Version 5.15.4

This commit is contained in:
Ulf Frisk
2025-08-10 22:22:06 +02:00
parent 3f4a845fc6
commit 1d0c6bc228
12 changed files with 37 additions and 29 deletions


@@ -3,8 +3,8 @@
#define VERSION_MAJOR 5
#define VERSION_MINOR 15
#define VERSION_REVISION 3
#define VERSION_BUILD 207
#define VERSION_REVISION 4
#define VERSION_BUILD 208
#define VER_FILE_DESCRIPTION_STR "MemProcFS : Plugin vmemd"
#define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD


@@ -3,8 +3,8 @@
#define VERSION_MAJOR 5
#define VERSION_MINOR 15
#define VERSION_REVISION 3
#define VERSION_BUILD 207
#define VERSION_REVISION 4
#define VERSION_BUILD 208
#define VER_FILE_DESCRIPTION_STR "MemProcFS"
#define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD


@@ -6,6 +6,7 @@
#include "mm.h"
#include "../util.h"
#include "../charutil.h"
#define MMVAD_POOLTAG_VAD 'Vad '
#define MMVAD_POOLTAG_VADF 'VadF'
@@ -760,7 +761,7 @@ VOID MmVad_Spider_DoWork(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pSystemProcess, _I
}
// 2: allocate and retrieve objects required for processing
if(!(pmObVad = Ob_AllocEx(H, OB_TAG_MAP_VAD, LMEM_ZEROINIT, sizeof(VMMOB_MAP_VAD) + cVads * sizeof(VMM_MAP_VADENTRY), MmVad_MemMapVad_CloseObCallback, NULL))) { goto fail; }
if((cVads == 0) && (pProcess->dwPID != 4)) { // No VADs
if((cVads == 0) && (pProcess->dwPID != 4) && !CharUtil_StrCmpAny(CharUtil_StrEquals, pProcess->szName, FALSE, 2, "MemCompression", "Registry")) { // No VADs
VmmLog(H, MID_VMM, LOGLEVEL_VERBOSE, "NO VAD FOR PROCESS - PID: %i STATE: %i NAME: %s", pProcess->dwPID, pProcess->dwState, pProcess->szName);
pProcess->Map.pObVad = Ob_INCREF(pmObVad);
goto fail;
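Review bot: The widened condition on the `if` line exempts processes from the no-VAD shortcut purely by `szName` matching "MemCompression" or "Registry", and nothing records why these two join PID 4 here; since `szName` is the short image name any process carries, an unrelated zero-VAD process bearing one of those names would take the same fall-through path. If the intent is that these kernel-hosted processes should continue through the normal VAD processing even when `cVads` is 0, a comment such as `// PID 4 (System), MemCompression and Registry are kernel-mode processes: keep processing even when no VADs were counted` would make the exemption reviewable; it is also not visible here whether the `FALSE` argument makes the comparison case-sensitive, which is worth stating in the same comment. MmVad_Spider_DoWork begins before and continues past this hunk.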


@@ -3,8 +3,8 @@
#define VERSION_MAJOR 5
#define VERSION_MINOR 15
#define VERSION_REVISION 3
#define VERSION_BUILD 207
#define VERSION_REVISION 4
#define VERSION_BUILD 208
#define VER_FILE_DESCRIPTION_STR "MemProcFS : Core"
#define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD


@@ -256,6 +256,10 @@ BOOL VmmYaraUtil_ParseSingleResultNext(
PVMMOB_MAP_VAD pObVadMap = NULL;
PVMM_PROCESS pObProcess = NULL;
CHAR uszRuleMatchStringBuffer[MAX_PATH];
BOOL fRuleMatchStringBuffer;
BYTE ch;
DWORD k, maxk, pos, oP;
CHAR szPlain[0x100];
// init:
if(!ctx->pObEPC) {
ctx->pObEPC = Ob_AllocEx(H, OB_TAG_YARA_PARSEHANDLE, 0, sizeof(VMMYARAUTILOB_ENTRYPARSECONTEXT), NULL, NULL);
@@ -432,7 +436,9 @@ BOOL VmmYaraUtil_ParseSingleResultNext(
va = peMatch->vaBase + (QWORD)peMatch->RuleMatch.Strings[i].cbMatchOffset[j];
uszRuleMatchStringBuffer[0] = 0;
CharUtil_ReplaceMultiple(uszRuleMatchStringBuffer, sizeof(uszRuleMatchStringBuffer), NULL, peMatch->RuleMatch.Strings[i].szString, NULL, -1, VMMYARAUTIL_TEXT_ALLOW, '_');
fRuleMatchStringBuffer = TRUE;
if(!uszRuleMatchStringBuffer[0]) {
fRuleMatchStringBuffer = FALSE;
_snprintf_s(uszRuleMatchStringBuffer, sizeof(uszRuleMatchStringBuffer), _TRUNCATE, "string_%u", i);
}
o = _snprintf_s(hEPC->usz, _countof(hEPC->usz), _TRUNCATE, "[%s] %llx:\n", uszRuleMatchStringBuffer, va);
@@ -442,15 +448,15 @@ BOOL VmmYaraUtil_ParseSingleResultNext(
cbWrite = (DWORD)_countof(hEPC->usz) - o;
Util_FillHexAscii_WithAddress(pbBuffer, sizeof(pbBuffer), vaAlign, hEPC->usz + o, &cbWrite);
}
// build CSV preview from memory around match address
{
DWORD pos = (DWORD)(va - vaAlign);
DWORD k, maxk = 64;
uszMatchPreview[0] = 0;
// build CSV preview from memory around match address (unless a matching string rule already exists)
uszMatchPreview[0] = 0;
if(!fRuleMatchStringBuffer) {
maxk = 64;
pos = (DWORD)(va - vaAlign);
if(cbRead > pos) {
maxk = min(maxk, cbRead - pos);
for(k = 0; k < maxk && k + 2 < _countof(uszMatchPreview); k++) {
BYTE ch = pbBuffer[pos + k];
ch = pbBuffer[pos + k];
uszMatchPreview[k] = (ch >= 0x20 && ch < 0x7f) ? (CHAR)ch : '.';
}
uszMatchPreview[k] = 0;
@@ -461,7 +467,7 @@ BOOL VmmYaraUtil_ParseSingleResultNext(
iMatchCSV++;
oMatchCSV += _snprintf_s(hEPC->uszMatchContextCSV + oMatchCSV, _countof(hEPC->uszMatchContextCSV) - oMatchCSV, _TRUNCATE,
",%s,%llx",
FcCsv_String(&hEPC->hCSV, uszMatchPreview),
FcCsv_String(&hEPC->hCSV, (fRuleMatchStringBuffer ? uszRuleMatchStringBuffer : uszMatchPreview)),
va
);
}
@@ -477,7 +483,9 @@ BOOL VmmYaraUtil_ParseSingleResultNext(
va = peMatch->vaBase + (QWORD)peMatch->RuleMatch.Strings[i].cbMatchOffset[j];
uszRuleMatchStringBuffer[0] = 0;
CharUtil_ReplaceMultiple(uszRuleMatchStringBuffer, sizeof(uszRuleMatchStringBuffer), NULL, peMatch->RuleMatch.Strings[i].szString, NULL, -1, VMMYARAUTIL_TEXT_ALLOW, '_');
fRuleMatchStringBuffer = TRUE;
if(!uszRuleMatchStringBuffer[0]) {
fRuleMatchStringBuffer = FALSE;
_snprintf_s(uszRuleMatchStringBuffer, sizeof(uszRuleMatchStringBuffer), _TRUNCATE, "string_%u", i);
}
// Read a small window from the file around the match offset for preview and hexdump.
@@ -491,11 +499,10 @@ BOOL VmmYaraUtil_ParseSingleResultNext(
o = _snprintf_s(hEPC->usz, _countof(hEPC->usz), _TRUNCATE, "[%s] %llx (FILE):\n", uszRuleMatchStringBuffer, va);
// Plain text (sanitize to printable)
{
CHAR szPlain[0x100];
DWORD k, oP = 0;
oP = 0;
oP += _snprintf_s(szPlain + oP, _countof(szPlain) - oP, _TRUNCATE, "Plain: \"");
for(k = 0; k < sizeof(pbBufPlain) && oP + 4 < _countof(szPlain); k++) {
BYTE ch = pbBufPlain[k];
ch = pbBufPlain[k];
if(ch == '\0') { break; }
if(ch >= 0x20 && ch < 0x7f) {
szPlain[oP++] = (CHAR)ch;
@@ -514,10 +521,10 @@ BOOL VmmYaraUtil_ParseSingleResultNext(
}
// CSV preview from FILE bytes at match
{
DWORD k, maxk = 64;
maxk = 64;
uszMatchPreview[0] = 0;
for(k = 0; k < sizeof(pbBufPlain) && k < maxk && k + 2 < _countof(uszMatchPreview); k++) {
BYTE ch = pbBufPlain[k];
ch = pbBufPlain[k];
if(ch == '\0') { break; }
uszMatchPreview[k] = (ch >= 0x20 && ch < 0x7f) ? (CHAR)ch : '.';
}
@@ -528,7 +535,7 @@ BOOL VmmYaraUtil_ParseSingleResultNext(
iMatchCSV++;
oMatchCSV += _snprintf_s(hEPC->uszMatchContextCSV + oMatchCSV, _countof(hEPC->uszMatchContextCSV) - oMatchCSV, _TRUNCATE,
",%s,%llx",
FcCsv_String(&hEPC->hCSV, uszMatchPreview),
FcCsv_String(&hEPC->hCSV, (fRuleMatchStringBuffer ? uszRuleMatchStringBuffer : uszMatchPreview)),
va
);
}
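Review bot: The CSV field written by the `",%s,%llx"` format now holds either the sanitized rule-string identifier (when `fRuleMatchStringBuffer` is TRUE) or the printable byte preview (when it is FALSE), so a consumer of the CSV cannot tell from the column which kind of value it is reading, and in the named case the memory/file context that was previously exported no longer appears in the CSV at all. If the identifier is the preferred value, consider keeping the column meaning stable by adding it as its own field, e.g. a format of `",%s,%s,%llx"` with `FcCsv_String(&hEPC->hCSV, uszRuleMatchStringBuffer)` followed by the existing preview argument, which would also let the `if(!fRuleMatchStringBuffer)` guard around the preview build go away; otherwise a comment at the `fRuleMatchStringBuffer = TRUE;` line stating that the flag selects the CSV column content would at least document the dual meaning. The same selection appears in both the memory and FILE branches of this section. VmmYaraUtil_ParseSingleResultNext begins before the first hunk and continues past the last one.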


@@ -3,8 +3,8 @@
#define VERSION_MAJOR 5
#define VERSION_MINOR 15
#define VERSION_REVISION 3
#define VERSION_BUILD 207
#define VERSION_REVISION 4
#define VERSION_BUILD 208
#define VER_FILE_DESCRIPTION_STR "MemProcFS : Python API"
#define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD


@@ -1,6 +1,6 @@
[package]
name = "leechcore_example"
version = "5.15.3"
version = "5.15.4"
edition = "2021"
publish = false


@@ -1,6 +1,6 @@
[package]
name = "m_example_plugin"
version = "5.15.3"
version = "5.15.4"
edition = "2021"
publish = false


@@ -1,6 +1,6 @@
[package]
name = "memprocfs"
version = "5.15.3"
version = "5.15.4"
edition = "2021"
description = "MemProcFS - Physical Memory Analysis Framework"
documentation = "https://docs.rs/memprocfs"


@@ -1,6 +1,6 @@
[package]
name = "memprocfs_example"
version = "5.15.3"
version = "5.15.4"
edition = "2021"
publish = false


@@ -32,5 +32,5 @@ using System.Runtime.Versioning;
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("5.15.3.207")]
[assembly: AssemblyFileVersion("5.15.3.207")]
[assembly: AssemblyVersion("5.15.4.208")]
[assembly: AssemblyFileVersion("5.15.4.208")]


@@ -109,7 +109,7 @@
<None Include="logo.png" Pack="true" Visible="true" PackagePath="" />
</ItemGroup>
<PropertyGroup>
<Version>5.15.3</Version>
<Version>5.15.4</Version>
<RepositoryUrl>https://github.com/ufrisk/MemProcFS</RepositoryUrl>
<RepositoryType>git</RepositoryType>
<PackageLicenseFile>LICENSE</PackageLicenseFile>