diff --git a/vmm/version.h b/vmm/version.h
index 51ebae4..d3e7fae 100644
--- a/vmm/version.h
+++ b/vmm/version.h
@@ -3,8 +3,8 @@
 #define VERSION_MAJOR 5
 #define VERSION_MINOR 2
-#define VERSION_REVISION 10
-#define VERSION_BUILD 96
+#define VERSION_REVISION 11
+#define VERSION_BUILD 97
 #define VER_FILE_DESCRIPTION_STR "MemProcFS : Core"
 #define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD
diff --git a/vmm/vmm.c b/vmm/vmm.c
index ab83da1..fe945c7 100644
--- a/vmm/vmm.c
+++ b/vmm/vmm.c
@@ -6,6 +6,7 @@
 #include "vmm.h"
 #include "mm.h"
+#include "mm_pfn.h"
 #include "pdb.h"
 #include "vmmheap.h"
 #include "vmmproc.h"
@@ -1651,11 +1652,11 @@ VOID VmmClose(_In_ VMM_HANDLE H)
 VmmNet_Close(H);
 PDB_Close(H);
 Ob_DECREF_NULL(&H->vmm.pObVfsDumpContext);
- Ob_DECREF_NULL(&H->vmm.pObPfnContext);
 Ob_DECREF_NULL(&H->vmm.pObCPROC);
 if(H->vmm.fnMemoryModel.pfnClose) {
 H->vmm.fnMemoryModel.pfnClose(H);
 }
+ MmPfn_Close(H);
 MmWin_PagingClose(H);
 VmmCacheClose(H, VMM_CACHE_TAG_PHYS);
 VmmCacheClose(H, VMM_CACHE_TAG_TLB);
diff --git a/vmm/vmm.h b/vmm/vmm.h
index 354ae37..b4245f6 100644
--- a/vmm/vmm.h
+++ b/vmm/vmm.h
@@ -1520,8 +1520,8 @@ typedef struct tdVMM_CONTEXT {
 VMM_KERNELINFO kernel;
 VMM_OFFSET offset;
 POB pObVfsDumpContext;
- POB pObPfnContext;
 POB pObPdbContext;
+ PVOID pMmPfnContext;
 PMMWIN_CONTEXT pMmContext;
 PVOID pNetContext;
 PVMMOB_VMGLOBAL_CONTEXT pObVmGlobalContext;
diff --git a/vmm/vmmdll.c b/vmm/vmmdll.c
index a33b946..d7b1abc 100644
--- a/vmm/vmmdll.c
+++ b/vmm/vmmdll.c
@@ -42,6 +42,7 @@
 #define OB_TAG_API_MAP_VAD_EX 'VADX'
 #define OB_TAG_API_MAP_VM 'VM '
 #define OB_TAG_API_MODULE_FROM_NAME 'MODN'
+#define OB_TAG_API_PROCESS_INFORMATION 'PNFO'
 #define OB_TAG_API_PROCESS_STRING 'PSTR'
 #define OB_TAG_API_SEARCH 'SRCH'
 #define OB_TAG_API_VFS_LIST_BLOB 'VFSB'
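Review bot: `MmPfn_Close(H)` in VmmClose is now called unconditionally and at a later point than the `Ob_DECREF_NULL(&H->vmm.pObPfnContext)` it replaces (after `H->vmm.fnMemoryModel.pfnClose(H)` instead of before `pObCPROC`), while the only initialization call visible on this page, `MmPfn_Initialize(H, pObSystemProcess)` in vmmwininit.c, is removed by the same commit with no replacement shown. MmPfn_Close therefore has to tolerate a never-initialized `H->vmm.pMmPfnContext`, and the new teardown order only matters if the PFN code reads through the memory model; neither property can be checked from this diff. A one-line comment at the call site would spare the next reader the hunt: `MmPfn_Close(H);   // must be safe when PFN support was never initialized (pMmPfnContext == NULL)`. VmmClose's body begins and ends outside the hunk.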
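Review bot: In the vmm.h hunk `pMmPfnContext` replaces a reference-counted `POB` with an untyped `PVOID`, so the compiler no longer catches a mismatched consumer and the ownership that `Ob_DECREF_NULL` used to make explicit is now implicit. A forward-declared opaque struct pointer would keep type checking; failing that, the field should say who owns it, e.g. `PVOID pMmPfnContext;   // owned by the mm_pfn module; presumably released in MmPfn_Close() - confirm against mm_pfn.c`. The struct definition starts outside the hunk.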
@@ -1923,6 +1924,49 @@ BOOL VMMDLL_ProcessGetInformation(_In_ VMM_HANDLE H, _In_ DWORD dwPID, _Inout_op
 CALL_IMPLEMENTATION_VMM(H, STATISTICS_ID_VMMDLL_ProcessGetInformation, VMMDLL_ProcessGetInformation_Impl(H, dwPID, pProcessInformation, pcbProcessInformation))
 }
+_Success_(return)
+BOOL VMMDLL_ProcessGetInformationAll_Impl(_In_ VMM_HANDLE H, _Out_ PVMMDLL_PROCESS_INFORMATION *ppProcInfoAll, _Out_ PDWORD pcProcInfo)
+{
+ DWORD i, cProcInfo = 0;
+ SIZE_T cbAlloc, cbProcInfo, cPIDs = 0;
+ PDWORD pdwPIDs = NULL;
+ PVMMDLL_PROCESS_INFORMATION pe, pProcInfoAll = NULL;
+ // 1: get pid-list
+ VmmProcessListPIDs(H, NULL, &cPIDs, VMM_FLAG_PROCESS_SHOW_TERMINATED);
+ if(!cPIDs) { goto fail; }
+ if(!(pdwPIDs = LocalAlloc(LMEM_ZEROINIT, cPIDs * sizeof(DWORD)))) { goto fail; }
+ VmmProcessListPIDs(H, pdwPIDs, &cPIDs, VMM_FLAG_PROCESS_SHOW_TERMINATED);
+ if(!cPIDs) { goto fail; }
+ cbAlloc = cPIDs * sizeof(VMMDLL_PROCESS_INFORMATION);
+ // 2: create and fill result array:
+ if(!(pProcInfoAll = VmmDllCore_MemAllocExternal(H, OB_TAG_API_PROCESS_INFORMATION, cbAlloc, cbAlloc))) { goto fail; }
+ for(i = 0; i < cPIDs; i++) {
+ pe = pProcInfoAll + cProcInfo;
+ pe->magic = VMMDLL_PROCESS_INFORMATION_MAGIC;
+ pe->wVersion = VMMDLL_PROCESS_INFORMATION_VERSION;
+ cbProcInfo = sizeof(VMMDLL_PROCESS_INFORMATION);
+ if(VMMDLL_ProcessGetInformation_Impl(H, pdwPIDs[i], pe, &cbProcInfo)) {
+ cProcInfo++;
+ }
+ }
+ *pcProcInfo = cProcInfo;
+ *ppProcInfoAll = pProcInfoAll;
+ LocalFree(pdwPIDs);
+ return TRUE;
+fail:
+ *pcProcInfo = 0;
+ *ppProcInfoAll = NULL;
+ VmmDllCore_MemFreeExternal(pProcInfoAll);
+ LocalFree(pdwPIDs);
+ return FALSE;
+}
+
+_Success_(return)
+BOOL VMMDLL_ProcessGetInformationAll(_In_ VMM_HANDLE H, _Out_ PVMMDLL_PROCESS_INFORMATION *ppProcessInformationAll, _Out_ PDWORD pcProcessInformation)
+{
+ CALL_IMPLEMENTATION_VMM(H, STATISTICS_ID_VMMDLL_ProcessGetInformationAll, VMMDLL_ProcessGetInformationAll_Impl(H, ppProcessInformationAll, pcProcessInformation))
+}
+
 BOOL
VMMDLL_ProcessGetInformationString_Impl_CallbackCriteria(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pProcess, _In_ PVOID ctx) {
 return !pProcess->pObPersistent->UserProcessParams.fProcessed;
diff --git a/vmm/vmmdll.def b/vmm/vmmdll.def
index 687bcb0..59fbea1 100644
--- a/vmm/vmmdll.def
+++ b/vmm/vmmdll.def
@@ -85,6 +85,7 @@ EXPORTS
 VMMDLL_Map_GetHandleU
 VMMDLL_Map_GetHandleW
 VMMDLL_ProcessGetInformation
+ VMMDLL_ProcessGetInformationAll
 VMMDLL_ProcessGetInformationString
 VMMDLL_ProcessGetDirectoriesU
diff --git a/vmm/vmmdll.h b/vmm/vmmdll.h
index a5c4184..63ade6e 100644
--- a/vmm/vmmdll.h
+++ b/vmm/vmmdll.h
@@ -1981,6 +1981,22 @@ BOOL VMMDLL_ProcessGetInformation(
 _In_ PSIZE_T pcbProcessInformation
 );
+/*
+* Retrieve various information from all processes (including terminated).
+* CALLER FREE : VMMDLL_MemFree(*ppProcessInformationAll)
+* -- hVMM
+* -- ptr to receive result array of pcProcessInformation items on success.
+* Must be free'd with VMMDLL_MemFree().
+* -- ptr to DWORD to receive number of items processes on success.
+* -- return = success/fail.
+*/
+_Success_(return)
+BOOL VMMDLL_ProcessGetInformationAll(
+ _In_ VMM_HANDLE hVMM,
+ _Out_ PVMMDLL_PROCESS_INFORMATION *ppProcessInformationAll,
+ _Out_ PDWORD pcProcessInformation
+);
+
 #define VMMDLL_PROCESS_INFORMATION_OPT_STRING_PATH_KERNEL 1
 #define VMMDLL_PROCESS_INFORMATION_OPT_STRING_PATH_USER_IMAGE 2
 #define VMMDLL_PROCESS_INFORMATION_OPT_STRING_CMDLINE 3
diff --git a/vmm/vmmwininit.c b/vmm/vmmwininit.c
index 70a0ea1..68a752f 100644
--- a/vmm/vmmwininit.c
+++ b/vmm/vmmwininit.c
@@ -8,7 +8,6 @@
 #include "vmm.h"
 #include "mm.h"
-#include "mm_pfn.h"
 #include "pe.h"
 #include "pdb.h"
 #include "util.h"
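Review bot: VMMDLL_ProcessGetInformationAll_Impl reports "no results" in two different ways: an empty PID list takes the `fail` path (FALSE, NULL array, count 0), but when every VMMDLL_ProcessGetInformation_Impl call in the loop fails the function returns TRUE with a non-NULL `cPIDs`-sized array and `*pcProcInfo == 0`, which the caller must still release with VMMDLL_MemFree. Adding `if(!cProcInfo) { goto fail; }` after the loop would make both cases fail consistently and free the allocation; if the TRUE-with-zero outcome is intended, the header comment should say so. The array is also sized for `cPIDs` entries while only the first `cProcInfo` are filled, so a comment on the `*pcProcInfo = cProcInfo;` line such as `// entries [cProcInfo, cPIDs) are unused` would save the reader a check. The loop further relies on the second VmmProcessListPIDs call clamping `cPIDs` to the buffer it was given should the process list grow between the two calls; that contract is not visible here and is worth confirming.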
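Review bot: In the vmmdll.h hunk the parameter description `* -- ptr to DWORD to receive number of items processes on success.` reads as a typo and does not say how the count relates to the array; `* -- ptr to DWORD to receive the number of valid entries in the result array on success.` would be clearer. Since the implementation in vmmdll.c allocates one entry per PID but only counts the entries it could fill, the comment should also state that the array may contain more allocated entries than the returned count and that only the first `*pcProcessInformation` entries are valid.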
@@ -160,7 +159,6 @@ VOID VmmWinInit_TryInitializeKernelOptionalValues(_In_ VMM_HANDLE H)
 if(!H->vmm.kernel.opt.vaPfnDatabase) {
 PDB_GetSymbolPTR(H, PDB_HANDLE_KERNEL, "MmPfnDatabase", pObSystemProcess, &H->vmm.kernel.opt.vaPfnDatabase);
 }
- MmPfn_Initialize(H, pObSystemProcess);
 // PsLoadedModuleListExp
 if(!H->vmm.kernel.opt.vaPsLoadedModuleListExp) {
 PDB_GetSymbolAddress(H, PDB_HANDLE_KERNEL, "PsLoadedModuleList", &H->vmm.kernel.opt.vaPsLoadedModuleListExp);
diff --git a/vmm_example/vmmdll_example.c b/vmm_example/vmmdll_example.c
index 2ae302a..a8e3a94 100644
--- a/vmm_example/vmmdll_example.c
+++ b/vmm_example/vmmdll_example.c
@@ -327,6 +327,38 @@ int main(_In_ int argc, _In_ char* argv[])
 return 1;
 }
+
+ // Retrieve process information such as: name of the process, PML4 (DTB),
+ // PML4-USER (if exists) and Process State from _all_ processes.
+ // Active processes will have ProcessState = 0.
+ printf("------------------------------------------------------------\n");
+ printf("# Get Process Information from ALL PROCESSES. \n");
+ ShowKeyPress();
+ DWORD cProcessInformation = 0;
+ PVMMDLL_PROCESS_INFORMATION pProcessInformationEntry, pProcessInformationAll = NULL;
+ printf("CALL: VMMDLL_ProcessGetInformationAll\n");
+ result = VMMDLL_ProcessGetInformationAll(hVMM, &pProcessInformationAll, &cProcessInformation);
+ if(result) {
+ // print results upon success:
+ printf("SUCCESS: VMMDLL_ProcessGetInformationAll\n");
+ for(i = 0; i < cProcessInformation; i++) {
+ pProcessInformationEntry = &pProcessInformationAll[i];
+ printf(" --------------------------------------\n");
+ printf(" Name = %s\n", pProcessInformationEntry->szName);
+ printf(" LongName = %s\n", pProcessInformationEntry->szNameLong);
+ printf(" PageDirectoryBase = 0x%016llx\n", pProcessInformationEntry->paDTB);
+ printf(" PageDirectoryBaseUser = 0x%016llx\n", pProcessInformationEntry->paDTB_UserOpt);
+ printf(" ProcessState = 0x%08x\n", pProcessInformationEntry->dwState);
+ printf(" PID = 0x%08x\n", pProcessInformationEntry->dwPID);
+ printf(" ParentPID = 0x%08x\n", pProcessInformationEntry->dwPPID);
+ }
+ // free function allocated memory:
+ VMMDLL_MemFree(pProcessInformationAll);
+ } else {
+ printf("FAIL: VMMDLL_ProcessGetInformationAll\n");
+ return 1;
+ }
+
 // Retrieve the memory map from the page table. This function also tries to
 // make additional parsing to identify modules and tag the memory map with
diff --git a/vmmpyc/version.h b/vmmpyc/version.h
index 9575dd6..9e5bc71 100644
--- a/vmmpyc/version.h
+++ b/vmmpyc/version.h
@@ -3,8 +3,8 @@
 #define VERSION_MAJOR 5
 #define VERSION_MINOR 2
-#define VERSION_REVISION 10
-#define VERSION_BUILD 96
+#define VERSION_REVISION 11
+#define VERSION_BUILD 97
 #define VER_FILE_DESCRIPTION_STR "MemProcFS : Python API"
 #define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD