ModuleSection.java │ ├── VmmMap_NetEntry.java │ ├── VmmMap_PoolEntry.java │ ├── VmmMap_PoolMap.java │ ├── VmmMap_PteEntry.java │ ├── VmmMap_ServiceEntry.java │ ├── VmmMap_ThreadEntry.java │ ├── VmmMap_UnloadedModuleEntry.java │ ├── VmmMap_UserEntry.java │ ├── VmmMap_VadEntry.java │ ├── VmmMap_VadExEntry.java │ ├── Vmm_ModuleExDebugInfo.java │ ├── Vmm_ModuleExVersionInfo.java │ └── Vmm_VfsListEntry.java │ └── 
internal │ ├── IVmmNativeEx.java │ ├── JnaObjectMap.java │ ├── LeechCoreImpl.java │ ├── LeechCoreNative.java │ ├── VmmImpl.java │ ├── VmmImplPanama.java │ └── VmmNative.java ├── vmmpyc ├── Makefile ├── oscompatibility.c ├── version.h ├── vmmpyc.c ├── vmmpyc.h ├── vmmpyc.rc ├── vmmpyc.vcxproj ├── vmmpyc.vcxproj.filters ├── vmmpyc.vcxproj.user ├── vmmpyc_kernel.c ├── vmmpyc_maps.c ├── vmmpyc_module.c ├── vmmpyc_modulemaps.c ├── vmmpyc_pdb.c ├── vmmpyc_physicalmemory.c ├── vmmpyc_process.c ├── vmmpyc_processmaps.c ├── vmmpyc_reghive.c ├── vmmpyc_regkey.c ├── vmmpyc_regmemory.c ├── vmmpyc_regvalue.c ├── vmmpyc_scattermemory.c ├── vmmpyc_search.c ├── vmmpyc_util.c ├── vmmpyc_vfs.c ├── vmmpyc_virtualmachine.c ├── vmmpyc_virtualmemory.c ├── vmmpyc_vmm.c ├── vmmpyc_yara.c └── vmmpycplugin.c ├── vmmrust ├── .vscode │ ├── launch.json │ └── tasks.json ├── leechcore_example │ ├── Cargo.toml │ └── src │ │ └── main.rs ├── m_example_plugin │ ├── Cargo.toml │ └── src │ │ └── lib.rs ├── memprocfs │ ├── Cargo.toml │ ├── README.md │ └── src │ │ └── lib_memprocfs.rs ├── memprocfs_example │ ├── Cargo.toml │ └── src │ │ └── main.rs └── vmmrust.code-workspace └── vmmsharp ├── README.md ├── example ├── VmmsharpExample.cs └── vmmsharp_example.csproj ├── example_48 ├── App.config ├── Properties │ └── AssemblyInfo.cs ├── VmmsharpExample.cs ├── vmmsharp_example_48.csproj └── vmmsharp_example_48.csproj.user ├── vmmsharp ├── App.config ├── Properties │ └── AssemblyInfo.cs ├── logo.png ├── vmmsharp.csproj ├── vmmsharp.csproj.user └── vmmsharp │ ├── Internal │ ├── Lci.cs │ └── Vmmi.cs │ ├── LeechCore.cs │ ├── Vmm.cs │ ├── VmmException.cs │ ├── VmmKernel.cs │ ├── VmmPdb.cs │ ├── VmmProcess.cs │ ├── VmmScatterMemory.cs │ ├── VmmSearch.cs │ └── VmmYara.cs └── vmmsharp_old ├── vmm_example.cs └── vmmsharp.cs /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: ufrisk 4 | 
-------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /.vs 2 | *.ilk 3 | *.iobj 4 | *.ipdb 5 | *.exe 6 | *.dll 7 | *.pyd 8 | *.so 9 | *.o 10 | *.dylib 11 | *pycache* 12 | info.db 13 | /files/memprocfs 14 | /files/vmm_example.exe 15 | /files/lib 16 | /files/temp 17 | /files/ARM64 18 | /files/x86/lib 19 | /files/x86/vmm_example.exe 20 | Cargo.lock 21 | /vmmrust/memprocfs/target 22 | /vmmrust/memprocfs_example/target 23 | /vmmrust/leechcore_example/target 24 | /vmmrust/m_example_plugin/target 25 | /vmmsharp/files 26 | /vmmsharp/example/.vs 27 | /vmmsharp/example/bin 28 | /vmmsharp/example/obj 29 | /vmmsharp/example_48/bin 30 | /vmmsharp/example_48/obj 31 | /vmmsharp/vmmsharp/.vs 32 | /vmmsharp/vmmsharp/bin 33 | /vmmsharp/vmmsharp/obj 34 | -------------------------------------------------------------------------------- /files/Certs/readme.txt: -------------------------------------------------------------------------------- 1 | Example commands for generating self-signed test certificates (CN=localhost) used for gRPC mTLS remote connections. 
2 | 3 | Password to the generated .p12 (PKCS#12, also known as .pfx) files: test 4 | 5 | Generate them with the following commands: 6 | 7 | openssl req -x509 -newkey rsa:2048 -keyout client-tls.key -out client-tls.crt -days 365 -nodes -subj "/CN=localhost" 8 | openssl pkcs12 -export -out client-tls.p12 -inkey client-tls.key -in client-tls.crt -password pass:test 9 | 10 | openssl req -x509 -newkey rsa:2048 -keyout server-tls.key -out server-tls.crt -days 365 -nodes -subj "/CN=localhost" 11 | openssl pkcs12 -export -out server-tls.p12 -inkey server-tls.key -in server-tls.crt -password pass:test 12 | -------------------------------------------------------------------------------- /files/Symbols/pingme.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/files/Symbols/pingme.txt -------------------------------------------------------------------------------- /files/memprocfs.icns: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/files/memprocfs.icns -------------------------------------------------------------------------------- /files/memprocfs_pythonexec_example.py: -------------------------------------------------------------------------------- 1 | # memprocfs_pythonexec_example.py 2 | # 3 | # MemProcFS supports running a Python program at start-up in the context of the 4 | # plugin sub-system with full access to the MemProcFS Python API. For more info 5 | # about the API - please check out the guide at: 6 | # https://github.com/ufrisk/MemProcFS/wiki/API_Python 7 | # 8 | # MemProcFS plugins and start-up programs are supported on Windows and Linux. 
9 | # 10 | # Example: 11 | # memprocfs.exe -device memory.dmp -pythonexec memprocfs_pythonexec_example.py 12 | # 13 | # This example will display a process list, search for RWX-sections in memory 14 | # and (if forensic mode is enabled) copy the CSV files to C:\Temp\. 15 | # 16 | # Note how the vmm MemProcFS API object is already pre-existing ready for use. 17 | # 18 | # Also note how it's a good idea to surround your program with a try-except. 19 | # 20 | # https://github.com/ufrisk/MemProcFS 21 | # 22 | # (c) Ulf Frisk, 2022 23 | # Author: Ulf Frisk, pcileech@frizk.net 24 | # 25 | 26 | 27 | 28 | print("--------------- START MEMPROCFS PYTHONEXEC EXAMPLE ---------------") 29 | 30 | 31 | try: 32 | print("") 33 | print("1. Processes by pid/name:") 34 | print("-------------------------") 35 | for process in vmm.process_list(): 36 | print("%i: \t %s" % (process.pid, process.fullname)) 37 | except Exception as e: 38 | print("memprocfs_pythonexec_example.py: exception: " + str(e)) 39 | 40 | 41 | try: 42 | print("") 43 | print("2. RWX memory [max 5 per process]") 44 | print("---------------------------------") 45 | for process in vmm.process_list(): 46 | crwx = 0 47 | for entry in process.maps.pte(): 48 | if '-rwx' in entry['flags']: 49 | print("%i: \t %s \t %s" % (process.pid, process.name, str(entry))) 50 | crwx += 1 51 | if crwx >= 5: break 52 | except Exception as e: 53 | print("memprocfs_pythonexec_example.py: exception: " + str(e)) 54 | 55 | 56 | try: 57 | print("") 58 | print("3. 
Copy CSV files from forensic mode (if enabled)") 59 | print("-------------------------------------------------") 60 | import os 61 | dst_path_base = '/tmp/' if os.sep == '/' else 'C:\\Temp\\' 62 | vfs_files = vmm.vfs.list("/forensic/csv/") 63 | for vfs_file in vfs_files: 64 | if not vfs_files[vfs_file]['f_isdir']: 65 | offset = 0 66 | vfs_path = "/forensic/csv/" + vfs_file 67 | dst_path = dst_path_base + 'memprocfs_pythonexec_example_' + vfs_file 68 | print("copy file '%s' to '%s'" % (vfs_path, dst_path)) 69 | with open(dst_path, "wb") as file: 70 | while offset < vfs_files[vfs_file]['size']: 71 | chunk = vmm.vfs.read(vfs_path, 0x00100000, offset) 72 | offset += len(chunk) 73 | file.write(chunk) 74 | except Exception as e: 75 | print("memprocfs_pythonexec_example.py: exception: " + str(e)) 76 | 77 | 78 | print("---------------- END MEMPROCFS PYTHONEXEC EXAMPLE ----------------") 79 | -------------------------------------------------------------------------------- /files/plugins/pym_pluginupdater/__init__.py: -------------------------------------------------------------------------------- 1 | from plugins.pym_pluginupdater.pym_pluginupdater import ( 2 | Initialize 3 | ) 4 | 5 | __all__ = [ 6 | "Initialize" 7 | ] -------------------------------------------------------------------------------- /files/plugins/pym_procstruct/__init__.py: -------------------------------------------------------------------------------- 1 | from plugins.pym_procstruct.pym_procstruct import ( 2 | Initialize, 3 | Close, 4 | ) 5 | 6 | __all__ = [ 7 | "Initialize", 8 | "Close", 9 | ] 10 | -------------------------------------------------------------------------------- /files/plugins/pyp_reg_root_reg$net_bth$devices.py: -------------------------------------------------------------------------------- 1 | # pyp_reg_root_reg$net_bth$devices.py 2 | # 3 | # RegistryInfo module to analyze: Bluetooth devices. 
4 | # 5 | # https://github.com/ufrisk/ 6 | # 7 | # (c) Ulf Frisk, 2021 8 | # Author: Ulf Frisk, pcileech@frizk.net 9 | # 10 | 11 | from memprocfs import RegUtil 12 | 13 | print('MemProcFS Registry: Bluetooth Devices [ver: 2021-03-13] \n') 14 | 15 | bthport_dict = {} 16 | bthport_path = 'HKLM\\SYSTEM\\ControlSet001\\Services\\BTHPORT\\Parameters\\Devices' 17 | print(bthport_path) 18 | 19 | for dev_key in vmm.reg_key(bthport_path).subkeys(): 20 | dev_path = bthport_path + '\\' + dev_key.name 21 | bthport_dict[dev_key.name.upper()] = [ 22 | RegUtil.read_ascii(vmm, dev_path + '\\Name'), 23 | RegUtil.read_qword(vmm, dev_path + '\\LastConnected'), 24 | RegUtil.read_qword(vmm, dev_path + '\\LastSeen') 25 | ] 26 | 27 | root_path = 'HKLM\\SYSTEM\\ControlSet001\\Enum\\BTHENUM' 28 | print(root_path) 29 | 30 | for vendor_key in vmm.reg_key(root_path).subkeys(): 31 | if vendor_key.name[:4] != 'Dev_': 32 | continue 33 | vendor_path = root_path + '\\' + vendor_key.name 34 | RegUtil.print_keyvalue(2, vendor_key.name, vendor_key.time_str, 80, False, True) 35 | for dev_key in vmm.reg_key(vendor_path).subkeys(): 36 | dev_path = vendor_path + '\\' + dev_key.name 37 | a = dev_path[-12:].upper() 38 | ah = "%s:%s:%s:%s:%s:%s" % (a[0:2], a[2:4], a[4:6], a[6:8], a[8:10], a[10:12]) 39 | if a in bthport_dict: 40 | bthport = bthport_dict[a] 41 | else: 42 | bthport = {'', -1, -1} 43 | RegUtil.print_keyvalue(4, 'Address: ' + a + ' / ' + ah, dev_key.time_str, 80, False, True) 44 | RegUtil.print_keyvalue(4, 'Device Name: ' + RegUtil.read_utf16(vmm, dev_path + '\\FriendlyName')) 45 | RegUtil.print_keyvalue(4, 'First Insert: ' + RegUtil.ft2str(RegUtil.read_qword(vmm, dev_path + '\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0065\\(Default)', True))) 46 | RegUtil.print_keyvalue(4, 'Last Insert: ' + RegUtil.ft2str(RegUtil.read_qword(vmm, dev_path + '\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0066\\(Default)', True))) 47 | RegUtil.print_keyvalue(4, 'Last Removal: ' + 
RegUtil.ft2str(RegUtil.read_qword(vmm, dev_path + '\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0067\\(Default)', True))) 48 | RegUtil.print_keyvalue(4, 'BTHPORT Name: ' + bthport[0]) 49 | RegUtil.print_keyvalue(4, 'Last Connected: ' + RegUtil.ft2str(bthport[1])) 50 | RegUtil.print_keyvalue(4, 'Last Seen: ' + RegUtil.ft2str(bthport[2])) 51 | print(' ---') 52 | -------------------------------------------------------------------------------- /files/plugins/pyp_reg_root_reg$net_tcpip$interfaces.py: -------------------------------------------------------------------------------- 1 | # pyp_reg_root_reg$tcpip_interfaces.py 2 | # 3 | # RegistryInfo module to analyze: Network Interfaces. 4 | # 5 | # https://github.com/ufrisk/ 6 | # 7 | # (c) Ulf Frisk, 2021 8 | # Author: Ulf Frisk, pcileech@frizk.net 9 | # 10 | 11 | from memprocfs import RegUtil 12 | 13 | print('MemProcFS Registry: Network Interfaces [ver: 2021-03-13] \n') 14 | 15 | root_path = 'HKLM\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces' 16 | print(root_path) 17 | 18 | def print_values(path, values, off): 19 | value_names_time = ['LeaseObtainedTime', 'LeaseTerminatesTime', 'T1', 'T2'] 20 | value_names_str = [ 21 | 'Domain', 'NameServer', 'DefaultGateway', 'IPAddress', 'SubnetMask', 22 | 'DhcpIPAddress', 'DhcpSubnetMask', 'DhcpServer', 'DhcpDefaultGateway', 'DhcpNameServer', 'DhcpDomain', 'DhcpSubnetMaskOpt'] 23 | if 'DhcpNetworkHint' in values: 24 | data_hex = RegUtil.read_utf16(vmm, values['DhcpNetworkHint'].value)[::-1] 25 | data_str = bytes.fromhex(data_hex).decode('utf-8')[::-1] 26 | RegUtil.print_keyvalue(off, 'DhcpNetworkHint:', data_str, 50) 27 | if 'DhcpGatewayHardware' in values and values['DhcpGatewayHardware'].size >= 14: 28 | data_str = values['DhcpGatewayHardware'].value[8:14].hex(':') 29 | RegUtil.print_keyvalue(off, 'DhcpGatewayHardware:', data_str, 50) 30 | for name in value_names_time: 31 | if name in values: 32 | time_unix = RegUtil.read_dword(vmm, values[name].value) 
33 | if time_unix > 10000: 34 | time_ft = (11644473600 + time_unix) * 10000000 35 | RegUtil.print_filetime(off, name + ':', time_ft, 50) 36 | for name in value_names_str: 37 | if name in values and values[name].size > 2: 38 | RegUtil.print_keyvalue(off, name + ':', RegUtil.read_utf16(vmm, values[name].value), 50) 39 | 40 | for if_key in vmm.reg_key(root_path).subkeys(): 41 | if_path = root_path + '\\' + if_key.name 42 | RegUtil.print_keyvalue(2, if_key.name, if_key.time_str, 80, False, True) 43 | print_values(if_path, if_key.values_dict(), 4) 44 | for a_key in if_key.subkeys(): 45 | a_path = if_path + '\\' + a_key.name 46 | RegUtil.print_keyvalue(4, a_key.name, a_key.time_str, 80, False, True) 47 | print_values(a_path, a_key.values_dict(), 6) 48 | -------------------------------------------------------------------------------- /files/plugins/pyp_reg_root_reg$usb_usb$devices.py: -------------------------------------------------------------------------------- 1 | # pyp_reg_root_reg$usb_usb$devices.py 2 | # 3 | # RegistryInfo module to analyze: USB devices. 
4 | # 5 | # https://github.com/ufrisk/ 6 | # 7 | # (c) Ulf Frisk, 2021 8 | # Author: Ulf Frisk, pcileech@frizk.net 9 | # 10 | 11 | from memprocfs import RegUtil 12 | 13 | print('MemProcFS Registry: USB Devices [ver: 2021-03-13] \n') 14 | 15 | root_path = 'HKLM\\SYSTEM\\ControlSet001\\Enum\\USB' 16 | print(root_path) 17 | 18 | for vendor_key in vmm.reg_key(root_path).subkeys(): 19 | vendor_path = root_path + '\\' + vendor_key.name 20 | RegUtil.print_keyvalue(2, vendor_key.name, vendor_key.time_str, 80, False, True) 21 | for dev_key in vmm.reg_key(vendor_path).subkeys(): 22 | dev_path = vendor_path + '\\' + dev_key.name 23 | RegUtil.print_keyvalue(4, 'Serial Number: ' + dev_key.name, dev_key.time_str, 80, False, True) 24 | RegUtil.print_keyvalue(6, 'Device Name: ' + RegUtil.read_utf16(vmm, dev_path + '\\Properties\\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\\0004\\(Default)', True)) 25 | RegUtil.print_keyvalue(6, 'First Insert: ' + RegUtil.ft2str(RegUtil.read_qword(vmm, dev_path + '\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0065\\(Default)', True))) 26 | RegUtil.print_keyvalue(6, 'Last Insert: ' + RegUtil.ft2str(RegUtil.read_qword(vmm, dev_path + '\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0066\\(Default)', True))) 27 | RegUtil.print_keyvalue(6, 'Last Removal: ' + RegUtil.ft2str(RegUtil.read_qword(vmm, dev_path + '\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0067\\(Default)', True))) 28 | print(' ---') 29 | -------------------------------------------------------------------------------- /files/plugins/pyp_reg_root_reg$usb_usb$storage.py: -------------------------------------------------------------------------------- 1 | # pyp_reg_root_reg$usb_usb$storage.py 2 | # 3 | # RegistryInfo module to analyze: USB storage devices. 
4 | # https://www.researchgate.net/publication/318514858_USB_Storage_Device_Forensics_for_Windows_10 5 | # 6 | # https://github.com/ufrisk/ 7 | # 8 | # (c) Ulf Frisk, 2021 9 | # Author: Ulf Frisk, pcileech@frizk.net 10 | # 11 | 12 | from memprocfs import RegUtil 13 | 14 | print('MemProcFS Registry: USB Storage [ver: 2021-03-13] \n') 15 | 16 | root_path = 'HKLM\\SYSTEM\\ControlSet001\\Enum\\USBSTOR' 17 | print(root_path) 18 | 19 | for vendor_key in vmm.reg_key(root_path).subkeys(): 20 | vendor_path = root_path + '\\' + vendor_key.name 21 | vendor_name = vendor_key.name.replace('Disk&Ven_', 'Vendor=').replace('&Prod_', ', Product=').replace('&Rev_', ', Rev=') 22 | RegUtil.print_keyvalue(2, vendor_name, vendor_key.time_str, 80, False, True) 23 | for dev_key in vmm.reg_key(vendor_path).subkeys(): 24 | dev_path = vendor_path + '\\' + dev_key.name 25 | props_path = dev_path + '\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}' 26 | RegUtil.print_keyvalue(4, 'Serial Number: ' + dev_key.name, dev_key.time_str, 80, False, True) 27 | vidpid = RegUtil.read_utf16(vmm, props_path + '\\000A\\(Default)', True) 28 | vidpid = vidpid.replace('USB\VID_', 'VID=').replace('&PID_', ', PID=').replace('\\', ', SN=') 29 | RegUtil.print_keyvalue(6, 'Device IDs: ' + vidpid) 30 | RegUtil.print_keyvalue(6, 'Device Name: ' + RegUtil.read_utf16(vmm, dev_path + '\\FriendlyName')) 31 | RegUtil.print_keyvalue(6, 'First Insert: ' + RegUtil.ft2str(RegUtil.read_qword(vmm, props_path + '\\0065\\(Default)', True))) 32 | RegUtil.print_keyvalue(6, 'Last Insert: ' + RegUtil.ft2str(RegUtil.read_qword(vmm, props_path + '\\0066\\(Default)', True))) 33 | RegUtil.print_keyvalue(6, 'Last Removal: ' + RegUtil.ft2str(RegUtil.read_qword(vmm, props_path + '\\0067\\(Default)', True))) 34 | print(' ---') 35 | -------------------------------------------------------------------------------- /files/plugins/pyp_reg_user_reg$user_wallpaper.py: 
-------------------------------------------------------------------------------- 1 | # pyp_reg_user_reg$user_wallpaper.py 2 | # 3 | # RegistryInfo module to analyze: User Desktop Wallpapers. 4 | # 5 | # https://github.com/ufrisk/ 6 | # 7 | # (c) Ulf Frisk, 2021 8 | # Author: Ulf Frisk, pcileech@frizk.net 9 | # 10 | 11 | import memprocfs 12 | 13 | print('MemProcFS Registry: User Desktop Wallpapers [ver: 2021-03-13] \n') 14 | 15 | # NB! string 'path' and objects 'vmm' and 'user' are guaranteed to exist in user light plugins. 16 | root_path = 'HKU\\' + user['name'] + '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU' 17 | print(root_path) 18 | 19 | reg_wp = vmm.reg_key(root_path).values_dict() 20 | mrulist = memprocfs.RegUtil.mrulistex_expand(reg_wp['MRUListEx'].value) 21 | 22 | print('MRU# Path') 23 | print('===========') 24 | for mru in mrulist: 25 | print("%4i %s" % (mru, reg_wp[str(mru)].vstr(False))) 26 | -------------------------------------------------------------------------------- /files/python/information.txt: -------------------------------------------------------------------------------- 1 | Put your Python 3.6 (or later) embedded for Windows 64-bit in this directory to enable Python functionality. 2 | Download Python 3.6 (or later) "Windows x86-64 embeddable zip file" and unzip in this folder. 3 | Python may be downloaded from: https://www.python.org/downloads/ 4 | This is not required if Python 3.6 (or later) for Windows 64-bit is already on the path. 
-------------------------------------------------------------------------------- /includes/lib32/leechcore.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/includes/lib32/leechcore.lib -------------------------------------------------------------------------------- /includes/lib32/vmm.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/includes/lib32/vmm.lib -------------------------------------------------------------------------------- /includes/lib64/leechcore.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/includes/lib64/leechcore.lib -------------------------------------------------------------------------------- /includes/lib64/vmm.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/includes/lib64/vmm.lib -------------------------------------------------------------------------------- /includes/libarm64/leechcore.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/includes/libarm64/leechcore.lib -------------------------------------------------------------------------------- /includes/libarm64/vmm.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/includes/libarm64/vmm.lib -------------------------------------------------------------------------------- /includes/libpdbcrust.h: 
-------------------------------------------------------------------------------- 1 | // C library wrapper around the rust PDB crate and related useful utilities. 2 | // 3 | // (c) Ulf Frisk, 2023 4 | // Author: Ulf Frisk, pcileech@frizk.net 5 | // 6 | // Licensed under the Apache License, Version 2.0, or the MIT license , at your option. This file may not be 9 | // copied, modified, or distributed except according to those terms. 10 | // 11 | 12 | #include 13 | #include 14 | 15 | /* 16 | * Open a PDB file given its full path and return a handle to it. 17 | * The handle should be closed by calling pdbcrust_close(). 18 | */ 19 | size_t pdbcrust_open( 20 | char *sz_pdb_full_path 21 | ); 22 | 23 | /* 24 | * Close a PDB handle and free its resources. 25 | */ 26 | void pdbcrust_close( 27 | size_t hnd 28 | ); 29 | 30 | /* 31 | * Ensure that a PDB file exists on the specified path and upon success return 32 | * the full file path in sz_pdb_path_result. If the PDB file does not exist it 33 | * may optionally be downloaded from the Microsoft symbol server. 34 | * -- sz_pdb_basepath = base path (directory must exist). 35 | * -- sz_pdb_guidage = the combined GUID+AGE in uppercase hexascii string. 36 | * -- sz_pdb_name = the pdb file name. 37 | * -- is_mspdb_download = download the PDB from the microsoft symbol server. 38 | * -- len_path_path_result = byte length of sz_pdb_path_result. 39 | * -- sz_pdb_path_result = buffer to receive full pdb file path on success. 40 | * -- return 41 | */ 42 | bool pdbcrust_pdb_download_ensure( 43 | char *sz_pdb_basepath, 44 | char *sz_pdb_guidage, 45 | char *sz_pdb_name, 46 | bool is_mspdb_download, 47 | size_t len_path_path_result, 48 | char *sz_pdb_path_result 49 | ); 50 | 51 | /* 52 | * Retrieve a symbol offset given a symbol name. 53 | * -- hnd 54 | * -- sz_symbol_name = the symbol name to retrieve 55 | * -- return = the symbol offset on success. zero on fail. 
56 | */ 57 | unsigned int pdbcrust_symbol_offset( 58 | size_t hnd, 59 | char *sz_symbol_name 60 | ); 61 | 62 | /* 63 | * Retrieve a symbol name given an offset. 64 | * -- hnd 65 | * -- symbol_offset = the symbol offset. 66 | * -- len_symbol_name 67 | * -- sz_symbol_name 68 | * -- displacement = the displacement, currently not functional. 69 | * -- return 70 | */ 71 | bool pdbcrust_symbol_name_from_offset( 72 | size_t hnd, 73 | unsigned int symbol_offset, 74 | size_t len_symbol_name, 75 | char *sz_symbol_name, 76 | unsigned int *displacement 77 | ); 78 | 79 | /* 80 | * Retrieve the size of a type / struct. 81 | * -- hnd 82 | * -- sz_type_name 83 | * -- return = the type size on success, 0 on fail. 84 | */ 85 | unsigned int pdbcrust_type_size( 86 | size_t hnd, 87 | char *sz_type_name 88 | ); 89 | 90 | /* 91 | * Retrieve the child offset inside a type/struct. 92 | * -- hnd 93 | * -- sz_type_name 94 | * -- sz_type_child 95 | * -- offset_type_child = ptr to receive the child offset on success. 96 | * -- return 97 | */ 98 | bool pdbcrust_type_child_offset( 99 | size_t hnd, 100 | char *sz_type_name, 101 | char *sz_type_child, 102 | unsigned int *offset_type_child 103 | ); 104 | -------------------------------------------------------------------------------- /m_vmemd/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # NOTE! PACKAGE DEPENDENCY ON LeechCore: 3 | # The build script requires leechcore.so, built from the LeechCore project 4 | # found at https://github.com/ufrisk/LeechCore, in order to build. This 5 | # file is assumed to exist in either of the directories: 6 | # . (current), ../files, ../../LeechCore*/files 7 | # 8 | CC=gcc 9 | CFLAGS += -std=c11 -I. 
-I../includes -D LINUX -D _GNU_SOURCE -fPIC -fvisibility=hidden -pthread `pkg-config liblz4 openssl --cflags` 10 | CFLAGS += -fPIE -fPIC -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O1 11 | CFLAGS += -Wall -Wno-format-truncation -Wno-enum-compare -Wno-pointer-sign -Wno-multichar -Wno-unused-variable -Wno-unused-value 12 | CFLAGS += -Wno-pointer-to-int-cast -Wno-int-to-pointer-cast 13 | ifeq ($(shell basename $(CC)),gcc) 14 | CFLAGS += -pie 15 | # DEBUG FLAGS BELOW 16 | #CFLAGS += -g -O0 -Wextra -Wno-unused-parameter -Wno-cast-function-type 17 | # DEBUG FLAGS ABOVE 18 | endif 19 | LDFLAGS += -L../files -Wl,-rpath,'$$ORIGIN' -g -ldl -shared -L. -lm -l:vmm.so -Wl,-z,noexecstack `pkg-config liblz4 openssl --libs` 20 | DEPS = vmmdll.h 21 | OBJ = m_vmemd.o oscompatibility.o 22 | 23 | %.o: %.c $(DEPS) 24 | $(CC) -c -o $@ $< $(CFLAGS) 25 | 26 | m_vmemd: $(OBJ) 27 | $(CC) -o $@ $^ $(CFLAGS) -o m_vmemd.so $(LDFLAGS) 28 | mv m_vmemd.so ../files/plugins/ 29 | rm -f *.o || true 30 | rm -f */*.o || true 31 | rm -f *.so || true 32 | true 33 | 34 | clean: 35 | rm -f *.o || true 36 | rm -f */*.o || true 37 | rm -f *.so || true 38 | -------------------------------------------------------------------------------- /m_vmemd/Makefile.macos: -------------------------------------------------------------------------------- 1 | # 2 | # NOTE! PACKAGE DEPENDENCY ON LeechCore: 3 | # The build script requires leechcore.so, built from the LeechCore project 4 | # found at https://github.com/ufrisk/LeechCore, in order to build. This 5 | # file is assumed to exist in either of the directories: 6 | # . (current), ../files, ../../LeechCore*/files 7 | # 8 | CC=clang 9 | CFLAGS += -I. 
-I../includes -D MACOS -D _GNU_SOURCE -fvisibility=hidden -pthread 10 | CFLAGS += -fPIC -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O1 11 | CFLAGS += -Wall -Wno-multichar -Wno-unused-result -Wno-unused-variable -Wno-unused-value -Wno-pointer-sign 12 | CFLAGS += -Wno-pointer-to-int-cast -Wno-int-to-pointer-cast 13 | CFLAGS += -mmacosx-version-min=11.0 14 | # DEBUG FLAGS BELOW 15 | #CFLAGS += -O0 16 | #CFLAGS += -fsanitize=address 17 | # DEBUG FLAGS ABOVE 18 | LDFLAGS += -dynamiclib -L. ./leechcore.dylib ./vmm.dylib -lm 19 | LDFLAGS += -Wl,-rpath,@loader_path 20 | LDFLAGS += -g -mmacosx-version-min=11.0 21 | 22 | DEPS = 23 | OBJ = m_vmemd.o oscompatibility.o 24 | 25 | # ARCH SPECIFIC FLAGS: 26 | CFLAGS_X86_64 = $(CFLAGS) -arch x86_64 27 | CFLAGS_ARM64 = $(CFLAGS) -arch arm64 28 | LDFLAGS_X86_64 = $(LDFLAGS) -arch x86_64 29 | LDFLAGS_ARM64 = $(LDFLAGS) -arch arm64 30 | OBJ_X86_64 = $(OBJ:.o=.o.x86_64) 31 | OBJ_ARM64 = $(OBJ:.o=.o.arm64) 32 | 33 | all: m_vmemd.dylib 34 | 35 | %.o.x86_64: %.c $(DEPS) 36 | $(CC) $(CFLAGS_X86_64) -c -o $@ $< 37 | 38 | %.o.arm64: %.c $(DEPS) 39 | $(CC) $(CFLAGS_ARM64) -c -o $@ $< 40 | 41 | m_vmemd_x86_64.dylib: $(OBJ_X86_64) 42 | cp ../files/vmm.dylib . || cp ../../LeechCore*/files/vmm.dylib . || true 43 | cp ../files/leechcore.dylib . || cp ../../LeechCore*/files/leechcore.dylib . || true 44 | $(CC) $(LDFLAGS_X86_64) -o $@ $^ 45 | 46 | m_vmemd_arm64.dylib: $(OBJ_ARM64) 47 | cp ../files/vmm.dylib . || cp ../../LeechCore*/files/vmm.dylib . || true 48 | cp ../files/leechcore.dylib . || cp ../../LeechCore*/files/leechcore.dylib . 
|| true 49 | $(CC) $(LDFLAGS_ARM64) -o $@ $^ 50 | 51 | m_vmemd.dylib: m_vmemd_x86_64.dylib m_vmemd_arm64.dylib 52 | lipo -create -output m_vmemd.dylib m_vmemd_x86_64.dylib m_vmemd_arm64.dylib 53 | install_name_tool -id @rpath/m_vmemd.dylib m_vmemd.dylib 54 | mkdir -p ../files/plugins 55 | mv m_vmemd.dylib ../files/plugins/ 56 | rm -f *.o *.o.x86_64 *.o.arm64 || true 57 | rm -f */*.o */*.o.x86_64 */*.o.arm64 || true 58 | rm -f *.dylib || true 59 | true 60 | 61 | clean: 62 | rm -f *.o *.o.x86_64 *.o.arm64 || true 63 | rm -f */*.o */*.o.x86_64 */*.o.arm64 || true 64 | rm -f *.dylib || true 65 | -------------------------------------------------------------------------------- /m_vmemd/m_vmemd.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/m_vmemd/m_vmemd.rc -------------------------------------------------------------------------------- /m_vmemd/m_vmemd.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {3225bbc7-de37-47cb-bb93-33074f5dbcc2} 18 | 19 | 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files\includes 31 | 32 | 33 | Header Files\includes 34 | 35 | 36 | 37 | 38 | Resource Files 39 | 40 | 41 | 42 | 43 | Resource Files 44 | 45 | 46 | Resource Files 47 | 48 | 49 | -------------------------------------------------------------------------------- /m_vmemd/m_vmemd.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 
-------------------------------------------------------------------------------- /m_vmemd/version.h: -------------------------------------------------------------------------------- 1 | #define STRINGIZE2(s) #s 2 | #define STRINGIZE(s) STRINGIZE2(s) 3 | 4 | #define VERSION_MAJOR 5 5 | #define VERSION_MINOR 16 6 | #define VERSION_REVISION 7 7 | #define VERSION_BUILD 221 8 | 9 | #define VER_FILE_DESCRIPTION_STR "MemProcFS : Plugin vmemd" 10 | #define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD 11 | #define VER_FILE_VERSION_STR STRINGIZE(VERSION_MAJOR) \ 12 | "." STRINGIZE(VERSION_MINOR) \ 13 | "." STRINGIZE(VERSION_REVISION) \ 14 | "." STRINGIZE(VERSION_BUILD) \ 15 | 16 | #define VER_COMPANY_NAME_STR "" 17 | #define VER_PRODUCTNAME_STR "m_vmemd" 18 | #define VER_PRODUCT_VERSION VER_FILE_VERSION 19 | #define VER_PRODUCT_VERSION_STR VER_FILE_VERSION_STR 20 | #define VER_ORIGINAL_FILENAME_STR VER_PRODUCTNAME_STR ".dll" 21 | #define VER_INTERNAL_NAME_STR VER_ORIGINAL_FILENAME_STR 22 | #define VER_COPYRIGHT_STR "Copyright (c) Ulf Frisk 2018-2025" 23 | -------------------------------------------------------------------------------- /memprocfs/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Makefile for memprocfs_fuse. Note that this build script requires MemProcFS 3 | # and LeechCore to be built prior. Both shared libraries should be located in 4 | # the folder '../files/'. 5 | # 6 | CC=gcc 7 | CFLAGS += -I. -I../includes -D LINUX -D_FILE_OFFSET_BITS=64 -pthread `pkg-config fuse --cflags` 8 | CFLAGS += -fPIE -fPIC -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O1 9 | CFLAGS += -Wall -Wno-multichar -Wno-unused-variable -Wno-unused-parameter -Wno-pointer-to-int-cast -Wno-int-to-pointer-cast 10 | ifeq ($(shell basename $(CC)),gcc) 11 | CFLAGS += -pie 12 | #DEBUG FLAGS BELOW 13 | #CFLAGS += -g -O0 -Wextra 14 | endif 15 | LDFLAGS += -Wl,-rpath,'$$ORIGIN' -ldl -L. 
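-l:vmm.so -Wl,-z,noexecstack `pkg-config fuse --libs`
# Header prerequisite shared by every %.o rule below. It must name a header
# that actually exists in this directory: with a prerequisite that neither
# exists nor can be made, the pattern rule below does not apply and GNU make
# falls back to its built-in %.o: %.c rule, so header edits silently stop
# triggering rebuilds. The header here is vfslist.h (Makefile.macos already
# names it); there is no vfs.h in this directory.
DEPS = vfslist.h
OBJ = oscompatibility.o charutil.o vfslist.o memprocfs_fuse.o ob/ob_cachemap.o ob/ob_core.o ob/ob_map.o ob/ob_set.o

%.o: %.c $(DEPS)
	$(CC) -c -o $@ $< $(CFLAGS)

# Link against the prebuilt leechcore.so / vmm.so copied in from ../files/
# (LDFLAGS above sets rpath $ORIGIN, so at runtime both shared libraries must
# sit next to the memprocfs binary), then move the result into ../files/ and
# remove the intermediate objects and library copies.
memprocfs: $(OBJ)
	cp ../files/leechcore.so . || true
	cp ../files/vmm.so . || true
	$(CC) -o $@ $^ $(CFLAGS) $(LDFLAGS)
	mv memprocfs ../files/ || true
	rm -f *.o || true
	rm -f */*.o || true
	rm -f *.so || true

clean:
	rm -f *.o || true
	rm -f */*.o || true
	rm -f *.so || true
-------------------------------------------------------------------------------- /memprocfs/Makefile.macos: --------------------------------------------------------------------------------
CC=clang
CFLAGS += -I. -I../includes -D MACOS -D _GNU_SOURCE -D _FILE_OFFSET_BITS=64 -pthread
# Hardening flags. -fstack-protector-strong matches vmm/Makefile.macos and
# m_vmemd/Makefile.macos: plain -fstack-protector only instruments functions
# with char arrays, -strong also covers other local arrays and address-taken
# locals, which is what the rest of this project builds with.
CFLAGS += -fPIE -fPIC -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O1
#CFLAGS += `pkg-config fuse --cflags`
CFLAGS += -Wall -Wno-enum-compare -Wno-pointer-sign -Wno-multichar -Wno-unused-variable -Wno-unused-value
CFLAGS += -Wno-pointer-to-int-cast -Wno-int-to-pointer-cast
CFLAGS += -mmacosx-version-min=11.0
# DEBUG FLAGS BELOW
#CFLAGS += -O0
#CFLAGS += -fsanitize=address
# DEBUG FLAGS ABOVE
LDFLAGS += -ldl -L. 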
./leechcore.dylib ./vmm.dylib 13 | #LDFLAGS += `pkg-config fuse --libs` 14 | LDFLAGS += -L/usr/local/lib -lfuse -pthread 15 | LDFLAGS += -Wl,-rpath,@loader_path 16 | LDFLAGS += -mmacosx-version-min=11.0 17 | 18 | DEPS = vfslist.h 19 | OBJ = oscompatibility.o charutil.o vfslist.o memprocfs_fuse.o ob/ob_cachemap.o ob/ob_core.o ob/ob_map.o ob/ob_set.o 20 | 21 | # ARCH SPECIFIC FLAGS: 22 | CFLAGS_X86_64 = $(CFLAGS) -arch x86_64 23 | CFLAGS_ARM64 = $(CFLAGS) -arch arm64 24 | LDFLAGS_X86_64 = $(LDFLAGS) -arch x86_64 25 | LDFLAGS_ARM64 = $(LDFLAGS) -arch arm64 26 | OBJ_X86_64 = $(OBJ:.o=.o.x86_64) 27 | OBJ_ARM64 = $(OBJ:.o=.o.arm64) 28 | 29 | all: memprocfs 30 | 31 | %.o.x86_64: %.c $(DEPS) 32 | $(CC) $(CFLAGS_X86_64) -c -o $@ $< 33 | 34 | %.o.arm64: %.c $(DEPS) 35 | $(CC) $(CFLAGS_ARM64) -c -o $@ $< 36 | 37 | memprocfs_x86_64: $(OBJ_X86_64) 38 | cp ../files/vmm.dylib . || cp ../../MemProcFS*/files/vmm.dylib . || true 39 | cp ../files/leechcore.dylib . || cp ../../LeechCore*/files/leechcore.dylib . || true 40 | $(CC) $(LDFLAGS_X86_64) -o $@ $^ 41 | 42 | memprocfs_arm64: $(OBJ_ARM64) 43 | cp ../files/vmm.dylib . || cp ../../MemProcFS*/files/vmm.dylib . || true 44 | cp ../files/leechcore.dylib . || cp ../../LeechCore*/files/leechcore.dylib . 
|| true 45 | $(CC) $(LDFLAGS_ARM64) -o $@ $^ 46 | 47 | memprocfs: memprocfs_x86_64 memprocfs_arm64 48 | lipo -create -output memprocfs memprocfs_x86_64 memprocfs_arm64 49 | install_name_tool -id @rpath/memprocfs memprocfs 50 | mv memprocfs ../files/ |true 51 | mv vmm.dylib ../files/ |true 52 | mv leechcore.dylib ../files/ |true 53 | rm -f *.o *.o.x86_64 *.o.arm64 || true 54 | rm -f */*.o */*.o.x86_64 */*.o.arm64 || true 55 | rm -f *.dylib || true 56 | true 57 | 58 | clean: 59 | rm -f *.o *.o.x86_64 *.o.arm64 || true 60 | rm -f */*.o */*.o.x86_64 */*.o.arm64 || true 61 | rm -f *.dylib || true 62 | -------------------------------------------------------------------------------- /memprocfs/memprocfs.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/memprocfs/memprocfs.rc -------------------------------------------------------------------------------- /memprocfs/memprocfs.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {81e2f737-13dd-4ab5-8d2d-f8f822c46c53} 18 | 19 | 20 | {b9ed75de-f5b0-49ac-8690-6322fbe7421d} 21 | 22 | 23 | {d7ea25e4-3035-471b-9608-4fe0b262a79b} 24 | 25 | 26 | 27 | 28 | Source Files\ob 29 | 30 | 31 | Source Files\ob 32 | 33 | 34 | Source Files\ob 35 | 36 | 37 | Source Files\ob 38 | 39 | 40 | Source Files 41 | 42 | 43 | Source Files 44 | 45 | 46 | Source Files 47 | 48 | 49 | Source Files 50 | 51 | 52 | Source Files 53 | 54 | 55 | 56 | 57 | Header Files 58 | 59 | 60 | Header Files\includes 61 | 62 | 63 | Header Files\includes 64 | 
65 | 66 | Header Files\includes 67 | 68 | 69 | Header Files\includes 70 | 71 | 72 | Header Files\includes 73 | 74 | 75 | Header Files\ob 76 | 77 | 78 | Header Files 79 | 80 | 81 | Header Files 82 | 83 | 84 | Header Files 85 | 86 | 87 | 88 | 89 | Resource Files 90 | 91 | 92 | 93 | 94 | Resource Files 95 | 96 | 97 | Resource Files 98 | 99 | 100 | -------------------------------------------------------------------------------- /memprocfs/memprocfs.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | WindowsLocalDebugger 5 | 6 | 7 | WindowsLocalDebugger 8 | 9 | 10 | WindowsLocalDebugger 11 | 12 | 13 | WindowsLocalDebugger 14 | 15 | 16 | WindowsLocalDebugger 17 | 18 | 19 | WindowsLocalDebugger 20 | 21 | -------------------------------------------------------------------------------- /memprocfs/version.h: -------------------------------------------------------------------------------- 1 | #define STRINGIZE2(s) #s 2 | #define STRINGIZE(s) STRINGIZE2(s) 3 | 4 | #define VERSION_MAJOR 5 5 | #define VERSION_MINOR 16 6 | #define VERSION_REVISION 7 7 | #define VERSION_BUILD 221 8 | 9 | #define VER_FILE_DESCRIPTION_STR "MemProcFS" 10 | #define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD 11 | #define VER_FILE_VERSION_STR STRINGIZE(VERSION_MAJOR) \ 12 | "." STRINGIZE(VERSION_MINOR) \ 13 | "." STRINGIZE(VERSION_REVISION) \ 14 | "." 
STRINGIZE(VERSION_BUILD) \ 15 | 16 | #define VER_COMPANY_NAME_STR "" 17 | #define VER_PRODUCTNAME_STR "MemProcFS" 18 | #define VER_PRODUCT_VERSION VER_FILE_VERSION 19 | #define VER_PRODUCT_VERSION_STR VER_FILE_VERSION_STR 20 | #define VER_ORIGINAL_FILENAME_STR VER_PRODUCTNAME_STR ".exe" 21 | #define VER_INTERNAL_NAME_STR VER_ORIGINAL_FILENAME_STR 22 | #define VER_COPYRIGHT_STR "Copyright (c) Ulf Frisk 2018-2025" 23 | -------------------------------------------------------------------------------- /memprocfs/vfslist.h: -------------------------------------------------------------------------------- 1 | // vfslist.h : definitions related to virtual file system support. 2 | // 3 | // (c) Ulf Frisk, 2018-2025 4 | // Author: Ulf Frisk, pcileech@frizk.net 5 | // 6 | #ifndef __VFSLIST_H__ 7 | #define __VFSLIST_H__ 8 | 9 | #ifdef _WIN32 10 | #include 11 | typedef unsigned __int64 QWORD, *PQWORD; 12 | #else 13 | #include "oscompatibility.h" 14 | #endif /* _WIN32 */ 15 | #include 16 | 17 | typedef struct tdVFS_ENTRY { 18 | FILETIME ftCreationTime; 19 | FILETIME ftLastAccessTime; 20 | FILETIME ftLastWriteTime; 21 | QWORD cbFileSize; 22 | DWORD dwFileAttributes; 23 | BOOL fDirectory; 24 | CHAR uszName[2 * MAX_PATH]; 25 | } VFS_ENTRY, *PVFS_ENTRY; 26 | 27 | typedef void(*PFN_VFSLIST_CALLBACK)(_In_ PVFS_ENTRY pVfsEntry, _In_opt_ PVOID ctx); 28 | 29 | /* 30 | * Clear cached directory entries and/or files. 31 | * -- uszPath = the path to clear: either a directory path, or a directory path with the file name appended. 32 | */ 33 | VOID VfsList_Clear(_In_ LPSTR uszPath); 34 | 35 | /* 36 | * Retrieve information about a single entry inside a directory. 37 | * -- uszPath 38 | * -- uszFile 39 | * -- pVfsEntry 40 | * -- pfPathValid = receives whether uszPath (the directory) is valid or not. 
41 | * -- return 42 | */ 43 | _Success_(return) 44 | BOOL VfsList_GetSingle(_In_ LPSTR uszPath, _In_ LPSTR uszFile, _Out_ PVFS_ENTRY pVfsEntry, _Out_ PBOOL pfPathValid); 45 | 46 | /* 47 | * List a directory using a callback function 48 | * -- uszPath 49 | * -- ctx = optional context to pass along to callback function. 50 | * -- pfnListCallback = callback function called one time per directory entry. 51 | * -- return = TRUE if directory exists, otherwise FALSE. 52 | */ 53 | BOOL VfsList_ListDirectory(_In_ LPSTR uszPath, _In_opt_ PVOID ctx, _In_opt_ PFN_VFSLIST_CALLBACK pfnListCallback); 54 | 55 | #ifdef _WIN32 56 | 57 | typedef int(__stdcall *PFN_VFSLISTW_CALLBACK)(_In_ PWIN32_FIND_DATAW pFindData, _In_opt_ PVOID ctx); 58 | 59 | /* 60 | * Retrieve information about a single entry inside a directory (Windows WCHAR version). 61 | * -- wszPath 62 | * -- wszFile 63 | * -- pFindData 64 | * -- pfPathValid = receives if wszPath is valid or not. 65 | * -- return 66 | */ 67 | _Success_(return) 68 | BOOL VfsList_GetSingleW(_In_ LPWSTR wszPath, _In_ LPWSTR wszFile, _Out_ PWIN32_FIND_DATAW pFindData, _Out_ PBOOL pfPathValid); 69 | 70 | /* 71 | * List a directory using a callback function (Windows WCHAR version). 72 | * -- wszPath 73 | * -- ctx = optional context to pass along to callback function. 74 | * -- pfnListCallback = callback function called one time per directory entry. 75 | * -- return = TRUE if directory exists, otherwise FALSE. 76 | */ 77 | BOOL VfsList_ListDirectoryW(_In_ LPWSTR wszPath, _In_opt_ PVOID ctx, _In_opt_ PFN_VFSLISTW_CALLBACK pfnListCallback); 78 | 79 | #endif /* _WIN32 */ 80 | 81 | /* 82 | * typedef for VMMDLL_VfsListU function or any functions that may override it. 83 | */ 84 | typedef BOOL(*VFS_LIST_U_PFN)(_In_ LPSTR uszPath, _Inout_ PVMMDLL_VFS_FILELIST2 pFileList); 85 | 86 | /* 87 | * Initialize the vfs list functionality. 
88 | * -- pfnVfsListU 89 | * -- dwCacheValidMs 90 | * -- cCacheMaxEntries 91 | * -- fSingleThread = pfnVfsListU is single-threaded 92 | * -- return 93 | */ 94 | _Success_(return) 95 | BOOL VfsList_Initialize(_In_ VFS_LIST_U_PFN pfnVfsListU, _In_ DWORD dwCacheValidMs, _In_ DWORD cCacheMaxEntries, _In_ BOOL fSingleThread); 96 | 97 | /* 98 | * Close and clean up the vfs list functionality. 99 | */ 100 | VOID VfsList_Close(); 101 | 102 | #endif /* __VFSLIST_H__ */ 103 | -------------------------------------------------------------------------------- /memprocfs/wolf_icon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/memprocfs/wolf_icon.ico -------------------------------------------------------------------------------- /vmm/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # NOTE! PACKAGE DEPENDENCY ON LeechCore: 3 | # The build script require leechcore.so built from the leechcore project 4 | # which is found at https://github.com/ufrisk/LeechCore to build. This 5 | # file is assumed to exist in either of the directories: 6 | # . (current), ../files, ../../LeechCore*/files 7 | # 8 | CC=gcc 9 | CFLAGS += -std=c11 -I. 
-I../includes -D LINUX -D _GNU_SOURCE -D SQLITE_THREADSAFE=2 -D SQLITE_CORE -fPIC -fvisibility=hidden -pthread 10 | CFLAGS += -fPIE -fPIC -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O1 11 | CFLAGS += -Wall -Wno-format-truncation -Wno-enum-compare -Wno-pointer-sign -Wno-multichar -Wno-unused-variable -Wno-unused-value 12 | CFLAGS += -Wno-pointer-to-int-cast -Wno-int-to-pointer-cast 13 | ifeq ($(shell basename $(CC)),gcc) 14 | CFLAGS += -pie 15 | # DEBUG FLAGS BELOW 16 | #export ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:detect_invalid_pointer_pairs=2 17 | #CFLAGS += -g -O0 -Wextra -Wno-unused-parameter -Wno-cast-function-type 18 | #CFLAGS += -fsanitize=address -fsanitize=leak -fno-omit-frame-pointer -fsanitize=undefined -fsanitize=bounds-strict -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow 19 | #CFLAGS += -fsanitize=pointer-compare -fsanitize=pointer-subtract -fanalyzer 20 | # DEBUG FLAGS ABOVE 21 | endif 22 | LDFLAGS += -Wl,-rpath,'$$ORIGIN' -g -ldl -shared -L. 
-l:leechcore.so -lm -Wl,-z,noexecstack 23 | DEPS = vmmdll.h 24 | OBJ = oscompatibility.o charutil.o util.o pe.o vmmdll.o vmmdll_core.o \ 25 | vmmdll_remote.o vmmdll_scatter.o vmm.o vmmex_light.o fc.o \ 26 | mm/mm_arm64.o mm/mm_x64.o mm/mm_x86.o mm/mm_x86pae.o mm/mm_pfn.o \ 27 | mm/mm_vad.o mm/mm_win.o \ 28 | pluginmanager.o pdb.o infodb.o \ 29 | ext/lz4.o ext/miniz.o ext/sha256.o ext/sqlite3.o \ 30 | ob/ob_bytequeue.o ob/ob_cachemap.o ob/ob_compressed.o \ 31 | ob/ob_container.o ob/ob_core.o ob/ob_counter.o ob/ob_map.o \ 32 | ob/ob_memfile.o ob/ob_set.o ob/ob_strmap.o \ 33 | statistics.o sysquery.o vmmheap.o vmmlog.o vmmnet.o \ 34 | vmmproc.o vmmvm.o vmmwininit.o vmmwin.o vmmwinobj.o vmmwinpool.o \ 35 | vmmwinreg.o vmmwinsvc.o vmmwinthread.o vmmuserconfig.o vmmwork.o \ 36 | vmmyarautil.o vmmyarawrap.o \ 37 | modules/m_vfsroot.o modules/m_vfsproc.o modules/m_vfsfc.o \ 38 | modules/m_conf.o modules/m_vm.o modules/m_winreg.o \ 39 | modules/m_fc_csv.o modules/m_fc_file.o modules/m_fc_findevil.o \ 40 | modules/m_fc_handle.o modules/m_fc_json.o modules/m_fc_module.o \ 41 | modules/m_fc_ntfs.o modules/m_fc_prefetch.o modules/m_fc_proc.o \ 42 | modules/m_fc_registry.o modules/m_fc_sys.o modules/m_fc_thread.o \ 43 | modules/m_fc_timeline.o modules/m_fc_web.o modules/m_fc_yara.o \ 44 | modules/m_evil_apc1.o modules/m_evil_av1.o modules/m_evil_entropy.o \ 45 | modules/m_evil_kern1.o modules/m_evil_kernproc1.o \ 46 | modules/m_evil_proc1.o modules/m_evil_proc2.o modules/m_evil_proc3.o \ 47 | modules/m_evil_thread1.o \ 48 | modules/m_misc_bitlocker.o modules/m_misc_eventlog.o \ 49 | modules/m_misc_procinfo.o modules/m_misc_view.o \ 50 | modules/m_sys.o modules/m_sys_driver.o modules/m_sys_mem.o \ 51 | modules/m_sys_net.o modules/m_sys_netdns.o modules/m_sys_obj.o \ 52 | modules/m_sys_pool.o modules/m_sys_proc.o modules/m_sys_svc.o \ 53 | modules/m_sys_syscall.o modules/m_sys_sysinfo.o modules/m_sys_task.o \ 54 | modules/m_sys_user.o \ 55 | modules/m_phys2virt.o 
modules/m_search.o modules/m_searchyara.o \ 56 | modules/m_proc_console.o modules/m_proc_file_handles_vads.o \ 57 | modules/m_proc_file_modules.o modules/m_proc_handle.o \ 58 | modules/m_proc_heap.o modules/m_proc_ldrmodules.o \ 59 | modules/m_proc_memmap.o modules/m_proc_minidump.o \ 60 | modules/m_proc_thread.o modules/m_proc_token.o \ 61 | modules/m_proc_virt2phys.o 62 | 63 | %.o: %.c $(DEPS) 64 | $(CC) -c -o $@ $< $(CFLAGS) 65 | 66 | vmm: $(OBJ) 67 | cp ../files/leechcore.so . || cp ../../LeechCore*/files/leechcore.so . || true 68 | $(CC) -o $@ $^ $(CFLAGS) -o vmm.so $(LDFLAGS) 69 | mv vmm.so ../files/ 70 | mv leechcore.so ../files/ 71 | rm -f *.o || true 72 | rm -f */*.o || true 73 | rm -f *.so || true 74 | true 75 | 76 | clean: 77 | rm -f *.o || true 78 | rm -f */*.o || true 79 | rm -f *.so || true 80 | -------------------------------------------------------------------------------- /vmm/Makefile.macos: -------------------------------------------------------------------------------- 1 | CC=clang 2 | CFLAGS += -I. -I../includes -D MACOS -D _GNU_SOURCE -D SQLITE_THREADSAFE=2 -D SQLITE_CORE -fvisibility=hidden -pthread 3 | CFLAGS += -fPIC -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O1 4 | CFLAGS += -Wall -Wno-multichar -Wno-unused-result -Wno-unused-variable -Wno-unused-value -Wno-pointer-sign 5 | CFLAGS += -Wno-pointer-to-int-cast -Wno-int-to-pointer-cast 6 | CFLAGS += -mmacosx-version-min=11.0 7 | # DEBUG FLAGS BELOW 8 | #CFLAGS += -O0 9 | #CFLAGS += -fsanitize=address 10 | # DEBUG FLAGS ABOVE 11 | LDFLAGS += -dynamiclib -L. 
./leechcore.dylib -lm 12 | LDFLAGS += -Wl,-rpath,@loader_path 13 | LDFLAGS += -g -mmacosx-version-min=11.0 14 | 15 | DEPS = vmmdll.h 16 | OBJ = oscompatibility.o charutil.o util.o pe.o vmmdll.o vmmdll_core.o \ 17 | vmmdll_remote.o vmmdll_scatter.o vmm.o vmmex_light.o fc.o \ 18 | mm/mm_arm64.o mm/mm_x64.o mm/mm_x86.o mm/mm_x86pae.o mm/mm_pfn.o \ 19 | mm/mm_vad.o mm/mm_win.o \ 20 | pluginmanager.o pdb.o infodb.o \ 21 | ext/lz4.o ext/miniz.o ext/sha256.o ext/sqlite3.o \ 22 | ob/ob_bytequeue.o ob/ob_cachemap.o ob/ob_compressed.o \ 23 | ob/ob_container.o ob/ob_core.o ob/ob_counter.o ob/ob_map.o \ 24 | ob/ob_memfile.o ob/ob_set.o ob/ob_strmap.o \ 25 | statistics.o sysquery.o vmmheap.o vmmlog.o vmmnet.o \ 26 | vmmproc.o vmmvm.o vmmwininit.o vmmwin.o vmmwinobj.o vmmwinpool.o \ 27 | vmmwinreg.o vmmwinsvc.o vmmwinthread.o vmmuserconfig.o vmmwork.o \ 28 | vmmyarautil.o vmmyarawrap.o \ 29 | modules/m_vfsroot.o modules/m_vfsproc.o modules/m_vfsfc.o \ 30 | modules/m_conf.o modules/m_vm.o modules/m_winreg.o \ 31 | modules/m_fc_csv.o modules/m_fc_file.o modules/m_fc_findevil.o \ 32 | modules/m_fc_handle.o modules/m_fc_json.o modules/m_fc_module.o \ 33 | modules/m_fc_ntfs.o modules/m_fc_prefetch.o modules/m_fc_proc.o \ 34 | modules/m_fc_registry.o modules/m_fc_sys.o modules/m_fc_thread.o \ 35 | modules/m_fc_timeline.o modules/m_fc_web.o modules/m_fc_yara.o \ 36 | modules/m_evil_apc1.o modules/m_evil_av1.o modules/m_evil_entropy.o \ 37 | modules/m_evil_kern1.o modules/m_evil_kernproc1.o \ 38 | modules/m_evil_proc1.o modules/m_evil_proc2.o modules/m_evil_proc3.o \ 39 | modules/m_evil_thread1.o \ 40 | modules/m_misc_bitlocker.o modules/m_misc_eventlog.o \ 41 | modules/m_misc_procinfo.o modules/m_misc_view.o \ 42 | modules/m_sys.o modules/m_sys_driver.o modules/m_sys_mem.o \ 43 | modules/m_sys_net.o modules/m_sys_netdns.o modules/m_sys_obj.o \ 44 | modules/m_sys_pool.o modules/m_sys_proc.o modules/m_sys_svc.o \ 45 | modules/m_sys_syscall.o modules/m_sys_sysinfo.o modules/m_sys_task.o \ 
46 | modules/m_sys_user.o \ 47 | modules/m_phys2virt.o modules/m_search.o modules/m_searchyara.o \ 48 | modules/m_proc_console.o modules/m_proc_file_handles_vads.o \ 49 | modules/m_proc_file_modules.o modules/m_proc_handle.o \ 50 | modules/m_proc_heap.o modules/m_proc_ldrmodules.o \ 51 | modules/m_proc_memmap.o modules/m_proc_minidump.o \ 52 | modules/m_proc_thread.o modules/m_proc_token.o \ 53 | modules/m_proc_virt2phys.o 54 | 55 | # ARCH SPECIFIC FLAGS: 56 | CFLAGS_X86_64 = $(CFLAGS) -arch x86_64 57 | CFLAGS_ARM64 = $(CFLAGS) -arch arm64 58 | LDFLAGS_X86_64 = $(LDFLAGS) -arch x86_64 59 | LDFLAGS_ARM64 = $(LDFLAGS) -arch arm64 60 | OBJ_X86_64 = $(OBJ:.o=.o.x86_64) 61 | OBJ_ARM64 = $(OBJ:.o=.o.arm64) 62 | 63 | all: vmm.dylib 64 | 65 | %.o.x86_64: %.c $(DEPS) 66 | $(CC) $(CFLAGS_X86_64) -c -o $@ $< 67 | 68 | %.o.arm64: %.c $(DEPS) 69 | $(CC) $(CFLAGS_ARM64) -c -o $@ $< 70 | 71 | vmm_x86_64.dylib: $(OBJ_X86_64) 72 | cp ../files/leechcore.dylib . || cp ../../LeechCore*/files/leechcore.dylib . || true 73 | $(CC) $(LDFLAGS_X86_64) -o $@ $^ 74 | 75 | vmm_arm64.dylib: $(OBJ_ARM64) 76 | cp ../files/leechcore.dylib . || cp ../../LeechCore*/files/leechcore.dylib . 
|| true 77 | $(CC) $(LDFLAGS_ARM64) -o $@ $^ 78 | 79 | vmm.dylib: vmm_x86_64.dylib vmm_arm64.dylib 80 | lipo -create -output vmm.dylib vmm_x86_64.dylib vmm_arm64.dylib 81 | install_name_tool -id @rpath/vmm.dylib vmm.dylib 82 | mv vmm.dylib ../files/ 83 | mv leechcore.dylib ../files/ 84 | rm -f *.o *.o.x86_64 *.o.arm64 || true 85 | rm -f */*.o */*.o.x86_64 */*.o.arm64 || true 86 | rm -f *.dylib || true 87 | true 88 | 89 | clean: 90 | rm -f *.o *.o.x86_64 *.o.arm64 || true 91 | rm -f */*.o */*.o.x86_64 */*.o.arm64 || true 92 | rm -f *.dylib || true 93 | -------------------------------------------------------------------------------- /vmm/ext/sha256.h: -------------------------------------------------------------------------------- 1 | /********************************************************************* 2 | * Filename: sha256.h 3 | * Author: Brad Conte (brad AT bradconte.com) 4 | * Copyright: 5 | * Disclaimer: This code is presented "as is" without any guarantees. 6 | * Details: Defines the API for the corresponding SHA-256 implementation (sha256.c). 
7 | *********************************************************************/ 8 | 9 | #ifndef SHA256_H 10 | #define SHA256_H 11 | 12 | /*************************** HEADER FILES ***************************/ 13 | #include 14 | 15 | /****************************** MACROS ******************************/ 16 | #define SHA256_BLOCK_SIZE 32 // SHA256 digest length in bytes. NB: despite the name this is the OUTPUT size, not the 64-byte compression block (see SHA256_CTX.data[64]); do not use it as the block size for HMAC-style padding. 17 | 18 | /**************************** DATA TYPES ****************************/ 19 | typedef unsigned char BYTE; // 8-bit byte 20 | typedef unsigned int UINT; // 32-bit word, change to "long" for 16-bit machines 21 | 22 | typedef struct { 23 | BYTE data[64]; 24 | UINT datalen; 25 | unsigned long long bitlen; 26 | UINT state[8]; 27 | } SHA256_CTX; 28 | 29 | /*********************** FUNCTION DECLARATIONS **********************/ 30 | void sha256_init(SHA256_CTX *ctx); 31 | void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len); 32 | void sha256_final(SHA256_CTX *ctx, BYTE hash[]); 33 | 34 | #endif // SHA256_H 35 | -------------------------------------------------------------------------------- /vmm/mm/mm.h: -------------------------------------------------------------------------------- 1 | // mm.h : definitions related to the core memory manager. 2 | // 3 | // (c) Ulf Frisk, 2018-2025 4 | // Author: Ulf Frisk, pcileech@frizk.net 5 | // 6 | #ifndef __MM_H__ 7 | #define __MM_H__ 8 | #include "../vmm.h" 9 | 10 | /* 11 | * Initialize the X86 32-bit protected mode memory model. 12 | * -- H 13 | */ 14 | VOID MmX86_Initialize(_In_ VMM_HANDLE H); 15 | 16 | /* 17 | * Initialize the X86 PAE 32-bit protected mode memory model. 18 | * -- H 19 | */ 20 | VOID MmX86PAE_Initialize(_In_ VMM_HANDLE H); 21 | 22 | /* 23 | * Initialize the X64 / IA32e / Long-Mode paging / memory model. 24 | * -- H 25 | */ 26 | VOID MmX64_Initialize(_In_ VMM_HANDLE H); 27 | 28 | /* 29 | * Initialize ARM64 memory model. 
30 | * -- H 31 | */ 32 | VOID MmARM64_Initialize(_In_ VMM_HANDLE H); 33 | 34 | /* 35 | * Initialize the paging sub-system for Windows in a limited or full fashion. 36 | * In full mode Win10 memory decompression will be initialized. 37 | * -- H 38 | * -- fModeFull 39 | */ 40 | VOID MmWin_PagingInitialize(_In_ VMM_HANDLE H, _In_ BOOL fModeFull); 41 | 42 | /* 43 | * Close / Shutdown the paging subsystem. This function should not be called 44 | * when there is an active thread executing inside the sub-system - ideally 45 | * it should only be called on shutdown. 46 | * -- H 47 | */ 48 | VOID MmWin_PagingClose(_In_ VMM_HANDLE H); 49 | 50 | /* 51 | * Initialize / Ensure that a VAD map is initialized for the specific process. 52 | * -- H 53 | * -- pProcess 54 | * -- tp = VMM_VADMAP_TP_* 55 | * -- fVmmRead = VMM_FLAGS_* flags. 56 | * -- return 57 | */ 58 | _Success_(return) 59 | BOOL MmVad_MapInitialize(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pProcess, _In_ VMM_VADMAP_TP tp, _In_ QWORD fVmmRead); 60 | 61 | /* 62 | * Try to read a prototype page table entry (PTE). 63 | * -- H 64 | * -- pProcess 65 | * -- va 66 | * -- pfInRange 67 | * -- fVmmRead = VMM_FLAGS_* flags. 68 | * -- return = prototype pte or zero on fail. 69 | */ 70 | QWORD MmVad_PrototypePte(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pProcess, _In_ QWORD va, _Out_opt_ PBOOL pfInRange, _In_ QWORD fVmmRead); 71 | 72 | /* 73 | * Interpret VAD protection flags into the 6-character string p[mgn]rwxc. 74 | * -- pVad 75 | * -- sz = buffer of at least 6 characters (see _Out_writes_(6)) that receives the written characters - NOT null terminated, so the caller must never treat it as a C string or print it with %s. 76 | */ 77 | VOID MmVad_StrProtectionFlags(_In_ PVMM_MAP_VADENTRY pVad, _Out_writes_(6) LPSTR sz); 78 | 79 | /* 80 | * Retrieve the type of the VAD entry as an ansi string. 81 | * The string must _not_ be free'd. 82 | * -- pVad 83 | * -- return 84 | */ 85 | LPCSTR MmVad_StrType(_In_ PVMM_MAP_VADENTRY pVad); 86 | 87 | /* 88 | * Retrieve the page type as a character. 
89 | * -- tp 90 | * -- return 91 | */ 92 | CHAR MmVadEx_StrType(_In_ VMM_PTE_TP tp); 93 | 94 | /* 95 | * Initialize / Retrieve an extended VAD map with info about individual pages in 96 | * the ranges specified by the iPage and cPage variables. 97 | * CALLER DECREF: return 98 | * -- H 99 | * -- pProcess 100 | * -- tpVmmVadMap = VMM_VADMAP_TP_* 101 | * -- iPage = index of range start in vad map. 102 | * -- cPage = number of pages, starting at iPage. 103 | * -- return = the extended VAD map (caller must DECREF it) or NULL on failure. 104 | */ 105 | _Success_(return != NULL) 106 | PVMMOB_MAP_VADEX MmVadEx_MapInitialize(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pProcess, _In_ VMM_VADMAP_TP tpVmmVadMap, _In_ DWORD iPage, _In_ DWORD cPage); 107 | 108 | #endif /* __MM_H__ */ 109 | -------------------------------------------------------------------------------- /vmm/mm/mm_pfn.h: -------------------------------------------------------------------------------- 1 | // mm_pfn.h : definitions related to the pfn (page frame number) database and 2 | // related physical memory functionality. 
3 | // 4 | // (c) Ulf Frisk, 2020-2025 5 | // Author: Ulf Frisk, pcileech@frizk.net 6 | // 7 | #ifndef __MM_PFN_H__ 8 | #define __MM_PFN_H__ 9 | #include "../vmm.h" 10 | 11 | static LPCSTR MMPFN_TYPE_TEXT[] = { "Zero", "Free", "Standby", "Modifiy", "ModNoWr", "Bad", "Active", "Transit" }; 12 | static LPCSTR MMPFN_TYPEEXTENDED_TEXT[] = { "-", "Unused", "ProcPriv", "PageTable", "LargePage", "DriverLock", "Shareable", "File" }; 13 | 14 | typedef enum tdMMPFN_TYPE { 15 | MmPfnTypeZero = 0, 16 | MmPfnTypeFree = 1, 17 | MmPfnTypeStandby = 2, 18 | MmPfnTypeModified = 3, 19 | MmPfnTypeModifiedNoWrite = 4, 20 | MmPfnTypeBad = 5, 21 | MmPfnTypeActive = 6, 22 | MmPfnTypeTransition = 7 23 | } MMPFN_TYPE; 24 | 25 | typedef enum tdMMPFN_TYPEEXTENDED { 26 | MmPfnExType_Unknown = 0, 27 | MmPfnExType_Unused = 1, 28 | MmPfnExType_ProcessPrivate = 2, 29 | MmPfnExType_PageTable = 3, 30 | MmPfnExType_LargePage = 4, 31 | MmPfnExType_DriverLocked = 5, 32 | MmPfnExType_Shareable = 6, 33 | MmPfnExType_File = 7, 34 | } MMPFN_TYPEEXTENDED; 35 | 36 | typedef struct tdMMPFN_MAP_ENTRY { 37 | DWORD dwPfn; 38 | MMPFN_TYPEEXTENDED tpExtended; 39 | struct { // Only valid if active non-prototype PFN 40 | union { 41 | DWORD dwPid; 42 | DWORD dwPfnPte[5]; // PFN of paging levels 1-4 (x64) 43 | }; 44 | QWORD va; // valid if non-zero 45 | } AddressInfo; 46 | QWORD vaPte; 47 | QWORD OriginalPte; 48 | union { 49 | DWORD _u3; 50 | struct { 51 | WORD ReferenceCount; 52 | // MMPFNENTRY 53 | BYTE PageLocation : 3; // Pos 0 54 | BYTE WriteInProgress : 1; // Pos 3 55 | BYTE Modified : 1; // Pos 4 56 | BYTE ReadInProgress : 1; // Pos 5 57 | BYTE CacheAttribute : 2; // Pos 6 58 | BYTE Priority : 3; // Pos 0 59 | BYTE Rom_OnProtectedStandby : 1; // Pos 3 60 | BYTE InPageError : 1; // Pos 4 61 | BYTE KernelStack_SystemChargedPage : 1; // Pos 5 62 | BYTE RemovalRequested : 1; // Pos 6 63 | BYTE ParityError : 1; // Pos 7 64 | }; 65 | }; 66 | union { 67 | QWORD _u4; 68 | struct { 69 | DWORD PteFrame; 70 | DWORD 
PteFrameHigh : 4; // Pos 32 71 | DWORD _Reserved : 21; // Pos 36 72 | DWORD PrototypePte : 1; // Pos 57 73 | DWORD PageColor : 6; // Pos 58 74 | }; 75 | }; 76 | DWORD _FutureUse[6]; 77 | } MMPFN_MAP_ENTRY, *PMMPFN_MAP_ENTRY; 78 | 79 | typedef struct tdMMPFNOB_MAP { 80 | OB ObHdr; 81 | DWORD cMap; // # map entries. 82 | MMPFN_MAP_ENTRY pMap[]; // map entries. 83 | } MMPFNOB_MAP, *PMMPFNOB_MAP; 84 | 85 | /* 86 | * Close / Shutdown the PFN subsystem. This function should never be called when 87 | * there may be an active thread in the PFN subsystem. This function should only 88 | * be called on shutdown. 89 | * -- H 90 | */ 91 | VOID MmPfn_Close(_In_ VMM_HANDLE H); 92 | 93 | /* 94 | * Refresh the PFN (page frame number) subsystem. 95 | * This should be performed after each process list refresh. 96 | * -- H 97 | */ 98 | VOID MmPfn_Refresh(_In_ VMM_HANDLE H); 99 | 100 | /* 101 | * Retrieve information about a sequential number of PFNs. 102 | * CALLER DECREF: pObPfnMap 103 | * -- H 104 | * -- dwPfnStart = starting PFN. PFN = physical address / 0x1000. 105 | * -- cPfn 106 | * -- ppObPfnMap 107 | * -- fExtended = extended information such as process id's. 108 | * -- return 109 | */ 110 | _Success_(return) 111 | BOOL MmPfn_Map_GetPfn(_In_ VMM_HANDLE H, _In_ DWORD dwPfnStart, _In_ DWORD cPfn, _Out_ PMMPFNOB_MAP *ppObPfnMap, _In_ BOOL fExtended); 112 | 113 | /* 114 | * Retrieve information about scattered PFNs. The PFNs are returned in order of 115 | * in which they are stored in the psPfn set. 116 | * NB! POB_SET does not support ZERO, for PFN zero use 0x8000000000000000. 117 | * CALLER DECREF: pObPfnMap 118 | * -- H 119 | * -- psPfn = Set of PFNs. PFN = physical address / 0x1000. 120 | * -- cPfn 121 | * -- ppObPfnMap 122 | * -- fExtended = extended information such as process id's. 
 * -- return
 */
_Success_(return)
BOOL MmPfn_Map_GetPfnScatter(_In_ VMM_HANDLE H, _In_ POB_SET psPfn, _Out_ PMMPFNOB_MAP *ppObPfnMap, _In_ BOOL fExtended);

/*
 * Retrieve the system PTEs aka DTB PFNs in a fairly optimized way.
 * CALLER DECREF: pObPfnMap
 * -- H
 * -- ppObPfnMap = receives the map (CALLER DECREF).
 * -- fExtended = extended information such as process id's.
 * -- ppcProgress = optional progress counter to be updated continuously within function.
 * -- return
 */
_Success_(return)
BOOL MmPfn_Map_GetPfnSystem(_In_ VMM_HANDLE H, _Out_ PMMPFNOB_MAP *ppObPfnMap, _In_ BOOL fExtended, _Out_opt_ PDWORD ppcProgress);

#endif /* __MM_PFN_H__ */
--------------------------------------------------------------------------------
/vmm/modules/m_evil_av1.c:
--------------------------------------------------------------------------------
// m_evil_av1.c : various anti-virus detections.
//
// Detections:
// - Windows Defender: Malware Detected
//
// (c) Ulf Frisk, 2023-2025
// Author: Ulf Frisk, pcileech@frizk.net
//

#include "modules.h"
#include "../vmmwinobj.h"

#define MEVILAV1_MAX_FINDINGS_PER_FILE 64           // per-file cap on emitted findings (strict '<' below, so at most 63 are emitted)
#define MEVILAV1_MAX_FILE_SIZE 0x10000000 // 256MB   // upper bound on how much of a log file is read from the image

/*
 * Scan one Windows Defender MPLog-* file, read from the memory image, for log
 * lines whose text after a 25-character prefix starts with "DETECTIONEVENT" or
 * "DETECTION_ADD" and emit each such line as an AV_DETECT finding.
 * The 25-character prefix is presumably a fixed-width timestamp - TODO confirm
 * against the MPLog line format.
 * Line content comes straight from the analysed image and is untrusted; it is
 * only ever passed to FcEvilAdd/VmmLog as a %s argument, never as a format.
 * -- H
 * -- MID
 * -- pFile = file object to read. Only min(pFile->cb, MEVILAV1_MAX_FILE_SIZE) bytes are read.
 */
VOID MEvilAV1_DoWork_WinDefend_MPLog(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_ POB_VMMWINOBJ_FILE pFile)
{
    SIZE_T oFile = 0, cbFile = 0, cbLine;
    PBYTE pbFile = NULL;
    LPSTR uszText = NULL, uszLine, szTokenizerContext;
    DWORD cProtect = 0;
    // read file:
    cbFile = min(MEVILAV1_MAX_FILE_SIZE, (SIZE_T)pFile->cb);
    // sizeof(DWORD) extra bytes hold the zero terminator written after the read.
    if(!cbFile || !(pbFile = LocalAlloc(0, cbFile + sizeof(DWORD)))) { goto fail; }
    if(0 == VmmWinObjFile_Read(H, pFile, 0, pbFile, (DWORD)cbFile, VMMDLL_FLAG_ZEROPAD_ON_FAIL, VMMWINOBJ_FILE_TP_DEFAULT)) { goto fail; }
    // four zero bytes after the data guarantee a UTF-16 NUL terminator for the
    // (DWORD)-1 length conversion below - presumably -1 means "up to NUL";
    // verify against CharUtil_WtoU.
    *(PDWORD)(pbFile + cbFile) = 0;
    // data is likely to be zero-padded on a per-page basis and will be in UTF-16LE, convert to UTF-8:
    while(oFile < cbFile) {
        if(!pbFile[oFile]) {
            // first byte of the page is zero: treat the whole page as padding and
            // move to the next page boundary (~0xfff sign-extends to a full SIZE_T mask).
            oFile = (oFile + 0x1000) & ~0xfff;
            continue;
        }
        // oFile is always page aligned here, so the LPWSTR cast is aligned.
        if(CharUtil_WtoU((LPWSTR)(pbFile + oFile), (DWORD)-1, NULL, 0, &uszText, NULL, CHARUTIL_FLAG_ALLOC)) {
            // iterate per-line in text:
            szTokenizerContext = NULL;
            uszLine = strtok_s(uszText, "\r\n", &szTokenizerContext);
            while(uszLine) {
                cbLine = strlen(uszLine);
                if(cbLine > 25) {
                    if(CharUtil_StrStartsWith(uszLine + 25, "DETECTIONEVENT", FALSE) || CharUtil_StrStartsWith(uszLine + 25, "DETECTION_ADD", FALSE)) {
                        cProtect++;
                        // cap the number of findings per file; matches beyond the cap are counted but not reported.
                        if(cProtect < MEVILAV1_MAX_FINDINGS_PER_FILE) {
                            FcEvilAdd(H, EVIL_AV_DETECT, NULL, 0, "AV:[Windows Defender] EVENT:[%s]", uszLine);
                            VmmLog(H, MID, LOGLEVEL_5_DEBUG, "DETECTION: AV:[Windows Defender] EVENT:[%s]", uszLine);
                        }
                    }
                }
                uszLine = strtok_s(NULL, "\r\n", &szTokenizerContext);
            }
            LocalFree(uszText);
            uszText = NULL;
        }
        // skip, page by page, past the text that was just converted (pages whose
        // first byte is non-zero); the next zero page is handled at the loop top.
        while((oFile < cbFile) && pbFile[oFile]) {
            oFile += 0x1000;
        }
    }
fail:
    LocalFree(pbFile);
}

/*
 * Find-evil entry point: enumerate all file objects in the image and analyse
 * every Windows Defender MPLog-* file found under the Defender support path.
 * Files are de-duplicated by a 64-bit hash of their full path.
 * -- H
 * -- MID
 * -- ctxfc = unused.
 */
VOID MEvilAV1_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt_ PVOID ctxfc)
{
    // Iterate all files to find anti-virus log files:
    POB_MAP pmObFiles = NULL;
    POB_SET psObDuplicates = NULL;
    POB_VMMWINOBJ_FILE pObFile = NULL;
    // NOTE(review): ObSet_New is not NULL-checked; a NULL set means every
    // ObSet_Push below must fail safely for nothing to be analysed - confirm
    // ObSet_Push tolerates a NULL set.
    psObDuplicates = ObSet_New(H);
    if(VmmWinObjFile_GetAll(H, &pmObFiles)) {
        while((pObFile = ObMap_GetNext(pmObFiles, pObFile))) {
            // Windows Defender MPLog:
            // both the file name and the full path must match (case-insensitive).
            if(CharUtil_StrStartsWith(pObFile->uszName, "MPLog-", FALSE) && CharUtil_StrStartsWith(pObFile->uszPath, "\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-", FALSE)) {
                // ObSet_Push returns success only for a path not seen before.
                if(ObSet_Push(psObDuplicates, CharUtil_Hash64U(pObFile->uszPath, FALSE))) {
                    VmmLog(H, MID, LOGLEVEL_5_DEBUG, "ANALYZE_FILE: AV:[Windows Defender] FILE:[%s]", pObFile->uszPath);
                    MEvilAV1_DoWork_WinDefend_MPLog(H, MID, pObFile);
                }
            }
        }
    }
    Ob_DECREF(psObDuplicates);
    Ob_DECREF(pmObFiles);
}

/*
 * Plugin registration: register this detector as a hidden root-level findevil
 * plugin. Registration is refused when the plugin interface magic/version does
 * not match the one this module was built against.
 * -- H
 * -- pRI
 */
VOID M_Evil_AV1(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI)
{
    if((pRI->magic != VMMDLL_PLUGIN_REGINFO_MAGIC) || (pRI->wVersion != VMMDLL_PLUGIN_REGINFO_VERSION)) { return; }
    // register findevil plugin:
    strcpy_s(pRI->reg_info.uszPathName, 128, "\\findevil\\EvAV1");
    pRI->reg_info.fRootModule = TRUE;
    pRI->reg_info.fRootModuleHidden = TRUE;
    pRI->reg_fnfc.pfnFindEvil = MEvilAV1_DoWork;
    pRI->pfnPluginManager_Register(H, pRI);
}
--------------------------------------------------------------------------------
/vmm/modules/m_evil_kern1.c:
--------------------------------------------------------------------------------
// m_evil_kern1.c : evil detectors for various kernel issues #1.
//
// Detections:
// - DRIVER_PATH
//
// (c) Ulf Frisk, 2023-2025
// Author: Ulf Frisk, pcileech@frizk.net
//

#include "modules.h"

/*
 * VMMEVIL_TYPE: DRIVER_PATH
 * Locate kernel drivers loaded from non standard paths.
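 * A driver is reported when no module is linked to its start address (except
 * the \FileSystem\RAW driver) or when the linked module's full name does not
 * start with one of the allow-listed locations.
 * -- H
 * -- MID
 * -- pSystemProcess = the System process (PID 4) whose module map is used.
 */

/*
 * Check whether a module full name starts with one of the allow-listed driver
 * locations. The comparison is a case-insensitive prefix match: everything at
 * or below an allow-listed directory passes, and entries without a trailing
 * backslash (e.g. "...\System32\win32k") pass every name extending them.
 * -- uszFullName
 * -- return
 */
static BOOL MEvilKern1_IsDriverPathAllowed(_In_ LPSTR uszFullName)
{
    // add more allowed paths to the list below:
    static LPCSTR szPATH_ALLOWLIST[] = {
        "\\SystemRoot\\system32\\DRIVERS\\",
        "\\SystemRoot\\System32\\DriverStore\\",
        "\\SystemRoot\\system32\\ntoskrnl.exe",
        "\\SystemRoot\\System32\\win32k",
        "\\SystemRoot\\system32\\hal.dll",
        "\\SystemRoot\\system32\\cdd.dll",
        "\\??\\C:\\Windows\\system32\\DRIVERS\\",
        "\\??\\C:\\Windows\\System32\\DriverStore\\",
        "\\??\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\",
    };
    DWORD iPathAllow;
    // element count derived from the array's own element type so the divisor
    // cannot drift from the declaration.
    for(iPathAllow = 0; iPathAllow < (sizeof(szPATH_ALLOWLIST) / sizeof(szPATH_ALLOWLIST[0])); iPathAllow++) {
        if(CharUtil_StrStartsWith(uszFullName, szPATH_ALLOWLIST[iPathAllow], TRUE)) { return TRUE; }
    }
    return FALSE;
}

VOID MEvilKern1_KDriverPath(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_ PVMM_PROCESS pSystemProcess)
{
    POB_MAP pmObModuleByVA = NULL;
    PVMMOB_MAP_MODULE pObModuleMap = NULL;
    PVMMOB_MAP_KDRIVER pObDriverMap = NULL;
    PVMM_MAP_KDRIVERENTRY peDriver;
    PVMM_MAP_MODULEENTRY peModule;
    DWORD iDriver;
    if(!VmmMap_GetKDriver(H, &pObDriverMap)) { goto fail; }
    if(!VmmMap_GetModule(H, pSystemProcess, 0, &pObModuleMap)) { goto fail; }
    // module lookup keyed by module virtual address (used to link driver -> module):
    if(!VmmMap_GetModuleEntryEx3(H, pObModuleMap, &pmObModuleByVA)) { goto fail; }
    for(iDriver = 0; iDriver < pObDriverMap->cMap; iDriver++) {
        peDriver = pObDriverMap->pMap + iDriver;
        peModule = ObMap_GetByKey(pmObModuleByVA, peDriver->vaStart);
        if(!peModule) {
            // the RAW file system driver legitimately has no linked module:
            if(CharUtil_StrStartsWith(peDriver->uszPath, "\\FileSystem\\RAW", TRUE)) { continue; }
            // evil: driver has no linked module:
            FcEvilAdd(H, EVIL_DRIVER_PATH, pSystemProcess, peDriver->va, "Driver:[%s] Module:[NOT_FOUND]", peDriver->uszName);
            VmmLog(H, MID, LOGLEVEL_5_DEBUG, "%s: Driver:[%s] Module:[NOT_FOUND]", EVIL_DRIVER_PATH.Name, peDriver->uszName);
            continue;
        }
        if(MEvilKern1_IsDriverPathAllowed(peModule->uszFullName)) { continue; }
        // evil: driver module not loaded from path in allowlist:
        FcEvilAdd(H, EVIL_DRIVER_PATH, pSystemProcess, peDriver->va, "Driver:[%s] Module:[%s]", peDriver->uszName, peModule->uszFullName);
        VmmLog(H, MID, LOGLEVEL_5_DEBUG, "%s: Driver:[%s] Module:[%s] ", EVIL_DRIVER_PATH.Name, peDriver->uszName, peModule->uszFullName);
    }
fail:
    Ob_DECREF(pmObModuleByVA);
    Ob_DECREF(pObModuleMap);
    Ob_DECREF(pObDriverMap);
}

/*
 * Find-evil entry point: run the DRIVER_PATH check against the System process
 * (PID 4). Does nothing when an abort is pending or PID 4 cannot be retrieved.
 * -- H
 * -- MID
 * -- ctxfc = unused.
 */
VOID MEvilKern1_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt_ PVOID ctxfc)
{
    PVMM_PROCESS pObSystemProcess = NULL;
    if(H->fAbort) { return; }
    if(!(pObSystemProcess = VmmProcessGet(H, 4))) { return; }
    MEvilKern1_KDriverPath(H, MID, pObSystemProcess);
    VmmLog(H, MID, LOGLEVEL_6_TRACE, "COMPLETED FINDEVIL SCAN");
    Ob_DECREF(pObSystemProcess);
}

/*
 * Plugin registration: register this detector as a hidden root-level findevil
 * plugin. Skipped on interface magic/version mismatch and on 32-bit or
 * pre-Windows 8.1 (build < 9600) targets.
 * -- H
 * -- pRI
 */
VOID M_Evil_Kern1(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI)
{
    if((pRI->magic != VMMDLL_PLUGIN_REGINFO_MAGIC) || (pRI->wVersion != VMMDLL_PLUGIN_REGINFO_VERSION)) { return; }
    if(pRI->sysinfo.f32 || (pRI->sysinfo.dwVersionBuild < 9600)) { return; }    // only support 64-bit Win8.1+ for now
    // register findevil plugin:
    strcpy_s(pRI->reg_info.uszPathName, 128, "\\findevil\\EvKRNL1");
    pRI->reg_info.fRootModule = TRUE;
    pRI->reg_info.fRootModuleHidden = TRUE;
    pRI->reg_fnfc.pfnFindEvil = MEvilKern1_DoWork;
    pRI->pfnPluginManager_Register(H, pRI);
}
--------------------------------------------------------------------------------
/vmm/modules/m_evil_kernproc1.c:
--------------------------------------------------------------------------------
// m_evil_kernproc1.c : evil detectors common between user/kernel processes.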
//
// Detections:
// - PE_HDR_SPOOF
//
// (c) Ulf Frisk, 2023-2025
// Author: Ulf Frisk, pcileech@frizk.net
//

#include "modules.h"
#include "../vmmwin.h"



//-----------------------------------------------------------------------------
// PE_HDR_SPOOF
//-----------------------------------------------------------------------------

/*
 * Locate potentially spoofed PE headers.
 * Detect PE 'LowAlign' mode in which PE section headers are disregarded: a
 * module is reported when it carries a section named "LOWALIGN" whose
 * VirtualAddress is zero. csrss.exe is excluded from the check.
 * -- H
 * -- pProcess
 */
VOID MEvilKernProc1_PeHdrSpoof(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pProcess)
{
    PVMMOB_MAP_MODULE pObModuleMap = NULL;
    PVMM_MAP_MODULEENTRY pe, peEnd;
    IMAGE_SECTION_HEADER SectionLowAlign;
    LPSTR uszModuleName;
    if(CharUtil_StrEquals(pProcess->szName, "csrss.exe", TRUE)) { return; }
    if(!VmmMap_GetModule(H, pProcess, 0, &pObModuleMap)) { return; }
    for(pe = pObModuleMap->pMap, peEnd = pe + pObModuleMap->cMap; pe < peEnd; pe++) {
        // PE_HDR_SPOOF: only a "LOWALIGN" section at virtual address zero counts.
        if(!PE_SectionGetFromName(H, pProcess, pe->vaBase, "LOWALIGN", &SectionLowAlign)) { continue; }
        if(SectionLowAlign.VirtualAddress != 0) { continue; }
        uszModuleName = pe->uszFullName ? pe->uszFullName : "";
        FcEvilAdd(H, EVIL_PE_HDR_SPOOF, pProcess, pe->vaBase, "Module:[%s]", uszModuleName);
    }
    Ob_DECREF(pObModuleMap);
}



//-----------------------------------------------------------------------------
// COMMON:
//-----------------------------------------------------------------------------

/*
 * Find-evil entry point: walk every process (including terminated ones, with
 * token info) and run the PE_HDR_SPOOF check on each process not skipped by
 * FcIsProcessSkip. An abort request stops the walk before the completion log.
 * -- H
 * -- MID
 * -- ctxfc = unused.
 */
VOID MEvilKernProc1_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt_ PVOID ctxfc)
{
    BOOL fAborted = FALSE;
    PVMM_PROCESS pObProcess = NULL;
    QWORD qwFlags = VMM_FLAG_PROCESS_TOKEN | VMM_FLAG_PROCESS_SHOW_TERMINATED;
    for(pObProcess = VmmProcessGetNext(H, NULL, qwFlags); pObProcess; pObProcess = VmmProcessGetNext(H, pObProcess, qwFlags)) {
        if(H->fAbort) {
            fAborted = TRUE;
            break;
        }
        if(!FcIsProcessSkip(H, pObProcess)) {
            MEvilKernProc1_PeHdrSpoof(H, pObProcess);
        }
    }
    if(!fAborted) {
        VmmLog(H, MID, LOGLEVEL_6_TRACE, "COMPLETED FINDEVIL SCAN");
    }
    // NULL after a full walk; the in-flight process after an abort.
    Ob_DECREF(pObProcess);
}

/*
 * Plugin registration: register this detector as a hidden root-level findevil
 * plugin. Skipped on interface magic/version mismatch and on 32-bit or
 * pre-Windows 8.1 (build < 9600) targets.
 * -- H
 * -- pRI
 */
VOID M_Evil_KernProc1(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI)
{
    BOOL fRegInfoOK = (pRI->magic == VMMDLL_PLUGIN_REGINFO_MAGIC) && (pRI->wVersion == VMMDLL_PLUGIN_REGINFO_VERSION);
    BOOL fSupported = !pRI->sysinfo.f32 && (pRI->sysinfo.dwVersionBuild >= 9600);  // only support 64-bit Win8.1+ for now
    if(!fRegInfoOK || !fSupported) { return; }
    // register findevil plugin:
    strcpy_s(pRI->reg_info.uszPathName, 128, "\\findevil\\EvKERNPROC1");
    pRI->reg_info.fRootModule = TRUE;
    pRI->reg_info.fRootModuleHidden = TRUE;
    pRI->reg_fnfc.pfnFindEvil = MEvilKernProc1_DoWork;
    pRI->pfnPluginManager_Register(H, pRI);
}
--------------------------------------------------------------------------------
/vmm/modules/m_fc_findevil.c:
--------------------------------------------------------------------------------
// m_fc_findevil.c : implementation of the find evil built-in module.
//
// (c) Ulf Frisk, 2020-2025
// Author: Ulf Frisk, pcileech@frizk.net
//

#include "modules.h"
#include "../mm/mm.h"

// Contents of readme.txt (served verbatim; keep the text byte-exact).
LPCSTR szM_FC_FINDEVIL_README =
    "Find Evil tries to identify and discover signs of malware infection. \n"
    "Find Evil currently detect some types of malware infection by memory analysis\n"
    "and does not, at this moment, support anti-virus scans and custom yara rules.\n"
    "--- \n"
    "Find Evil is enabled for 64-bit Windows 10+ to keep false positive ratio low.\n"
    "Find Evil limit select findings per virtual address decriptor and process to \n"
    "keep output manageable. Find Evil also limit findings on select processes. \n"
    "--- \n"
    "YARA: FindEvil tries to use built-in YARA rules, many which are from \n"
    "Elastic Security. The Elastic License 2.0 must be accepted to use the rules. \n"
    "https://www.elastic.co/licensing/elastic-license \n"
    "Accept with command line option: '-license-accept-elastic-license-2.0' \n"
    "--- \n"
    "Documentation: https://github.com/ufrisk/MemProcFS/wiki/FS_FindEvil \n"
    "--- \n"
    "Find Evil is a work in progress - post github issues for feature requests. \n";

/*
 * Read callback: readme.txt is served from the static text above, the other
 * three files from the forensic FindEvil memory files. Names are matched
 * case-insensitively; anything else is an invalid file.
 * -- H
 * -- ctxP
 * -- pb
 * -- cb
 * -- pcbRead
 * -- cbOffset
 * -- return
 */
NTSTATUS MFcFindEvil_Read(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _Out_writes_to_(cb, *pcbRead) PBYTE pb, _In_ DWORD cb, _Out_ PDWORD pcbRead, _In_ QWORD cbOffset)
{
    BOOL fMemFile = TRUE;
    POB_MEMFILE pmf = NULL;
    LPCSTR uszFile = ctxP->uszPath;
    if(!_stricmp(uszFile, "readme.txt")) {
        return Util_VfsReadFile_FromPBYTE((PBYTE)szM_FC_FINDEVIL_README, strlen(szM_FC_FINDEVIL_README), pb, cb, pcbRead, cbOffset);
    } else if(!_stricmp(uszFile, "findevil.txt")) {
        pmf = H->fc->FindEvil.pmf;
    } else if(!_stricmp(uszFile, "yara.txt")) {
        pmf = H->fc->FindEvil.pmfYara;
    } else if(!_stricmp(uszFile, "yara_rules.txt")) {
        pmf = H->fc->FindEvil.pmfYaraRules;
    } else {
        fMemFile = FALSE;
    }
    return fMemFile ? ObMemFile_ReadFile(pmf, pb, cb, pcbRead, cbOffset) : VMMDLL_STATUS_FILE_INVALID;
}

/*
 * List callback: the module root holds exactly four files; sub-paths do not exist.
 * -- H
 * -- ctxP
 * -- pFileList
 * -- return
 */
BOOL MFcFindEvil_List(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _Inout_ PHANDLE pFileList)
{
    BOOL fRoot = !ctxP->uszPath[0];
    if(fRoot) {
        VMMDLL_VfsList_AddFile(pFileList, "readme.txt", strlen(szM_FC_FINDEVIL_README), NULL);
        VMMDLL_VfsList_AddFile(pFileList, "findevil.txt", ObMemFile_Size(H->fc->FindEvil.pmf), NULL);
        VMMDLL_VfsList_AddFile(pFileList, "yara.txt", ObMemFile_Size(H->fc->FindEvil.pmfYara), NULL);
        VMMDLL_VfsList_AddFile(pFileList, "yara_rules.txt", ObMemFile_Size(H->fc->FindEvil.pmfYaraRules), NULL);
    }
    return fRoot;
}

/*
 * Notify callback: the module stays hidden until the forensic init completes.
 * -- H
 * -- ctxP
 * -- fEvent
 * -- pvEvent
 * -- cbEvent
 */
VOID MFcFindEvil_Notify(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _In_ DWORD fEvent, _In_opt_ PVOID pvEvent, _In_opt_ DWORD cbEvent)
{
    if(fEvent != VMMDLL_PLUGIN_NOTIFY_FORENSIC_INIT_COMPLETE) { return; }
    PluginManager_SetVisibility(H, TRUE, "\\forensic\\findevil", TRUE);
}

/*
 * Plugin registration: hidden root module at \forensic\findevil with list,
 * read and notify callbacks.
 * -- H
 * -- pRI
 */
VOID M_FcFindEvil_Initialize(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI)
{
    BOOL fRegInfoOK = (pRI->magic == VMMDLL_PLUGIN_REGINFO_MAGIC) && (pRI->wVersion == VMMDLL_PLUGIN_REGINFO_VERSION);
    if(!fRegInfoOK) { return; }
    pRI->reg_fn.pfnList = MFcFindEvil_List;
    pRI->reg_fn.pfnRead = MFcFindEvil_Read;
    // register forensic plugin
    strcpy_s(pRI->reg_info.uszPathName, 128, "\\forensic\\findevil");
    pRI->reg_info.fRootModule = TRUE;
    pRI->reg_info.fRootModuleHidden = TRUE;
    pRI->reg_fn.pfnNotify = MFcFindEvil_Notify;
    pRI->pfnPluginManager_Register(H, pRI);
}
--------------------------------------------------------------------------------
/vmm/modules/m_fc_handle.c:
--------------------------------------------------------------------------------
// m_fc_handle.c : handle forensic module.
//
// REQUIRE: FORENSIC SUB-SYSTEM INIT.
//
// NB! module generate forensic data only - no file system presence!
//
// (c) Ulf Frisk, 2022-2025
// Author: Ulf Frisk, pcileech@frizk.net
//

#include "modules.h"
#include "../vmmwin.h"

// CSV header row, written once at forensic init. The column order must match
// the FcFileAppend format string in MFcHandle_FcLogCSV.
static LPSTR MFCHANDLE_CSV_HANDLE = "PID,Handle,Object,Access,Type,Tag,HandleCount,Device,Description\n";

/*
 * Forensic init callback: emit the handles.csv header row.
 * -- H
 * -- ctxP
 * -- return = NULL (no per-module context is kept).
 */
PVOID MFcHandle_FcInitialize(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP)
{
    FcFileAppend(H, "handles.csv", MFCHANDLE_CSV_HANDLE);
    return NULL;
}

/*
 * CSV log callback: append one handles.csv row per handle of ctxP->pProcess.
 * Nothing is logged when ctxP->pProcess is NULL or the handle map cannot be
 * retrieved.
 * -- H
 * -- ctxP = ctxP->pProcess is the process whose handle table is logged.
 * -- hCSV = CSV escaping context, reset before each row.
 */
VOID MFcHandle_FcLogCSV(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _In_ VMMDLL_CSV_HANDLE hCSV)
{
    PVMM_PROCESS pProcess = ctxP->pProcess;
    PVMMOB_MAP_HANDLE pObHandleMap = NULL;
    PVMM_MAP_HANDLEENTRY pe;
    PVMMWIN_OBJECT_TYPE pOT;
    CHAR szType[32] = { 0 };
    CHAR szPoolTag[5] = { 0 };                  // 4 tag bytes + NUL (index 4 is never written)
    CHAR uszBufferDevName[MAX_PATH] = { 0 };
    DWORD i;
    if(pProcess && VmmMap_GetHandle(H, pProcess, &pObHandleMap, TRUE)) {
        for(i = 0; i < pObHandleMap->cMap; i++) {
            pe = pObHandleMap->pMap + i;
            // type&pool tag:
            // the raw 4-byte pool tag is copied as-is into szPoolTag.
            *(PDWORD)szPoolTag = pe->dwPoolTag;
            if((pOT = VmmWin_ObjectTypeGet(H, (BYTE)pe->iType))) {
                // known object type: use its name, truncated to 16 characters.
                snprintf(szType, _countof(szType), "%s", pOT->usz);
                szType[16] = 0;
            } else {
                // unknown object type: fall back to the raw pool tag as the type name.
                *(PDWORD)szType = pe->dwPoolTag;
                szType[4] = 0;
            }
            // device object name:
            // NOTE(review): dwoName looks like the offset of the description part
            // inside uszText, with bytes [1, dwoName) holding the device name - confirm.
            // strncpy_s does not truncate: on the Windows CRT a device name that
            // does not fit in MAX_PATH-1 characters leaves the buffer empty and
            // invokes the invalid-parameter handler.
            uszBufferDevName[0] = 0;
            if(pe->_InfoFile.dwoName) {
                strncpy_s(uszBufferDevName, sizeof(uszBufferDevName), pe->uszText + 1, pe->_InfoFile.dwoName - 1);
            }
            // csv file append:
            // strings from the image go through FcCsv_String for CSV escaping.
            FcCsv_Reset(hCSV);
            FcFileAppend(H, "handles.csv", "%i,0x%x,0x%llx,%x,%s,%s,0x%llx,%s,%s\n",
                pProcess->dwPID,
                pe->dwHandle,
                pe->vaObject,
                pe->dwGrantedAccess,
                FcCsv_String(hCSV, szType),
                FcCsv_String(hCSV, szPoolTag),
                pe->qwHandleCount,
                FcCsv_String(hCSV, uszBufferDevName),
                FcCsv_String(hCSV, pe->uszText + pe->_InfoFile.dwoName)
            );
        }
    }
    Ob_DECREF(pObHandleMap);
}

/*
 * Plugin registration: hidden root module at \forensic\hidden\handles with
 * forensic init and CSV log callbacks. Windows (32/64-bit) targets only.
 * -- H
 * -- pRI
 */
VOID M_FcHandle_Initialize(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI)
{
    if((pRI->magic != VMMDLL_PLUGIN_REGINFO_MAGIC) || (pRI->wVersion != VMMDLL_PLUGIN_REGINFO_VERSION)) { return; }
    if((pRI->tpSystem != VMMDLL_SYSTEM_WINDOWS_64) && (pRI->tpSystem != VMMDLL_SYSTEM_WINDOWS_32)) { return; }
    strcpy_s(pRI->reg_info.uszPathName, 128, "\\forensic\\hidden\\handles");   // module name
    pRI->reg_info.fRootModule = TRUE;                                           // module shows in root directory
    pRI->reg_info.fRootModuleHidden = TRUE;                                     // module hidden by default
    pRI->reg_fnfc.pfnInitialize = MFcHandle_FcInitialize;                       // Forensic initialize function supported
    pRI->reg_fnfc.pfnLogCSV = MFcHandle_FcLogCSV;                               // CSV log function supported
    pRI->pfnPluginManager_Register(H, pRI);
}
--------------------------------------------------------------------------------
/vmm/modules/m_fc_sys.c:
--------------------------------------------------------------------------------
// m_fc_sys.c : general system forensic module.
//
// REQUIRE: FORENSIC SUB-SYSTEM INIT.
//
// NB! module generate forensic data only - no file system presence!
//
// (c) Ulf Frisk, 2022-2025
// Author: Ulf Frisk, pcileech@frizk.net
//

#include "modules.h"

/*
 * Forensic init callback. The sys module keeps no per-module state, so no
 * context object is handed back to the plugin manager.
 * -- H
 * -- ctxP
 * -- return = always NULL.
 */
PVOID MFcSys_FcInitialize(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP)
{
    PVOID pvContext = NULL;
    return pvContext;
}

/*
 * CSV log callback: intentionally empty, this module emits no CSV rows.
 * -- H
 * -- ctxP
 * -- hCSV
 */
VOID MFcSys_FcLogCSV(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _In_ VMMDLL_CSV_HANDLE hCSV)
{
    // nothing to log.
}

/*
 * Plugin registration: hidden root module at \forensic\hidden\sys with
 * forensic init and CSV log callbacks. Windows (32/64-bit) targets only.
 * -- H
 * -- pRI
 */
VOID M_FcSys_Initialize(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI)
{
    BOOL fRegInfoOK = (pRI->magic == VMMDLL_PLUGIN_REGINFO_MAGIC) && (pRI->wVersion == VMMDLL_PLUGIN_REGINFO_VERSION);
    BOOL fWindows = (pRI->tpSystem == VMMDLL_SYSTEM_WINDOWS_64) || (pRI->tpSystem == VMMDLL_SYSTEM_WINDOWS_32);
    if(!fRegInfoOK || !fWindows) { return; }
    strcpy_s(pRI->reg_info.uszPathName, 128, "\\forensic\\hidden\\sys");       // module name
    pRI->reg_info.fRootModule = TRUE;                                           // module shows in root directory
    pRI->reg_info.fRootModuleHidden = TRUE;                                     // module hidden by default
    pRI->reg_fnfc.pfnInitialize = MFcSys_FcInitialize;                          // Forensic initialize function supported
    pRI->reg_fnfc.pfnLogCSV = MFcSys_FcLogCSV;                                  // CSV log function supported
    pRI->pfnPluginManager_Register(H, pRI);
}
--------------------------------------------------------------------------------
/vmm/modules/m_fc_timeline.c:
--------------------------------------------------------------------------------
// m_fc_timeline.c : implementation of timelining functionality.
//
// REQUIRE: FORENSIC SUB-SYSTEM INIT: TIMELINE
//
// (c) Ulf Frisk, 2020-2025
// Author: Ulf Frisk, pcileech@frizk.net
//

#include "modules.h"

/*
 * Read the text version of the timeline info files.
 * The entries covering [cbOffset, cbOffset+cb) are looked up by id, formatted
 * into a scratch buffer one fixed-format line each, and the requested window
 * is copied out of that buffer.
 * -- H
 * -- dwTimelineType = timeline id (FC_TIMELINE_INFO.dwId).
 * -- pb
 * -- cb
 * -- pcbRead
 * -- cbOffset = byte offset into the UTF-8 text file.
 * -- return
 */
NTSTATUS M_FcTimeline_ReadInfo(_In_ VMM_HANDLE H, _In_ DWORD dwTimelineType, _Out_ PBYTE pb, _In_ DWORD cb, _Out_ PDWORD pcbRead, _In_ QWORD cbOffset)
{
    NTSTATUS nt = VMMDLL_STATUS_FILE_INVALID;
    PFC_MAP_TIMELINEENTRY pe;
    PFCOB_MAP_TIMELINE pObMap = NULL;
    QWORD i, o, qwIdBase, qwIdTop, cId, cszuBuffer, cbOffsetBuffer;
    LPSTR szuBuffer = NULL;
    DWORD dwEntryType, dwEntryAction;
    CHAR szTime[24];
    // map the requested byte range onto a range of entry ids:
    if(!FcTimeline_GetIdFromPosition(H, dwTimelineType, FC_FORMAT_TYPE_UTF8, cbOffset, &qwIdBase)) { goto fail; }
    if(!FcTimeline_GetIdFromPosition(H, dwTimelineType, FC_FORMAT_TYPE_UTF8, cbOffset + cb, &qwIdTop)) { goto fail; }
    // entries needed to cover the window; +1 for the partial line at the start.
    cId = min(cb / FC_LINELENGTH_TIMELINE_UTF8, qwIdTop - qwIdBase) + 1;
    if(!FcTimelineMap_GetFromIdRange(H, dwTimelineType, qwIdBase, cId, &pObMap) || !pObMap->cMap) { goto fail; }
    // the first entry's text offset must lie at or before cbOffset and within 64KB of it:
    cbOffsetBuffer = pObMap->pMap[0].cuszOffset;
    if((cbOffsetBuffer > cbOffset) || (cbOffset - cbOffsetBuffer > 0x10000)) { goto fail; }
    // 16MB scratch buffer for the formatted lines.
    cszuBuffer = 0x01000000;
    if(!(szuBuffer = LocalAlloc(0, (SIZE_T)cszuBuffer))) { goto fail; }
    // stop with a 4KB tail to spare. snprintf returns the would-be length, so
    // o may exceed the cszuBuffer - 0x1000 limit by one line's length.
    // NOTE(review): if a single uszText could exceed ~4KB, o could end past
    // cszuBuffer and the copy below would read beyond the buffer - confirm the
    // upper bound on uszText length.
    for(i = 0, o = 0; (i < pObMap->cMap) && (o < cszuBuffer - 0x1000); i++) {
        pe = pObMap->pMap + i;
        Util_FileTime2String(pe->ft, szTime);
        // clamp type and action indices to the tables they index:
        dwEntryType = (pe->tp < H->fc->Timeline.cTp) ? pe->tp : 0;
        dwEntryAction = (pe->ac <= FC_TIMELINE_ACTION_MAX) ? pe->ac : FC_TIMELINE_ACTION_NONE;
        o += snprintf(
            szuBuffer + o,
            (SIZE_T)(cszuBuffer - o),
            "%s %-*s %-3s%10u%10u %16llx %s\n",
            szTime,
            6,
            H->fc->Timeline.pInfo[dwEntryType].szNameShort,
            FC_TIMELINE_ACTION_STR[dwEntryAction],
            pe->pid,
            pe->data32,
            pe->data64,
            pe->uszText
        );
    }
    // copy out the requested window; the offset is relative to the buffer start.
    nt = Util_VfsReadFile_FromPBYTE(szuBuffer, o, pb, cb, pcbRead, cbOffset - cbOffsetBuffer);
fail:
    LocalFree(szuBuffer);
    Ob_DECREF(pObMap);
    return nt;
}

/*
 * Read callback: resolve the requested file name (case-insensitive) to a
 * timeline type and delegate to M_FcTimeline_ReadInfo.
 * -- H
 * -- ctxP
 * -- pb
 * -- cb
 * -- pcbRead
 * -- cbOffset
 * -- return
 */
NTSTATUS M_FcTimeline_Read(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _Out_writes_to_(cb, *pcbRead) PBYTE pb, _In_ DWORD cb, _Out_ PDWORD pcbRead, _In_ QWORD cbOffset)
{
    DWORD i;
    PFC_TIMELINE_INFO pi;
    for(i = 0; i < H->fc->Timeline.cTp; i++) {
        pi = H->fc->Timeline.pInfo + i;
        if(!_stricmp(ctxP->uszPath, pi->uszNameFileTXT)) {
            return M_FcTimeline_ReadInfo(H, pi->dwId, pb, cb, pcbRead, cbOffset);
        }
    }
    return VMMDLL_STATUS_FILE_INVALID;
}

/*
 * List callback: one text file per timeline type that has a file name set;
 * sub-paths do not exist.
 * -- H
 * -- ctxP
 * -- pFileList
 * -- return
 */
BOOL M_FcTimeline_List(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _Inout_ PHANDLE pFileList)
{
    QWORD i;
    PFC_TIMELINE_INFO pi;
    if(ctxP->uszPath[0]) { return FALSE; }
    for(i = 0; i < H->fc->Timeline.cTp; i++) {
        pi = H->fc->Timeline.pInfo + i;
        if(pi->uszNameFileTXT[0]) {
            VMMDLL_VfsList_AddFile(pFileList, pi->uszNameFileTXT, pi->dwFileSizeUTF8, NULL);
        }
    }
    return TRUE;
}

/*
 * Notify callback: the module stays hidden until the forensic init completes.
 * -- H
 * -- ctxP
 * -- fEvent
 * -- pvEvent
 * -- cbEvent
 */
VOID M_FcTimeline_Notify(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _In_ DWORD fEvent, _In_opt_ PVOID pvEvent, _In_opt_ DWORD cbEvent)
{
    if(fEvent == VMMDLL_PLUGIN_NOTIFY_FORENSIC_INIT_COMPLETE) {
        PluginManager_SetVisibility(H, TRUE, "\\forensic\\timeline", TRUE);
    }
}

/*
 * Plugin registration: hidden root module at \forensic\timeline with list,
 * read and notify callbacks. Windows (32/64-bit) targets only.
 * -- H
 * -- pRI
 */
VOID M_FcTimeline_Initialize(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI)
{
    if((pRI->magic != VMMDLL_PLUGIN_REGINFO_MAGIC) || (pRI->wVersion !=
VMMDLL_PLUGIN_REGINFO_VERSION)) { return; }
    if((pRI->tpSystem != VMMDLL_SYSTEM_WINDOWS_64) && (pRI->tpSystem != VMMDLL_SYSTEM_WINDOWS_32)) { return; }
    strcpy_s(pRI->reg_info.uszPathName, 128, "\\forensic\\timeline");          // module name
    pRI->reg_info.fRootModule = TRUE;                                           // module shows in root directory
    pRI->reg_info.fRootModuleHidden = TRUE;                                     // module hidden by default
    pRI->reg_fn.pfnList = M_FcTimeline_List;                                    // List function supported
    pRI->reg_fn.pfnRead = M_FcTimeline_Read;                                    // Read function supported
    pRI->reg_fn.pfnNotify = M_FcTimeline_Notify;                                // Notify function supported
    pRI->pfnPluginManager_Register(H, pRI);
}
--------------------------------------------------------------------------------
/vmm/modules/m_proc_file_handles_vads.c:
--------------------------------------------------------------------------------
// m_proc_file_handles_vads.c : implementation of the 'files/handles/vads' built-in module.
//
// (c) Ulf Frisk, 2020-2025
// Author: Ulf Frisk, pcileech@frizk.net
//

#include "modules.h"
#include "../vmmwinobj.h"

/*
 * Shared read implementation for files/handles and files/vads. The file name
 * (ctx->uszPath) starts with the hex virtual address of the FILE_OBJECT; the
 * file contents are read from the image through that object.
 * -- H
 * -- ctx
 * -- pb
 * -- cb
 * -- pcbRead
 * -- cbOffset
 * -- fHandles = not used by the read path (handles and vads read identically).
 * -- return
 */
_Success_(return == 0)
NTSTATUS M_FileHandlesVads_Read(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctx, _Out_writes_to_(cb, *pcbRead) PBYTE pb, _In_ DWORD cb, _Out_ PDWORD pcbRead, _In_ QWORD cbOffset, _In_ BOOL fHandles)
{
    NTSTATUS nt = VMMDLL_STATUS_FILE_INVALID;
    QWORD vaFileObject = strtoull(ctx->uszPath, NULL, 16);
    POB_VMMWINOBJ_FILE pObFile = vaFileObject ? VmmWinObjFile_GetByVa(H, vaFileObject) : NULL;
    *pcbRead = 0;
    if(pObFile) {
        *pcbRead = VmmWinObjFile_Read(H, pObFile, cbOffset, pb, cb, 0, VMMWINOBJ_FILE_TP_DEFAULT);
        nt = *pcbRead ? VMM_STATUS_SUCCESS : VMM_STATUS_END_OF_FILE;
        Ob_DECREF(pObFile);
    }
    return nt;
}

/*
 * Read callback for files/handles.
 */
_Success_(return == 0)
NTSTATUS M_FileHandles_Read(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _Out_writes_to_(cb, *pcbRead) PBYTE pb, _In_ DWORD cb, _Out_ PDWORD pcbRead, _In_ QWORD cbOffset)
{
    return M_FileHandlesVads_Read(H, ctxP, pb, cb, pcbRead, cbOffset, TRUE);
}

/*
 * Read callback for files/vads.
 */
_Success_(return == 0)
NTSTATUS M_FileVads_Read(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _Out_writes_to_(cb, *pcbRead) PBYTE pb, _In_ DWORD cb, _Out_ PDWORD pcbRead, _In_ QWORD cbOffset)
{
    return M_FileHandlesVads_Read(H, ctxP, pb, cb, pcbRead, cbOffset, FALSE);
}

/*
 * Shared list implementation: one entry per file object reachable from the
 * process (via handles or via VADs), named "<va>-<name>" with the object's
 * size. Sub-paths do not exist. The map is drained with ObMap_Pop, which hands
 * out a reference per entry that is released here.
 * -- H
 * -- ctx
 * -- pFileList
 * -- fHandles = TRUE: handle-backed files, FALSE: VAD-backed files.
 * -- return
 */
BOOL M_FileHandlesVads_List(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctx, _Inout_ PHANDLE pFileList, _In_ BOOL fHandles)
{
    POB_MAP pmObFiles = NULL;
    POB_VMMWINOBJ_FILE pObFile;
    CHAR uszAddressPath[MAX_PATH];
    if(ctx->uszPath[0]) { return FALSE; }
    if(!VmmWinObjFile_GetByProcess(H, ctx->pProcess, &pmObFiles, fHandles)) { return TRUE; }
    for(pObFile = ObMap_Pop(pmObFiles); pObFile; pObFile = ObMap_Pop(pmObFiles)) {
        Util_PathPrependVA(uszAddressPath, pObFile->va, H->vmm.f32, pObFile->uszName);
        VMMDLL_VfsList_AddFile(pFileList, uszAddressPath, pObFile->cb, NULL);
        Ob_DECREF(pObFile);
    }
    Ob_DECREF_NULL(&pmObFiles);
    return TRUE;
}

/*
 * List callback for files/handles.
 */
BOOL M_FileHandles_List(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _Inout_ PHANDLE pFileList)
{
    return M_FileHandlesVads_List(H, ctxP, pFileList, TRUE);
}

/*
 * List callback for files/vads.
 */
BOOL M_FileVads_List(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _Inout_ PHANDLE pFileList)
{
    return M_FileHandlesVads_List(H, ctxP, pFileList, FALSE);
}

/*
 * Plugin registration: two per-process modules, \files\handles and
 * \files\vads. Windows (32/64-bit) targets only.
 * -- H
 * -- pRI
 */
VOID M_ProcFileHandlesVads_Initialize(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI)
{
    if((pRI->magic != VMMDLL_PLUGIN_REGINFO_MAGIC) || (pRI->wVersion != VMMDLL_PLUGIN_REGINFO_VERSION)) { return; }
    if(!((pRI->tpSystem == VMMDLL_SYSTEM_WINDOWS_64) ||
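(pRI->tpSystem == VMMDLL_SYSTEM_WINDOWS_32))) { return; }
    // file handles
    strcpy_s(pRI->reg_info.uszPathName, 128, "\\files\\handles");              // module name
    pRI->reg_info.fRootModule = FALSE;                                          // module shows in root directory
    pRI->reg_info.fProcessModule = TRUE;                                        // module shows in process directory
    pRI->reg_fn.pfnList = M_FileHandles_List;                                   // List function supported
    pRI->reg_fn.pfnRead = M_FileHandles_Read;                                   // Read function supported
    pRI->pfnPluginManager_Register(H, pRI);
    // file vads
    strcpy_s(pRI->reg_info.uszPathName, 128, "\\files\\vads");                 // module name
    pRI->reg_info.fRootModule = FALSE;                                          // module shows in root directory
    pRI->reg_info.fProcessModule = TRUE;                                        // module shows in process directory
    pRI->reg_fn.pfnList = M_FileVads_List;                                      // List function supported
    pRI->reg_fn.pfnRead = M_FileVads_Read;                                      // Read function supported
    pRI->pfnPluginManager_Register(H, pRI);
}
--------------------------------------------------------------------------------
/vmm/modules/m_sys_user.c:
--------------------------------------------------------------------------------
// m_sys_user.c : implementation related to the sys/users built-in module.
//
// The '/sys/users' module is responsible for displaying the users of the system.
//
// (c) Ulf Frisk, 2022-2025
// Author: Ulf Frisk, pcileech@frizk.net
//

#include "modules.h"

#define MSYSUSER_LINELENGTH 120ULL                  // fixed width of one users.txt line
#define MSYSUSER_LINEHEADER " # Username SID"

/*
 * Fixed-line callback: format one user map entry as a users.txt line.
 * -- H
 * -- ctx = unused.
 * -- cbLineLength = line width (MSYSUSER_LINELENGTH).
 * -- ie = entry index, printed as a 4-digit hex number.
 * -- pe = user entry; a missing SID is printed as "***".
 * -- usz = output line buffer of cbLineLength + 1 bytes.
 */
VOID MSysUser_ReadLineCB(_In_ VMM_HANDLE H, _Inout_opt_ PVOID ctx, _In_ DWORD cbLineLength, _In_ DWORD ie, _In_ PVMM_MAP_USERENTRY pe, _Out_writes_(cbLineLength + 1) LPSTR usz)
{
    Util_usnprintf_ln(usz, cbLineLength,
        "%04x %-32s %s",
        ie,
        pe->uszText,
        pe->szSID ? pe->szSID : "***"
    );
}

/*
 * Read callback: users.txt is rendered from the user map as fixed-width lines.
 * Any other file name is invalid.
 * -- H
 * -- ctxP
 * -- pb
 * -- cb
 * -- pcbRead
 * -- cbOffset
 * -- return
 */
NTSTATUS MSysUser_Read(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _Out_writes_to_(cb, *pcbRead) PBYTE pb, _In_ DWORD cb, _Out_ PDWORD pcbRead, _In_ QWORD cbOffset)
{
    NTSTATUS nt = VMMDLL_STATUS_FILE_INVALID;
    PVMMOB_MAP_USER pObUserMap = NULL;
    if(CharUtil_StrEquals(ctxP->uszPath, "users.txt", TRUE)) {
        if(VmmMap_GetUser(H, &pObUserMap)) {
            nt = Util_VfsLineFixed_Read(
                H, (UTIL_VFSLINEFIXED_PFN_CB)MSysUser_ReadLineCB, NULL, MSYSUSER_LINELENGTH, MSYSUSER_LINEHEADER,
                pObUserMap->pMap, pObUserMap->cMap, sizeof(VMM_MAP_USERENTRY),
                pb, cb, pcbRead, cbOffset
            );
            Ob_DECREF(pObUserMap);
        }
    }
    return nt;
}

/*
 * List callback: the module root holds users.txt only; sub-paths do not exist.
 * The file size is the fixed line width times the line count (header included).
 * -- H
 * -- ctxP
 * -- pFileList
 * -- return
 */
BOOL MSysUser_List(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _Inout_ PHANDLE pFileList)
{
    PVMMOB_MAP_USER pObUserMap = NULL;
    // reject sub-paths, consistent with the other single-file list callbacks
    // (previously users.txt was listed under any sub-path of the module).
    if(ctxP->uszPath[0]) { return FALSE; }
    if(VmmMap_GetUser(H, &pObUserMap)) {
        VMMDLL_VfsList_AddFile(pFileList, "users.txt", UTIL_VFSLINEFIXED_LINECOUNT(H, pObUserMap->cMap) * MSYSUSER_LINELENGTH, NULL);
    }
    Ob_DECREF(pObUserMap);
    return TRUE;
}

/*
 * Plugin registration: root module at \sys\users with list and read callbacks.
 * Windows (32/64-bit) targets only.
 * -- H
 * -- pRI
 */
VOID M_SysUser_Initialize(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI)
{
    if((pRI->magic != VMMDLL_PLUGIN_REGINFO_MAGIC) || (pRI->wVersion != VMMDLL_PLUGIN_REGINFO_VERSION)) { return; }
    if((pRI->tpSystem != VMMDLL_SYSTEM_WINDOWS_64) && (pRI->tpSystem != VMMDLL_SYSTEM_WINDOWS_32)) { return; }
    strcpy_s(pRI->reg_info.uszPathName, 128, "\\sys\\users");                  // module name
    pRI->reg_info.fRootModule = TRUE;                                           // module shows in root directory
    pRI->reg_fn.pfnList = MSysUser_List;                                        // List function supported
    pRI->reg_fn.pfnRead = MSysUser_Read;                                        // Read function supported
    pRI->pfnPluginManager_Register(H, pRI);
}
--------------------------------------------------------------------------------
/vmm/modules/modules.h:
--------------------------------------------------------------------------------
// modules.h : common includes used by modules.
//
// (c) Ulf Frisk, 2023-2025
// Author: Ulf Frisk, pcileech@frizk.net
//
#ifndef __MODULES_H__
#define __MODULES_H__

#include "../vmmdll.h"
#include "../vmm.h"

#include "../fc.h"
#include "../charutil.h"
#include "../pdb.h"
#include "../pe.h"
#include "../pluginmanager.h"
#include "../statistics.h"
#include "../util.h"
#include "../vmmlog.h"
#include "../vmmwin.h"
#include "../vmmwindef.h"



// EVIL TYPES: (max length = 15 chars):
// Finding categories passed to FcEvilAdd, listed in descending Severity.
// 'static const' in a header: every including translation unit gets its own
// copy; compare by .Name rather than by address.
static const VMMEVIL_TYPE EVIL_TIME_CHANGE  = { .Name = "TIME_CHANGE",  .Severity = 0x10000 };
static const VMMEVIL_TYPE EVIL_AV_DETECT    = { .Name = "AV_DETECT",    .Severity = 0xf000 };
static const VMMEVIL_TYPE EVIL_PE_INJECT    = { .Name = "PE_INJECT",    .Severity = 0xe000 };
static const VMMEVIL_TYPE EVIL_UM_APC       = { .Name = "UM_APC",       .Severity = 0xd800 };
static const VMMEVIL_TYPE EVIL_PROC_NOLINK  = { .Name = "PROC_NOLINK",  .Severity = 0xd000 };
static const VMMEVIL_TYPE EVIL_PROC_PARENT  = { .Name = "PROC_PARENT",  .Severity = 0xc000 };
static const VMMEVIL_TYPE EVIL_PROC_BAD_DTB = { .Name = "PROC_BAD_DTB", .Severity = 0xb000 };
static const VMMEVIL_TYPE EVIL_PROC_USER    = { .Name = "PROC_USER",    .Severity = 0xa000 };
static const VMMEVIL_TYPE EVIL_PROC_BASEADDR= { .Name = "PROC_BASEADDR",.Severity = 0x9C00 };
static const VMMEVIL_TYPE EVIL_PE_HDR_SPOOF = { .Name = "PE_HDR_SPOOF", .Severity = 0x9800 };
static const VMMEVIL_TYPE EVIL_HIGH_ENTROPY = { .Name = "HIGH_ENTROPY", .Severity = 0x9400 };
static const VMMEVIL_TYPE EVIL_PEB_MASQ     = { .Name = "PEB_MASQ",     .Severity = 0x9000 };
static const VMMEVIL_TYPE EVIL_DRIVER_PATH  = { .Name = "DRIVER_PATH",  .Severity = 0x8000 };
static const VMMEVIL_TYPE EVIL_PROC_DEBUG   = { .Name = "PROC_DEBUG",   .Severity = 0x7800 };
static const VMMEVIL_TYPE EVIL_THREAD       = { .Name = "THREAD",       .Severity = 0x7400 };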
| static const VMMEVIL_TYPE EVIL_PEB_BAD_LDR = { .Name = "PEB_BAD_LDR", .Severity = 0x7000 }; 42 | static const VMMEVIL_TYPE EVIL_PE_NOLINK = { .Name = "PE_NOLINK", .Severity = 0x6000 }; 43 | static const VMMEVIL_TYPE EVIL_PE_PATCHED = { .Name = "PE_PATCHED", .Severity = 0x5000 }; 44 | static const VMMEVIL_TYPE EVIL_PRIVATE_RWX = { .Name = "PRIVATE_RWX", .Severity = 0x4000 }; 45 | static const VMMEVIL_TYPE EVIL_NOIMAGE_RWX = { .Name = "NOIMAGE_RWX", .Severity = 0x3000 }; 46 | static const VMMEVIL_TYPE EVIL_PRIVATE_RX = { .Name = "PRIVATE_RX", .Severity = 0x2000 }; 47 | static const VMMEVIL_TYPE EVIL_NOIMAGE_RX = { .Name = "NOIMAGE_RX", .Severity = 0x1000 }; 48 | 49 | #endif /* __MODULES_H__ */ 50 | -------------------------------------------------------------------------------- /vmm/ob/ob_container.c: -------------------------------------------------------------------------------- 1 | // ob_container.c : implementation of object manager container functionality. 2 | // 3 | // A container provides atomic access to a single Ob object. This is useful 4 | // if a Ob object is to frequently be replaced by a new object in an atomic 5 | // way. An example of this is the process list object containing the process 6 | // information. The container holds a reference count to the object that is 7 | // contained. The object container itself is an object manager object and 8 | // must be DECREF'ed when required. 9 | // 10 | // (c) Ulf Frisk, 2018-2025 11 | // Author: Ulf Frisk, pcileech@frizk.net 12 | // 13 | #include "ob.h" 14 | 15 | #define OB_CONTAINER_IS_VALID(p) (p && (p->ObHdr._magic2 == OB_HEADER_MAGIC) && (p->ObHdr._magic1 == OB_HEADER_MAGIC) && (p->ObHdr._tag == OB_TAG_CORE_CONTAINER)) 16 | 17 | /* 18 | * Object Container object manager cleanup function to be called when reference 19 | * count reaches zero. 
 * -- pObContainer = the container whose enclosed object is released.
 */
VOID ObContainer_ObCloseCallback(_In_ POB_CONTAINER pObContainer)
{
    // Runs when the container's own reference count has reached zero; the
    // single job here is to drop the reference the container held on its
    // enclosed object. No lock is taken, which relies on the refcount-zero
    // precondition stated above.
    if(!OB_CONTAINER_IS_VALID(pObContainer)) { return; }
    Ob_DECREF(pObContainer->pOb);
}

/*
 * Create a new, empty object container. The container gives atomic access to
 * the object it encloses from multiple threads. The container is itself an
 * object manager object and the caller must DECREF it when done.
 * CALLER DECREF: return
 * -- return = the new container, or NULL on allocation failure.
 */
POB_CONTAINER ObContainer_New()
{
    POB_CONTAINER pObContainer;
    // LMEM_ZEROINIT: pOb starts out NULL, so ObContainer_Exists() is FALSE and
    // the close callback's DECREF of pOb is a no-op until something is set.
    pObContainer = Ob_Alloc(OB_TAG_CORE_CONTAINER, LMEM_ZEROINIT, sizeof(OB_CONTAINER), (OB_CLEANUP_CB)ObContainer_ObCloseCallback, NULL);
    return pObContainer;
}

/*
 * Fetch the object currently enclosed by pObContainer, taking a reference on it.
 * CALLER DECREF: return
 * -- pObContainer
 * -- return = the enclosed object (INCREF'ed), or NULL if the container is
 *             invalid or empty.
 */
PVOID ObContainer_GetOb(_In_ POB_CONTAINER pObContainer)
{
    POB pObResult = NULL;
    if(OB_CONTAINER_IS_VALID(pObContainer)) {
        // Shared lock: many readers may take references concurrently; the
        // exclusive lock in ObContainer_SetOb() keeps the pointer from being
        // swapped between the load and the INCREF.
        AcquireSRWLockShared(&pObContainer->LockSRW);
        pObResult = Ob_INCREF(pObContainer->pOb);
        ReleaseSRWLockShared(&pObContainer->LockSRW);
    }
    return pObResult;
}

/*
 * Replace the enclosed object with pOb (which may be NULL to empty the
 * container). The previously enclosed object, if any, is DECREF'ed.
 * -- pObContainer
 * -- pOb = new object to enclose; the container takes its own reference.
 */
VOID ObContainer_SetOb(_In_ POB_CONTAINER pObContainer, _In_opt_ PVOID pOb)
{
    POB pObPrevious;
    if(!OB_CONTAINER_IS_VALID(pObContainer)) { return; }
    AcquireSRWLockExclusive(&pObContainer->LockSRW);
    // Take the new reference and swap the pointer under the exclusive lock...
    pObPrevious = pObContainer->pOb;
    pObContainer->pOb = Ob_INCREF(pOb);
    ReleaseSRWLockExclusive(&pObContainer->LockSRW);
    // ...but release the old object only after the lock is gone, presumably so
    // that a potentially expensive cleanup callback never runs under the lock.
    Ob_DECREF(pObPrevious);
}

/*
 * Check if the object container is valid and contains an object.
 * -- pObContainer = may be NULL (treated as "does not exist").
 * -- return = TRUE only if pObContainer is a valid container whose pOb is non-NULL.
 */
BOOL ObContainer_Exists(_In_opt_ POB_CONTAINER pObContainer)
{
    // Lock-free peek at pOb. A concurrent ObContainer_SetOb() may change the
    // pointer right after this returns, so callers still need to NULL-check
    // the result of ObContainer_GetOb().
    if(!OB_CONTAINER_IS_VALID(pObContainer)) { return FALSE; }
    return pObContainer->pOb ? TRUE : FALSE;
}
--------------------------------------------------------------------------------
/vmm/ob/ob_tag.h:
--------------------------------------------------------------------------------
// ob_tag.h : definitions of object tags.
//
// (c) Ulf Frisk, 2021-2025
// Author: Ulf Frisk, pcileech@frizk.net
//
#ifndef __OB_TAG_H__
#define __OB_TAG_H__

#include "ob.h"

// Tags are four-character multi-character constants ('Ffil', 'Mpte', ...).
// The numeric value of such a constant is implementation-defined in C, so the
// tags are only meaningful for in-process equality comparison (for example the
// ObHdr._tag check in OB_CONTAINER_IS_VALID), not as a stable on-disk or
// cross-build value.
#define OB_TAG_CTX_MMISCINFO 'CMI '
#define OB_TAG_FC_FILE 'Ffil'
#define OB_TAG_FC_SCANVIRTMEM_CTX 'FvmC'
#define OB_TAG_FC_SCANVIRTMEM_ENTRY 'FvmE'
#define OB_TAG_FC_SCANOBJECT_ENTRY 'FobE'
#define OB_TAG_INFODB_CTX 'IDBC'
#define OB_TAG_INFODB_YARA_RULES 'IDBY'
#define OB_TAG_MAP_PTE 'Mpte'
#define OB_TAG_MAP_VAD 'Mvad'
#define OB_TAG_MAP_VADEX 'Mvae'
#define OB_TAG_MAP_MODULE 'Mmod'
#define OB_TAG_MAP_UNLOADEDMODULE 'Mumd'
#define OB_TAG_MAP_EAT 'Meat'
#define OB_TAG_MAP_IAT 'Miat'
#define OB_TAG_MAP_POOL 'Mpol'
#define OB_TAG_MAP_THREAD 'Mthr'
#define OB_TAG_MAP_HANDLE 'Mhnd'
#define OB_TAG_MAP_HEAP 'Mhp_'
#define OB_TAG_MAP_HEAPALLOC 'MhpA'
#define OB_TAG_MAP_OBJECT 'Mobj'
#define OB_TAG_MAP_KDEVICE 'Mdev'
#define OB_TAG_MAP_KDRIVER 'Mdrv'
#define OB_TAG_MAP_PREFETCH 'Mprf'
#define OB_TAG_MAP_PHYSMEM 'Mmem'
#define OB_TAG_MAP_USER 'Musr'
#define OB_TAG_MAP_SERVICE 'Msvc'
#define OB_TAG_MAP_NET 'Mnet'
#define OB_TAG_MAP_NETDNS 'Mdns'
#define OB_TAG_MAP_PFN 'Mpfn'
#define OB_TAG_MAP_EVIL 'Mevl'
#define OB_TAG_MAP_TASK 'Mtsk'
#define OB_TAG_MAP_VM 'Mvm_'
#define OB_TAG_MAP_WEB 'Mweb'
#define OB_TAG_MOD_CERTIFICATES 'mCer'
#define OB_TAG_MOD_FCNTFS_CTX 'mFnt'
#define OB_TAG_MOD_FCTIMELINE 'mFtl'
#define OB_TAG_MOD_MINIDUMP_CTX 'mMDx'
#define OB_TAG_MOD_SEARCH_CTX 'mSHx'
#define OB_TAG_OBJ_CTX 'Octx'
#define OB_TAG_OBJ_CONTROL_AREA 'Oca_'
#define OB_TAG_OBJ_ERROR 'Oerr'
#define OB_TAG_OBJ_FILE 'Ofil'
#define OB_TAG_OBJ_DISPLAY 'Odis'
#define OB_TAG_OBJ_SHARED_CACHE_MAP 'Oscc'
#define OB_TAG_PDB_CTX 'PdbC'
#define OB_TAG_PDB_ENTRY 'PdbE'
#define OB_TAG_PDB_KERNEL_CONTEXT 'PdbK'
#define OB_TAG_PDB_PARSE_CONTEXT 'PdbS'
#define OB_TAG_PFN_CONTEXT 'PfnC'
#define OB_TAG_PFN_PROC_TABLE 'PfnT'
#define OB_TAG_REG_HIVE 'Rhve'
#define OB_TAG_REG_KEY 'Rkey'
#define OB_TAG_REG_KEYVALUE 'Rval'
#define OB_TAG_THREAD_CALLSTACK 'ThCS'
#define OB_TAG_VAD_MEM 'MmSt'
#define OB_TAG_WORK_PER_PROCESS 'WrkP'
#define OB_TAG_WORK_WORKUNIT 'WrkU'
#define OB_TAG_VM_CONTEXT 'VmC_'
#define OB_TAG_VM_CONTEXT_TRANSLATE 'VmCt'
#define OB_TAG_VM_GLOBAL 'VmG_'
#define OB_TAG_VMM_SCATTER 'Scat'
#define OB_TAG_VMM_TOKEN 'Tok_'
#define OB_TAG_VMM_PROCESS 'Ps__'
#define OB_TAG_VMM_PROCESS_CLONE 'PsC_'
#define OB_TAG_VMM_PROCESS_PERSISTENT 'PsSt'
#define OB_TAG_VMM_PROCESSTABLE 'PsTb'
#define OB_TAG_VMM_VIRT2PHYS 'PsVP'
// NOTE(review): the macro below is spelled OB_TAB_ rather than OB_TAG_ like
// every other tag in this file. It is kept verbatim because renaming a macro
// changes the interface for whatever already references it.
#define OB_TAB_VMMDLL_EXTERNALMEM 'EXTM'
#define OB_TAG_VMMVFS_DUMPCONTEXT 'CDmp'
#define OB_TAG_YARA_CONTEXT 'YrCX'
#define OB_TAG_YARA_PARSEHANDLE 'YrPH'

#endif /* __OB_TAG_H__ */
--------------------------------------------------------------------------------
/vmm/oscompatibility.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/vmm/oscompatibility.c
--------------------------------------------------------------------------------
/vmm/resource.h:
--------------------------------------------------------------------------------
//{{NO_DEPENDENCIES}}
// Microsoft
Visual C++ generated include file.
// Used by vmm.rc

// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 101
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1001
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
--------------------------------------------------------------------------------
/vmm/sysquery.h:
--------------------------------------------------------------------------------
// sysquery.h : definitions of various system queries that may be performed.
//
// (c) Ulf Frisk, 2019-2025
// Author: Ulf Frisk, pcileech@frizk.net
//
#ifndef __SYSQUERY_H__
#define __SYSQUERY_H__
#include "vmm.h"

/*
 * Retrieve the current system time as FILETIME.
 * -- H
 * -- return = the time as a FILETIME-valued QWORD, or 0 on failure (see _Success_).
 */
_Success_(return != 0)
QWORD SysQuery_TimeCurrent(_In_ VMM_HANDLE H);

/*
 * Query the system for current time zone and its bias in minutes against UCT.
 * NB! individual sessions connected remotely may have other time zones.
 * -- H
 * -- uszTimeZone = full name text representation - ex: 'Eastern Standard Time'.
 *                  Optional; when supplied the buffer must hold 32 bytes
 *                  (see _Out_writes_opt_(32)).
 * -- piActiveBias = bias against UCT in minutes - ex: (CET=UCT+1=-60).
 * -- return
 */
_Success_(return)
BOOL SysQuery_TimeZone(_In_ VMM_HANDLE H, _Out_writes_opt_(32) LPSTR uszTimeZone, _Out_opt_ int *piActiveBias);

/*
 * Query the time zone information into a formatted string.
 * -- H
 * -- uszTimeZone = formatted string representation - ex: 'Eastern Standard Time [UTC-5]'.
 *                  The buffer must hold 49 bytes (see _Out_writes_(49)).
 * -- fLine = if TRUE, the string will be formatted as a single line.
 */
VOID SysQuery_TimeZoneEx(_In_ VMM_HANDLE H, _Out_writes_(49) LPSTR uszTimeZone, _In_ BOOL fLine);

/*
 * Query the computer name.
 * -- H
 * -- uszComputerName = buffer to receive the computer name.
 * -- cbuComputerName = size of the buffer (see _Out_writes_(cbuComputerName)).
 * -- return
 */
_Success_(return)
BOOL SysQuery_ComputerName(_In_ VMM_HANDLE H, _Out_writes_(cbuComputerName) LPSTR uszComputerName, _In_ DWORD cbuComputerName);

/*
 * Retrieve an exported function address similar to kernel32!GetProcAddress().
 * NOTE(review): since the lookup takes a pProcess it presumably resolves the
 * export from that process' memory image rather than from the analysis host,
 * so a tampered image yields a tampered answer - confirm in sysquery.c.
 * -- H
 * -- pProcess
 * -- uszModuleName
 * -- szFunctionName
 * -- return = the address, or 0 on failure (see _Success_).
 */
_Success_(return)
QWORD SysQuery_GetProcAddress(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pProcess, _In_ LPCSTR uszModuleName, _In_ LPCSTR szFunctionName);

#endif /* __SYSQUERY_H__ */
--------------------------------------------------------------------------------
/vmm/version.h:
--------------------------------------------------------------------------------
#define STRINGIZE2(s) #s
#define STRINGIZE(s) STRINGIZE2(s)

#define VERSION_MAJOR 5
#define VERSION_MINOR 16
#define VERSION_REVISION 7
#define VERSION_BUILD 221

#define VER_FILE_DESCRIPTION_STR "MemProcFS : Core"
#define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD
#define VER_FILE_VERSION_STR STRINGIZE(VERSION_MAJOR) \
"." STRINGIZE(VERSION_MINOR) \
"." STRINGIZE(VERSION_REVISION) \
"."
STRINGIZE(VERSION_BUILD) \ 15 | 16 | #define VER_COMPANY_NAME_STR "" 17 | #define VER_PRODUCTNAME_STR "vmm" 18 | #define VER_PRODUCT_VERSION VER_FILE_VERSION 19 | #define VER_PRODUCT_VERSION_STR VER_FILE_VERSION_STR 20 | #define VER_ORIGINAL_FILENAME_STR VER_PRODUCTNAME_STR ".dll" 21 | #define VER_INTERNAL_NAME_STR VER_ORIGINAL_FILENAME_STR 22 | #define VER_COPYRIGHT_STR "Copyright (c) Ulf Frisk 2018-2025" 23 | -------------------------------------------------------------------------------- /vmm/vmm.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/vmm/vmm.rc -------------------------------------------------------------------------------- /vmm/vmm.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | WindowsLocalDebugger 5 | 6 | 7 | WindowsLocalDebugger 8 | 9 | 10 | WindowsLocalDebugger 11 | 12 | 13 | WindowsLocalDebugger 14 | 15 | 16 | WindowsLocalDebugger 17 | 18 | 19 | WindowsLocalDebugger 20 | 21 | -------------------------------------------------------------------------------- /vmm/vmmdll.def: -------------------------------------------------------------------------------- 1 | LIBRARY VMM 2 | EXPORTS 3 | VMMDLL_Initialize 4 | VMMDLL_InitializeEx 5 | VMMDLL_Close 6 | VMMDLL_CloseAll 7 | VMMDLL_MemSize 8 | VMMDLL_MemFree 9 | 10 | VMMDLL_InitializePlugins 11 | 12 | VMMDLL_ConfigGet 13 | VMMDLL_ConfigSet 14 | 15 | VMMDLL_VfsListU 16 | VMMDLL_VfsListW 17 | VMMDLL_VfsListBlobU 18 | VMMDLL_VfsList_AddFile 19 | VMMDLL_VfsList_AddFileW 20 | VMMDLL_VfsList_AddDirectory 21 | VMMDLL_VfsList_AddDirectoryW 22 | VMMDLL_VfsReadU 23 | VMMDLL_VfsReadW 24 | VMMDLL_VfsWriteU 25 | VMMDLL_VfsWriteW 26 | 27 | VMMDLL_UtilVfsReadFile_FromPBYTE 28 | VMMDLL_UtilVfsReadFile_FromQWORD 29 | VMMDLL_UtilVfsReadFile_FromDWORD 30 | VMMDLL_UtilVfsReadFile_FromBOOL 31 | VMMDLL_UtilVfsWriteFile_BOOL 32 | 
VMMDLL_UtilVfsWriteFile_DWORD 33 | 34 | VMMDLL_MemCallback 35 | VMMDLL_MemPrefetchPages 36 | VMMDLL_MemRead 37 | VMMDLL_MemReadEx 38 | VMMDLL_MemReadPage 39 | VMMDLL_MemReadScatter 40 | VMMDLL_MemSearch 41 | VMMDLL_MemVirt2Phys 42 | VMMDLL_MemWrite 43 | VMMDLL_MemWriteScatter 44 | 45 | VMMDLL_Scatter_Initialize 46 | VMMDLL_Scatter_Prepare 47 | VMMDLL_Scatter_PrepareEx 48 | VMMDLL_Scatter_PrepareWrite 49 | VMMDLL_Scatter_PrepareWriteEx 50 | VMMDLL_Scatter_Execute 51 | VMMDLL_Scatter_ExecuteRead 52 | VMMDLL_Scatter_Read 53 | VMMDLL_Scatter_Clear 54 | VMMDLL_Scatter_CloseHandle 55 | 56 | VMMDLL_PidList 57 | VMMDLL_PidGetFromName 58 | 59 | VMMDLL_Map_GetNetU 60 | VMMDLL_Map_GetNetW 61 | VMMDLL_Map_GetPfn 62 | VMMDLL_Map_GetPfnEx 63 | VMMDLL_Map_GetPool 64 | VMMDLL_Map_GetKObjectU 65 | VMMDLL_Map_GetKObjectW 66 | VMMDLL_Map_GetKDriverU 67 | VMMDLL_Map_GetKDriverW 68 | VMMDLL_Map_GetKDeviceU 69 | VMMDLL_Map_GetKDeviceW 70 | VMMDLL_Map_GetPhysMem 71 | VMMDLL_Map_GetUsersU 72 | VMMDLL_Map_GetUsersW 73 | VMMDLL_Map_GetVMU 74 | VMMDLL_Map_GetVMW 75 | VMMDLL_Map_GetServicesU 76 | VMMDLL_Map_GetServicesW 77 | VMMDLL_Map_GetPteU 78 | VMMDLL_Map_GetPteW 79 | VMMDLL_Map_GetVadU 80 | VMMDLL_Map_GetVadW 81 | VMMDLL_Map_GetVadEx 82 | VMMDLL_Map_GetModuleU 83 | VMMDLL_Map_GetModuleW 84 | VMMDLL_Map_GetModuleFromNameU 85 | VMMDLL_Map_GetModuleFromNameW 86 | VMMDLL_Map_GetUnloadedModuleU 87 | VMMDLL_Map_GetUnloadedModuleW 88 | VMMDLL_Map_GetEATU 89 | VMMDLL_Map_GetEATW 90 | VMMDLL_Map_GetIATU 91 | VMMDLL_Map_GetIATW 92 | VMMDLL_Map_GetHeap 93 | VMMDLL_Map_GetHeapAlloc 94 | VMMDLL_Map_GetThread 95 | VMMDLL_Map_GetThread_CallstackU 96 | VMMDLL_Map_GetThread_CallstackW 97 | VMMDLL_Map_GetHandleU 98 | VMMDLL_Map_GetHandleW 99 | VMMDLL_ProcessGetInformation 100 | VMMDLL_ProcessGetInformationAll 101 | VMMDLL_ProcessGetInformationString 102 | 103 | VMMDLL_ProcessGetDirectoriesU 104 | VMMDLL_ProcessGetDirectoriesW 105 | VMMDLL_ProcessGetSectionsU 106 | VMMDLL_ProcessGetSectionsW 107 | 
VMMDLL_ProcessGetProcAddressU 108 | VMMDLL_ProcessGetProcAddressW 109 | VMMDLL_ProcessGetModuleBaseU 110 | VMMDLL_ProcessGetModuleBaseW 111 | VMMDLL_WinGetThunkInfoIATU 112 | VMMDLL_WinGetThunkInfoIATW 113 | 114 | VMMDLL_WinReg_HiveList 115 | VMMDLL_WinReg_HiveReadEx 116 | VMMDLL_WinReg_HiveWrite 117 | VMMDLL_WinReg_EnumKeyExU 118 | VMMDLL_WinReg_EnumKeyExW 119 | VMMDLL_WinReg_EnumValueU 120 | VMMDLL_WinReg_EnumValueW 121 | VMMDLL_WinReg_QueryValueExU 122 | VMMDLL_WinReg_QueryValueExW 123 | 124 | VMMDLL_VmGetVmmHandle 125 | VMMDLL_VmMemTranslateGPA 126 | VMMDLL_VmMemRead 127 | VMMDLL_VmMemReadScatter 128 | VMMDLL_VmMemWrite 129 | VMMDLL_VmMemWriteScatter 130 | VMMDLL_VmScatterInitialize 131 | 132 | VMMDLL_PdbLoad 133 | VMMDLL_PdbSymbolName 134 | VMMDLL_PdbSymbolAddress 135 | VMMDLL_PdbTypeSize 136 | VMMDLL_PdbTypeChildOffset 137 | 138 | VMMDLL_ForensicFileAppend 139 | VMMDLL_LicensedTo 140 | VMMDLL_UtilFillHexAscii 141 | VMMDLL_YaraSearch 142 | 143 | VMMDLL_Log 144 | VMMDLL_LogEx 145 | VMMDLL_LogCallback 146 | -------------------------------------------------------------------------------- /vmm/vmmdll_core.h: -------------------------------------------------------------------------------- 1 | // vmmdll_core.h : definitions of core library functionality which mainly 2 | // consists of library initialization and cleanup/close functionality. 3 | // 4 | // (c) Ulf Frisk, 2022-2025 5 | // Author: Ulf Frisk, pcileech@frizk.net 6 | // 7 | #ifndef __VMMDLL_CORE_H__ 8 | #define __VMMDLL_CORE_H__ 9 | #include "vmm.h" 10 | 11 | /* 12 | * Query the size of memory allocated by the VMMDLL. 13 | * -- pvMem 14 | * -- return = number of bytes required to hold memory allocation. 15 | */ 16 | _Success_(return != 0) 17 | SIZE_T VmmDllCore_MemSizeExternal(_In_ PVOID pvMem); 18 | 19 | /* 20 | * Free memory allocated by the VMMDLL. 
 * -- pvMem = memory previously returned by VmmDllCore_MemAllocExternal*; NULL is accepted (see _Frees_ptr_opt_).
 */
VOID VmmDllCore_MemFreeExternal(_Frees_ptr_opt_ PVOID pvMem);

/*
 * Allocate "external" memory to be free'd only by VMMDLL_MemFree // VmmDllCore_MemFreeExternal.
 * CALLER VMMDLL_MemFree(return)
 * -- H
 * -- tag = tag identifying the type of object.
 * -- cb = total size to allocate (not guaranteed to be zero-filled).
 * -- cbHdr = size of header (guaranteed to be zero-filled).
 * -- return = the allocation, or NULL on failure (see _Success_).
 */
_Success_(return != NULL)
PVOID VmmDllCore_MemAllocExternal(_In_opt_ VMM_HANDLE H, _In_ DWORD tag, _In_ SIZE_T cb, _In_ SIZE_T cbHdr);

/*
 * Copy internal memory to freshly allocated "external" memory to be free'd only
 * by VMMDLL_MemFree // VmmDllCore_MemFreeExternal.
 * CALLER VMMDLL_MemFree(return)
 * -- H
 * -- tag = tag identifying the type of object.
 * -- pb = source memory to copy (cb bytes readable, see _In_reads_bytes_(cb)).
 * -- cb = size of memory to allocate and copy.
 * -- return = the allocation, or NULL on failure (see _Success_).
 */
_Success_(return != NULL)
PVOID VmmDllCore_MemAllocExternalAndCopy(_In_opt_ VMM_HANDLE H, _In_ DWORD tag, _In_reads_bytes_(cb) PBYTE pb, _In_ SIZE_T cb);



/*
 * Verify that the supplied handle is valid and also check it out.
 * This must be called by each external access which requires a VMM_HANDLE.
 * Each successful VmmDllCore_HandleReserveExternal() call must be matched by
 * a matched call to VmmDllCore_HandleReturnExternal() after completion.
 * NOTE(review): H is _In_opt_ and originates outside the library, so this
 * function is the validation boundary for caller-supplied handle values - an
 * exported entry point that skips it would be operating on an unverified
 * pointer. A reserve that is never returned presumably keeps the handle
 * checked out and would interfere with VmmDllCore_Close() - confirm.
 * -- H
 * -- return = TRUE if the handle was valid and is now reserved.
 */
_Success_(return)
BOOL VmmDllCore_HandleReserveExternal(_In_opt_ VMM_HANDLE H);

/*
 * Return a handle successfully reserved with a previous call to the function:
 * VmmDllCore_HandleReserveExternal()
 * -- H
 */
VOID VmmDllCore_HandleReturnExternal(_In_opt_ VMM_HANDLE H);

/*
 * Duplicate a VMM_HANDLE (increase its handle count).
 * NB! this does not "reserve" the handle itself!.
73 | * -- H 74 | * -- return = duplicated handle (with increased dwHandleCount). 75 | */ 76 | _Success_(return != NULL) 77 | VMM_HANDLE VmmDllCore_HandleDuplicate(_In_ VMM_HANDLE H); 78 | 79 | 80 | 81 | /* 82 | * Initialize MemProcFS from user parameters. Upon success a VMM_HANDLE is returned. 83 | * -- argc 84 | * -- argv 85 | * -- ppLcErrorInfo 86 | * -- return 87 | */ 88 | _Success_(return != NULL) 89 | VMM_HANDLE VmmDllCore_Initialize(_In_ DWORD argc, _In_ LPCSTR argv[], _Out_opt_ PPLC_CONFIG_ERRORINFO ppLcErrorInfo); 90 | 91 | /* 92 | * Close all VMM_HANDLE and clean up everything! No VMM_HANDLE will be valid 93 | * after this function has been called. 94 | */ 95 | VOID VmmDllCore_CloseAll(); 96 | 97 | /* 98 | * Close a VMM_HANDLE and clean up everything! The VMM_HANDLE will not be valid 99 | * after this function has been called. 100 | * -- H 101 | */ 102 | VOID VmmDllCore_Close(_In_opt_ _Post_ptr_invalid_ VMM_HANDLE H); 103 | 104 | #endif /* __VMMDLL_CORE_H__ */ 105 | -------------------------------------------------------------------------------- /vmm/vmmdll_remote.h: -------------------------------------------------------------------------------- 1 | // vmmdll_remote.h : definitions of remote library functionality: 2 | // proxying calls to a remote VMMDLL instance hosted by a LeechAgent. 3 | // 4 | // (c) Ulf Frisk, 2023-2025 5 | // Author: Ulf Frisk, pcileech@frizk.net 6 | // 7 | #ifndef __VMMDLL_REMOTE_H__ 8 | #define __VMMDLL_REMOTE_H__ 9 | #include "vmm.h" 10 | 11 | /* 12 | * Initialize a remote MemProcFS from user parameters. Upon success a VMM_HANDLE is returned. 13 | * -- argc 14 | * -- argv 15 | * -- ppLcErrorInfo 16 | * -- return 17 | */ 18 | _Success_(return != NULL) 19 | VMM_HANDLE VmmDllRemote_Initialize(_In_ DWORD argc, _In_ LPCSTR argv[], _Out_opt_ PPLC_CONFIG_ERRORINFO ppLcErrorInfo); 20 | 21 | /* 22 | * Close all remote VMM_HANDLE and clean up everything! 23 | * No remote VMM_HANDLE will be valid after this function has been called. 
24 | */ 25 | VOID VmmDllRemote_CloseAll(); 26 | 27 | /* 28 | * Close a remote VMM_HANDLE and clean up everything! 29 | * The remote VMM_HANDLE will not be valid after this function has been called. 30 | * -- H 31 | */ 32 | VOID VmmDllRemote_Close(_In_opt_ _Post_ptr_invalid_ VMM_HANDLE H); 33 | 34 | /* 35 | * Remote VMMDLL_ConfigGet(). 36 | */ 37 | _Success_(return) 38 | BOOL VmmDllRemote_ConfigGet(_In_ VMM_HANDLE H, _In_ ULONG64 fOption, _Out_ PULONG64 pqwValue); 39 | 40 | /* 41 | * Remote VMMDLL_ConfigSet(). 42 | */ 43 | _Success_(return) 44 | BOOL VmmDllRemote_ConfigSet(_In_ VMM_HANDLE H, _In_ ULONG64 fOption, _In_ ULONG64 qwValue); 45 | 46 | /* 47 | * Remote VMMDLL_VfsListU(). 48 | */ 49 | _Success_(return) 50 | BOOL VmmDllRemote_VfsListU(_In_ VMM_HANDLE H, _In_ LPCSTR uszPath, _Inout_ PVMMDLL_VFS_FILELIST2 pFileList); 51 | 52 | /* 53 | * Remote VMMDLL_VfsReadU(). 54 | */ 55 | NTSTATUS VmmDllRemote_VfsReadU(_In_ VMM_HANDLE H, _In_ LPCSTR uszFileName, _Out_writes_to_(cb, *pcbRead) PBYTE pb, _In_ DWORD cb, _Out_ PDWORD pcbRead, _In_ ULONG64 cbOffset); 56 | 57 | /* 58 | * Remote VMMDLL_VfsWriteU(). 59 | */ 60 | NTSTATUS VmmDllRemote_VfsWriteU(_In_ VMM_HANDLE H, _In_ LPCSTR uszFileName, _In_reads_(cb) PBYTE pb, _In_ DWORD cb, _Out_ PDWORD pcbWrite, _In_ ULONG64 cbOffset); 61 | 62 | #endif /* __VMMDLL_REMOTE_H__ */ 63 | -------------------------------------------------------------------------------- /vmm/vmmex.h: -------------------------------------------------------------------------------- 1 | // vmmex.h : MemProcFS extended functionality - full & light profiles. 2 | // 3 | // (c) Ulf Frisk, 2025 4 | // Author: Ulf Frisk, pcileech@frizk.net 5 | // 6 | #ifdef VMM_PROFILE_FULL 7 | #include "ex/vmmex.h" 8 | #else /* VMM_PROFILE_FULL */ 9 | 10 | #ifndef __VMMEX_LIGHT_H__ 11 | #define __VMMEX_LIGHT_H__ 12 | 13 | #include "vmm.h" 14 | 15 | /* 16 | * Perform additional verification of the config after the initial argument parsing. 
17 | * -- H 18 | * -- return 19 | */ 20 | BOOL VmmEx_InitializeVerifyConfig(_In_ VMM_HANDLE H); 21 | 22 | /* 23 | * Print the copyright splash information at start-up. 24 | * -- H 25 | */ 26 | VOID VmmEx_InitializePrintSplashCopyright(_In_ VMM_HANDLE H); 27 | 28 | /* 29 | * Return the licensed-to string. 30 | * Caller LocalFree: return 31 | * -- return = the licensed-to string as a utf-8 string or NULL on error (no license). 32 | */ 33 | _Success_(return != NULL) 34 | LPSTR VmmEx_License_LicensedTo(); 35 | 36 | /* 37 | * Tries to locate the Directory Table Base by scanning a user-defined range. 38 | * -- H 39 | * -- return 40 | */ 41 | _Success_(return) 42 | BOOL VmmEx_DTB_FindValidate_UserDTBRange(_In_ VMM_HANDLE H); 43 | 44 | /* 45 | * Global variable 'g_pfnModulesExAllInternal' used by the plugin manager to load 46 | * 'extended' plugins. In the light implementation this only contains the single 47 | * placeholder module. 48 | */ 49 | extern VOID(*g_pfnModulesExAllInternal[1])(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_REGINFO pRegInfo); 50 | 51 | /* 52 | * License information. 53 | */ 54 | extern LPCSTR g_VmmEx_szLICENSE; 55 | extern DWORD g_VmmEx_cbLICENSE; 56 | 57 | #endif /* __VMMEX_LIGHT_H__ */ 58 | 59 | #endif /* VMM_PROFILE_FULL */ 60 | -------------------------------------------------------------------------------- /vmm/vmmheap.h: -------------------------------------------------------------------------------- 1 | // vmmheap.h : declarations of functionality related to user-mode process heaps. 2 | // 3 | // (c) Ulf Frisk, 2022-2025 4 | // Author: Ulf Frisk, pcileech@frizk.net 5 | // 6 | 7 | #ifndef __VMMHEAP_H__ 8 | #define __VMMHEAP_H__ 9 | #include "vmm.h" 10 | 11 | /* 12 | * Initialize the heap map containing information about the process heaps in the 13 | * specific process. This is performed by a PEB walk/scan of in-process memory 14 | * structures. This may be unreliable if a process is obfuscated or tampered. 
 * -- H
 * -- pProcess
 * -- return
 */
BOOL VmmHeap_Initialize(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pProcess);

/*
 * Refresh any cached heap allocation maps.
 * -- H
 */
VOID VmmHeapAlloc_Refresh(_In_ VMM_HANDLE H);

/*
 * Retrieve the heap allocation map for the specific heap.
 * The map is cached up until a total process refresh is made (medium refresh).
 * CALLER DECREF: return
 * -- H
 * -- pProcess
 * -- vaHeap = va of heap or heap id.
 * -- return
 */
PVMMOB_MAP_HEAPALLOC VmmHeapAlloc_Initialize(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pProcess, _In_opt_ QWORD vaHeap);

#endif /* __VMMHEAP_H__ */
--------------------------------------------------------------------------------
/vmm/vmmnet.h:
--------------------------------------------------------------------------------
// vmmnet.h : declarations of functionality related to the Windows networking.
//
// (c) Ulf Frisk, 2019-2025
// Author: Ulf Frisk, pcileech@frizk.net
//

#ifndef __VMMNET_H__
#define __VMMNET_H__
#include "vmm.h"

/*
 * Create a network connection map and assign to the global context upon success.
 * CALLER DECREF: return
 * -- H
 * -- return
 */
PVMMOB_MAP_NET VmmNet_Initialize(_In_ VMM_HANDLE H);

/*
 * Refresh the network connection map.
 * -- H
 */
VOID VmmNet_Refresh(_In_ VMM_HANDLE H);

/*
 * Close the networking functionality.
 * NB! Close() should only be called on vmm exit. To clear internal state please
 * use function: VmmNet_Refresh().
 * -- H
 */
VOID VmmNet_Close(_In_ VMM_HANDLE H);

#endif /* __VMMNET_H__ */
--------------------------------------------------------------------------------
/vmm/vmmproc.h:
--------------------------------------------------------------------------------
// vmmproc.h : definitions related to operating system and process parsing of virtual memory
//
// (c) Ulf Frisk, 2018-2025
// Author: Ulf Frisk, pcileech@frizk.net
//
#ifndef __VMMPROC_H__
#define __VMMPROC_H__
#include "vmm.h"

/*
 * Refresh functions refresh aspects of MemProcFS at different intervals.
 * Frequency from frequent to less frequent is as:
 * 1. VmmProcRefresh_MEM() = refresh memory cache (except page tables).
 * 2. VmmProcRefresh_TLB() = refresh page table cache.
 * 3. VmmProcRefresh_Fast() = fast refresh incl. partial process refresh.
 * 4. VmmProcRefresh_Medium() = medium refresh incl. full process refresh.
 * 5. VmmProcRefresh_Slow() = slow refresh.
 * A slower, more comprehensive refresh layer does not imply that the faster
 * refresh layers below it are run automatically - the caller has to refresh
 * them too.
 * -- H
 * -- return = TRUE on success (see _Success_).
 */
_Success_(return) BOOL VmmProcRefresh_MEM(_In_ VMM_HANDLE H);
_Success_(return) BOOL VmmProcRefresh_TLB(_In_ VMM_HANDLE H);
_Success_(return) BOOL VmmProcRefresh_Fast(_In_ VMM_HANDLE H);
_Success_(return) BOOL VmmProcRefresh_Medium(_In_ VMM_HANDLE H);
_Success_(return) BOOL VmmProcRefresh_Slow(_In_ VMM_HANDLE H);

/*
 * Tries to automatically identify the operating system given by the supplied
 * memory device (fpga hardware or file). If an operating system is successfully
 * identified a VMM_CONTEXT will be created and stored within the PCILEECH_CONTEXT.
 * NOTE(review): the function takes a VMM_HANDLE H, so 'PCILEECH_CONTEXT' above
 * may be a leftover from an earlier design - confirm where the context lives.
 * If the VMM fails to identify an operating system FALSE is returned.
32 | * -- H 33 | * -- return 34 | */ 35 | BOOL VmmProcInitialize(_In_ VMM_HANDLE H); 36 | 37 | #endif /* __VMMPROC_H__ */ 38 | -------------------------------------------------------------------------------- /vmm/vmmuserconfig.h: -------------------------------------------------------------------------------- 1 | // vmmuserconfig.h : get/set options in a persistent user configuration. 2 | // 3 | // The user configuration is stored depending on operating system as follows: 4 | // - Windows: HKCU\Software\UlfFrisk\MemProcFS 5 | // - Linux: ~/.memprocfs 6 | // 7 | // (c) Ulf Frisk, 2023-2025 8 | // Author: Ulf Frisk, pcileech@frizk.net 9 | // 10 | #ifndef __VMMUSERCONFIG_H__ 11 | #define __VMMUSERCONFIG_H__ 12 | 13 | #include "oscompatibility.h" 14 | 15 | /* 16 | * Delete a key from the user configuration. 17 | */ 18 | VOID VmmUserConfig_Delete(_In_ LPCSTR szKey); 19 | 20 | /* 21 | * Retrieve a string value from the user configuration. 22 | * -- szKey 23 | * -- cbValue 24 | * -- szValue 25 | * -- return 26 | */ 27 | _Success_(return) 28 | BOOL VmmUserConfig_GetString(_In_ LPCSTR szKey, _In_ DWORD cbValue, _Out_writes_opt_(cbValue) LPSTR szValue); 29 | 30 | /* 31 | * Set a string value in the user configuration. 32 | * -- szKey 33 | * -- szValue 34 | * -- return 35 | */ 36 | _Success_(return) 37 | BOOL VmmUserConfig_SetString(_In_ LPCSTR szKey, _In_ LPCSTR szValue); 38 | 39 | /* 40 | * Check if a key exists in the user configuration. 41 | * -- szKey 42 | * -- return 43 | */ 44 | BOOL VmmUserConfig_Exists(_In_ LPCSTR szKey); 45 | 46 | /* 47 | * Retrieve a number value from the user configuration. 48 | * -- szKey 49 | * -- pdwValue 50 | * -- return 51 | */ 52 | _Success_(return) 53 | BOOL VmmUserConfig_GetNumber(_In_ LPCSTR szKey, _Out_opt_ PDWORD pdwValue); 54 | 55 | /* 56 | * Set a number value in the user configuration. 
 * -- szKey
 * -- dwValue
 * -- return
 */
_Success_(return)
BOOL VmmUserConfig_SetNumber(_In_ LPCSTR szKey, _In_ DWORD dwValue);

#endif /* __VMMUSERCONFIG_H__ */
--------------------------------------------------------------------------------
/vmm/vmmvm.h:
--------------------------------------------------------------------------------
// vmmvm.h : definitions related to virtual machine parsing functionality.
//
// (c) Ulf Frisk, 2022-2025
// Author: Ulf Frisk, pcileech@frizk.net
//
#ifndef __VMMVM_H__
#define __VMMVM_H__
#include "vmm.h"

/*
 * Translate a virtual machine (VM) guest physical address (GPA) to:
 * (1) Physical Address (PA) _OR_ (2) Virtual Address (VA) in 'vmmem' process.
 * -- H
 * -- HVM
 * -- qwGPA = guest physical address to translate.
 * -- pPA = translated physical address (if exists).
 * -- pVA = translated virtual address inside 'vmmem' process (if exists).
 * -- return = success/fail.
 */
_Success_(return)
BOOL VmmVm_TranslateGPA(_In_ VMM_HANDLE H, _In_ VMMVM_HANDLE HVM, _In_ ULONG64 qwGPA, _Out_opt_ PULONG64 pPA, _Out_opt_ PULONG64 pVA);

/*
 * Read guest physical address (GPA) memory.
 * -- H
 * -- HVM
 * -- qwA = guest physical address to read from.
 * -- pb = buffer receiving the data; must hold cb bytes (see _Out_writes_(cb)).
 * -- cb
 * -- pcbReadOpt
 */
VOID VmmVm_Read(_In_ VMM_HANDLE H, _In_ VMMVM_HANDLE HVM, _In_ QWORD qwA, _Out_writes_(cb) PBYTE pb, _In_ DWORD cb, _Out_opt_ PDWORD pcbReadOpt);

/*
 * Write guest physical address (GPA) memory.
 * -- H
 * -- HVM
 * -- qwA = guest physical address to write to.
 * -- pb = source buffer of cb bytes.
 *         NOTE(review): annotated plain _In_ here, unlike the _In_reads_/_Out_writes_
 *         used elsewhere in this listing; _In_reads_(cb) would let SAL check the length.
 * -- cb
 * -- pcbWrite
 */
VOID VmmVm_Write(_In_ VMM_HANDLE H, _In_ VMMVM_HANDLE HVM, _In_ QWORD qwA, _In_ PBYTE pb, _In_ DWORD cb, _Out_opt_ PDWORD pcbWrite);

/*
 * Scatter read guest physical address (GPA) memory. Non contiguous 4096-byte pages.
45 | * -- H 46 | * -- HVM 47 | * -- ppMEMsGPA 48 | * -- cpMEMsGPA 49 | */ 50 | VOID VmmVm_ReadScatterGPA(_In_ VMM_HANDLE H, _In_ VMMVM_HANDLE HVM, _Inout_ PPMEM_SCATTER ppMEMsGPA, _In_ DWORD cpMEMsGPA); 51 | 52 | /* 53 | * Scatter write guest physical address (GPA) memory. Non contiguous 4096-byte pages. 54 | * -- H 55 | * -- HVM 56 | * -- ppMEMsGPA 57 | * -- cpMEMsGPA 58 | */ 59 | VOID VmmVm_WriteScatterGPA(_In_ VMM_HANDLE H, _In_ VMMVM_HANDLE HVM, _Inout_ PPMEM_SCATTER ppMEMsGPA, _In_ DWORD cpMEMsGPA); 60 | 61 | /* 62 | * Retrieve the VMM_HANDLE handle for a VMMVM_HANDLE. 63 | * Also increase the VMM_HANDLE refcount. 64 | * This is not allowed on physical memory only VMs. 65 | * NB! The returned VMM_HANDLE is not "reserved". 66 | * NB! The returned VMM_HANDLE must be closed by VMMDLL_Close(). 67 | * -- H 68 | * -- HVM 69 | * -- return 70 | */ 71 | _Success_(return != NULL) 72 | VMM_HANDLE VmmVm_RetrieveNewVmmHandle(_In_ VMM_HANDLE H, _In_ VMMVM_HANDLE HVM); 73 | 74 | /* 75 | * Cleanup the VM sub-system. This should ideally be done on Vmm Close(). 76 | * -- H 77 | */ 78 | VOID VmmVm_Close(_In_ VMM_HANDLE H); 79 | 80 | /* 81 | * Refresh the VM sub-system. 82 | * VM refresh should be called after pool map refresh. 83 | * -- H 84 | */ 85 | VOID VmmVm_Refresh(_In_ VMM_HANDLE H); 86 | 87 | /* 88 | * Create a VM map and assign it to the global context upon success. 89 | * CALLER DECREF: return 90 | * -- H 91 | * -- return 92 | */ 93 | PVMMOB_MAP_VM VmmVm_Initialize(_In_ VMM_HANDLE H); 94 | 95 | #endif /* __VMMVM_H__ */ 96 | -------------------------------------------------------------------------------- /vmm/vmmwininit.h: -------------------------------------------------------------------------------- 1 | // vmmwininit.h : declarations of detection mechanisms for Windows operating 2 | // systems. Contains functions for detecting DTB and Memory Model 3 | // as well as the Windows kernel base and core functionality. 
4 | // 5 | // (c) Ulf Frisk, 2018-2025 6 | // Author: Ulf Frisk, pcileech@frizk.net 7 | // 8 | 9 | #ifndef __VMMWININIT_H__ 10 | #define __VMMWININIT_H__ 11 | #include "vmm.h" 12 | 13 | /* 14 | * Try to initialize not yet initialized values in the optional windows kernel 15 | * context H->vmm.kernel.opt 16 | * This function should be run once the system is fully up and running. 17 | * This is a best-effort function, uninitialized values will remain zero. 18 | * -- H 19 | */ 20 | VOID VmmWinInit_TryInitializeKernelOptionalValues(_In_ VMM_HANDLE H); 21 | 22 | /* 23 | * Try to initialize the VMM from scratch with new WINDOWS support. 24 | * -- H 25 | * -- paDTB 26 | * -- return 27 | */ 28 | _Success_(return) 29 | BOOL VmmWinInit_TryInitialize(_In_ VMM_HANDLE H, _In_opt_ QWORD paDTB); 30 | 31 | #endif /* __VMMWININIT_H__ */ 32 | -------------------------------------------------------------------------------- /vmm/vmmwinpool.h: -------------------------------------------------------------------------------- 1 | // vmmwinpool.h : declarations of functionality related to kernel pools. 2 | // 3 | // (c) Ulf Frisk, 2021-2025 4 | // Author: Ulf Frisk, pcileech@frizk.net 5 | // 6 | 7 | #ifndef __VMMWINPOOL_H__ 8 | #define __VMMWINPOOL_H__ 9 | #include "vmm.h" 10 | 11 | /* 12 | * Refresh the Pool sub-system. 13 | * -- H 14 | */ 15 | VOID VmmWinPool_Refresh(_In_ VMM_HANDLE H); 16 | 17 | /* 18 | * Create a pool map and assign to the global vmm context upon success. 19 | * CALLER DECREF: return 20 | * -- H 21 | * -- fAll = TRUE: retrieve all pools; FALSE: retrieve big page pool only. 22 | * -- return 23 | */ 24 | PVMMOB_MAP_POOL VmmWinPool_Initialize(_In_ VMM_HANDLE H, _In_ BOOL fAll); 25 | 26 | #endif /* __VMMWINPOOL_H__ */ 27 | -------------------------------------------------------------------------------- /vmm/vmmwinsvc.h: -------------------------------------------------------------------------------- 1 | // vmmwinsvc.h : definitions related to Windows service manager (SCM). 
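//
// (c) Ulf Frisk, 2020-2025
// Author: Ulf Frisk, pcileech@frizk.net
//
#ifndef __VMMWINSVC_H__
#define __VMMWINSVC_H__
#include "vmm.h"

/*
* Create a service map and assign to the global context upon success.
* CALLER DECREF: return
* -- H
* -- return
*/
PVMMOB_MAP_SERVICE VmmWinSvc_Initialize(_In_ VMM_HANDLE H);

/*
* Refresh the service map.
* -- H
*/
VOID VmmWinSvc_Refresh(_In_ VMM_HANDLE H);

#endif /* __VMMWINSVC_H__ */
-------------------------------------------------------------------------------- /vmm/vmmwinthread.h: --------------------------------------------------------------------------------
// vmmwinthread.h : definitions related to windows threading.
//
// (c) Ulf Frisk, 2024-2025
// Author: Ulf Frisk, pcileech@frizk.net
//
#ifndef __VMMWINTHREAD_H__
#define __VMMWINTHREAD_H__
#include "vmm.h"

/*
* Initialize the thread map for a specific process.
* NB! The threading sub-system is dependent on pdb symbols and may take a small
* amount of time before it's available after system startup.
* -- H
* -- pProcess
* -- return
*/
_Success_(return)
BOOL VmmWinThread_Initialize(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pProcess);



//-----------------------------------------------------------------------------
// CallStack unwinding features for threads in memory dumps
//
// Contributed under BSD 0-Clause License (0BSD)
// Author: MattCore71
//-----------------------------------------------------------------------------

/*
* Refresh the callstack cache.
* -- H
*/
VOID VmmWinThreadCs_Refresh(_In_ VMM_HANDLE H);

/*
* Retrieve the callstack for the specified thread.
* Callstack parsing is only supported for x64 user-mode threads.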
39 | * Callstack parsing is best-effort and is very resource intensive since it may 40 | * download large amounts of PDB symbol data from the Microsoft symbol server. 41 | * Use with caution! 42 | * CALLER DECREF: *ppObCS 43 | * -- H 44 | * -- pProcess 45 | * -- pThread 46 | * -- flags = VMM_FLAG_NOCACHE (do not use cache) 47 | * -- ppObCS 48 | * -- return 49 | */ 50 | _Success_(return) 51 | BOOL VmmWinThreadCs_GetCallstack(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pProcess, _In_ PVMM_MAP_THREADENTRY pThread, _In_ DWORD flags, _Out_ PVMMOB_MAP_THREADCALLSTACK *ppObCS); 52 | 53 | #endif /* __VMMWINTHREAD_H__ */ 54 | -------------------------------------------------------------------------------- /vmm/vmmwork.h: -------------------------------------------------------------------------------- 1 | // vmmwork.h : declarations of the internal MemprocFS 'work' threading solution. 2 | // 3 | // (c) Ulf Frisk, 2022-2025 4 | // Author: Ulf Frisk, pcileech@frizk.net 5 | // 6 | 7 | #ifndef __VMMWORK_H__ 8 | #define __VMMWORK_H__ 9 | #include "vmm.h" 10 | 11 | /* 12 | * Initialize the VmmWork sub-system. This should only be done at handle init. 13 | * -- H 14 | * -- return 15 | */ 16 | _Success_(return) 17 | BOOL VmmWork_Initialize(_In_ VMM_HANDLE H); 18 | 19 | /* 20 | * Interrupt the VmmWork sub-system (exit threads prematurely). This is 21 | * usually done early in the cleanup process before VmmWork_Close() is called. 22 | * -- H 23 | */ 24 | VOID VmmWork_Interrupt(_In_ VMM_HANDLE H); 25 | 26 | /* 27 | * Close the VmmWork sub-system. Wait until all worker threads have exited. 28 | * -- H 29 | */ 30 | VOID VmmWork_Close(_In_ VMM_HANDLE H); 31 | 32 | #endif /* __VMMWORK_H__ */ 33 | -------------------------------------------------------------------------------- /vmm_example/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # NOTE! 
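PACKAGE DEPENDENCY ON LeechCore:
# The build script requires leechcore.so built from the leechcore project
# which is found at https://github.com/ufrisk/LeechCore to build. This
# file is assumed to exist in either of the directories:
# . (current), ../files, ../../LeechCore*/files
#
CC=gcc
CFLAGS=-I. -I../includes -D LINUX -L. -l:leechcore.so -l:vmm.so -pthread
#CFLAGS += -g -O0
LDFLAGS=-Wl,-rpath,'$$ORIGIN' -ldl
DEPS =
OBJ = vmmdll_example.o

%.o: %.c $(DEPS)
	$(CC) -c -o $@ $< $(CFLAGS)

# The shared-library copies are best-effort ('|| true', not '|true' which merely
# pipes cp's stdout); a genuinely missing vmm.so/leechcore.so is then reported
# by the link step below.
vmm_example: $(OBJ)
	cp ../files/leechcore.so . || cp ../../LeechCore*/files/leechcore.so . || true
	cp ../files/vmm.so . || true
	$(CC) -o $@ $^ $(CFLAGS) $(LDFLAGS)
	mv vmm_example ../files/
	rm -f *.o || true
	rm -f */*.o || true
	rm -f *.so || true
	true

clean:
	rm -f *.o || true
	rm -f *.so || true
	rm -f vmm_example || true
-------------------------------------------------------------------------------- /vmm_example/Makefile.macos: --------------------------------------------------------------------------------
#
# NOTE! PACKAGE DEPENDENCY ON LeechCore:
# The build script requires leechcore.so built from the leechcore project
# which is found at https://github.com/ufrisk/LeechCore to build. This
# file is assumed to exist in either of the directories:
# . (current), ../files, ../../LeechCore*/files
#
CC=clang
CFLAGS += -I. -I../includes -D MACOS -pthread
#CFLAGS += -g -O0
CFLAGS += -fPIC -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O1
LDFLAGS += -ldl -L. ./leechcore.dylib ./vmm.dylib
LDFLAGS += -Wl,-rpath,@loader_path
DEPS =
OBJ = vmmdll_example.o

%.o: %.c $(DEPS)
	$(CC) -c -o $@ $< $(CFLAGS)

# Same best-effort copy semantics as the Linux Makefile ('|| true', not '|true').
vmm_example: $(OBJ)
	cp ../files/leechcore.dylib . || cp ../../LeechCore*/files/leechcore.dylib . || true
	cp ../files/vmm.dylib . || true
	$(CC) -o $@ $^ $(CFLAGS) $(LDFLAGS)
	mv vmm_example ../files/
	rm -f *.o || true
	rm -f */*.o || true
	rm -f *.dylib || true
	true

clean:
	rm -f *.o || true
	rm -f *.dylib || true
	rm -f vmm_example || true
-------------------------------------------------------------------------------- /vmm_example/vmm_example.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {ea5de79f-3ba1-4511-acb3-bb763ac1b937} 18 | 19 | 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files\includes 28 | 29 | 30 | Header Files\includes 31 | 32 | 33 | 34 | 35 | Resource Files 36 | 37 | 38 | Resource Files 39 | 40 | 41 | -------------------------------------------------------------------------------- /vmm_example/vmm_example.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | WindowsLocalDebugger 5 | 6 | 7 | WindowsLocalDebugger 8 | 9 | 10 | WindowsLocalDebugger 11 | 12 | 13 | WindowsLocalDebugger 14 | 15 | 16 | WindowsLocalDebugger 17 | 18 | 19 | WindowsLocalDebugger 20 | 21 | -------------------------------------------------------------------------------- /vmmjava/leechcore/ILeechCoreBarCallback.java: -------------------------------------------------------------------------------- 1 | package leechcore; 2 | 3 | import leechcore.entry.LeechCoreBarRequest; 4 | 5 | /** 6 | * LeechCore PCIe BAR Callback Interface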
7 | * Check out the example code to get started! https://github.com/ufrisk/LeechCore/
8 | * @see https://github.com/ufrisk/LeechCore 9 | * @author Ulf Frisk - pcileech@frizk.net 10 | */ 11 | public interface ILeechCoreBarCallback 12 | { 13 | /** 14 | * Callback function will be called when a PCIe BAR request arrives at the FPGA. 15 | * If it's a read then it should be replied to by calling req.readReply(); 16 | * @param req 17 | */ 18 | public void LeechCoreBarCallback(LeechCoreBarRequest req); 19 | } 20 | -------------------------------------------------------------------------------- /vmmjava/leechcore/ILeechCoreBarContext.java: -------------------------------------------------------------------------------- 1 | package leechcore; 2 | 3 | /** 4 | * LeechCore PCIe BAR Context Interface
5 | * The BAR callback is disabled when this interface is closed / cleaned up. 6 | * Check out the example code to get started! https://github.com/ufrisk/LeechCore/
7 | * @see https://github.com/ufrisk/LeechCore 8 | * @author Ulf Frisk - pcileech@frizk.net 9 | */ 10 | public interface ILeechCoreBarContext 11 | { 12 | /** 13 | * Close/Inactivate the BAR callback. 14 | */ 15 | public void close(); 16 | } 17 | -------------------------------------------------------------------------------- /vmmjava/leechcore/ILeechCoreBarReply.java: -------------------------------------------------------------------------------- 1 | package leechcore; 2 | 3 | /** 4 | * LeechCore PCIe BAR Read Reply Interface
5 | * Check out the example code to get started! https://github.com/ufrisk/LeechCore/
6 | * @see https://github.com/ufrisk/LeechCore 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public interface ILeechCoreBarReply 10 | { 11 | /** 12 | * Send a read reply back to the system. 13 | * Only use this to reply to PCIe BAR read requests. Not write requests! 14 | * @param data = data matching req.cbData in length. null == failed request / unsupported request (UR) reply. 15 | */ 16 | public void reply(byte[] data); 17 | } 18 | -------------------------------------------------------------------------------- /vmmjava/leechcore/ILeechCoreTlpCallback.java: -------------------------------------------------------------------------------- 1 | package leechcore; 2 | 3 | /** 4 | * LeechCore PCIe TLP Callback Interface
5 | * Check out the example code to get started! https://github.com/ufrisk/LeechCore/
6 | * @see https://github.com/ufrisk/LeechCore 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public interface ILeechCoreTlpCallback 10 | { 11 | /** 12 | * LeechCore TLP callback function. This function will be called when a 13 | * PCIe TLP arrives. Optionally write back a response TLP via LeechCore. 14 | * @param lc 15 | * @param tlpData 16 | * @param tlpInfo 17 | */ 18 | void LeechCoreTlpCallback(ILeechCore lc, byte[] tlpData, String tlpInfo); 19 | } 20 | -------------------------------------------------------------------------------- /vmmjava/leechcore/ILeechCoreTlpContext.java: -------------------------------------------------------------------------------- 1 | package leechcore; 2 | 3 | /** 4 | * LeechCore PCIe TLP Context Interface
5 | * The TLP callback is disabled when this interface is closed / cleaned up. 6 | * Check out the example code to get started! https://github.com/ufrisk/LeechCore/
7 | * @see https://github.com/ufrisk/LeechCore 8 | * @author Ulf Frisk - pcileech@frizk.net 9 | */ 10 | public interface ILeechCoreTlpContext 11 | { 12 | /** 13 | * Close/Inactivate the TLP callback. 14 | */ 15 | public void close(); 16 | } 17 | -------------------------------------------------------------------------------- /vmmjava/leechcore/LeechCoreException.java: -------------------------------------------------------------------------------- 1 | package leechcore; 2 | 3 | /** 4 | * Runtime Exception used to indicate exceptions from the underlying native API. 5 | * @see https://github.com/ufrisk/MemProcFS 6 | * @author Ulf Frisk - pcileech@frizk.net 7 | */ 8 | public class LeechCoreException extends RuntimeException 9 | { 10 | 11 | private static final long serialVersionUID = 3361783299857781520L; 12 | 13 | public LeechCoreException() { 14 | super("Native call to leechcore failed!"); 15 | } 16 | 17 | public LeechCoreException(String errorMessage) { 18 | super(errorMessage); 19 | } 20 | 21 | } 22 | -------------------------------------------------------------------------------- /vmmjava/leechcore/entry/LeechCoreBar.java: -------------------------------------------------------------------------------- 1 | package leechcore.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/LeechCore 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class LeechCoreBar implements Serializable 10 | { 11 | private static final long serialVersionUID = -8552459732654567239L; 12 | public boolean fValid; 13 | public boolean fIO; 14 | public boolean f64Bit; 15 | public boolean fPrefetchable; 16 | public int iBar; 17 | public long pa; 18 | public long cb; 19 | 20 | public String toString() { 21 | if(this.fValid) { 22 | return "LeechCoreBar:" + iBar + ":[" + Long.toHexString(pa) + "->" + Long.toHexString((pa + cb - 1)) + "]"; 23 | } else { 24 | return "LeechCoreBar:" + iBar + ":inactive"; 25 | } 26 | } 27 | } 28 | 
-------------------------------------------------------------------------------- /vmmjava/leechcore/entry/LeechCoreBarRequest.java: -------------------------------------------------------------------------------- 1 | package leechcore.entry; 2 | 3 | import leechcore.ILeechCoreBarReply; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/LeechCore 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class LeechCoreBarRequest 10 | { 11 | public ILeechCoreBarReply reply; 12 | public LeechCoreBar bar; 13 | public byte bTag; 14 | public byte bFirstBE; 15 | public byte bLastBE; 16 | public boolean is64Bit; 17 | public boolean isRead; 18 | public boolean isWrite; 19 | public int cbData; 20 | public long oData; 21 | public byte[] pbDataWrite; 22 | 23 | public String toString() { 24 | return "LeechCoreBarRequest"; 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /vmmjava/vmm/IVmmMemScatterMemory.java: -------------------------------------------------------------------------------- 1 | package vmm; 2 | 3 | /** 4 | * Interface to simplify efficient scattered read/write from the underlying API. 5 | * @see https://github.com/ufrisk/MemProcFS 6 | * @author Ulf Frisk - pcileech@frizk.net 7 | */ 8 | public interface IVmmMemScatterMemory 9 | { 10 | 11 | /** 12 | * Retrieve the object validity. Will turn to false after Close(). 13 | * @return 14 | */ 15 | public boolean isValid(); 16 | 17 | /** 18 | * Retrieve the flags. 19 | * @return 20 | */ 21 | public int getFlags(); 22 | 23 | /** 24 | * Prepare memory for reading. Read memory after a successful call to Execute() 25 | * @param va 26 | * @param size 27 | */ 28 | void prepare(long va, int size); 29 | 30 | /** 31 | * Prepare memory for writing. 
Memory will be written (best-effort) by a subsequent call to Execute() 32 | * @param va 33 | * @param data 34 | */ 35 | void prepareWrite(long va, byte[] data); 36 | 37 | /** 38 | * Execute memory read/write operations queued by previous calls to Prepare()/PrepareWrite() 39 | */ 40 | void execute(); 41 | 42 | /** 43 | * Clear the IVmmMemScatter for new calls to Prepare()/PrepareWrite() 44 | */ 45 | void clear(); 46 | 47 | /** 48 | * Read scatter data previously prepared by Prepare() after an Execute() call. 49 | * @param va 50 | * @param size 51 | * @return 52 | */ 53 | byte[] read(long va, int size); 54 | 55 | /** 56 | * Close the IVmmMemScatter object and clean up native resources. 57 | */ 58 | void close(); 59 | 60 | } 61 | -------------------------------------------------------------------------------- /vmmjava/vmm/IVmmModule.java: -------------------------------------------------------------------------------- 1 | package vmm; 2 | 3 | import java.util.List; 4 | 5 | import vmm.entry.*; 6 | 7 | /** 8 | * Interface representing a module (loaded dll). 9 | * @see https://github.com/ufrisk/MemProcFS 10 | * @author Ulf Frisk - pcileech@frizk.net 11 | */ 12 | public interface IVmmModule 13 | { 14 | 15 | //----------------------------------------------------------------------------- 16 | // MODULE CORE FUNCTIONALITY BELOW: 17 | //----------------------------------------------------------------------------- 18 | 19 | /** 20 | * Retrieve the process object of this module object. 21 | * @return 22 | */ 23 | public IVmmProcess getProcess(); 24 | 25 | /** 26 | * Retrieve the module name. 27 | * @return 28 | */ 29 | public String getName(); 30 | 31 | /** 32 | * Retrieve the full/long module name. 33 | * @return 34 | */ 35 | public String getNameFull(); 36 | 37 | /** 38 | * Retrieve the module base address. 39 | * @return 40 | */ 41 | public long getVaBase(); 42 | 43 | /** 44 | * Retrieve the module entry point address. 
45 | * @return 46 | */ 47 | public long getVaEntry(); 48 | 49 | /** 50 | * Retrieve the size of the module (in virtual memory). 51 | * @return 52 | */ 53 | public int getSize(); 54 | 55 | /** 56 | * Retrieve the file size (raw size) of the module. 57 | * @return 58 | */ 59 | public int getSizeFile(); 60 | 61 | /** 62 | * Check whether the module is a WoW64 module or not (32-bit module in 64-bit os). 63 | * @return 64 | */ 65 | public boolean isWow64(); 66 | 67 | /** 68 | * Retrieve the module section count. 69 | * @return 70 | */ 71 | public int getCountSection(); 72 | 73 | /** 74 | * Retrieve the export address table (EAT) count. 75 | * @return 76 | */ 77 | public int getCountEAT(); 78 | 79 | /** 80 | * Retrieve the import address table (IAT) count. 81 | * @return 82 | */ 83 | public int getCountIAT(); 84 | 85 | /** 86 | * Retrieve the function address of the specified function. 87 | * @param szFunctionName 88 | * @return 89 | */ 90 | public long getProcAddress(String szFunctionName); 91 | 92 | /** 93 | * Retrieve pdb debug symbols for the specific module. 94 | * @return 95 | */ 96 | public IVmmPdb getPdb(); 97 | 98 | /** 99 | * Retrieve debug directory information. The debug directory info requires 100 | * that the module has been initialized with isExtendedInfo but may 101 | * still fail if memory is unreadable - in which case null is returned. 102 | * @return 103 | */ 104 | public Vmm_ModuleExDebugInfo getExDebugInfo(); 105 | 106 | /** 107 | * Retrieve PE version info. The PE version info requires that the module 108 | * has been initialized with isExtendedInfo but may still fail if 109 | * memory is unreadable - in which case null is returned. 
110 | * @return 111 | */ 112 | public Vmm_ModuleExVersionInfo getExVersionInfo(); 113 | 114 | 115 | 116 | //----------------------------------------------------------------------------- 117 | // MODULE MAP FUNCTIONALITY BELOW: 118 | //----------------------------------------------------------------------------- 119 | 120 | /** 121 | * Retrieve the data directories. 122 | * @return 123 | */ 124 | public List mapDataDirectory(); 125 | 126 | /** 127 | * Retrieve exported symbols from the export address table (EAT). 128 | * @return 129 | */ 130 | public List mapExport(); 131 | 132 | /** 133 | * Retrieve imported symbols from the import address table (IAT). 134 | * @return 135 | */ 136 | public List mapImport(); 137 | 138 | /** 139 | * Retrieve module sections. 140 | * @return 141 | */ 142 | public List mapSection(); 143 | 144 | } 145 | -------------------------------------------------------------------------------- /vmmjava/vmm/IVmmPdb.java: -------------------------------------------------------------------------------- 1 | package vmm; 2 | 3 | /** 4 | * Interface representing debug symbols for a specific module. 5 | * @see https://github.com/ufrisk/MemProcFS 6 | * @author Ulf Frisk - pcileech@frizk.net 7 | */ 8 | public interface IVmmPdb 9 | { 10 | 11 | /** 12 | * Retrieve the module name of the PDB debug symbols. 13 | * @return 14 | */ 15 | public String getModuleName(); 16 | 17 | /** 18 | * Retrieve the address of the given symbol. 19 | * @param strSymbol 20 | * @return 21 | */ 22 | public long getSymbolAddress(String strSymbol); 23 | 24 | /** 25 | * Retrieve the symbol name given symbol virtual address or offset. 26 | * @param vaSymbolOrOffset 27 | * @return 28 | */ 29 | public String getSymbolName(long vaSymbolOrOffset); 30 | 31 | /** 32 | * Retrieve the symbol type child offset. 
33 | * @param strTypeName 34 | * @param strChild 35 | * @return 36 | */ 37 | public int getTypeChildOffset(String strTypeName, String strChild); 38 | 39 | /** 40 | * Retrieve a type size. 41 | * @param strTypeName 42 | * @return 43 | */ 44 | public int getTypeSize(String strTypeName); 45 | 46 | } 47 | -------------------------------------------------------------------------------- /vmmjava/vmm/IVmmRegHive.java: -------------------------------------------------------------------------------- 1 | package vmm; 2 | 3 | /** 4 | * Interface representing a registry hive. 5 | * @see https://github.com/ufrisk/MemProcFS 6 | * @author Ulf Frisk - pcileech@frizk.net 7 | */ 8 | public interface IVmmRegHive 9 | { 10 | 11 | /** 12 | * Retrieve the registry hive full name. 13 | * @return 14 | */ 15 | public String getName(); 16 | 17 | /** 18 | * Retrieve the registry hive short name. 19 | * @return 20 | */ 21 | public String getNameShort(); 22 | 23 | /** 24 | * Retrieve the registry hive path. 25 | * @return 26 | */ 27 | public String getPath(); 28 | 29 | /** 30 | * Retrieve the registry hive size. 31 | * @return 32 | */ 33 | public int getSize(); 34 | 35 | /** 36 | * Retrieve the base address of the registry hive. 37 | * @return 38 | */ 39 | public long getVaHive(); 40 | 41 | /** 42 | * Retrieve the address of the registry base block. 43 | * @return 44 | */ 45 | public long getVaBaseBlock(); 46 | 47 | /** 48 | * Retrieve the registry hive root key. 49 | * @return 50 | */ 51 | public IVmmRegKey getKeyRoot(); 52 | 53 | /** 54 | * Retrieve the virtual registry hive orphan key. 55 | * The orphan key is populated by registry entries of which it's not 56 | * possible to determine their parents. 57 | * @return 58 | */ 59 | public IVmmRegKey getKeyOrphan(); 60 | 61 | /** 62 | * Read registry memory. 63 | * @param ra the address from the registry base to read. 64 | * @param size the number of bytes to read. 
65 | * @return 66 | */ 67 | public byte[] memRead(int ra, int size); 68 | 69 | /** 70 | * Read registry memory. 71 | * @param ra the address from the registry base to read. 72 | * @param size the number of bytes to read. 73 | * @param flags IVmm.FLAG_* 74 | * @return 75 | */ 76 | public byte[] memRead(int ra, int size, int flags); 77 | 78 | /** 79 | * Write data to the registry if possible. 80 | * NB! this is dangerous and not recommended! 81 | * @param ra 82 | * @param data 83 | */ 84 | public void memWrite(int ra, byte[] data); 85 | 86 | } 87 | -------------------------------------------------------------------------------- /vmmjava/vmm/IVmmRegKey.java: -------------------------------------------------------------------------------- 1 | package vmm; 2 | 3 | import java.util.Map; 4 | 5 | /** 6 | * Interface representing a registry key. 7 | * @see https://github.com/ufrisk/MemProcFS 8 | * @author Ulf Frisk - pcileech@frizk.net 9 | */ 10 | public interface IVmmRegKey 11 | { 12 | 13 | /** 14 | * Retrieve the registry key name. 15 | * @return 16 | */ 17 | public String getName(); 18 | 19 | /** 20 | * Retrieve the registry key path. 21 | * @return 22 | */ 23 | public String getPath(); 24 | 25 | /** 26 | * Retrieve the parent key. 27 | * @return 28 | */ 29 | public IVmmRegKey getKeyParent(); 30 | 31 | /** 32 | * Retrieve the child keys. 33 | * @return 34 | */ 35 | public Map getKeyChild(); 36 | 37 | /** 38 | * Retrieve the values. 39 | * @return 40 | */ 41 | public Map getValues(); 42 | 43 | /** 44 | * Retrieve the last write time. 45 | * @return 46 | */ 47 | public long getTime(); 48 | 49 | } 50 | -------------------------------------------------------------------------------- /vmmjava/vmm/IVmmRegValue.java: -------------------------------------------------------------------------------- 1 | package vmm; 2 | 3 | /** 4 | * Interface representing a registry value. 
5 | * @see https://github.com/ufrisk/MemProcFS 6 | * @author Ulf Frisk - pcileech@frizk.net 7 | */ 8 | public interface IVmmRegValue 9 | { 10 | 11 | /** 12 | * Retrieve the registry key name. 13 | * @return 14 | */ 15 | public String getName(); 16 | 17 | /** 18 | * Retrieve the registry type. 19 | * @return 20 | */ 21 | public int getType(); 22 | 23 | /** 24 | * Retrieve the raw registry value. 25 | * @return 26 | */ 27 | public byte[] getValue(); 28 | 29 | /** 30 | * Retrieve a DWORD value. 31 | * @return 32 | */ 33 | public int getValueAsDword(); 34 | 35 | /** 36 | * Retrieve the registry value as a String. 37 | * @return 38 | */ 39 | public String getValueAsString(); 40 | 41 | /** 42 | * Retrieve the registry key path. 43 | * @return 44 | */ 45 | public String getPath(); 46 | 47 | /** 48 | * Retrieve the parent key. 49 | * @return 50 | */ 51 | public IVmmRegKey getKeyParent(); 52 | 53 | } 54 | -------------------------------------------------------------------------------- /vmmjava/vmm/VmmException.java: -------------------------------------------------------------------------------- 1 | package vmm; 2 | 3 | /** 4 | * Runtime Exception used to indicate exceptions from the underlying native API. 
5 | * @see https://github.com/ufrisk/MemProcFS 6 | * @author Ulf Frisk - pcileech@frizk.net 7 | */ 8 | public class VmmException extends RuntimeException 9 | { 10 | 11 | private static final long serialVersionUID = 3361783299853681520L; 12 | 13 | public VmmException() { 14 | super("Native call to vmm failed!"); 15 | } 16 | 17 | public VmmException(String errorMessage) { 18 | super(errorMessage); 19 | } 20 | 21 | public VmmException(String errorMessage, Throwable t) { 22 | super(errorMessage, t); 23 | } 24 | 25 | } 26 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_HandleEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_HandleEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = 7952416272217348610L; 12 | public long vaObject; 13 | public int dwHandle; 14 | public int _dwGrantedAccess_iType; 15 | public long qwHandleCount; 16 | public long qwPointerCount; 17 | public long vaObjectCreateInfo; 18 | public long vaSecurityDescriptor; 19 | public String name; 20 | public int dwPID; 21 | public String tag; 22 | public String type; 23 | 24 | public String toString() { 25 | return "VmmMap_HandleEntry:'" + name + "'"; 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_HeapAllocEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_HeapAllocEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = 7660027547435390129L; 
12 | public long va; 13 | public int cb; 14 | public int tp; 15 | 16 | public String toString() { 17 | return "VmmMap_HeapAllocEntry:" + Long.toHexString(va) + ":" + Long.toHexString(cb); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_HeapEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_HeapEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = -2916075662335391903L; 12 | public long va; 13 | public int tp; 14 | public boolean f32; 15 | public int iHeap; 16 | public int dwHeapNum; 17 | 18 | public String toString() { 19 | return "VmmMap_HeapEntry:" + String.valueOf(iHeap) + ":" + Long.toHexString(va); 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_HeapMap.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | import java.util.List; 5 | 6 | /** 7 | * @see https://github.com/ufrisk/MemProcFS 8 | * @author Ulf Frisk - pcileech@frizk.net 9 | */ 10 | public class VmmMap_HeapMap implements Serializable 11 | { 12 | private static final long serialVersionUID = 2532269971476991139L; 13 | public List heaps; 14 | public List segments; 15 | 16 | public String toString() { 17 | return "VmmMap_HeapMap"; 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_HeapSegmentEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf 
Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_HeapSegmentEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = 5620134579124403952L; 12 | public long va; 13 | public int cb; 14 | public short tp; 15 | public short iHeap; 16 | 17 | public String toString() { 18 | return "VmmMap_HeapSegmentEntry:" + String.valueOf(iHeap) + ":" + Long.toHexString(va) + ":" + Long.toHexString(cb); 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_MemMapEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_MemMapEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = 862616981396566108L; 12 | public long pa; 13 | public long cb; 14 | 15 | public String toString() { 16 | return "VmmMap_MemMapEntry:" + Long.toHexString(pa) + ":" + Long.toHexString(cb); 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_ModuleDataDirectory.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_ModuleDataDirectory implements Serializable 10 | { 11 | private static final long serialVersionUID = -603939752974235784L; 12 | public long RealVirtualAddress; 13 | public int VirtualAddress; 14 | public int Size; 15 | public String name; 16 | 17 | public String toString() { 18 | return "VmmMap_ModuleDataDirectory:" + name; 19 | } 20 | } 21 | -------------------------------------------------------------------------------- 
/vmmjava/vmm/entry/VmmMap_ModuleExport.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_ModuleExport implements Serializable 10 | { 11 | private static final long serialVersionUID = -7123227183229190307L; 12 | public long vaFunction; 13 | public int dwOrdinal; 14 | public int oFunctionsArray; 15 | public int oNamesArray; 16 | public String uszModule; 17 | public String uszFunction; 18 | public String uszForwardedFunction; 19 | 20 | public String toString() { 21 | return "VmmMap_ModuleExport:" + uszModule + "!" + uszFunction; 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_ModuleImport.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_ModuleImport implements Serializable 10 | { 11 | private static final long serialVersionUID = -3945880871638085047L; 12 | public long vaFunction; 13 | public String uszFunction; 14 | public String uszModule; 15 | // Thunk 16 | public boolean f32; 17 | public short wHint; 18 | public int rvaFirstThunk; 19 | public int rvaOriginalFirstThunk; 20 | public int rvaNameModule; 21 | public int rvaNameFunction; 22 | 23 | public String toString() { 24 | return "VmmMap_ModuleImport:" + uszModule + "!" 
+ uszFunction; 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_ModuleSection.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_ModuleSection implements Serializable 10 | { 11 | private static final long serialVersionUID = -8748153308397838653L; 12 | public String name; 13 | public int MiscVirtualSize; 14 | public int VirtualAddress; 15 | public int SizeOfRawData; 16 | public int PointerToRawData; 17 | public int PointerToRelocations; 18 | public int PointerToLinenumbers; 19 | public short NumberOfRelocations; 20 | public short NumberOfLinenumbers; 21 | public int Characteristics; 22 | 23 | public String toString() { 24 | return "VmmMap_ModuleSection:" + name; 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_NetEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_NetEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = 5333048748531523686L; 12 | public String str; 13 | public int dwPid; 14 | public int dwState; 15 | public short AF; 16 | public long vaObj; 17 | public long ftTime; 18 | public int dwPoolTag; 19 | public boolean srcValid; 20 | public boolean dstValid; 21 | public short srcPort; 22 | public short dstPort; 23 | public String srcStr; 24 | public String dstStr; 25 | 26 | public String toString() { 27 | return "VmmMap_NetEntry:'" + str + "'"; 28 | } 29 | } 30 | 
-------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_PoolEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_PoolEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = 6028663064101019000L; 12 | public long va; 13 | public int cb; 14 | public String tag; 15 | public boolean fAlloc; 16 | public byte tpPool; 17 | public byte tpSS; 18 | 19 | public String toString() { 20 | return "VmmMap_PoolEntry:" + tag + ":" + String.valueOf(va); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_PoolMap.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.util.Map; 4 | import java.io.Serializable; 5 | 6 | /** 7 | * @see https://github.com/ufrisk/MemProcFS 8 | * @author Ulf Frisk - pcileech@frizk.net 9 | */ 10 | public class VmmMap_PoolMap implements Serializable 11 | { 12 | private static final long serialVersionUID = -2515154533742691192L; 13 | public Map> tag; 14 | public Map va; 15 | 16 | public String toString() { 17 | return "VmmMap_PoolMap"; 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_PteEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_PteEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = -7463671464805453585L; 12 | public long vaBase; 13 | public long cPages; 
14 | public long fPage; 15 | public boolean fWow64; 16 | public String strDescription; 17 | public int cSoftware; 18 | 19 | public String toString() { 20 | return "VmmMap_PteEntry:" + Long.toHexString(vaBase) + ":" + Long.toHexString(cPages); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_ServiceEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_ServiceEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = 1274183168020644036L; 12 | public int dwServiceType; 13 | public int dwCurrentState; 14 | public int dwControlsAccepted; 15 | public int dwWin32ExitCode; 16 | public int dwServiceSpecificExitCode; 17 | public int dwCheckPoint; 18 | public int dwWaitHint; 19 | public long vaObj; 20 | public int dwOrdinal; 21 | public int dwStartType; 22 | public String uszServiceName; 23 | public String uszDisplayName; 24 | public String uszPath; 25 | public String uszUserTp; 26 | public String uszUserAcct; 27 | public String uszImagePath; 28 | public int dwPID; 29 | 30 | public String toString() { 31 | return "VmmMap_ServiceEntry:" + uszServiceName; 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_ThreadEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_ThreadEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = -8162285678132928372L; 12 | public int dwTID; 13 | public int dwPID; 14 | public int 
dwExitStatus; 15 | public byte bState; 16 | public byte bRunning; 17 | public byte bPriority; 18 | public byte bBasePriority; 19 | public long vaETHREAD; 20 | public long vaTeb; 21 | public long ftCreateTime; 22 | public long ftExitTime; 23 | public long vaStartAddress; 24 | public long vaWin32StartAddress; 25 | public long vaStackBaseUser; 26 | public long vaStackLimitUser; 27 | public long vaStackBaseKernel; 28 | public long vaStackLimitKernel; 29 | public long vaTrapFrame; 30 | public long vaImpersonationToken; 31 | public long vaRIP; 32 | public long vaRSP; 33 | public long qwAffinity; 34 | public int dwUserTime; 35 | public int dwKernelTime; 36 | public byte bSuspendCount; 37 | public byte bWaitReason; 38 | 39 | public String toString() { 40 | return "VmmMap_ThreadEntry:" + String.valueOf(dwTID); 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_UnloadedModuleEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_UnloadedModuleEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = 2432835898565494177L; 12 | public long vaBase; 13 | public long cbImageSize; 14 | public boolean fWow64; 15 | public String strModuleName; 16 | public int dwCheckSum; 17 | public int dwTimeDateStamp; 18 | public long ftUnload; 19 | 20 | public String toString() { 21 | return "VmmMap_UnloadedModuleEntry:" + strModuleName; 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_UserEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see 
https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_UserEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = -7758667727787190877L; 12 | public String user; 13 | public String SID; 14 | public long vaRegHive; 15 | 16 | public String toString() { 17 | return "VmmMap_UserEntry:" + user; 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_VadEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_VadEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = -4829077937239905960L; 12 | public long vaStart; 13 | public long vaEnd; 14 | public long vaVad; 15 | public int dw0; 16 | public int dw1; 17 | public int dwu2; 18 | public int cbPrototypePte; 19 | public long vaPrototypePte; 20 | public long vaSubsection; 21 | public String uszText; 22 | public long vaFileObject; 23 | public int cVadExPages; 24 | public int cVadExPagesBase; 25 | 26 | public String toString() { 27 | return "VmmMap_VadEntry:" + Long.toHexString(vaStart) + ":" + Long.toHexString(vaEnd); 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/VmmMap_VadExEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class VmmMap_VadExEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = -2942891920206162420L; 12 | public int tp; 13 | public int iPML; 14 | public int pteFlags; 15 
| public long va; 16 | public long pa; 17 | public long pte; 18 | public int proto_tp; 19 | public long proto_pa; 20 | public long proto_pte; 21 | public long vaVadBase; 22 | 23 | public String toString() { 24 | return "VmmMap_VadExEntry:" + Long.toHexString(va); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/Vmm_ModuleExDebugInfo.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class Vmm_ModuleExDebugInfo implements Serializable { 10 | 11 | private static final long serialVersionUID = -7875377132222488703L; 12 | public int dwAge; 13 | public byte[] GuidBytes; 14 | public String Guid; 15 | public String PdbFilename; 16 | 17 | public String toString() { 18 | return "Vmm_ModuleExDebugInfo"; 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /vmmjava/vmm/entry/Vmm_ModuleExVersionInfo.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class Vmm_ModuleExVersionInfo implements Serializable { 10 | 11 | private static final long serialVersionUID = -9023423751540659830L; 12 | public String CompanyName; 13 | public String FileDescription; 14 | public String FileVersion; 15 | public String InternalName; 16 | public String LegalCopyright; 17 | public String OriginalFilename; 18 | public String ProductName; 19 | public String ProductVersion; 20 | 21 | public String toString() { 22 | return "Vmm_ModuleExVersionInfo"; 23 | } 24 | } 25 | -------------------------------------------------------------------------------- 
/vmmjava/vmm/entry/Vmm_VfsListEntry.java: -------------------------------------------------------------------------------- 1 | package vmm.entry; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @see https://github.com/ufrisk/MemProcFS 7 | * @author Ulf Frisk - pcileech@frizk.net 8 | */ 9 | public class Vmm_VfsListEntry implements Serializable 10 | { 11 | private static final long serialVersionUID = -2708452659192929578L; 12 | public String name; 13 | public boolean isFile; 14 | public long size; 15 | 16 | public String toString() { 17 | return "Vmm_VfsListEntry:" + name; 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vmmjava/vmm/internal/IVmmNativeEx.java: -------------------------------------------------------------------------------- 1 | package vmm.internal; 2 | 3 | /** 4 | * Project "Panama" Native Code wrapper for MemProcFS 5 | * @see https://github.com/ufrisk/MemProcFS 6 | * @author Ulf Frisk - pcileech@frizk.net 7 | */ 8 | interface IVmmNativeEx { 9 | public byte[] memRead(int pid, long va, int size, int flags); 10 | public void memWrite(int pid, long va, byte[] data); 11 | 12 | public Object scatterInitialize(int pid, int flags); 13 | public void scatterPrepare(Object scatterHandle, long va, int size); 14 | public void scatterPrepareWrite(Object scatterHandle, long va, byte[] data); 15 | public void scatterExecute(Object scatterHandle); 16 | public byte[] scatterRead(Object scatterHandle, long va, int size); 17 | public void scatterClear(Object scatterHandle, int pid, int flags); 18 | public void scatterClose(Object scatterHandle); 19 | } 20 | -------------------------------------------------------------------------------- /vmmjava/vmm/internal/JnaObjectMap.java: -------------------------------------------------------------------------------- 1 | package vmm.internal; 2 | 3 | import java.lang.ref.WeakReference; 4 | import java.util.*; 5 | 6 | public class JnaObjectMap { 7 | private int counter = 
1; 8 | private static JnaObjectMap instance; 9 | private final Map> map = new HashMap<>(); 10 | 11 | public static synchronized JnaObjectMap getInstance() { 12 | if (instance == null) { 13 | instance = new JnaObjectMap(); 14 | } 15 | return instance; 16 | } 17 | 18 | public synchronized Integer put(Object obj) { 19 | Integer key = Integer.valueOf(counter++); 20 | map.put(key, new WeakReference<>(obj)); 21 | return key; 22 | } 23 | 24 | public synchronized Object get(Integer key) { 25 | WeakReference ref = map.get(key); 26 | if (ref != null) { 27 | return ref.get(); 28 | } 29 | return null; 30 | } 31 | 32 | public synchronized void remove(Integer key) { 33 | map.remove(key); 34 | } 35 | } -------------------------------------------------------------------------------- /vmmjava/vmm/internal/LeechCoreNative.java: -------------------------------------------------------------------------------- 1 | package vmm.internal; 2 | 3 | import com.sun.jna.*; 4 | import com.sun.jna.ptr.*; 5 | 6 | /** 7 | * JNA native code wrapper for LeechCore. 
8 | * @see https://github.com/ufrisk/MemProcFS 9 | * @author Ulf Frisk - pcileech@frizk.net 10 | */ 11 | interface LeechCoreNative extends Library { 12 | static final int MAX_PATH = 260; 13 | 14 | static final int LC_CONFIG_VERSION = 0xc0fd0002; 15 | 16 | LeechCoreNative INSTANCE = Native.load("leechcore", LeechCoreNative.class); 17 | 18 | @Structure.FieldOrder({"dwVersion", "dwPrintfVerbosity", "szDevice", "szRemote", "pfn_printf_opt", "paMax", "fVolatile", "fWritable", "fRemote", "fRemoteDisableCompress", "szDeviceName"}) 19 | class LC_CONFIG extends Structure { 20 | public int dwVersion; 21 | public int dwPrintfVerbosity; 22 | public byte[] szDevice = new byte[MAX_PATH]; 23 | public byte[] szRemote = new byte[MAX_PATH]; 24 | public Pointer pfn_printf_opt; 25 | public long paMax; 26 | public boolean fVolatile; 27 | public boolean fWritable; 28 | public boolean fRemote; 29 | public boolean fRemoteDisableCompress; 30 | public byte[] szDeviceName = new byte[MAX_PATH]; 31 | } 32 | 33 | Pointer LcCreate(LC_CONFIG pLcCreateConfig); 34 | void LcClose(Pointer hLC); 35 | long LcMemFree(Pointer pvMem); 36 | boolean LcRead(Pointer hLC, long pa, int cb, byte[] pb); 37 | boolean LcWrite(Pointer hLC, long pa, int cb, byte[] pb); 38 | boolean LcGetOption(Pointer hLC, long fOption, LongByReference pqwValue); 39 | boolean LcSetOption(Pointer hLC, long fOption, long qwValue); 40 | boolean LcCommand(Pointer hLC, long fCommand, int cbDataIn, Pointer pbDataIn, PointerByReference ppbDataOut, IntByReference pcbDataOut); 41 | 42 | interface CALLBACK_BAR extends Callback { 43 | void invoke(LC_BAR_REQUEST req); 44 | } 45 | 46 | interface CALLBACK_TLP extends Callback { 47 | void invoke(int ctxNative, int cbTlp, Pointer pbTlp, int cbInfo, String szInfo); 48 | } 49 | 50 | @Structure.FieldOrder({"fValid", "fIO", "f64Bit", "fPrefetchable", "iBar", "_Filler0", "_Filler1", "_Filler2", "pa", "cb"}) 51 | class LC_BAR extends Structure { 52 | public boolean fValid; 53 | public boolean fIO; 54 | 
public boolean f64Bit; 55 | public boolean fPrefetchable; 56 | public int _Filler0; 57 | public int _Filler1; 58 | public int _Filler2; 59 | public int iBar; 60 | public long pa; 61 | public long cb; 62 | 63 | public LC_BAR(Pointer p) { 64 | super(p); 65 | read(); 66 | } 67 | } 68 | 69 | @Structure.FieldOrder({"bars"}) 70 | class LC_BAR_6 extends Structure { 71 | public LC_BAR[] bars; 72 | 73 | LC_BAR_6(Pointer p) 74 | { 75 | super(p); 76 | bars = new LC_BAR[6]; 77 | read(); 78 | } 79 | } 80 | 81 | @Structure.FieldOrder({"ctx", "pBar", "bTag", "bFirstBE", "bLastBE", "_Filler", "f64", "fRead", "fReadReply", "fWrite", "cbData", "oData", "pbData"}) 82 | class LC_BAR_REQUEST extends Structure { 83 | public Pointer ctx; 84 | public Pointer pBar; 85 | public byte bTag; 86 | public byte bFirstBE; 87 | public byte bLastBE; 88 | public byte _Filler; 89 | public boolean f64; 90 | public boolean fRead; 91 | public boolean fReadReply; 92 | public boolean fWrite; 93 | public int cbData; 94 | public long oData; 95 | public byte[] pbData = new byte[4096]; 96 | } 97 | } 98 | 99 | interface LeechCoreNativeEx extends Library 100 | { 101 | LeechCoreNativeEx INSTANCE = Native.load("leechcore", LeechCoreNativeEx.class); 102 | boolean LcCommand(Pointer hLC, long fCommand, int cbDataIn, Callback pbDataIn, PointerByReference ppbDataOut, IntByReference pcbDataOut); 103 | } 104 | -------------------------------------------------------------------------------- /vmmpyc/Makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | CFLAGS= -I. 
-I../includes -D LINUX -fPIC -fvisibility=hidden `pkg-config python3 --cflags` 3 | CFLAGS += -fPIE -fPIC -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O1 4 | CFLAGS += -Wall -Wno-format-truncation -Wno-enum-compare -Wno-pointer-sign -Wno-multichar -Wno-unused-variable -Wno-unused-value 5 | CFLAGS += -Wno-pointer-to-int-cast -Wno-int-to-pointer-cast -Wno-multichar 6 | ifeq ($(shell basename $(CC)),gcc) 7 | CFLAGS += -pie 8 | # DEBUG FLAGS BELOW 9 | # CFLAGS += -g -O0 -Wextra -Wno-unused-parameter -Wno-cast-function-type 10 | # DEBUG FLAGS ABOVE 11 | endif 12 | LDFLAGS += -L../files -Wl,-rpath,'$$ORIGIN' -g -ldl -shared -L. -l:vmm.so -Wl,-z,noexecstack `pkg-config python3 --libs` 13 | DEPS = 14 | OBJ = oscompatibility.o vmmpycplugin.o vmmpyc.o \ 15 | vmmpyc_maps.o vmmpyc_process.o vmmpyc_regvalue.o vmmpyc_virtualmemory.o \ 16 | vmmpyc_module.o vmmpyc_processmaps.o vmmpyc_scattermemory.o \ 17 | vmmpyc_vmm.o vmmpyc_modulemaps.o vmmpyc_reghive.o \ 18 | vmmpyc_util.o vmmpyc_pdb.o vmmpyc_regkey.o vmmpyc_vfs.o vmmpyc.o \ 19 | vmmpyc_kernel.o vmmpyc_physicalmemory.o vmmpyc_regmemory.o \ 20 | vmmpyc_search.o vmmpyc_virtualmachine.o vmmpyc_yara.o 21 | 22 | %.o: %.c $(DEPS) 23 | $(CC) -c -o $@ $< $(CFLAGS) 24 | 25 | vmmpyc: $(OBJ) 26 | $(CC) -o $@ $^ $(CFLAGS) -o vmmpyc.so $(LDFLAGS) 27 | mv vmmpyc.so ../files/ || true 28 | rm -f *.o || true 29 | rm -f *.so || true 30 | true 31 | 32 | clean: 33 | rm -f *.o || true 34 | rm -f *.so || true 35 | -------------------------------------------------------------------------------- /vmmpyc/oscompatibility.c: -------------------------------------------------------------------------------- 1 | // oscompatibility.c : VMM Windows/Linux compatibility layer. 
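//
// (c) Ulf Frisk, 2021-2025
// Author: Ulf Frisk, pcileech@frizk.net
//
#ifdef LINUX

#include "vmmpyc.h"
// NOTE(review): the two system header names were lost in this listing. The code
// below needs dlinfo()/struct link_map/RTLD_DI_LINKMAP (<link.h>, <dlfcn.h>),
// readlink() (<unistd.h>), pthreads, string/alloc and time helpers; confirm
// against upstream which of these vmmpyc.h already provides.
#include <link.h>
#include <unistd.h>

// ----------------------------------------------------------------------------
// LocalAlloc/LocalFree BELOW:
// ----------------------------------------------------------------------------

/*
* Win32-style allocation on top of malloc().
* -- uFlags = only LMEM_ZEROINIT is honoured; any other flag bits are ignored.
* -- uBytes = number of bytes to allocate.
* -- return = the allocation, or NULL on failure.
*/
HANDLE LocalAlloc(DWORD uFlags, SIZE_T uBytes)
{
    HANDLE h = malloc(uBytes);
    if(h && (uFlags & LMEM_ZEROINIT)) {
        memset(h, 0, uBytes);
    }
    return h;
}

/*
* Release an allocation made by LocalAlloc(). NULL is accepted (free() semantics).
*/
VOID LocalFree(HANDLE hMem)
{
    free(hMem);
}



// ----------------------------------------------------------------------------
// OTHER FUNCTIONALITY BELOW:
// ----------------------------------------------------------------------------

/*
* Convert a Windows FILETIME (100ns ticks since 1601-01-01 UTC) into a UTC
* SYSTEMTIME. The conversion goes through time_t, so values before the Unix
* epoch (1970-01-01) are clamped to the epoch.
* -- lpFileTime = the FILETIME to convert.
* -- pSystemTime = receives the broken-down UTC time (all 8 fields written).
* -- return = TRUE on success; FALSE if gmtime_r() rejects the value, in which
*             case pSystemTime is still filled from a zeroed struct tm.
*/
BOOL FileTimeToSystemTime(_In_ PFILETIME lpFileTime, _Out_ PSYSTEMTIME pSystemTime)
{
    time_t tm = 0;
    struct tm t = { 0 };
    BOOL fResult = TRUE;
    if(*lpFileTime >= 116444736000000000ULL) {
        tm = (time_t)((*lpFileTime - 116444736000000000ULL) / 10000000ULL);
    }
    if(!gmtime_r(&tm, &t)) {
        // Previously ignored: the caller then saw year 1900 reported as success.
        fResult = FALSE;
    }
    pSystemTime->wYear = 1900 + t.tm_year;
    pSystemTime->wMonth = 1 + t.tm_mon;
    pSystemTime->wDayOfWeek = t.tm_wday;
    pSystemTime->wDay = t.tm_mday;
    pSystemTime->wHour = t.tm_hour;
    pSystemTime->wMinute = t.tm_min;
    pSystemTime->wSecond = t.tm_sec;
    pSystemTime->wMilliseconds = (*lpFileTime / 10000) % 1000;
    return fResult;
}

/*
* Retrieve the file system path of a loaded module, or of the running executable
* when no module handle is given.
* -- hModule = dlopen() handle whose link map is queried, or NULL for /proc/self/exe.
* -- lpFilename = receives the NUL-terminated path (truncated to fit).
* -- nSize = size of lpFilename in bytes.
* -- return = length of the string written (excluding the NUL), 0 on failure.
*/
DWORD GetModuleFileNameA(_In_opt_ HMODULE hModule, _Out_ LPSTR lpFilename, _In_ DWORD nSize)
{
    struct link_map *lm = NULL;
    ssize_t cch;
    // nSize == 0 would otherwise index lpFilename[(DWORD)-1] below.
    if(!lpFilename || !nSize) { return 0; }
    if(hModule && (dlinfo(hModule, RTLD_DI_LINKMAP, &lm) == 0) && lm && lm->l_name) {
        // strncpy() does not terminate when l_name fills the buffer: force it.
        strncpy(lpFilename, lm->l_name, nSize);
        lpFilename[nSize - 1] = 0;
        return (DWORD)strlen(lpFilename);
    }
    // readlink() never NUL-terminates and returns -1 on error. The original code
    // returned its result directly, handing callers an unterminated buffer (or
    // 0xffffffff as a length) - both are out-of-bounds reads waiting to happen.
    cch = readlink("/proc/self/exe", lpFilename, nSize - 1);
    if(cch < 0) {
        lpFilename[0] = 0;
        return 0;
    }
    lpFilename[cch] = 0;
    return (DWORD)cch;
}



// ----------------------------------------------------------------------------
// GENERAL HANDLES BELOW:
// ----------------------------------------------------------------------------

#define OSCOMPATIBILITY_HANDLE_INTERNAL         0x35d91cca
#define OSCOMPATIBILITY_HANDLE_TYPE_THREAD      2
#define OSCOMPATIBILITY_HANDLE_TYPE_EVENT       3

// Common prefix of every HANDLE handed out by this file: a magic value so that
// CloseHandle() can reject foreign pointers, plus a type discriminator.
typedef struct tdHANDLE_INTERNAL {
    DWORD magic;
    DWORD type;
} HANDLE_INTERNAL, *PHANDLE_INTERNAL;

// Thread handle: the joinable pthread behind a CreateThread() HANDLE.
typedef struct tdHANDLE_INTERNAL_THREAD {
    DWORD magic;
    DWORD type;
    pthread_t thread;
} HANDLE_INTERNAL_THREAD, *PHANDLE_INTERNAL_THREAD;

/*
* Close a HANDLE created by this compatibility layer. Closing a thread handle
* joins the thread (blocking until it exits), unlike Win32 where CloseHandle()
* on a running thread just drops the reference.
* -- hObject = handle to close.
* -- return = TRUE if the handle was recognised and released, FALSE otherwise
*             (including NULL, which the original code dereferenced).
*/
BOOL CloseHandle(_In_ HANDLE hObject)
{
    PHANDLE_INTERNAL hi = (PHANDLE_INTERNAL)hObject;
    if(!hi || (hi->magic != OSCOMPATIBILITY_HANDLE_INTERNAL)) { return FALSE; }
    switch(hi->type) {
        case OSCOMPATIBILITY_HANDLE_TYPE_THREAD:
            pthread_join(((PHANDLE_INTERNAL_THREAD)hi)->thread, NULL);
            break;
        default:
            break;
    }
    // Handles are malloc()'d and LocalFree() is free(), so this matches.
    LocalFree(hi);
    return TRUE;
}



// ----------------------------------------------------------------------------
// THREAD FUNCTIONALITY:
// ----------------------------------------------------------------------------

/*
* Start a joinable pthread running lpStartAddress(lpParameter) and wrap it in a
* HANDLE for CloseHandle(). lpThreadAttributes, dwStackSize, dwCreationFlags
* and lpThreadId are accepted for signature compatibility only and are ignored;
* in particular *lpThreadId is NOT populated - callers must not read it.
* -- lpStartAddress = thread entry, void *(*)(void *) in practice.
* -- lpParameter = argument passed to the entry.
* -- return = thread handle, or NULL if allocation or pthread_create() fails.
*/
HANDLE CreateThread(
    PVOID lpThreadAttributes,
    SIZE_T dwStackSize,
    PVOID lpStartAddress,
    PVOID lpParameter,
    DWORD dwCreationFlags,
    PDWORD lpThreadId
) {
    PHANDLE_INTERNAL_THREAD ph;
    if(!lpStartAddress) { return NULL; }
    // Allocate the handle before starting the thread: in the original order a
    // failed malloc() after pthread_create() leaked a running thread that could
    // never be joined.
    ph = malloc(sizeof(HANDLE_INTERNAL_THREAD));
    if(!ph) { return NULL; }
    ph->magic = OSCOMPATIBILITY_HANDLE_INTERNAL;
    ph->type = OSCOMPATIBILITY_HANDLE_TYPE_THREAD;
    if(pthread_create(&ph->thread, NULL, lpStartAddress, lpParameter)) {
        free(ph);
        return NULL;
    }
    return (HANDLE)ph;
}

#endif /* LINUX */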
-------------------------------------------------------------------------------- /vmmpyc/version.h: -------------------------------------------------------------------------------- 1 | #define STRINGIZE2(s) #s 2 | #define STRINGIZE(s) STRINGIZE2(s) 3 | 4 | #define VERSION_MAJOR 5 5 | #define VERSION_MINOR 16 6 | #define VERSION_REVISION 7 7 | #define VERSION_BUILD 221 8 | 9 | #define VER_FILE_DESCRIPTION_STR "MemProcFS : Python API" 10 | #define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD 11 | #define VER_FILE_VERSION_STR STRINGIZE(VERSION_MAJOR) \ 12 | "." STRINGIZE(VERSION_MINOR) \ 13 | "." STRINGIZE(VERSION_REVISION) \ 14 | "." STRINGIZE(VERSION_BUILD) \ 15 | 16 | #define VER_COMPANY_NAME_STR "" 17 | #define VER_PRODUCTNAME_STR "vmmpyc" 18 | #define VER_PRODUCT_VERSION VER_FILE_VERSION 19 | #define VER_PRODUCT_VERSION_STR VER_FILE_VERSION_STR 20 | #define VER_ORIGINAL_FILENAME_STR VER_PRODUCTNAME_STR ".dll" 21 | #define VER_INTERNAL_NAME_STR VER_ORIGINAL_FILENAME_STR 22 | #define VER_COPYRIGHT_STR "Copyright (c) Ulf Frisk 2018-2025" 23 | -------------------------------------------------------------------------------- /vmmpyc/vmmpyc.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/vmmpyc/vmmpyc.rc -------------------------------------------------------------------------------- /vmmpyc/vmmpyc.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {bfa25535-d9b8-480a-b50d-50d3a8b46bfb} 18 | 19 | 20 | 21 | 22 | 
Header Files 23 | 24 | 25 | Header Files\includes 26 | 27 | 28 | Header Files\includes 29 | 30 | 31 | Header Files 32 | 33 | 34 | 35 | 36 | Source Files 37 | 38 | 39 | Source Files 40 | 41 | 42 | Source Files 43 | 44 | 45 | Source Files 46 | 47 | 48 | Source Files 49 | 50 | 51 | Source Files 52 | 53 | 54 | Source Files 55 | 56 | 57 | Source Files 58 | 59 | 60 | Source Files 61 | 62 | 63 | Source Files 64 | 65 | 66 | Source Files 67 | 68 | 69 | Source Files 70 | 71 | 72 | Source Files 73 | 74 | 75 | Source Files 76 | 77 | 78 | Source Files 79 | 80 | 81 | Source Files 82 | 83 | 84 | Source Files 85 | 86 | 87 | Source Files 88 | 89 | 90 | Source Files 91 | 92 | 93 | Source Files 94 | 95 | 96 | Source Files 97 | 98 | 99 | Source Files 100 | 101 | 102 | Source Files 103 | 104 | 105 | 106 | 107 | Resource Files 108 | 109 | 110 | 111 | 112 | Resource Files 113 | 114 | 115 | -------------------------------------------------------------------------------- /vmmpyc/vmmpyc.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | WindowsLocalDebugger 5 | 6 | 7 | WindowsLocalDebugger 8 | 9 | 10 | WindowsLocalDebugger 11 | 12 | 13 | WindowsLocalDebugger 14 | 15 | -------------------------------------------------------------------------------- /vmmpyc/vmmpyc_kernel.c: -------------------------------------------------------------------------------- 1 | // vmmpyc_kernel.c : implementation of the kernel functionality for vmmpyc. 
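//
// (c) Ulf Frisk, 2021-2025
// Author: Ulf Frisk, pcileech@frizk.net
//
#include "vmmpyc.h"

// Python type object for vmmpyc.VmmKernel, created in VmmPycKernel_InitializeType().
PyObject *g_pPyType_Kernel = NULL;

// -> *PyLong
/*
* Getter for Kernel.build: the Windows build number of the analyzed system, read
* from the VMM via VMMDLL_OPT_WIN_VERSION_BUILD.
* Raises RuntimeError if the object is not valid or if the option cannot be read.
* The original ignored the VMMDLL_ConfigGet() result and returned 0 on failure,
* which is indistinguishable from a genuine answer to a script consuming it.
*/
static PyObject*
VmmPycKernel_build(PyObj_Kernel *self, void *closure)
{
    QWORD qwBuild = 0;
    if(!self->fValid) { return PyErr_Format(PyExc_RuntimeError, "Kernel.build: Not initialized."); }
    if(!VMMDLL_ConfigGet(self->pyVMM->hVMM, VMMDLL_OPT_WIN_VERSION_BUILD, &qwBuild)) {
        return PyErr_Format(PyExc_RuntimeError, "Kernel.build: Unable to retrieve build number.");
    }
    return PyLong_FromLongLong(qwBuild);
}

// -> *PyObj_Process
/*
* Getter for Kernel.process: a process object for the System process (PID 4).
* A new object is created on every access.
* NOTE(review): self->pyObjProcess is created in VmmPycKernel_InitializeInternal()
* with the same arguments but is never exposed or returned here - confirm whether
* the cached object was meant to be handed out instead.
*/
static PyObject*
VmmPycKernel_process(PyObj_Kernel *self, void *closure)
{
    if(!self->fValid) { return PyErr_Format(PyExc_RuntimeError, "Kernel.process: Not initialized."); }
    return (PyObject*)VmmPycProcess_InitializeInternal(self->pyVMM, 4, FALSE);
}

//-----------------------------------------------------------------------------
// VmmPycKernel INITIALIZATION AND CORE FUNCTIONALITY BELOW:
//-----------------------------------------------------------------------------

/*
* Create the Kernel object owned by a Vmm object. Takes a reference on pyVMM.
* The 'pdb' member is the "nt" symbol object; if its creation fails the member
* stays NULL, which T_OBJECT exposes to Python as None rather than an error.
* -- pyVMM = owning Vmm object.
* -- return = new Kernel object, or NULL if the Python object could not be allocated.
*/
PyObj_Kernel*
VmmPycKernel_InitializeInternal(_In_ PyObj_Vmm *pyVMM)
{
    PyObj_Kernel *pyObjKernel;
    if(!(pyObjKernel = PyObject_New(PyObj_Kernel, (PyTypeObject*)g_pPyType_Kernel))) { return NULL; }
    Py_INCREF(pyVMM); pyObjKernel->pyVMM = pyVMM;
    pyObjKernel->fValid = TRUE;
    pyObjKernel->pyObjProcess = (PyObject*)VmmPycProcess_InitializeInternal(pyVMM, 4, FALSE);
    pyObjKernel->pyObjPdb = (PyObject*)VmmPycPdb_InitializeInternal2(pyVMM, "nt");
    return pyObjKernel;
}

// repr(): "Kernel" while valid, "Kernel:NotValid" once torn down.
static PyObject*
VmmPycKernel_repr(PyObj_Kernel *self)
{
    return PyUnicode_FromFormat(self->fValid ? "Kernel" : "Kernel:NotValid");
}

// Direct construction from Python is not supported; instances come from Vmm.
static int
VmmPycKernel_init(PyObj_Kernel *self, PyObject *args, PyObject *kwds)
{
    PyErr_SetString(PyExc_TypeError, "Kernel.init(): Not allowed.");
    return -1;
}

// Release the cached process/pdb objects and the reference on the owning Vmm.
static void
VmmPycKernel_dealloc(PyObj_Kernel *self)
{
    self->fValid = FALSE;
    Py_XDECREF(self->pyObjProcess);
    Py_XDECREF(self->pyObjPdb);
    Py_XDECREF(self->pyVMM);
    PyObject_Del(self);
}

/*
* Build the vmmpyc.VmmKernel type and register it on the module.
* -- pModule = the vmmpyc module object.
* -- return = TRUE on success; FALSE if the type could not be created or added
*             (g_pPyType_Kernel is then left NULL).
*/
_Success_(return)
BOOL VmmPycKernel_InitializeType(PyObject *pModule)
{
    static PyMethodDef PyMethods[] = {
        {NULL, NULL, 0, NULL}
    };
    static PyMemberDef PyMembers[] = {
        {"pdb", T_OBJECT, offsetof(PyObj_Kernel, pyObjPdb), READONLY, "pdb symbols"},
        {NULL}
    };
    static PyGetSetDef PyGetSet[] = {
        {"build", (getter)VmmPycKernel_build, (setter)NULL, "build number", NULL},
        {"process", (getter)VmmPycKernel_process, (setter)NULL, "system process", NULL},
        {NULL}
    };
    static PyType_Slot PyTypeSlot[] = {
        {Py_tp_init, VmmPycKernel_init},
        {Py_tp_dealloc, VmmPycKernel_dealloc},
        {Py_tp_repr, VmmPycKernel_repr},
        {Py_tp_methods, PyMethods},
        {Py_tp_members, PyMembers},
        {Py_tp_getset, PyGetSet},
        {0, 0}
    };
    static PyType_Spec PyTypeSpec = {
        .name = "vmmpyc.VmmKernel",
        .basicsize = sizeof(PyObj_Kernel),
        .itemsize = 0,
        .flags = Py_TPFLAGS_DEFAULT,
        .slots = PyTypeSlot,
    };
    if((g_pPyType_Kernel = PyType_FromSpec(&PyTypeSpec))) {
        // PyModule_AddObject steals the reference only on success.
        if(PyModule_AddObject(pModule, "VmmKernel", g_pPyType_Kernel) < 0) {
            Py_DECREF(g_pPyType_Kernel);
            g_pPyType_Kernel = NULL;
        }
    }
    return g_pPyType_Kernel ? TRUE : FALSE;
}
--------------------------------------------------------------------------------
/vmmpyc/vmmpyc_util.c:
--------------------------------------------------------------------------------
// vmmpyc_util.c : various utility functions used.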
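//
// (c) Ulf Frisk, 2021-2025
// Author: Ulf Frisk, pcileech@frizk.net
//
#include "vmmpyc.h"

/*
* Render a Windows FILETIME as the fixed-width string "YYYY-MM-DD HH:MM:SS UTC".
* -- ft = FILETIME value (100ns ticks since 1601-01-01 UTC).
* -- szTime = buffer receiving the result; must hold 24 bytes (23 chars + NUL).
*    A zero, out-of-range or unconvertible ft yields the placeholder " ***".
*/
VOID Util_FileTime2String(_In_ QWORD ft, _Out_writes_(24) LPSTR szTime)
{
    SYSTEMTIME SystemTime;
    // Reject "no timestamp" (0) and values beyond the accepted range
    // (0x0200000000000000 is roughly year 2057, so wYear always stays at four
    // digits and the 23-character format below fits the 24-byte buffer).
    // Fix: the FileTimeToSystemTime() result was previously ignored, so on a
    // failed conversion an uninitialized SystemTime was formatted as garbage;
    // a failed conversion now yields the same placeholder as an invalid ft.
    if(!ft || (ft > 0x0200000000000000) || !FileTimeToSystemTime((PFILETIME)&ft, &SystemTime)) {
        strcpy_s(szTime, 24, " ***");
        return;
    }
    sprintf_s(
        szTime,
        24,
        "%04i-%02i-%02i %02i:%02i:%02i UTC",
        SystemTime.wYear,
        SystemTime.wMonth,
        SystemTime.wDay,
        SystemTime.wHour,
        SystemTime.wMinute,
        SystemTime.wSecond
    );
}

/*
* Return a pointer to the component after the last backslash in usz, or usz
* itself when it contains none. Only '\\' is a separator here; unlike
* Util_PathSplitLastEx a forward slash is NOT treated as one.
* -- usz = NUL-terminated utf-8 or ascii string; it is not modified.
* -- return = pointer into usz (never NULL).
*/
LPSTR Util_PathSplitLastU(_In_ LPSTR usz)
{
    LPSTR uszLast = usz;
    LPSTR p;
    for(p = usz; *p; p++) {
        if(*p == '\\') {
            uszLast = p + 1;    // candidate: text following this separator
        }
    }
    return uszLast;
}

/*
* Split the string usz into two at the last (back)slash which is removed.
* Ex: usz: XXX/YYY/ZZZ/AAA -> uszPath: XXX/YYY/ZZZ + return: AAA
* -- usz = utf-8 or ascii string.
* -- uszPath = buffer to receive result.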
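* -- cbuPath = byte length of uszPath buffer
* -- return = pointer into uszPath to the last component (AAA above), or NULL
*    when cbuPath is zero, usz contains no (back)slash, or the copy was cut
*    short so that the separator landed on the final byte of uszPath (no room
*    for a component after it). NOTE: input longer than cbuPath-1 bytes is
*    silently truncated to fit; size uszPath for the longest expected path.
*/
LPSTR Util_PathSplitLastEx(_In_ LPSTR usz, _Out_writes_(cbuPath) LPSTR uszPath, _In_ DWORD cbuPath)
{
    DWORD i, iSlash = 0xffffffff;
    CHAR ch = -1;
    if(!cbuPath) { return NULL; }
    // Copy at most cbuPath bytes (the NUL included when it fits) while
    // remembering the index of the last separator seen.
    for(i = 0; ch && (i < cbuPath); i++) {
        ch = usz[i];
        uszPath[i] = ch;
        if((ch == '\\') || (ch == '/')) {
            iSlash = i;
        }
    }
    uszPath[cbuPath - 1] = 0;           // always NUL-terminate (may truncate)
    if(iSlash == 0xffffffff) { return NULL; }
    // Fix: when the last separator sits on the final byte, uszPath + iSlash + 1
    // points one past the end of the caller's buffer and the caller would read
    // out of bounds. Treat it as a split that did not fit instead.
    if(iSlash >= cbuPath - 1) { return NULL; }
    uszPath[iSlash] = 0;
    return uszPath + iSlash + 1;
}

/*
* Insert item into dict dp under an unsigned 32-bit integer key and release
* the caller's reference to item (whether or not the insert succeeds), so a
* freshly constructed object may be passed in directly.
* -- dp = dict.
* -- key = integer key.
* -- item = new reference to the value; may be NULL if its construction failed.
* -- return = 0 on success, -1 on failure. Fix: PyDict_SetItem requires a
*    non-NULL key and value; a NULL item (or a failed key allocation) is now
*    reported as -1 instead of being dereferenced. The Python error raised by
*    the failing constructor is expected to be left pending for the caller.
*/
int PyDict_SetItemDWORD_DECREF(PyObject *dp, DWORD key, PyObject *item)
{
    int result = -1;
    PyObject *pyKey = NULL;
    if(item && (pyKey = PyLong_FromUnsignedLong(key))) {
        result = PyDict_SetItem(dp, pyKey, item);
    }
    Py_XDECREF(pyKey);
    Py_XDECREF(item);
    return result;
}

/*
* Insert item into dict dp under an unsigned 64-bit integer key and release
* the caller's reference to item. Same contract and NULL handling as
* PyDict_SetItemDWORD_DECREF.
*/
int PyDict_SetItemQWORD_DECREF(PyObject *dp, QWORD key, PyObject *item)
{
    int result = -1;
    PyObject *pyKey = NULL;
    if(item && (pyKey = PyLong_FromUnsignedLongLong(key))) {
        result = PyDict_SetItem(dp, pyKey, item);
    }
    Py_XDECREF(pyKey);
    Py_XDECREF(item);
    return result;
}

/*
* Insert item into dict dp under a C-string key and release the caller's
* reference to item. A NULL item is reported as -1 rather than handed to
* PyDict_SetItemString, which requires a non-NULL value.
* -- dp = dict.
* -- key = NUL-terminated utf-8 key (copied by CPython).
* -- item = new reference to the value; may be NULL.
* -- return = 0 on success, -1 on failure.
*/
int PyDict_SetItemString_DECREF(PyObject *dp, const char *key, PyObject *item)
{
    int result = -1;
    if(item) {
        result = PyDict_SetItemString(dp, key, item);
    }
    Py_XDECREF(item);
    return result;
}

/*
* Insert item into dict dp under an existing unicode key object and release
* the caller's reference to item. The key reference is borrowed and NOT
* released (hence "nodecref").
* -- dp = dict.
* -- key_nodecref = borrowed key object.
* -- item = new reference to the value; may be NULL.
* -- return = 0 on success, -1 on failure (NULL key or item included).
*/
int PyDict_SetItemUnicode_DECREF(PyObject *dp, PyObject *key_nodecref, PyObject *item)
{
    int result = -1;
    if(key_nodecref && item) {
        result = PyDict_SetItem(dp, key_nodecref, item);
    }
    Py_XDECREF(item);
    return result;
}

/*
* Append item to list dp and release the caller's reference to item.
* PyList_Append itself rejects a NULL item with SystemError; the explicit
* guard keeps the original (constructor) error pending instead.
* -- dp = list.
* -- item = new reference to the value; may be NULL.
* -- return = 0 on success, -1 on failure.
*/
int PyList_Append_DECREF(PyObject *dp, PyObject *item)
{
    int result = -1;
    if(item) {
        result = PyList_Append(dp, item);
    }
    Py_XDECREF(item);
    return result;
}
--------------------------------------------------------------------------------
/vmmrust/.vscode/launch.json:
--------------------------------------------------------------------------------
{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.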
4 | // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 5 | "version": "0.2.0", 6 | "configurations": [ 7 | { 8 | "name": "VmmRust API BINARY EXAMPLE (Debug)", 9 | "type": "lldb", 10 | "request": "launch", 11 | "cargo": { 12 | "args": ["build", "--manifest-path", "${workspaceRoot}/memprocfs_example/Cargo.toml"] 13 | }, 14 | "program": "${workspaceRoot}/memprocfs_example/target/debug/memprocfs_example", 15 | "args": [], 16 | "cwd": "${workspaceRoot}", 17 | }, 18 | { 19 | "name": "VmmRust PLUGIN LIBRARY EXAMPLE (Debug)", 20 | "type": "lldb", 21 | "request": "launch", 22 | "preLaunchTask": "build_debug_m_example_plugin", 23 | "program": "${workspaceRoot}/../files/memprocfs", 24 | "args": ["-device", "Z:\\x64\\WIN10-X64-1909-18363-1.core"], 25 | "cwd": "${workspaceRoot}", 26 | } 27 | ] 28 | } 29 | -------------------------------------------------------------------------------- /vmmrust/.vscode/tasks.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "2.0.0", 3 | "tasks": [ 4 | { 5 | "label": "cargo_debug_m_example_plugin", 6 | "type": "shell", 7 | "command": "cargo", 8 | "args": ["build", "--manifest-path", "${workspaceRoot}/m_example_plugin/Cargo.toml"] 9 | }, 10 | { 11 | "label": "build_debug_m_example_plugin", 12 | "dependsOn": ["cargo_debug_m_example_plugin"], 13 | "type": "shell", 14 | "windows": { 15 | "command": "copy", // Could be any other shell command 16 | "args": ["${workspaceRoot}\\m_example_plugin\\target\\debug\\m_example_plugin.dll", "${workspaceRoot}\\..\\files\\plugins\\m_vmmrust_plugin.dll"], 17 | }, 18 | "linux": { 19 | "command": "cp", // Could be any other shell command 20 | "args": ["-f", "${workspaceRoot}/m_example_plugin/target/debug/libm_example_plugin.so", "${workspaceRoot}/../files/plugins/m_vmmrust_plugin.so", "/y"], 21 | } 22 | } 23 | ] 24 | } 25 | -------------------------------------------------------------------------------- 
/vmmrust/leechcore_example/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "leechcore_example"
version = "5.16.7"
edition = "2021"
publish = false

[dependencies]
pretty-hex = "0.3.0"
# NOTE(review): "*" resolves to whichever memprocfs release is newest on
# crates.io at build time, so the build is not reproducible and a future API
# change breaks this example silently. When building from this tree prefer the
# path dependency below (or pin to the matching crate version, "5.16.7").
memprocfs = "*"
# memprocfs = { path = "../memprocfs" }
--------------------------------------------------------------------------------
/vmmrust/m_example_plugin/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "m_example_plugin"
version = "5.16.7"
edition = "2021"
publish = false

[lib]
name = "m_example_plugin"
path = "src/lib.rs"
# Built as a native shared library that the MemProcFS host loads as a plugin.
crate-type = ["cdylib"]

[profile.release]
codegen-units = 1
opt-level = "z"
# NOTE(review): with panic = "abort" a panic anywhere in this cdylib aborts the
# host process that loaded it rather than unwinding; keep the exported plugin
# entry points panic-free (unwinding across the FFI boundary is not an option).
panic = "abort"
strip = true
lto = true

[dependencies]
anyhow = "1.0"
# NOTE(review): wildcard version - see leechcore_example/Cargo.toml; prefer the
# path dependency below when building from this tree.
memprocfs = "*"
# memprocfs = { path = "../memprocfs" }
--------------------------------------------------------------------------------
/vmmrust/memprocfs/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "memprocfs"
version = "5.16.7"
edition = "2021"
description = "MemProcFS - Physical Memory Analysis Framework"
documentation = "https://docs.rs/memprocfs"
homepage = "https://github.com/ufrisk/MemProcFS"
repository = "https://github.com/ufrisk/MemProcFS"
categories = ["external-ffi-bindings"]
keywords = ["memory", "forensics", "dma", "pcileech", "memprocfs"]
readme = "README.md"
license = "AGPL-3.0-or-later"

[lib]
name = "memprocfs"
path = "src/lib_memprocfs.rs"

[dependencies]
anyhow = "1.0"
# NOTE(review): presumably used to load the native vmm / leechcore libraries at
# runtime; where they are searched for is decided in lib_memprocfs.rs, not here.
libloading = "0.8"
serde = { version = "1.0", features = ["derive"] }
--------------------------------------------------------------------------------
/vmmrust/memprocfs_example/Cargo.toml:
-------------------------------------------------------------------------------- 1 | [package] 2 | name = "memprocfs_example" 3 | version = "5.16.7" 4 | edition = "2021" 5 | publish = false 6 | 7 | [dependencies] 8 | pretty-hex = "0.3.0" 9 | memprocfs = "*" 10 | # memprocfs = { path = "../memprocfs" } 11 | -------------------------------------------------------------------------------- /vmmrust/vmmrust.code-workspace: -------------------------------------------------------------------------------- 1 | { 2 | "folders": [ 3 | { 4 | "path": "." 5 | } 6 | ], 7 | "settings": {} 8 | } -------------------------------------------------------------------------------- /vmmsharp/example/vmmsharp_example.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | Exe 5 | net8.0-windows 6 | enable 7 | enable 8 | vmmsharp_example.VmmsharpExample 9 | x64 10 | 11 | 12 | 13 | 0649;1701;1702 14 | 15 | 16 | 17 | 0649;1701;1702 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /vmmsharp/example_48/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /vmmsharp/example_48/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 
8 | [assembly: AssemblyTitle("vmmsharp_example_48")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("vmmsharp_example_48")] 13 | [assembly: AssemblyCopyright("Copyright © 2024")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("3f15d2ab-dc2f-4dbd-835f-4e3558d6d4ff")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | [assembly: AssemblyVersion("1.0.0.0")] 33 | [assembly: AssemblyFileVersion("1.0.0.0")] 34 | -------------------------------------------------------------------------------- /vmmsharp/example_48/vmmsharp_example_48.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {3F15D2AB-DC2F-4DBD-835F-4E3558D6D4FF} 8 | Exe 9 | vmmsharp_example_48 10 | vmmsharp_example_48 11 | v4.8 12 | 512 13 | true 14 | true 15 | publish\ 16 | true 17 | Disk 18 | false 19 | Foreground 20 | 7 21 | Days 22 | false 23 | false 24 | true 25 | 0 26 | 1.0.0.%2a 27 | false 28 | false 29 | true 30 | 31 | 32 | x64 33 | true 34 | full 35 | false 36 | bin\Debug\ 37 | DEBUG;TRACE 38 | prompt 39 | 4 40 | false 41 | 42 | 43 | AnyCPU 44 | pdbonly 45 | true 46 | bin\Release\ 47 | TRACE 48 | prompt 49 | 4 50 | 51 | 52 | vmmsharp_example.VmmsharpExample 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | False 74 | Microsoft .NET 
Framework 4.8 %28x86 and x64%29 75 | true 76 | 77 | 78 | False 79 | .NET Framework 3.5 SP1 80 | false 81 | 82 | 83 | 84 | 85 | {69afc11a-ac5c-4df5-8054-a1bc62e7631c} 86 | vmmsharp 87 | 88 | 89 | 90 | -------------------------------------------------------------------------------- /vmmsharp/example_48/vmmsharp_example_48.csproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | publish\ 5 | 6 | 7 | 8 | 9 | 10 | en-US 11 | false 12 | 13 | -------------------------------------------------------------------------------- /vmmsharp/vmmsharp/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /vmmsharp/vmmsharp/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/vmmsharp/vmmsharp/Properties/AssemblyInfo.cs -------------------------------------------------------------------------------- /vmmsharp/vmmsharp/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ufrisk/MemProcFS/9ac881522b2d446563b68d7f4dcd00e225f41886/vmmsharp/vmmsharp/logo.png -------------------------------------------------------------------------------- /vmmsharp/vmmsharp/vmmsharp.csproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | ..\..\ 5 | 6 | 7 | ..\..\ 8 | 9 | 10 | publish\ 11 | 12 | 13 | 14 | 15 | 16 | en-US 17 | false 18 | 19 | -------------------------------------------------------------------------------- /vmmsharp/vmmsharp/vmmsharp/VmmException.cs: -------------------------------------------------------------------------------- 1 | /* 2 | * C# API wrapper 'vmmsharp' for MemProcFS 'vmm.dll' and LeechCore 'leechcore.dll' APIs. 
3 | * 4 | * Please see the example project in vmmsharp_example for additional information. 5 | * 6 | * Please consult the C/C++ header files vmmdll.h and leechcore.h for information about parameters and API usage. 7 | * 8 | * (c) Ulf Frisk, 2020-2025 9 | * Author: Ulf Frisk, pcileech@frizk.net 10 | * 11 | */ 12 | 13 | /* Contributions by imerzan (Frostchi) 14 | * BSD Zero Clause License 15 | * 16 | * Copyright (c) 2024 imerzan 17 | * 18 | * Permission to use, copy, modify, and/or distribute this software for any 19 | * purpose with or without fee is hereby granted. 20 | * 21 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH 22 | * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 23 | * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, 24 | * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 25 | * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR 26 | * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 27 | * PERFORMANCE OF THIS SOFTWARE. 28 | */ 29 | 30 | using System; 31 | 32 | namespace Vmmsharp 33 | { 34 | /// 35 | /// Thrown when an exception occurs within Vmmsharp (MemProcFS). 36 | /// 37 | public class VmmException : Exception 38 | { 39 | public VmmException() 40 | { 41 | } 42 | 43 | public VmmException(string message) 44 | : base(message) 45 | { 46 | } 47 | 48 | public VmmException(string message, Exception inner) 49 | : base(message, inner) 50 | { 51 | } 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /vmmsharp/vmmsharp/vmmsharp/VmmKernel.cs: -------------------------------------------------------------------------------- 1 | /* 2 | * C# API wrapper 'vmmsharp' for MemProcFS 'vmm.dll' and LeechCore 'leechcore.dll' APIs. 3 | * 4 | * Please see the example project in vmmsharp_example for additional information. 
5 | * 6 | * Please consult the C/C++ header files vmmdll.h and leechcore.h for information about parameters and API usage. 7 | * 8 | * (c) Ulf Frisk, 2020-2025 9 | * Author: Ulf Frisk, pcileech@frizk.net 10 | * 11 | */ 12 | 13 | /* Contributions by imerzan (Frostchi) 14 | * BSD Zero Clause License 15 | * 16 | * Copyright (c) 2024 imerzan 17 | * 18 | * Permission to use, copy, modify, and/or distribute this software for any 19 | * purpose with or without fee is hereby granted. 20 | * 21 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH 22 | * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 23 | * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, 24 | * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 25 | * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR 26 | * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 27 | * PERFORMANCE OF THIS SOFTWARE. 28 | */ 29 | 30 | namespace Vmmsharp 31 | { 32 | /// 33 | /// The kernel class gives easy access to: 34 | /// - The system process(pid 4). 35 | /// - Kernel build number. 36 | /// - Kernel debug symbols(nt). 37 | /// 38 | public class VmmKernel 39 | { 40 | #region Base Functionality 41 | 42 | protected readonly Vmm _hVmm; 43 | 44 | private VmmKernel() 45 | { 46 | ; 47 | } 48 | 49 | internal VmmKernel(Vmm hVmm) 50 | { 51 | this._hVmm = hVmm; 52 | } 53 | 54 | /// 55 | /// ToString override. 56 | /// 57 | public override string ToString() 58 | { 59 | return "VmmKernel"; 60 | } 61 | 62 | #endregion 63 | 64 | #region Specific Functionality 65 | 66 | /// 67 | /// The system process (PID 4). 68 | /// 69 | /// The system process (PID 4). 70 | public VmmProcess Process => new VmmProcess(_hVmm, 4); 71 | 72 | /// 73 | /// Build number of the current kernel / system. 74 | /// 75 | /// The build number of the kernel on success, 0 on fail. 
76 | public uint Build => (uint)_hVmm.GetConfig(Vmm.CONFIG_OPT_WIN_VERSION_BUILD); 77 | 78 | /// 79 | /// Retrieve the VmmPdb object for the kernel "nt" debug symbols. 80 | /// 81 | /// 82 | public VmmPdb Pdb => new VmmPdb(_hVmm, "nt"); 83 | 84 | #endregion 85 | } 86 | } 87 | --------------------------------------------------------------------------------