Version 5.2.11

ufrisk
2022-12-14 23:15:50 +01:00
parent b3ca411470
commit 9bb85a67b3
9 changed files with 100 additions and 8 deletions


@@ -3,8 +3,8 @@
#define VERSION_MAJOR 5
#define VERSION_MINOR 2
#define VERSION_REVISION 10
#define VERSION_BUILD 96
#define VERSION_REVISION 11
#define VERSION_BUILD 97
#define VER_FILE_DESCRIPTION_STR "MemProcFS : Core"
#define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD


@@ -6,6 +6,7 @@
#include "vmm.h"
#include "mm.h"
#include "mm_pfn.h"
#include "pdb.h"
#include "vmmheap.h"
#include "vmmproc.h"
@@ -1651,11 +1652,11 @@ VOID VmmClose(_In_ VMM_HANDLE H)
VmmNet_Close(H);
PDB_Close(H);
Ob_DECREF_NULL(&H->vmm.pObVfsDumpContext);
Ob_DECREF_NULL(&H->vmm.pObPfnContext);
Ob_DECREF_NULL(&H->vmm.pObCPROC);
if(H->vmm.fnMemoryModel.pfnClose) {
H->vmm.fnMemoryModel.pfnClose(H);
}
MmPfn_Close(H);
MmWin_PagingClose(H);
VmmCacheClose(H, VMM_CACHE_TAG_PHYS);
VmmCacheClose(H, VMM_CACHE_TAG_TLB);
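Review bot: MmPfn_Close(H) is now called unconditionally from VmmClose while the matching MmPfn_Initialize call is removed from VmmWinInit_TryInitializeKernelOptionalValues in this same commit, so teardown can run for a handle whose pfn context was never set up (for example after a failed or partial initialization). MmPfn_Close is not visible here; if it does not already treat a NULL H->vmm.pMmPfnContext as a no-op, guard the call in the same way the memory-model close above it is guarded: `if(H->vmm.pMmPfnContext) { MmPfn_Close(H); }`. Since pMmPfnContext changed from a refcounted POB to a plain PVOID in vmm.h, a one-line comment on the field naming who allocates and who frees it (MmPfn_Close, presumably) would make the new ownership explicit. VmmClose continues outside the hunk.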


@@ -1520,8 +1520,8 @@ typedef struct tdVMM_CONTEXT {
VMM_KERNELINFO kernel;
VMM_OFFSET offset;
POB pObVfsDumpContext;
POB pObPfnContext;
POB pObPdbContext;
PVOID pMmPfnContext;
PMMWIN_CONTEXT pMmContext;
PVOID pNetContext;
PVMMOB_VMGLOBAL_CONTEXT pObVmGlobalContext;


@@ -42,6 +42,7 @@
#define OB_TAG_API_MAP_VAD_EX 'VADX'
#define OB_TAG_API_MAP_VM 'VM '
#define OB_TAG_API_MODULE_FROM_NAME 'MODN'
#define OB_TAG_API_PROCESS_INFORMATION 'PNFO'
#define OB_TAG_API_PROCESS_STRING 'PSTR'
#define OB_TAG_API_SEARCH 'SRCH'
#define OB_TAG_API_VFS_LIST_BLOB 'VFSB'
@@ -1923,6 +1924,49 @@ BOOL VMMDLL_ProcessGetInformation(_In_ VMM_HANDLE H, _In_ DWORD dwPID, _Inout_op
CALL_IMPLEMENTATION_VMM(H, STATISTICS_ID_VMMDLL_ProcessGetInformation, VMMDLL_ProcessGetInformation_Impl(H, dwPID, pProcessInformation, pcbProcessInformation))
}
_Success_(return)
BOOL VMMDLL_ProcessGetInformationAll_Impl(_In_ VMM_HANDLE H, _Out_ PVMMDLL_PROCESS_INFORMATION *ppProcInfoAll, _Out_ PDWORD pcProcInfo)
{
DWORD i, cProcInfo = 0;
SIZE_T cbAlloc, cbProcInfo, cPIDs = 0;
PDWORD pdwPIDs = NULL;
PVMMDLL_PROCESS_INFORMATION pe, pProcInfoAll = NULL;
// 1: get pid-list
VmmProcessListPIDs(H, NULL, &cPIDs, VMM_FLAG_PROCESS_SHOW_TERMINATED);
if(!cPIDs) { goto fail; }
if(!(pdwPIDs = LocalAlloc(LMEM_ZEROINIT, cPIDs * sizeof(DWORD)))) { goto fail; }
VmmProcessListPIDs(H, pdwPIDs, &cPIDs, VMM_FLAG_PROCESS_SHOW_TERMINATED);
if(!cPIDs) { goto fail; }
cbAlloc = cPIDs * sizeof(VMMDLL_PROCESS_INFORMATION);
// 2: create and fill result array:
if(!(pProcInfoAll = VmmDllCore_MemAllocExternal(H, OB_TAG_API_PROCESS_INFORMATION, cbAlloc, cbAlloc))) { goto fail; }
for(i = 0; i < cPIDs; i++) {
pe = pProcInfoAll + cProcInfo;
pe->magic = VMMDLL_PROCESS_INFORMATION_MAGIC;
pe->wVersion = VMMDLL_PROCESS_INFORMATION_VERSION;
cbProcInfo = sizeof(VMMDLL_PROCESS_INFORMATION);
if(VMMDLL_ProcessGetInformation_Impl(H, pdwPIDs[i], pe, &cbProcInfo)) {
cProcInfo++;
}
}
*pcProcInfo = cProcInfo;
*ppProcInfoAll = pProcInfoAll;
LocalFree(pdwPIDs);
return TRUE;
fail:
*pcProcInfo = 0;
*ppProcInfoAll = NULL;
VmmDllCore_MemFreeExternal(pProcInfoAll);
LocalFree(pdwPIDs);
return FALSE;
}
_Success_(return)
BOOL VMMDLL_ProcessGetInformationAll(_In_ VMM_HANDLE H, _Out_ PVMMDLL_PROCESS_INFORMATION *ppProcessInformationAll, _Out_ PDWORD pcProcessInformation)
{
CALL_IMPLEMENTATION_VMM(H, STATISTICS_ID_VMMDLL_ProcessGetInformationAll, VMMDLL_ProcessGetInformationAll_Impl(H, ppProcessInformationAll, pcProcessInformation))
}
BOOL VMMDLL_ProcessGetInformationString_Impl_CallbackCriteria(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pProcess, _In_ PVOID ctx)
{
return !pProcess->pObPersistent->UserProcessParams.fProcessed;
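Review bot: In VMMDLL_ProcessGetInformationAll_Impl the count written by the second VmmProcessListPIDs call is used both for cbAlloc and as the bound of the loop that reads pdwPIDs[i], but pdwPIDs was sized from the first call; if the process list grows between the two calls and VmmProcessListPIDs reports the required count rather than the number of entries it actually stored (its contract is not visible here), the loop reads past the end of pdwPIDs. Record the allocated count and clamp after the second call: `SIZE_T cPIDsAlloc;` alongside the other locals, `cPIDsAlloc = cPIDs;` before the LocalAlloc, and `if(cPIDs > cPIDsAlloc) { cPIDs = cPIDsAlloc; }` after the second list call. Separately, entries for which VMMDLL_ProcessGetInformation_Impl fails are silently skipped and their slot is reused for the next PID, so *pcProcInfo can be smaller than the number of PIDs enumerated; that is reasonable behaviour but worth a comment at the loop, e.g. `// entries whose lookup fails are dropped; the result count may be less than cPIDs`.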


@@ -85,6 +85,7 @@ EXPORTS
VMMDLL_Map_GetHandleU
VMMDLL_Map_GetHandleW
VMMDLL_ProcessGetInformation
VMMDLL_ProcessGetInformationAll
VMMDLL_ProcessGetInformationString
VMMDLL_ProcessGetDirectoriesU


@@ -1981,6 +1981,22 @@ BOOL VMMDLL_ProcessGetInformation(
_In_ PSIZE_T pcbProcessInformation
);
/*
* Retrieve various information from all processes (including terminated).
* CALLER FREE : VMMDLL_MemFree(*ppProcessInformationAll)
* -- hVMM
* -- ptr to receive result array of pcProcessInformation items on success.
* Must be free'd with VMMDLL_MemFree().
* -- ptr to DWORD to receive number of items processes on success.
* -- return = success/fail.
*/
_Success_(return)
BOOL VMMDLL_ProcessGetInformationAll(
_In_ VMM_HANDLE hVMM,
_Out_ PVMMDLL_PROCESS_INFORMATION *ppProcessInformationAll,
_Out_ PDWORD pcProcessInformation
);
#define VMMDLL_PROCESS_INFORMATION_OPT_STRING_PATH_KERNEL 1
#define VMMDLL_PROCESS_INFORMATION_OPT_STRING_PATH_USER_IMAGE 2
#define VMMDLL_PROCESS_INFORMATION_OPT_STRING_CMDLINE 3
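Review bot: The new doc comment for VMMDLL_ProcessGetInformationAll has a typo in the third parameter line, "number of items processes" should read "number of items in the result array", and it does not state what the out-parameters hold on failure; the implementation in vmmdll.c sets them to NULL and 0 before returning FALSE, so callers can rely on that and the header should say so. Suggested wording: `* -- ptr to DWORD to receive number of items in the result array on success.` and `* -- return = success/fail. On failure *ppProcessInformationAll is NULL and *pcProcessInformation is 0.`. Since the caller is told to free only via VMMDLL_MemFree, it may also help to note that the array must not be freed with LocalFree or free().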


@@ -8,7 +8,6 @@
#include "vmm.h"
#include "mm.h"
#include "mm_pfn.h"
#include "pe.h"
#include "pdb.h"
#include "util.h"
@@ -160,7 +159,6 @@ VOID VmmWinInit_TryInitializeKernelOptionalValues(_In_ VMM_HANDLE H)
if(!H->vmm.kernel.opt.vaPfnDatabase) {
PDB_GetSymbolPTR(H, PDB_HANDLE_KERNEL, "MmPfnDatabase", pObSystemProcess, &H->vmm.kernel.opt.vaPfnDatabase);
}
MmPfn_Initialize(H, pObSystemProcess);
// PsLoadedModuleListExp
if(!H->vmm.kernel.opt.vaPsLoadedModuleListExp) {
PDB_GetSymbolAddress(H, PDB_HANDLE_KERNEL, "PsLoadedModuleList", &H->vmm.kernel.opt.vaPsLoadedModuleListExp);


@@ -327,6 +327,38 @@ int main(_In_ int argc, _In_ char* argv[])
return 1;
}
// Retrieve process information such as: name of the process, PML4 (DTB),
// PML4-USER (if exists) and Process State from _all_ processes.
// Active processes will have ProcessState = 0.
printf("------------------------------------------------------------\n");
printf("# Get Process Information from ALL PROCESSES. \n");
ShowKeyPress();
DWORD cProcessInformation = 0;
PVMMDLL_PROCESS_INFORMATION pProcessInformationEntry, pProcessInformationAll = NULL;
printf("CALL: VMMDLL_ProcessGetInformationAll\n");
result = VMMDLL_ProcessGetInformationAll(hVMM, &pProcessInformationAll, &cProcessInformation);
if(result) {
// print results upon success:
printf("SUCCESS: VMMDLL_ProcessGetInformationAll\n");
for(i = 0; i < cProcessInformation; i++) {
pProcessInformationEntry = &pProcessInformationAll[i];
printf(" --------------------------------------\n");
printf(" Name = %s\n", pProcessInformationEntry->szName);
printf(" LongName = %s\n", pProcessInformationEntry->szNameLong);
printf(" PageDirectoryBase = 0x%016llx\n", pProcessInformationEntry->paDTB);
printf(" PageDirectoryBaseUser = 0x%016llx\n", pProcessInformationEntry->paDTB_UserOpt);
printf(" ProcessState = 0x%08x\n", pProcessInformationEntry->dwState);
printf(" PID = 0x%08x\n", pProcessInformationEntry->dwPID);
printf(" ParentPID = 0x%08x\n", pProcessInformationEntry->dwPPID);
}
// free function allocated memory:
VMMDLL_MemFree(pProcessInformationAll);
} else {
printf("FAIL: VMMDLL_ProcessGetInformationAll\n");
return 1;
}
// Retrieve the memory map from the page table. This function also tries to
// make additional parsing to identify modules and tag the memory map with


@@ -3,8 +3,8 @@
#define VERSION_MAJOR 5
#define VERSION_MINOR 2
#define VERSION_REVISION 10
#define VERSION_BUILD 96
#define VERSION_REVISION 11
#define VERSION_BUILD 97
#define VER_FILE_DESCRIPTION_STR "MemProcFS : Python API"
#define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD