From 09dd33976c025df4c15fc9fd0d7e50e24d73cce4 Mon Sep 17 00:00:00 2001 From: Ulf Frisk Date: Sat, 16 Mar 2019 15:55:06 +0100 Subject: [PATCH] fix: python plugin deadlock issue. --- files/vmmpycplugin.dll | Bin 17920 -> 17920 bytes vmmpycplugin/leechcore.h | 25 ++++---- vmmpycplugin/version.h | 4 +- vmmpycplugin/vmmdll.h | 114 ++++++++++++++++++++++++++++++++++-- vmmpycplugin/vmmpycplugin.c | 22 +++++-- 5 files changed, 145 insertions(+), 20 deletions(-) 
diff --git a/files/vmmpycplugin.dll b/files/vmmpycplugin.dll index 4953de0c3f355b78a724af19b7c33a46e41cfbb4..036470e9e58f2cb9cb60cbb9523f8fc18d0b651a 100644 GIT binary patch delta 6907 zcmeHMi+2=Nn!nXaC7nmpokxW{I-~>Lkc1GL5G3K*fkY}p2LlF&0mOtPJQOjIjz(8c z2imwaMP?W-y0Yq=9A@;$%FHqbcX+tkm<(YRH9GDZ7a22-vMu-s=t!K^sr`Lb)zHD2 zzhJgFw|?LIesv$;y&XFD2%UR`y`BEVGs(-B9a?XSv?Xs{Hp$@aryek4t%4wr^$*X3ldosWJR=s zx)i5Mc|dP>mD3?BgL1be9idd|zd4VaA{6nHaUS6S|2D2zILr&ntXvpY%^hhIE0xoi5@h8~RZ4`YG8o?#^4Y;t4y`#bQu=C?vj`JDm%%?u za0))2kody-1yEu5uIKVXb|jbQKv6Cyf!<)Vvp`G4tGrni^hJhp0Pd=^nS7K{8C|Z! z1iZ44*g;vTDNv=~az~O|c#$tpa@dnJyTi^ptO4b;tn6`mK*=-DhJPK$yOS1_&459b z@*3voDs`$1DE~>rzB}t${CSA~#|4r2ZdJO#)uiddGCn=oEwu24dXUtrKL!?$~!IT85^v5RS2nuHdK^VwqKP4VZrCx%a2%mIrezU zp}P)&RO!nMTF&CPnT(yV$Mc2bB>x!wYr6g&T_5H6ysqf|p5lO}z%oO;DEpnd{d3>5 z->fU{j41rqa;y96kt%eD?GcA-_6}W<|2;+gUk@}QY2RKk*4~d%c~{pAVO+<4#Y>u^ zi z?nh}p;q^Ma!lPfRD$31_ZwV}kTA=;#Ri#I?_plb!a#>TPX+ei*#}%Sj#j4Wt65nQZ z7NtWmGbAg%{%&gQu)i)Nq4H!Q|XKygN|J~e0Izu2RUnXW{=t?D-<)(Ux2DE@m;pEHK9MND!%GoxqGSSgadhDrFUR0sM1#2&E4V` z7^i{74V1DRT-+g3xey=tnuN`|FwjZ5ZqYT0p$rCg>D)hk!^fx0Go6~jSEl^Cb;oQ- ztzAd)9uT+9=J~1lW!YK>mLx!UOEP0!q4vV?avW?AhkOo9%|)#cSk3{$H$y)l+Gq27 zQ>&78LQ<)|rHU0Z_-|9E3ugYO)V$&_PPg!_u{i&BkM62+mIvnFeG_A*_F3T#h#5|R zCM+i~7RDqWTCOW^}) z%~GST^NsT=r?o>zmHuMmo^;oQDTY@<_bP!V;!-+Hly`A1p`_b*AbqQok3(SPHC5UP zLY0y=_RI-n7Q&o3=%{VrlH~NaO-HW(LgT35Lr^4FBUKsa66P*s27eI-$aFD@gW}N= z-O>a47&HUok0GJ31L7`F^bG^zK7%@DroeZF5YV!lJO^S0x`JGnyA;dnX;1{cv5tro z=euQoLR3J29?g5oUk z72rQ<&}y+bAG8)H+c6`!dVG9Lk)R`Z5N->pxD?z*?*Nc8UM$ z=2tT-Og=X+&2mn@4chR1SaeuKHbh@X{6>xUwUvf0VG~LJT*x2HnpN??G?78ND&bXN zwHcKAiZ#XZ1$0-eHm}odP0?nYgjXOuExtINU(9l)emA75?f1(~qWe9qn0+?H^RpjK zzd*A}3#!j^D+a{TIsaSK~c@EsI=0oTVRd^CHR{lDmYm8Zh^2-L<=tX%%Ljv z$Mf|$3r$Kq|9Q>|)53UuH7C!qRU00!(}U|$JfCDQ&5E~@=X?gZlqxGRR30(hgJ!56insto*JtfnJN}1RN31(kmeRnsC&4NfR{6#JRPOZ55iBn2i3{m%TL(m^OOHMv zPH=Ja1b4}Z6Q%Wxc|iOC1Wp1L6wiaI{JPKKOADNF42Y+}Vw#}nck&GrCa*pM0qz)m z(Un?ty&8+{>xzY?>iS%xN3{1uO;V-3Z_?f#?XAnxH9AgvkHqo|6T19SVK?A5@-Vu_ 
zm<2wyd4uUrFRF;ScIG)Rwp6Bf>R_#P(eGNkirr;{QSIE{U1=M?p>oHEY^1jP2{xjt zm8WAgar+lu1>V>lW-J2Rl|I$=2YhW*Uqn)We0N@U?tUBqXFV%voyf|?@UKzCch}Mx z;kf;i4t^?cLh6jms_Ip$Ta}fYWTmzt{P9(OIqzlv=apKztl7Zr20mh7kAeM*bh}>} zxX-{21J@hqHL%pc3gZ?741pe=vA-CG6Bg@|3kLsKRm8$T+?S)D0z<#Y z@Ut2GR|fyKfzKHDxQ2ez6hjaRHpk$-H^?^`ywAYS8}vRSp`#&o&Kf*VAH8_a+9jKPo7&f}ZQXuPb9<9-^F3SnwkcEj6H~J89<(#2{Tg@Py%n}> z5LGS}7?C;MZuTK$JFdw(jNkFF+1%XdYjh%g{H`x$j0!`E+ugKbBc=yD9rPuOSJXRK zE!O7A!}AN$=F4L=HJYYwtZX$!Ts1~kr`a{|ZHTaGjHX`Gv_hu!uk}~2Md*ag5rZ7I zQ=a-HJj+i}4p==}cH4bT&YDU+hcU9%dJfUDdfl#prxd0&Zi1$RVt44VBYz|*Y0-K5 zW62)+etnFP31j_`(S#eanIs#6tN;^j$jV5@u!?(lSK&+{nIA8_mD`F6vW9W8&}A^+ zY+~l-sVs!+-r-cn9^}i5(rO+@Hu<(#X8Wjsnd?j0WoYPLdzj=1cq31qB-8w$zaH(E zMR}&-sr-$i>>}#Y6X~+Ph|zDiqiDsr?o-g~JWriE(Z9tI_uv;xKN|5_#Ujh`{m7If z)SKe!u>TNpFZ$KKqU?vJ)=bG=JTPk1L+&e+;>!H^%Z9 zy9bSS1wE%gpN-;$I1`I2HPxk9_iD!3f0ajJY(AW1==WJ zsG}bh5Amt<^h-IyQfOudpNwWh>%@pmn#X@Nt;oL@f9i-l=?gIR1@-4u5vlp^(l&lnooDIG#D&7jn3Lxvz?c%kVzAC=1B>VqQ`@iqg zK9|U$fv+_9o%OG{&0i}#+UyIAjY?q3Sha70zJb+fO2)Ap9e z<~G**!%~a5uiPUH@yhb?v7`EN>ZIdTaQ7Z6zeDg-k#Du(??@=NKG4_7B^e~8L$D#7hBgG6uo^84n(%hCQP2&*98^^^%H8#fs#RJ)dkA$@hJujl>RQmz^_A-E z>`a^jkP|LJ+Y36nMn>09s;iXl#xjN)VB{8C@T#POd{M zL+vDNMUz1j{sY=7&{Rp>6Hp33dw`8-t)QEMN71Mj6TXh(=>t6oT<1WU0o?%P{(NKv zWOl$LLvus^KCpHY?j4}(fZw83fhNpz>YY^q?=a{F-~oev5;$nk zgdZEUKMca=(wzxi23-K$h1P)%2#*@&h5>2#0q@ef>*32?Fba`HlZh>_k#tq q1hJHruo=Bso~8)7qw*h3;|dPC5AHg+_u%L+Y)@xC-J4N$QTRXYGd&6b delta 6468 zcmeHLi+fb%ng7m^lT1h^liLZC8yRpCLda#vMG|gK$b}OKG=;dEs$hVKKxvFHX|rtG z8649x9%di#t9{_ntt_PbfE(MCpjOoGw8@fGXl;E~jjWg0x^*zv4K9U<%Guxhoih;V z{s+6?^StwWZ{Pd9=exY$Ipg0i`S(i){JxW0=RJERuIYM|bl>^wlaTu!QuWI~zRAG8 zhnn>-g?^2GUEnHV@A#Tw@90$Zzd(N_PQ88#*wI<5UlrJ7;`7%@z7qGIz>dzz$4_^#aN3BYzNH%MVp_o zV(^m{jI|z|lbz902}z1tfo{eemV-3Zxj`WciB31`k{MEz(`Q zQSPw)!O55!81~$&>iIw6FUb2O8~4O!F8-H1#0^e12T6do6X>Ms=lkHkgpo zDCD!v+N7@RGE_?pm8wN_<$nInIG1GMPsU|R$N6({CHBX18LN1`N&Bs;jp@oxekty2 zQW0NmJ!$!hmFw2L+CSxply77#uYp3f4JU1=NjrxykzR#=81IsH 
z^7xt0ZEl1K(|0qMXS1TY90NzW3<8^j9j-!=NVE1@eb5`7$`{aGS2j@}ZA!(E8?gYt zx{Ji$sajK^uDrsX32v#Me>K6GGeh|GyIQaZv@@!<-{k?PR-B9cQs$wA<&`yXsMpS7 zjXt75wGr(Nn)XLBZ^U1U_8xu6e85>a=wT( z{c7-(>j*TuGDiNI?b0$V^c6fv4Yrp3iEvQD1axveF|p;R!b2W~hX{bBtZ62vUk25f z7jZ`Xx}q6AegB(}^~D(B^Pu75=l9x*7Jiw5Xd^>9ni>j;sndp3J-oH1vbOuG8i+{V zh4wrT+iK5y6i>z&AFz3|lMxB-Ef`c+{u?2hL-IujW2cj2_+3eg?-u)6!#-@-r*%AO z7>@mw;jl1Zha%oI|3?h}C;!TSyJ5H|YVh62twmUR>A7x=wFm}miFS0+m7_v1AE$u? zP5uQ6k*XQ16X>xrZ<-ovq zHu8K?1G+PKYqG28zo4%OtD3nbw2;_K*tb8T{j0s~I!-%f@323SA5Fev!_T2*6DQ9Z zO$}TuM3V0=W-QQ?%)CAo=cig6ZC$xaBZh4K$bxpdDiRPUsS!Ku1p3fP3f@N*ps89{ zo>m@DEXq?gD74?=tP6h>300$*f#E`w$1izLO69!+pX)lFkCr z)0p!6n3R#acFI)^*7c}#?&KX;N!ej21AelFWaTr=TQIQCkiLJ7$E7Z{{H&Zeq`qQ* zxEfk}?#@5$k4^2XcU1?LZCJ#ZrMoJ!6)_|6 zutd~&#)7$xi?}ypYVy5$sp7M(Mipx2gPv z^bV!guz8c3wKJl6qqL-Ow~{|Q&g>N*YLjRoCeq=ey@dj=D^I5I-Abn`U`Jr>tgh?; zgPJeI(bLE*j5Tr6ofYA7hRe4FH(ul!nnw)}f||1msj4XOSi7(l@_9HQ(+W}t<-Rh* z(*yoEEFJf)WbCFsU$d<$g(27+jnj~yvhinT)oe?l zaM<0ddKKGVzE%toGq_=hPEp{R)SZkHzTS?kx^Xq7A&59^wDX6~A^VyNbkOrZ#jZL> z@_fh_+T)-M$tB=LoXD|@e6?elbeRVoZ(E+R@s7+&2!}J5rv4NY-}~#AXkzX4L;K{X z7xIrXYb+fL`P?j5K_je@Z(-A66D1@1T9O|WvUhiRcmjt=d8~-<%&MxHpoI+5I|qIW z?a3zR{?wjgdmpw>?a9q9w>?FyI4S=C%IQ`4cmhscs`SG8?Fciptql`zg*XEqTMo_hXjNln!yKhvyv9i!}+A0gMC^wkB{Z87!*Uw&Du>$K`8yJ=9 zgYqJ<6LIyLTneW5lkUvDA2Iu+eXq_^+S#rIc*VdgrG)=%c9~-w8^M11PwBfmN96PZ zBl?J(RKTZZyGzIOQCdf>Bl2rtQ1)3+{tdX=D??6iT42;UB0mpN7KT&#{BQCK?l}Sl zuIwSRMhnpMPs2ygzbt;=6Tjo)cSS7eE5+}1p>Ya6Rs6y@`7MB8WzC zKH@CNy?jmA&w1{qMN_qpBPpn;kFBAC?c8u-jHk?*oqF(+t~YB9UE1B-RBcUrq+yEJ z&iU8Dfje6y-_}~>jyCEMz}__RV-sUcd*KSho@(M1Q~!>MXG|P0@rNevG0|b-Iuk1m z^s$rXKt_1RHk$)HV&W7gK72!%14Lu} z$dm_e)1NctF%v($&HiUIq0=Vzn`ps1E43UGi%nDseV~n|qRT|TiT_~YaTA|6@l_Mg zn|Rqos|Uf*93BCz$ix*UwwZXq#P0$N8QPm>raMdn>8OPZnO_1PSit=Jp9=2gLDyRe z&1^f{%)y=I&0FB35sAoxHvzV?uC8R84k^^H!bnIAU|F6A3Km)p%A zhi>l;U61)~37_p9o4lJ`$Q5&5&L|u!b-TB0eGu~s*-CQVx>i?PT~;kQxo=h8L%M2y zurO_z=N3zou&B4_T114FTXn*(jek&>=4*#VBp?QC6_zgO#xb3xyC_j(IgZ?rU3>QI 
z>DY{1*(Bb1M6$cQTU<@GVx*~CboYpO3@>Ci{8|k^tD)<}An4p`I3`2cH3I|p7z0N? z>q{RnWcs|{kAck@M4I?FV5zY}rVbY>V?EG0C}Cr!D@jM^-pfCjUm-EB6skK++^&Pef(vCA>`g zjYwQxkk?4#crZ@p9afeiEnqVzt>dxbn64S^7I)Mp#%nENPP}@b0{y!g>88wgEST#{ zuQ3uhf>-BZ5XqSZGE=-yNQ!hoifzHtV7M+E84 z!zbiq?BCEY9;{xB`p{`W&Xm3wUSAWkdskF%F#z%9s^)1Ispc^wjUFX5<L@X0$C`0Swl(zMSbgym>kEOYQ}Oo9P1zp6Z8%`5c)xr;0ZMl zTWnMWPcDut_!i*9AP0Caa2Q0DlJH%WwjAikft{#L?clqB$9zs?1fdW30caHbhd{?1 zBPiho&=~X=fg9!`2>5nj;vLX|CoBWeV6DK1Ouh?v!sPpb<0en|7nAo*fpNNw&V*Ga zUkyA2axO7&)YKEcWAcRg`9`9JK!&nPdx-EbXbQ +// PMEM (use att_winpmem_64.sys in directory of executable) +// PMEM:// // // TOTALMELTDOWN : read/write - requires a Windows 7 system vulnerable to the // "Total Meltdown" vulnerability - CVE-2018-1038. @@ -110,7 +111,7 @@ // (c) Ulf Frisk, 2018-2019 // Author: Ulf Frisk, pcileech@frizk.net // -// Header Version: 1.0 +// Header Version: 1.1.0 // #ifndef __LEECHCORE_H__ #define __LEECHCORE_H__ @@ -151,6 +152,7 @@ typedef long long unsigned int QWORD, *PQWORD, ULONG64, *PULONG64; #define _Printf_format_string_ #define _Inout_updates_bytes_(x) #define _In_reads_(cbDataIn) +#define _Out_writes_opt_(x) #define _Success_(return) #endif /* LINUX */ @@ -227,7 +229,10 @@ typedef struct tdLEECHCORE_PAGESTAT_MINIMAL { } LEECHCORE_PAGESTAT_MINIMAL, *PLEECHCORE_PAGESTAT_MINIMAL; /* -* Open a connection to the target device. +* Open a connection to the target device. The LeechCore initialization may fail +* if the underlying device cannot be opened or if the LeechCore is already +* initialized. If already initialized please connect with device EXISTING or +* call LeechCore_Close() before opening a new device. * -- pInformation * -- result */ 
@@ -455,9 +460,9 @@ DLLEXPORT BOOL LeechCore_CommandData(
 _In_ ULONG64 fOption,
 _In_reads_(cbDataIn) PBYTE pbDataIn,
 _In_ DWORD cbDataIn,
- _Out_writes_(cbDataOut) PBYTE pbDataOut,
+ _Out_writes_opt_(cbDataOut) PBYTE pbDataOut,
 _In_ DWORD cbDataOut,
- _Out_ PDWORD pcbDataOut
+ _Out_opt_ PDWORD pcbDataOut
 );
 
 #ifdef __cplusplus
diff --git a/vmmpycplugin/version.h b/vmmpycplugin/version.h
index 0c049c3..997bede 100644
--- a/vmmpycplugin/version.h
+++ b/vmmpycplugin/version.h
@@ -2,8 +2,8 @@
 #define STRINGIZE(s) STRINGIZE2(s)
 
 #define VERSION_MAJOR 2
-#define VERSION_MINOR 0
-#define VERSION_REVISION 0
+#define VERSION_MINOR 2
+#define VERSION_REVISION 1
 #define VERSION_BUILD 0
 
 #define VER_FILE_DESCRIPTION_STR "The Memory Process File System : Python Plugin Manager"
diff --git a/vmmpycplugin/vmmdll.h b/vmmpycplugin/vmmdll.h
index 353159a..6b1e71b 100644
--- a/vmmpycplugin/vmmdll.h
+++ b/vmmpycplugin/vmmdll.h
@@ -4,7 +4,7 @@
 // (c) Ulf Frisk, 2018-2019
 // Author: Ulf Frisk, pcileech@frizk.net
 //
-// Header Version: 2.0
+// Header Version: 2.2
 //
 #include 
 
@@ -26,13 +26,15 @@ extern "C" {
 * about the parameters please see github wiki for Memory Process File System
 * and LeechCore. THIS IS THE PREFERED WAY OF INITIALIZING VMM.DLL
 * Important parameters are:
-* -vdll = show printf style outputs)
+* -printf = show printf style outputs)
 * -v -vv -vvv = extra verbosity levels)
 * -device = device as on format for LeechCore - please see leechcore.h or
 * Github documentation for additional information. Some values
 * are: , fpga, usb3380, hvsavedstate, totalmeltdown, pmem
 * -remote = remote LeechCore instance - please see leechcore.h or Github
 * documentation for additional information.
+* -norefresh = disable background refreshes (even if backing memory is
+* volatile memory).
 * -- argc
 * -- argv
 * -- return = success/fail
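Review bot: Making `pbDataOut` and `pcbDataOut` optional in LeechCore_CommandData changes the caller contract, but the hunk does not say what `cbDataOut` must be when `pbDataOut` is NULL, nor whether `pcbDataOut` then receives the size the call would have needed; the doc block for this function sits above the hunk and should state it, e.g. `* -- pbDataOut = optional; pass NULL (with cbDataOut = 0) if the output is not wanted` and `* -- pcbDataOut = optional; receives number of bytes written` if that is the intended behaviour. Whether the implementation now guards every write through `pcbDataOut` cannot be checked from the header alone, so it is worth confirming on the .c side before shipping the relaxed annotation.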
@@ -48,6 +50,17 @@ BOOL VMMDLL_Initialize(_In_ DWORD argc, _In_ LPSTR argv[]);
 _Success_(return)
 BOOL VMMDLL_Close();
 
+/*
+* Perform a force refresh of all internal caches including:
+* - process listings
+* - memory cache
+* - page table cache
+* WARNING: function may take some time to execute!
+* -- dwReserved = reserved future use - must be zero
+* -- return = sucess/fail
+*/
+_Success_(return)
+BOOL VMMDLL_Refresh(_In_ DWORD dwReserved);
 
 
 //-----------------------------------------------------------------------------
@@ -289,7 +302,7 @@ typedef struct tdVMMDLL_PLUGIN_REGINFO {
 * -- ppMEMs = array of scatter read headers.
 * -- cpMEMs = count of ppDMAs.
 * -- pcpDMAsRead = optional count of number of successfully read ppDMAs.
-* -- flags = optional flags as given by VMM_FLAG_*
+* -- flags = optional flags as given by VMMDLL_FLAG_*
 * -- return = the number of successfully read items.
 */
 DWORD VMMDLL_MemReadScatter(_In_ DWORD dwPID, _Inout_ PPMEM_IO_SCATTER_HEADER ppMEMs, _In_ DWORD cpMEMs, _In_ DWORD flags);
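Review bot: The VMMDLL_Refresh doc block misspells its return line; it should read `* -- return = success/fail`. It also says dwReserved "must be zero" without saying whether a non-zero value makes the call fail or is ignored, which is the detail a caller of a reserved parameter actually needs, so a clause such as `(non-zero values fail the call)` or `(currently ignored)` — whichever the implementation does — belongs on that line.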
@@ -322,13 +335,25 @@ BOOL VMMDLL_MemRead(_In_ DWORD dwPID, _In_ ULONG64 qwVA, _Out_ PBYTE pb, _In_ DW
 * -- pb
 * -- cb
 * -- pcbRead
-* -- flags = flags as in VMM_FLAG_*
+* -- flags = flags as in VMMDLL_FLAG_*
 * -- return = success/fail. NB! reads may report as success even if 0 bytes are
 * read - it's recommended to verify pcbReadOpt parameter.
 */
 _Success_(return)
 BOOL VMMDLL_MemReadEx(_In_ DWORD dwPID, _In_ ULONG64 qwVA, _Out_ PBYTE pb, _In_ DWORD cb, _Out_opt_ PDWORD pcbReadOpt, _In_ ULONG64 flags);
 
+/*
+* Prefetch a number of addresses (specified in the pA array) into the memory
+* cache. This function is to be used to batch larger known reads into local
+* cache before making multiple smaller reads - which will then happen from
+* the cache. Function exists for performance reasons.
+* -- dwPID = PID of target process, (DWORD)-1 for physical memory.
+* -- pPrefetchAddresses = array of addresses to read into cache.
+* -- cPrefetchAddresses
+*/
+_Success_(return)
+BOOL VMMDLL_MemPrefetchPages(_In_ DWORD dwPID, _In_reads_(cPrefetchAddresses) PULONG64 pPrefetchAddresses, _In_ DWORD cPrefetchAddresses);
+
 /*
 * Write a contigious arbitrary amount of memory. Please note some virtual memory
 * such as pages of executables (such as DLLs) may be shared between different
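Review bot: The VMMDLL_MemPrefetchPages comment refers to "the pA array" but the parameter is named pPrefetchAddresses, `-- cPrefetchAddresses` has no description, and there is no return line although the declaration carries `_Success_(return)`. Suggest `* Prefetch a number of addresses (specified in the pPrefetchAddresses array) into the memory`, `* -- cPrefetchAddresses = number of entries in pPrefetchAddresses.` and `* -- return = success/fail`. Since the function is described as a cache warm-up only, the return line is also the place to say whether a partially unreadable batch reports FALSE, so callers do not treat it as fatal by mistake.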
@@ -527,6 +552,87 @@ BOOL VMMDLL_ProcessGetEAT(_In_ DWORD dwPID, _In_ LPSTR szModule, _Out_opt_ PVMMD
 _Success_(return)
 BOOL VMMDLL_ProcessGetIAT(_In_ DWORD dwPID, _In_ LPSTR szModule, _Out_opt_ PVMMDLL_IAT_ENTRY pData, _In_ DWORD cData, _Out_ PDWORD pcData);
 
+/*
+* Retrieve the virtual address of a given function inside a process/module.
+* -- dwPID
+* -- szModuleName
+* -- szFunctionName
+* -- return = virtual address of function, zero on fail.
+*/
+ULONG64 VMMDLL_ProcessGetProcAddress(_In_ DWORD dwPID, _In_ LPSTR szModuleName, _In_ LPSTR szFunctionName);
+
+/*
+* Retrieve the base address of a given module.
+* -- dwPID
+* -- szModuleName
+* -- return = virtual address of module base, zero on fail.
+*/
+ULONG64 VMMDLL_ProcessGetModuleBase(_In_ DWORD dwPID, _In_ LPSTR szModuleName);
+
+
+
+//-----------------------------------------------------------------------------
+// WINDOWS SPECIFIC UTILITY FUNCTIONS BELOW:
+//-----------------------------------------------------------------------------
+
+typedef struct tdVMMDLL_WIN_THUNKINFO_IAT {
+ BOOL fValid;
+ BOOL f32; // if TRUE fn is a 32-bit/4-byte entry, otherwise 64-bit/8-byte entry.
+ ULONG64 vaThunk; // address of import address table 'thunk'.
+ ULONG64 vaFunction; // value if import address table 'thunk' == address of imported function.
+ ULONG64 vaNameModule; // address of name string for imported module.
+ ULONG64 vaNameFunction; // address of name string for imported function.
+} VMMDLL_WIN_THUNKINFO_IAT, *PVMMDLL_WIN_THUNKINFO_IAT;
+
+typedef struct tdVMMDLL_WIN_THUNKINFO_EAT {
+ BOOL fValid;
+ DWORD valueThunk; // value of export address table 'thunk'.
+ ULONG64 vaThunk; // address of import address table 'thunk'.
+ ULONG64 vaNameFunction; // address of name string for exported function.
+ ULONG64 vaFunction; // address of exported function (module base + value parameter).
+} VMMDLL_WIN_THUNKINFO_EAT, *PVMMDLL_WIN_THUNKINFO_EAT;
+
+/*
+* Retrieve information about the import address table IAT thunk for an imported
+* function. This includes the virtual address of the IAT thunk which is useful
+* for hooking.
+* -- dwPID
+* -- szModuleName
+* -- szImportModuleName
+* -- szImportFunctionName
+* -- pThunkIAT
+* -- return
+*/
+_Success_(return)
+BOOL VMMDLL_WinGetThunkInfoIAT(_In_ DWORD dwPID, _In_ LPSTR szModuleName, _In_ LPSTR szImportModuleName, _In_ LPSTR szImportFunctionName, _Out_ PVMMDLL_WIN_THUNKINFO_IAT pThunkInfoIAT);
+
+/*
+* Retrieve information about the export address table EAT thunk for an exported
+* function. This includes the virtual address of the EAT thunk which is useful
+* for hooking.
+* -- dwPID
+* -- szModuleName
+* -- pThunkEAT
+* -- return
+*/
+_Success_(return)
+BOOL VMMDLL_WinGetThunkInfoEAT(_In_ DWORD dwPID, _In_ LPSTR szModuleName, _In_ LPSTR szExportFunctionName, _Out_ PVMMDLL_WIN_THUNKINFO_EAT pThunkInfoEAT);
+
+/*
+* Decompress compressed memory page stored in the MemCompression process.
+* -- vaCompressedData = virtual address in 'MemCompression' to decompress.
+* -- cbCompressedData = length of compressed data in 'MemCompression' to decompress (or zero for auto-detect).
+* -- pbDecompressedPage
+* -- pcbCompressedData = optional ptr to receive length of compressed buffer.
+* -- return
+*/
+_Success_(return)
+BOOL VMMDLL_WinMemCompression_DecompressPage(
+ _In_ ULONG64 vaCompressedData,
+ _In_opt_ DWORD cbCompressedData,
+ _Out_writes_(4096) PBYTE pbDecompressedPage,
+ _Out_opt_ PDWORD pcbCompressedData
+);
 
 
 //-----------------------------------------------------------------------------
diff --git a/vmmpycplugin/vmmpycplugin.c b/vmmpycplugin/vmmpycplugin.c
index b90542b..a65dbb1 100644
--- a/vmmpycplugin/vmmpycplugin.c
+++ b/vmmpycplugin/vmmpycplugin.c
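Review bot: The parameter lists in the new VMMDLL_WinGetThunkInfoIAT and VMMDLL_WinGetThunkInfoEAT doc blocks do not match the declarations: they document `pThunkIAT`/`pThunkEAT` while the parameters are `pThunkInfoIAT`/`pThunkInfoEAT`, and `szExportFunctionName` of the EAT variant is not listed at all. Suggest `* -- pThunkInfoIAT` for the IAT variant and `* -- szExportFunctionName` plus `* -- pThunkInfoEAT` for the EAT variant. In VMMDLL_WinMemCompression_DecompressPage the only statement of the required output size is the `_Out_writes_(4096)` literal, which non-SAL readers (the Python binding, Linux builds where the annotations expand to nothing) never see; the doc line should carry it, `* -- pbDecompressedPage = receives one decompressed page (4096 bytes).`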
@@ -279,7 +279,7 @@ VOID VmmPyPlugin_UpdateVerbosity()
 }
 }
 
-#define PYTHON_PATH_MAX 4*MAX_PATH
+#define PYTHON_PATH_MAX 7*MAX_PATH
 #define PYTHON_PATH_DELIMITER L";"
 BOOL VmmPyPlugin_PythonInitialize(_In_ HMODULE hDllPython)
 {
@@ -299,14 +299,26 @@ BOOL VmmPyPlugin_PythonInitialize(_In_ HMODULE hDllPython)
 wcscat_s(wszPathPython, PYTHON_PATH_MAX, PYTHON_PATH_DELIMITER);
 wcscat_s(wszPathPython, PYTHON_PATH_MAX, wszPathBasePython);
 wcscat_s(wszPathPython, PYTHON_PATH_MAX, L"python36.zip");
- // 2.3: python lib
+ // 2.3: python dlls
+ wcscat_s(wszPathPython, PYTHON_PATH_MAX, PYTHON_PATH_DELIMITER);
+ wcscat_s(wszPathPython, PYTHON_PATH_MAX, wszPathBasePython);
+ wcscat_s(wszPathPython, PYTHON_PATH_MAX, L"DLLs\\");
+ // 2.4: python lib
 wcscat_s(wszPathPython, PYTHON_PATH_MAX, PYTHON_PATH_DELIMITER);
 wcscat_s(wszPathPython, PYTHON_PATH_MAX, wszPathBasePython);
 wcscat_s(wszPathPython, PYTHON_PATH_MAX, L"Lib\\");
- // 2.4: .exe location of this process
+ // 2.5: python lib\site-packages (python pip)
+ wcscat_s(wszPathPython, PYTHON_PATH_MAX, PYTHON_PATH_DELIMITER);
+ wcscat_s(wszPathPython, PYTHON_PATH_MAX, wszPathBasePython);
+ wcscat_s(wszPathPython, PYTHON_PATH_MAX, L"Lib\\site-packages\\");
+ // 2.6: .exe location of this process
 wcscat_s(wszPathPython, PYTHON_PATH_MAX, PYTHON_PATH_DELIMITER);
 wcscat_s(wszPathPython, PYTHON_PATH_MAX, wszPathBaseExe);
- // 3: Initialize Embedded Python.
+ // 2.7: pylib relative to this process
+ wcscat_s(wszPathPython, PYTHON_PATH_MAX, PYTHON_PATH_DELIMITER);
+ wcscat_s(wszPathPython, PYTHON_PATH_MAX, wszPathBaseExe);
+ wcscat_s(wszPathPython, PYTHON_PATH_MAX, L"pylib\\");
+ // 3: Initialize (Embedded) Python.
 Py_SetProgramName(L"VmmPyPluginManager");
 Py_SetPath(wszPathPython);
 if(ctxPY2C->fVerboseExtra) {
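Review bot: `PYTHON_PATH_MAX` is defined as the unparenthesized expression `7*MAX_PATH`; as a plain size argument to wcscat_s that is harmless, but an expression such as `cb / PYTHON_PATH_MAX` would expand to `cb / 7 * MAX_PATH` and silently miscompute. Suggest `#define PYTHON_PATH_MAX (7*MAX_PATH)`, with a trailing comment noting that the factor is the number of search-path entries built in VmmPyPlugin_PythonInitialize, so the next person who adds an entry knows to bump it.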
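Review bot: None of the nine `wcscat_s` calls added here check the return value, so if the assembled search path exceeds `PYTHON_PATH_MAX` the outcome is whatever the CRT does on ERANGE (destination emptied, invalid-parameter handler invoked) rather than a FALSE from this function; the `7*MAX_PATH` budget is sized to the number of entries, while each entry is `wszPathBasePython` or `wszPathBaseExe` plus a suffix and a delimiter and may itself approach MAX_PATH, so the margin is not obviously sufficient. Suggest checking each call, e.g. `if(wcscat_s(wszPathPython, PYTHON_PATH_MAX, L"pylib\\")) { goto fail; }`, or building the string with a single `_snwprintf_s` whose result is checked once. The declared size of wszPathPython and the `fail:` path are outside this hunk; VmmPyPlugin_PythonInitialize starts and ends beyond it.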
@@ -314,6 +326,7 @@ BOOL VmmPyPlugin_PythonInitialize(_In_ HMODULE hDllPython)
 }
 PY2C_InitializeModuleVMMPYCC();
 Py_Initialize();
+ PyEval_InitThreads();
 // 4: Import VmmPyPlugin library/file to start the python part of the plugin manager.
 pName = PyUnicode_DecodeFSDefault("vmmpyplugin");
 if(!pName) { goto fail; }
@@ -322,6 +335,7 @@ BOOL VmmPyPlugin_PythonInitialize(_In_ HMODULE hDllPython)
 // 5: Cleanups
 Py_DECREF(pName);
 Py_DECREF(pModule);
+ PyEval_ReleaseLock();
 return TRUE;
 fail:
 if(pName) { Py_DECREF(pName); }
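Review bot: `PyEval_ReleaseLock()` releases the GIL without saving the calling thread's state and has been deprecated since Python 3.2; the supported form is `PyEval_SaveThread()`, which returns the `PyThreadState *` that a later `PyEval_RestoreThread()` needs (callback threads use `PyGILState_Ensure()`/`PyGILState_Release()` either way), so suggest `PyEval_SaveThread();` in its place, keeping the pointer if shutdown code must re-acquire the GIL before `Py_Finalize`. The release happens only on the success path; on `fail:` this thread keeps the GIL, which is acceptable only if that path finalizes the interpreter or never hands control back to Python — the rest of the fail path and of VmmPyPlugin_PythonInitialize lie outside the hunk. `PyEval_InitThreads()` placed after `Py_Initialize()` is the correct ordering for the 3.6 runtime this file targets.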