From a07e137a2aeb9bd49b8e7da929e4c5a2e2ee7244 Mon Sep 17 00:00:00 2001 From: ufrisk Date: Wed, 14 Dec 2022 23:25:53 +0100 Subject: [PATCH] Version 5.2.11 --- includes/lib32/vmm.lib | Bin 28208 -> 28490 bytes includes/lib64/vmm.lib | Bin 27660 -> 27936 bytes includes/libarm64/vmm.lib | Bin 27660 -> 27936 bytes includes/vmmdll.h | 16 +++++ m_vmemd/version.h | 4 +- memprocfs/version.h | 4 +- vmm/mm_pfn.c | 136 ++++++++++++++++++++++++-------------- vmm/mm_pfn.h | 7 +- vmm/statistics.h | 2 + vmm/vmmdll.h | 2 +- 10 files changed, 112 insertions(+), 59 deletions(-) 
diff --git a/includes/lib32/vmm.lib b/includes/lib32/vmm.lib index 64c7598eb3f351c7809e6dd1967b735372e71f2f..cddc5bf45c5cd5ffedc07cb46583508631145c3c 100644 GIT binary patch delta 2736 zcmbu&nWCih=j^1Mfuxkhl*T9H^!0mBSP>cMQAcX6q+Oomngcgp#y~Mits7aA+kz! z5K)*>_{WKafJNaiLk_;Pioj{qA!t(AA7Y{4h^P{m@Bodas*{M&WKhi_LUXI?3?g{Y zE<21Ue5&yF5eZ#Is$+=YomRN9F&R$B4T-k%L^2$E8`QZ}IF&lsj)8=Fy<+>T$f4n= z!b(K4enjEAVn-v9YyuJL52$7k!8R^SkllGukzdERJnuugCB7$p$qTNCyJB0|H5fygY z2_1u~c|>qMr|7_9g}zSJB}9nhqRS2uryHAwm+-bGLqsKEqHD5QSXgiUGk_9d|EKBD9}jtSWCjB z4#Egtj~&O{xE15UZOplhmXnV3w2w5TrDXcXQX1sDrnaa1X*UhfUfM&&R79=RMorXA zE!0VFa$%|M9_3RZ?dR{AvNre7F6yN|ic*Z?)I}Z&P>{MQL|*cd zpTZQOCA9RvC;$KF&iWtb9(!l4Tl*hBf;4vIB=h~$%(1SV+d9!WmRYRH$VZUC_xsFmcR~V$U6ZvGd}@ zJW506r$)B_}d|yX5r-CX|4zx`A*0oZ3$~djYs_nJf2oT^=A{j+NSu z=sadXX|w8Dj{%BjROdBtKyq;KfEiY*9NEl&%3)mD(6HR}Si0IGECu74#Y_jnriTN-eit+4Z)rBn=1{W2Mr5UCBdUQ^j4~v)qw@ z^Q>gst}B}Wl=2i^=|w(IWyLzXnMY>E2<$JgLAGPMVs=t?mFbGE14=OmQY!de1ngy{ zf`7ZpHWjT2;u#mw&aFX5S*iRLU7-^wbn^TQPwDFS0|EC~scuwPAIfWLv;|GGlB+pr zk(C;TgE)x>@)ZOfXC?oNuAhqtSYRFDzrGDYM_9=p8N>g8&;-r}04;$H%{huH7^8ij{1M@k+s$Bkp^4KQZGr*g)R0S;C z`P0q^*6jce(oHYt(hlrn9q$0*JAsqD&SLvTw(pat3z(xLZGf4(X=Odu3XHNnVo)z| z05i0?5;#l-4z!0#s)6H_$g_Xo1_qls394!VEWAEQGi+yZ=U$_XIxe6VczYL+RsxJs ze<|>g^)5Hf^DJ`Trc87Y_HEdpx)OsI(nVz)!{#vl57BD?GoZ%eeyM~2FAw@o|ngRlKnJy;S*hchB& zL$ghr37z`P%Ct0)jy2b6FI_1)r}~wtyDL_Px+}Hmsp0$aywxh1J<;-~Zikk4C}~zDZA`qTx>(F5@yf$#u8vzPZ}r$C zb2As_)X93)3O#WaN$a(luJx7QP>;2u z&ypag`y8e#+x)*(S#Ka)FWdb#&GL=xTPe(Z64IX_<9>&BE&J73mGm+38J5pjZp%Y| zf_!;xn2hz?45e#VuFGJ*_2mJFF?G|-f>l21x5(;PO)~0pWOYHb>FZgy9;+7&av1xj z1i3O`GbMcg>SeXIA!b9d@$$#k92p%nYdJftOX{44C3z@OW(O;^Ti%n?D%s6sJ1QaTn>VQN&&lyB2+;E<;Xc)gmbu_EBAv=oO5Q&gqYq& ztug(zF0pDXv9_xyCK}T;X}ok`Nr~m8Tkb7v)spGhAd+11}b|ld16T zl*VRVJtq>hpGl3^bafmj=zS*jY#0H8Tudt3VYttvVu!9I6HtoJ>PiOy#X8sUGE?Cs zl(kz7x0zJJl~C4(>ehb@P!GzU<=)YHF0HbrUsuFCR915}lr_8~WgRD=l;-GG*@2)B zm{fQ}x0-jV6izj4V$!-QUBLpNU;+2P;B{S%1qj;9B*!#eH76JJ9+PT)hO10+ZZmw% 
zBuAgl3AU*{$G~&jsdG#hZ~%cG^}(f3IuZ?gnAFLc2W@3i*K)%ElUlM32bt6wY2buf z6%M4dRT$1Qsd9y`Y8J3UeN^`AswRM-UMA&V)HN0HX{MFW8}2dh$+=}ECl`feO#fbC zSC`z1o+Fu2<`5o3y0hZtL{_3IFvH|g%1jwdF-vh)s_aj(NFXbg?L--LMo4RRlDv|d zATMP(u4~X{z=h@ET@h%>JL+WiArXw!E;s!F9r<#C$Jnosn6T@x5cDhMc zK4_;Ym4i)^kIQtNI2cG5KH8T6xa6n$*^lA>o`Y?I`Knq`}?89&4pbYls!QH>f@q6!;Oj|SAD4h~K?6Iob{45T3) z3$X}KW2+oZNXctMJ37#b0J^Xdjc9@wKKRiL7u@im1+AEZssBCr|37xh|1kE+-zUbK zzWc_6oqUvX%KY8;>Ewy5pUs!i#we|?_VJZ;F4RgHtxghqUcM}!w(nBnVR6s z7kt+?*4VWEb=GNzV@>x`SSbot2AxiAOU;!ls#0uJ!lgIbB-yoA)A_s32MO}$+Bx#e z+Dg-aWppS-ymhl>Bz3y9mMs%^MU-je-CY-wWV9|pcGTG;$9r4us%w>U*X4;hQ6}rG z+Qh4?ugqi7Dy8)u=GT%hf04x2dW6W6h&l4RdYk!e`N>c+Yh}S&tQ0j=XrX6T{vnk$ zn;d8eXgf#qhT_?>%gjc?9 zJFf9L{Hj*O<2D_ABlAM41ibSk&TBKhwzuNZe7WU~lM|tuyy`7Cjm*9ERgzTt66CSh zZg!3Q<_inYZRBt>Lt|x=&#vw3s~%R@YmyPB8qoEmK$x!ayG^!d)ln#Urn3&K=tb2ndf5SC8~LaOmB!X zzx3v@;P!X2Zb_dbN$Dop)^0T~EqQBLjT8vh6XYIi=@*v%L)E%in;tt?oEY%}c}NXs1mZtDXNR3;S(m ozqXKx1AS-ZW?-J|4%oHy{%=21&)yd44kSc4;jq~3qHSqASZjPF7B#V>R6{eFcEUs@{hoVw`d9zx zl$p={-SfNWp7T5Bo@MCcs6*GIj;symerHvx{^zp*xCgAB0&-)3wd;VqAwxc&DeDeJ ze91^v5fvst$?rF;cLTanM)FP=d?kS5-D&U-h5`Q|(8dWB-&+QM8uQe)JK{DYwUx(C0Y-9gCAy1@RGn>T;$Vt< zTLf3=rsirx6ARICj3#R4E+~y_B2F?=xGo1!YCkk={uEG(sv^!ZQZZMm%V4Ckrz7?; zDh~~IC!myEHEiK_E5$R0k{;%%e7P=+a&Et3|G=<0nguAk44b$kx+9EK%E@)FG13Np z2BjdyP`C-uaW@NTV<6%(BW-!tP;ij_5AypLOdIM40NvM&RL7!}`lk#o?ud>%8ZHN4b14K;W9fby~pEj$-W{(ZxS3T}0Ucydcd zR+^U2l|RMK9(f~nY<4(z)qj4(eE_Cb12MV$iLM2PScD}XIJ6G60^?8%u%Gwg$Gr4%(3@0L$(JdK z6CEJ81Gq@p)xhH>V4Is0Qgt&2Vfz4$@_tPtaFTNBfDdbdPdD=ySOlDC&Fu@E9 zcA*cY;!UYry%pQB4d2BMJdYgIp&m7;MHAd`p%D#mA{#64ES6&lmLdzw@El&0Zx*Dl z4HovbBP$jrn|aa`WGKTj zaya9sR(0&`yZj5B-$_|%Z+mLLT%w)Du&z{biBX?aDrad`V{wC*K8PeET zr5(>Lc$CgAoAoXS=gpBzjdtyLR^VfmEz+|uG`Xy2PMp87fSF>L#9^B+Z#Pxi_U<2h zpn8??>ⅇDU#{7o8SM9_vS*0a?h6ut5uG)?TrEc6A|Jb~)3MD5n>j%cCdlW$GV`iiTmO+D5j zzwGd9vrgW;pjuvu?euG}4z7Hd!j?~d(AlX4Y;s+FalbrZtGM4Wp?bDSQ^0Rsv_Jmu zscf}#=E)_=ve2b@`gx)w=nw?hl}1@Eat&@JbC;^d|7 zdTskp&W))|kIEd4H_KP-HnaEAq)LXEOp@*%hn9Kw`+BCAnQrU6(D^BK!nU%wJ4?SU 
z)gin27uOmuu((j7ShFlLn)iYnFN`%$RsUfkRgN>ethd(uV(!U{8S+eToXo^OBd2=H YOmFVqbx&UEO|!V*tgOuL=+MFS)$A58hm)$XaT;typ8! z`U=T!yRAlDHO4k8Ev6XPnr0Psjj_6FYOUJVXV$8#n+@60HS21>=gy?rr2jN2$!ETE zesgBdnKLt&Z8yg4yESegqd#NrTNdA+D;U6IAZ-h<@F0+J9e6w2aEM7+NroLvDlruA z1C*S}x~wrCr)-zbH3}&1TAgbn+vFMSR~w)yO6NY!4&+JGHEm;E`AXMZ5BQv8QsW_= z(*h`s$-0K4fa2Vxb4}!cWD7E^VJiK1xgopNaEwVM2?pLp36**b7noGXi}|c)D!eI;aGFVFnY!}HK&IN19nh7J0zT`Qlzlc+w%j@cr zdtuXLPN>>6}Anu=9#yjE#?2CXCbUTlO@|Yj9 zo631SF&B7`ES13f^tyxBTLFAXo@%Zr_3=%8N?UkLy|roW{p`>VJnZCby_^KabN~b7 z$J%OI*u~jXY74NJLRxttdPt>hTyDxN<743`cYry{Tt^r9c=EZ-8~C^$(PNGofIyfL zf_LB#6N2#rKlDjlbY*%sdhmVpVio2h6)RAQGL)kNwWvciYT)2>=O6`dAQ>}}gjtx4 zH?dj{N5^Nip&cFQgcn^{iF!1^4G)^oj7B)&LJL|k4u1bV`2Rn4{Qofa@XeSg(|5m^ zz~LA1N6p{;o`#R4ygNg#)`w~jW?i_F#D&U{t1Du~o|P@LE5l4RgBQ=fAtx(+AD{1A zTUlw-#y$&vK7)O8**8o+O$m_)tU5P*?;BOkGpfN-Mq7WjXf&Rcd|zd#s!E%G;M!SLDKIKQvM$Udsnu4~Kf>SrJX)SrPm^C% zmzmOc29CswyJo6fOqd|8#p&WK4K>NU-21U|wI*8D*4RU^`S-r77xAgfD|3vD)mXJP z&oiG)=KxkIs_ig;v32B+v1~1ezq|^bCV#HAng6-{hhN9BR_v>VOMYFccJRLGP6BH- z*;D7$?(P5E?I^bFGO4~vtEd=1VqvR9ep26NTF`y-%Or6(OqZdcAgRn+AlZ#!{>k$m zd?vRV;^pPs0Qp&iP5YoQ{L(C*R4#WKR+%aW2F}cq%Z*dy%ZBk{3DRU;qt*PQNcStX zq$@a)n8Y|4V=ed#|GR1pD}A*HN!2u2=`7N+x6ityrsR;5&L;nlDz!_p!!=d1U3P8z z%|(Bi#zWO2E~m-zPRw5u#Ot0e5pJ8wa%Ao|GvuB-LXHGzvfW)`I`cu@<5(&4M9WLJ z-JF~F_fr<0ThHMp1%ykt$F803Tl=}XUW0t%acVnX{_>e>HOiY!PVIKZ@mmpWIpya~ zZY}NXk1wj0OI|g(L(YA)|5*%MZuK}$&YLRhn~P0>A$2dJC9fq^YG;PX(foATniZ-& z-L(I?INa0_{>d}-uv$66Ju{=_*R9r& zLn)WfsduPN4YVjCMxxrR{=Fw&jL7Y_I5{=NBm-?$b3xA^o~d3PJac49l!P{C%7nU5 z^KWyeUQt)mIoxT}#@!qK+QNQ4 q?APXht?&Fzx$B)SJG^%7@c7p*t9P$gR(Yd?tKhKN<}~vk;lBZ7gU6}> delta 2690 zcmbW%ZBSI#83*t`on7RzM5Bl-1VI4_7(`;wpn`}Z!t%1bFDxv(%lpEL)+%*c!1K-;uw;uwiIPLfVLNrpPp#@5tMt!)`J#%daY#-uh#4EBHS-RY-(=#-h? 
zeeQYgx#v9R+_Mb*CFIbhkRxjY*^gu`(f>T*0B!)Qr-1A*VC^~}XULGtXUe)mL7y>F zc~GedP;&bW>z#mZl#$%y22UZNxOW=70|CH00JLyI#q+wso5(!1>1BUNM=8aSBZ>&L3z;IjI@O-)g?1h@%=&ljLL+; zRtG4B7Y$pv-O83(Lt!`bRFbX>poH76*xoU04rKw#F2g47i0%j@6>)Oi^Nh5CpFzos zH{@>ubllB++Sn0vfswYJG2|U&|AYMgdDDiP{eW(Uk*ZmgQZv`!;Ew3HQx2+Y3A)5c zwS7U{iCXGR3_8Y0K2EN5Zwfli7~rLgCtJ6dQJFIMJbZzAxMCfP>7ll`Ag-WInKrbu zARQ-Zr;eN;?m`Duykw|kp*rsJs!Cp}>I{|F_<(XU3{5;2O76#o4W-=bQgLM$j;u1J z&y(Lq&KWr#`I|X`?5zL%h<5{+S`CC{^C!9%7-A9Oxxk@yz-LN1VB$D^%sJNsqcra3 znczZqG7fn8E*J7T+ljp2!}}{#)C!!Uqb?w#8L%=AH33iYK5&;8KL;J7f-=5Lv7G1t zIqkq%%BTSDHUPa&PDmAv9E9xyG|Kxm^}x%NSq;2b1zg?CUtj_7HXYppB-8!HKtD}T zoej8H$ilZGfLT85W+T0XE1-AyFq8xAqS#Hq5lSuso~KhAfcQKf=6n`P9UFlQbY?4X zkojraUjxk00E?N+Sngm^)WR=yiTY|;1SNI?$2tQXz{df*fzuS;1?;6M@-Uy=!+|KS zjT6u`wY2jc%IRPc^b&WcuaZSm9an#iF@v8jlUw{TKUFD<=09hIVh${bz)qN8MmTn1 zH;Tj^U%h%8wxbtc#|}J0t-;jHYlh${j z6J7A38$Ix&5l!&Gix#xPg=VOOfOo%h{q+4YuIeg@B z@^cn-?B#f5v`WbKs3bWV6*DrN8NE#M>LSf)>+gK|kX)`!Vz+SFUuVeqFWs)QYqmYpmsNISFgs6nIBeRPjVC5jn9bL-!s<~myiY!;w`m2IKYXsT1$y?;28U(&^vORhW@ZaaVvkrPCmYHl=11MU zu6h;n>&Xuz;w8mtGZ#-3T~Ck@=OP)mSmc<~X6Z;>cvf{Q;;V01qGfSJn1nalv~%Ch zn@D87SX_-h?eGsi|62lEHhH5dMuwM}WP*Jbe6wq2DYGSdw!W!C>kq7&OlGE(nI6lN zcaD$7u~o*gmqtWMj;mC=(3@~;33KK0tgBPId_McvschLLqHagnPm`})iLxV1 zlc8pt_T=D^TWNe=$>;HMWsWAXZky>>Z)N;Trka!FdnuaQcFQv#{rr~N;A*vqlo&aY z!bNy&mca65m(&*5==nsc^{$b_C6Sh&oQNJ%h1D{DKE*1No?`R&zy0*2RnB{&q{3US ziT$hFR`zhnD_*y@Vc*;_wXAxX*V1FT_uS8JtJxa(_Pe3+^5d2=^XzLW7ZN1U5+j~a zlPqX0x163kd436dHR`=0nGcoyt)<#)hX(YKo8-@}Zf*B))*sb8F3E3mYmfA1or__s zSzc}PYIiQ4zNuPniEQ_3PgpPBjc3avkF~dJZ@%!?_th8o%1yQ^e{}DL>e(U<9bU`u z0++tUt(^Jq55`G?eT{6(jkJ8Lads@0z1o-$NnIo*oyF!iOGl@d%F0fwe3}&|Z*`Vw z<74TQ>OgeJysn;znWof_RI5{+qK6m7$Y7VpVKQY{ay0Ws2HoqVL2E}NtSpWb4 diff --git a/includes/vmmdll.h b/includes/vmmdll.h index a5c4184..fced1b5 100644 --- a/includes/vmmdll.h +++ b/includes/vmmdll.h 
@@ -1981,6 +1981,22 @@ BOOL VMMDLL_ProcessGetInformation( _In_ PSIZE_T pcbProcessInformation ); +/* +* Retrieve various information from all processes (including terminated). +* CALLER FREE : VMMDLL_MemFree(*ppProcessInformationAll) +* -- hVMM +* -- ptr to receive result array of pcProcessInformation items on success. +* Must be free'd with VMMDLL_MemFree(). +* -- ptr to DWORD to receive number of items processes on success. +* -- return = success/fail. +*/ +EXPORTED_FUNCTION _Success_(return) +BOOL VMMDLL_ProcessGetInformationAll( + _In_ VMM_HANDLE hVMM, + _Out_ PVMMDLL_PROCESS_INFORMATION *ppProcessInformationAll, + _Out_ PDWORD pcProcessInformation +); + #define VMMDLL_PROCESS_INFORMATION_OPT_STRING_PATH_KERNEL 1 #define VMMDLL_PROCESS_INFORMATION_OPT_STRING_PATH_USER_IMAGE 2 #define VMMDLL_PROCESS_INFORMATION_OPT_STRING_CMDLINE 3 diff --git a/m_vmemd/version.h b/m_vmemd/version.h index c4d7a40..75ce483 100644 --- a/m_vmemd/version.h +++ b/m_vmemd/version.h @@ -3,8 +3,8 @@ #define VERSION_MAJOR 5 #define VERSION_MINOR 2 -#define VERSION_REVISION 10 -#define VERSION_BUILD 96 +#define VERSION_REVISION 11 +#define VERSION_BUILD 97 #define VER_FILE_DESCRIPTION_STR "MemProcFS : Plugin vmemd" #define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD diff --git a/memprocfs/version.h b/memprocfs/version.h index f91f510..3e3ba4a 100644 --- a/memprocfs/version.h +++ b/memprocfs/version.h @@ -3,8 +3,8 @@ #define VERSION_MAJOR 5 #define VERSION_MINOR 2 -#define VERSION_REVISION 10 -#define VERSION_BUILD 96 +#define VERSION_REVISION 11 +#define VERSION_BUILD 97 #define VER_FILE_DESCRIPTION_STR "MemProcFS" #define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD diff --git a/vmm/mm_pfn.c b/vmm/mm_pfn.c index 129206e..7b1cec1 100644 --- a/vmm/mm_pfn.c +++ b/vmm/mm_pfn.c 
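Review bot: The parameter line `* -- ptr to DWORD to receive number of items processes on success.` in the new VMMDLL_ProcessGetInformationAll comment reads awkwardly; `* -- ptr to DWORD to receive the number of process entries in the returned array.` says the same thing clearly. The comment also leaves open what the two _Out_ parameters hold when the call returns FALSE, and since the caller is told to hand `*ppProcessInformationAll` to VMMDLL_MemFree, one added line stating that nothing needs freeing on failure (and whether the pointer is written at all) prevents an easy double-free or free-of-garbage at the call site. The identical wording appears in the vmm/vmmdll.h copy of this declaration later in the patch, so both should be updated together.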
@@ -9,10 +9,10 @@
 #include "pdb.h"
 #include "util.h"
 
-typedef struct tdOB_MMPFN_CONTEXT {
-    OB ObHdr;
+typedef struct tdMMPFN_CONTEXT {
+    BOOL fValid;
+    SRWLOCK LockSRW;
     QWORD vaPfnDatabase;
-    CRITICAL_SECTION Lock;
     POB_CONTAINER pObCProcTableDTB;
     struct {
         WORD cb;
@@ -23,30 +23,34 @@ typedef struct tdOB_MMPFN_CONTEXT {
         WORD ou4;
     } _MMPFN;
     DWORD iPfnMax;
-} OB_MMPFN_CONTEXT, *POB_MMPFN_CONTEXT;
+} MMPFN_CONTEXT, *PMMPFN_CONTEXT;
 
 #define MMPFN_PFN_TO_VA(ctx, i) (ctx->vaPfnDatabase + (QWORD)i * ctx->_MMPFN.cb)
 
-VOID MmPfn_CallbackCleanup_ObContext(POB_MMPFN_CONTEXT ctx)
+VOID MmPfn_Close(_In_ VMM_HANDLE H)
 {
+    PMMPFN_CONTEXT ctx = (PMMPFN_CONTEXT)H->vmm.pMmPfnContext;
+    if(!ctx) { return; }
+    H->vmm.pMmPfnContext = NULL;
     Ob_DECREF(ctx->pObCProcTableDTB);
-    DeleteCriticalSection(&ctx->Lock);
+    LocalFree(ctx);
 }
 
 VOID MmPfn_Refresh(_In_ VMM_HANDLE H)
 {
-    POB_MMPFN_CONTEXT ctx = (POB_MMPFN_CONTEXT)H->vmm.pObPfnContext;
+    PMMPFN_CONTEXT ctx = (PMMPFN_CONTEXT)H->vmm.pMmPfnContext;
     if(!ctx) { return; }
     ObContainer_SetOb(ctx->pObCProcTableDTB, NULL);
 }
 
-_Success_(return)
-BOOL MmPfn_Initialize_X64_Static(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pSystemProcess, _In_ POB_MMPFN_CONTEXT ctx)
+VOID MmPfn_InitializeContext_StaticX64(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pSystemProcess, _In_ PMMPFN_CONTEXT ctx)
 {
-    DWORD i, j, dwVersionBuild = H->vmm.kernel.dwVersionBuild;
+    DWORD iPte, iPfnSystem, dwVersionBuild = H->vmm.kernel.dwVersionBuild;
+    QWORD vaPteSystem, paDtbSystem, vaDtbSystem;
+    POB_SET psvaOb = NULL;
     PVMMOB_MAP_PTE pObMapPte = NULL;
-    PVMM_MAP_PTEENTRY pe1, pe2;
-    if(dwVersionBuild < 6000) { return FALSE; }
+    if(dwVersionBuild < 6000) { return; }
+    // 1: static offsets
     ctx->vaPfnDatabase = 0xFFFFFA8000000000;
     ctx->_MMPFN.oOriginalPte = 0x020;
     ctx->_MMPFN.oPteAddress = 0x010;
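Review bot: MmPfn_InitializeContext_StaticX64 now returns VOID and reports its outcome only through `ctx->fValid`, but it carries no header comment saying so; the `_Success_(return)` BOOL it replaces made that contract visible at the call site. Suggest a comment in the file's existing style above the definition: `/* Initialize the PFN context from static _MMPFN offsets (kernel build 6000+, x64 only). Sets ctx->fValid on success; on build 14393+ the MmPfnDatabase base is located by search, so vaPfnDatabase is only trustworthy when fValid is set. -- H / -- pSystemProcess / -- ctx */`. MmPfn_Close likewise clears and frees the context with no synchronisation against concurrent MmPfn_GetContext callers; the shutdown-only wording lives only in mm_pfn.h, and a one-line `// no locking: shutdown only, see mm_pfn.h` at the top of MmPfn_Close keeps that constraint visible where the free happens. The body of MmPfn_InitializeContext_StaticX64 continues past the end of this hunk.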
@@ -60,50 +64,80 @@ BOOL MmPfn_Initialize_X64_Static(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pSystemPro
         ctx->_MMPFN.ou2 = 0x018;
         ctx->_MMPFN.ou3 = 0x020;
     }
-    if(dwVersionBuild < 14393) { return TRUE; }
-    // search for MmPfnDatabase virtual address on 14393+
-    if(VmmMap_GetPte(H, pSystemProcess, &pObMapPte, FALSE) && pObMapPte->cMap) {
-        for(i = pObMapPte->cMap; i; i--) {
-            pe1 = pObMapPte->pMap + i;
-            if(pe1->cPages > 0x10000000) {
-                for(j = i; j; j--) {
-                    pe2 = pObMapPte->pMap + j;
-                    if((pe1->vaBase & 0xfffffff000000000) != (pe2->vaBase & 0xfffffff000000000)) { break; }
-                    if((pe2->vaBase & 0x0000000fffffffff) == 0) {
-                        ctx->vaPfnDatabase = pe2->vaBase;
-                        Ob_DECREF(pObMapPte);
-                        return TRUE;
-                    }
-                }
+    if(dwVersionBuild < 14393) {
+        ctx->fValid = TRUE;
+        return;
+    }
+    // 2: MmPfnDatabase virtual address is randomized on 14393+
+    // Search for candidates amongst PTEs starting at 4GB boundaries:
+    // Verify candidates by using known kernel PML4 PFN as oracle:
+    if(!VmmMap_GetPte(H, pSystemProcess, &pObMapPte, FALSE)) { goto fail; }
+    if(!(psvaOb = ObSet_New(H))) { goto fail; }
+    // 2.1: search for candidates starting 4GB boundaries:
+    iPfnSystem = (DWORD)(H->vmm.kernel.paDTB >> 12);
+    for(iPte = 0; iPte < pObMapPte->cMap; iPte++) {
+        if(!(DWORD)pObMapPte->pMap[iPte].vaBase) {
+            ObSet_Push(psvaOb, pObMapPte->pMap[iPte].vaBase + iPfnSystem * ctx->_MMPFN.cb);
+        }
+    }
+    // 2.2: verify candidate is correct by using kernel PML4 PTE as oracle:
+    VmmCachePrefetchPages3(H, pSystemProcess, psvaOb, ctx->_MMPFN.cb, 0);
+    while((vaPteSystem = ObSet_Pop(psvaOb))) {
+        if(VmmRead(H, pSystemProcess, vaPteSystem + ctx->_MMPFN.oPteAddress, (PBYTE)&vaDtbSystem, 8) && VMM_KADDR64_8(vaDtbSystem)) {
+            vaDtbSystem = vaDtbSystem & ~0xfff;
+            if(VmmVirt2Phys(H, pSystemProcess, vaDtbSystem, &paDtbSystem) && (paDtbSystem == pSystemProcess->paDTB)) {
+                ctx->vaPfnDatabase = vaPteSystem - iPfnSystem * ctx->_MMPFN.cb;
+                ctx->fValid = TRUE;
+                break;
             }
         }
     }
+fail:
     Ob_DECREF(pObMapPte);
-    return FALSE;
+    Ob_DECREF(psvaOb);
 }
 
-VOID MmPfn_Initialize(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pSystemProcess)
+VOID MmPfn_InitializeContext(_In_ VMM_HANDLE H)
 {
-    BOOL f;
-    POB_MMPFN_CONTEXT ctx;
-    if(!(ctx = Ob_AllocEx(H, OB_TAG_PFN_CONTEXT, LMEM_ZEROINIT, sizeof(OB_MMPFN_CONTEXT), (OB_CLEANUP_CB)MmPfn_CallbackCleanup_ObContext, NULL))) { return; }
-    InitializeCriticalSection(&ctx->Lock);
-    ctx->pObCProcTableDTB = ObContainer_New();
-    f = PDB_GetSymbolPTR(H, PDB_HANDLE_KERNEL, "MmPfnDatabase", pSystemProcess, &ctx->vaPfnDatabase) &&
+    PMMPFN_CONTEXT ctx = NULL;
+    PVMM_PROCESS pObSystemProcess = NULL;
+    if(!(pObSystemProcess = VmmProcessGet(H, 4))) { goto fail; }
+    if(!(ctx = LocalAlloc(LMEM_ZEROINIT, sizeof(MMPFN_CONTEXT)))) { goto fail; }
+    if(!(ctx->pObCProcTableDTB = ObContainer_New())) { goto fail; }
+    ctx->iPfnMax = (DWORD)(H->dev.paMax >> 12);
+    ctx->fValid = PDB_GetSymbolPTR(H, PDB_HANDLE_KERNEL, "MmPfnDatabase", pObSystemProcess, &ctx->vaPfnDatabase) &&
         PDB_GetTypeSizeShort(H, PDB_HANDLE_KERNEL, "_MMPFN", &ctx->_MMPFN.cb) &&
         PDB_GetTypeChildOffsetShort(H, PDB_HANDLE_KERNEL, "_MMPFN", "OriginalPte", &ctx->_MMPFN.oOriginalPte) &&
         PDB_GetTypeChildOffsetShort(H, PDB_HANDLE_KERNEL, "_MMPFN", "PteAddress", &ctx->_MMPFN.oPteAddress) &&
         PDB_GetTypeChildOffsetShort(H, PDB_HANDLE_KERNEL, "_MMPFN", "u2", &ctx->_MMPFN.ou2) &&
         PDB_GetTypeChildOffsetShort(H, PDB_HANDLE_KERNEL, "_MMPFN", "u3", &ctx->_MMPFN.ou3) &&
         PDB_GetTypeChildOffsetShort(H, PDB_HANDLE_KERNEL, "_MMPFN", "u4", &ctx->_MMPFN.ou4);
-    if(!f && (H->vmm.tpMemoryModel == VMM_MEMORYMODEL_X64)) {
-        f = MmPfn_Initialize_X64_Static(H, pSystemProcess, ctx);
+    if(!ctx->fValid && (H->vmm.tpMemoryModel == VMM_MEMORYMODEL_X64)) {
+        MmPfn_InitializeContext_StaticX64(H, pObSystemProcess, ctx);
     }
-    if(f && ctx->pObCProcTableDTB) {
-        ctx->iPfnMax = (DWORD)(H->dev.paMax >> 12);
-        H->vmm.pObPfnContext = Ob_INCREF(ctx);
+    H->vmm.pMmPfnContext = ctx;
+fail:
+    Ob_DECREF(pObSystemProcess);
+    if(ctx && (ctx != H->vmm.pMmPfnContext)) {
+        Ob_DECREF(ctx->pObCProcTableDTB);
+        LocalFree(ctx);
     }
-    Ob_DECREF(ctx);
+}
+
+_Success_(return != NULL)
+PMMPFN_CONTEXT MmPfn_GetContext(_In_ VMM_HANDLE H)
+{
+    PMMPFN_CONTEXT ctx;
+    static SRWLOCK LockSRW = SRWLOCK_INIT;
+    if(!H->vmm.pMmPfnContext) {
+        AcquireSRWLockExclusive(&LockSRW);
+        if(!H->vmm.pMmPfnContext) {
+            MmPfn_InitializeContext(H);
+        }
+        ReleaseSRWLockExclusive(&LockSRW);
+    }
+    ctx = (PMMPFN_CONTEXT)H->vmm.pMmPfnContext;
+    return (ctx && ctx->fValid) ? ctx : NULL;
 }
 
 /*
@@ -113,7 +147,7 @@ VOID MmPfn_Initialize(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pSystemProcess)
 * -- ctx
 * -- return
 */
-POB_MAP MmPfn_ProcDTB_Create(_In_ VMM_HANDLE H, _In_ POB_MMPFN_CONTEXT ctx)
+POB_MAP MmPfn_ProcDTB_Create(_In_ VMM_HANDLE H, _In_ PMMPFN_CONTEXT ctx)
 {
     POB_MAP pmOb = NULL;
     PVMM_PROCESS pObProcess = NULL;
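Review bot: The two PFN-offset computations in MmPfn_InitializeContext_StaticX64 multiply in 32 bits: `iPfnSystem` is a DWORD and `ctx->_MMPFN.cb` a WORD, so `iPfnSystem * ctx->_MMPFN.cb` wraps once the kernel DTB lies beyond roughly 2^32 / cb pages of physical memory, whereas the MMPFN_PFN_TO_VA macro earlier in this file already widens with `(QWORD)i`; use `(QWORD)iPfnSystem * ctx->_MMPFN.cb` in both the ObSet_Push argument and the `ctx->vaPfnDatabase = vaPteSystem - ...` assignment so a wrapped candidate cannot be pushed or a wrapped base stored as valid. In MmPfn_GetContext the lock-free fast path reads `H->vmm.pMmPfnContext` and then `ctx->fValid`, while MmPfn_InitializeContext publishes the pointer with a plain store after filling the struct; this is unlikely to misbehave on x86-64, but publishing with `InterlockedExchangePointer` (or a comment stating the reliance on the platform's store ordering) would make the double-checked pattern explicit rather than incidental. The context's `LockSRW` is initialised only by LMEM_ZEROINIT, which matches SRWLOCK_INIT today; an explicit `InitializeSRWLock(&ctx->LockSRW);` after the LocalAlloc documents that intent. Note also the asymmetry in the failure handling: when `VmmProcessGet(H, 4)` fails no context is stored and every later MmPfn_GetContext call re-enters initialisation, whereas a failed PDB/static lookup stores an invalid context that is never retried — worth a short comment if that is deliberate.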
@@ -135,23 +169,23 @@ POB_MAP MmPfn_ProcDTB_Create(_In_ VMM_HANDLE H, _In_ POB_MMPFN_CONTEXT ctx)
 * -- ctx
 * -- return
 */
-DWORD MmPfn_GetPidFromDTB(_In_ VMM_HANDLE H, _In_ POB_MMPFN_CONTEXT ctx, _In_ PVMM_PROCESS pSystemProcess, _In_ QWORD qwPfnDTB)
+DWORD MmPfn_GetPidFromDTB(_In_ VMM_HANDLE H, _In_ PMMPFN_CONTEXT ctx, _In_ PVMM_PROCESS pSystemProcess, _In_ QWORD qwPfnDTB)
 {
     DWORD dwPID = 0;
     POB_MAP pmObDtbPfn2Pid = NULL;
     if(!(pmObDtbPfn2Pid = ObContainer_GetOb(ctx->pObCProcTableDTB))) {
-        EnterCriticalSection(&ctx->Lock);
+        AcquireSRWLockExclusive(&ctx->LockSRW);
         if(!(pmObDtbPfn2Pid = ObContainer_GetOb(ctx->pObCProcTableDTB))) {
             pmObDtbPfn2Pid = MmPfn_ProcDTB_Create(H, ctx);
         }
-        LeaveCriticalSection(&ctx->Lock);
+        ReleaseSRWLockExclusive(&ctx->LockSRW);
     }
     dwPID = 0x7fffffff & (DWORD)(SIZE_T)ObMap_GetByKey(pmObDtbPfn2Pid, qwPfnDTB);
     Ob_DECREF(pmObDtbPfn2Pid);
     return dwPID;
 }
 
-VOID MmPfn_Map_GetPfn_GetVaX64(_In_ VMM_HANDLE H, _In_ POB_MMPFN_CONTEXT ctx, _In_ PVMM_PROCESS pSystemProcess, _In_ POB_SET psPte, _In_ POB_SET psPrefetch, _In_ BYTE iPML)
+VOID MmPfn_Map_GetPfn_GetVaX64(_In_ VMM_HANDLE H, _In_ PMMPFN_CONTEXT ctx, _In_ PVMM_PROCESS pSystemProcess, _In_ POB_SET psPte, _In_ POB_SET psPrefetch, _In_ BYTE iPML)
 {
     BOOL f;
     BYTE tp, pbPfn[0x30];
@@ -222,7 +256,7 @@ restart_new_pml_level:
     }
 }
 
-VOID MmPfn_Map_GetPfn_GetVaX86PAE(_In_ VMM_HANDLE H, _In_ POB_MMPFN_CONTEXT ctx, _In_ PVMM_PROCESS pSystemProcess, _In_ POB_SET psPte, _In_ POB_SET psPrefetch, _In_ BYTE iPML)
+VOID MmPfn_Map_GetPfn_GetVaX86PAE(_In_ VMM_HANDLE H, _In_ PMMPFN_CONTEXT ctx, _In_ PVMM_PROCESS pSystemProcess, _In_ POB_SET psPte, _In_ POB_SET psPrefetch, _In_ BYTE iPML)
 {
     BOOL f;
     BYTE tp, pbPfn[0x30];
@@ -268,7 +302,7 @@ VOID MmPfn_Map_GetPfn_GetVaX86PAE(_In_ VMM_HANDLE H, _In_ POB_MMPFN_CONTEXT ctx, } } -VOID MmPfn_Map_GetPfn_GetVaX86(_In_ VMM_HANDLE H, _In_ POB_MMPFN_CONTEXT ctx, _In_ PVMM_PROCESS pSystemProcess, _In_ POB_SET psPte, _In_ POB_SET psPrefetch) +VOID MmPfn_Map_GetPfn_GetVaX86(_In_ VMM_HANDLE H, _In_ PMMPFN_CONTEXT ctx, _In_ PVMM_PROCESS pSystemProcess, _In_ POB_SET psPte, _In_ POB_SET psPrefetch) { BOOL f; BYTE tp, pbPfn[0x30]; @@ -316,7 +350,7 @@ VOID MmPfn_Map_GetPfn_GetVaX86(_In_ VMM_HANDLE H, _In_ POB_MMPFN_CONTEXT ctx, _I _Success_(return) BOOL MmPfn_Map_GetPfnScatter(_In_ VMM_HANDLE H, _In_ POB_SET psPfn, _Out_ PMMPFNOB_MAP *ppObPfnMap, _In_ BOOL fExtended) { - POB_MMPFN_CONTEXT ctx = (POB_MMPFN_CONTEXT)H->vmm.pObPfnContext; + PMMPFN_CONTEXT ctx; BOOL f32 = H->vmm.f32; BYTE pbPfn[0x30] = { 0 }; PVMM_PROCESS pObSystemProcess = NULL; @@ -329,14 +363,14 @@ BOOL MmPfn_Map_GetPfnScatter(_In_ VMM_HANDLE H, _In_ POB_SET psPfn, _Out_ PMMPFN QWORD va; BYTE pb[0x1000]; } PageCache; - if(!ctx) { goto fail; } // initialization - PageCache.va = 0; + if(!(ctx = MmPfn_GetContext(H))) { goto fail; } if(!(cPfn = ObSet_Size(psPfn))) { goto fail; } if(!(pObSystemProcess = VmmProcessGet(H, 4))) { goto fail; } if(!(psObPrefetch = ObSet_New(H))) { goto fail; } if(!(pObPfnMap = Ob_AllocEx(H, OB_TAG_MAP_PFN, LMEM_ZEROINIT, sizeof(MMPFNOB_MAP) + cPfn * sizeof(MMPFN_MAP_ENTRY), NULL, NULL))) { goto fail; } pObPfnMap->cMap = cPfn; + PageCache.va = 0; if(fExtended) { if(!(psObEnrichAddress = ObSet_New(H))) { goto fail; } } diff --git a/vmm/mm_pfn.h b/vmm/mm_pfn.h index 8dbe3ad..02dabec 100644 --- a/vmm/mm_pfn.h +++ b/vmm/mm_pfn.h 
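Review bot: In MmPfn_Map_GetPfnScatter the `PageCache.va = 0;` store is moved below four `goto fail` exits that precede it, so on those paths PageCache is now an uninitialised automatic; if the `fail:` path, which lies outside this hunk, reads or compares `PageCache.va`, that is a use of indeterminate memory, and keeping the store directly after the new `if(!(ctx = MmPfn_GetContext(H))) { goto fail; }` line costs nothing and removes the question. If the move is intentional because nothing before the allocation touches the cache, a one-line `// PageCache is only consulted after this point` would make that explicit. The rest of MmPfn_Map_GetPfnScatter, including the fail label, continues outside the hunk.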
@@ -83,11 +83,12 @@ typedef struct tdMMPFNOB_MAP {
 } MMPFNOB_MAP, *PMMPFNOB_MAP;
 
 /*
-* Initialize the PFN (page frame number) subsystem.
+* Close / Shutdown the PFN subsystem. This function should never be called when
+* there may be an active thread in the PFN subsystem. This function should only
+* be called on shutdown.
 * -- H
-* -- pSystemProcess
 */
-VOID MmPfn_Initialize(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pSystemProcess);
+VOID MmPfn_Close(_In_ VMM_HANDLE H);
 
 /*
 * Refresh the PFN (page frame number) subsystem.
diff --git a/vmm/statistics.h b/vmm/statistics.h
index 797a530..51c674c 100644
--- a/vmm/statistics.h
+++ b/vmm/statistics.h
@@ -40,6 +40,7 @@ typedef enum tdSTATISTICS_ID {
     STATISTICS_ID_VMMDLL_PidList,
     STATISTICS_ID_VMMDLL_PidGetFromName,
     STATISTICS_ID_VMMDLL_ProcessGetInformation,
+    STATISTICS_ID_VMMDLL_ProcessGetInformationAll,
     STATISTICS_ID_VMMDLL_ProcessGetInformationString,
     STATISTICS_ID_VMMDLL_Log,
     STATISTICS_ID_VMMDLL_Map_GetPte,
@@ -121,6 +122,7 @@ static LPCSTR STATISTICS_ID_STR[STATISTICS_ID_MAX] = {
     [STATISTICS_ID_VMMDLL_PidList] = "VMMDLL_PidList",
     [STATISTICS_ID_VMMDLL_PidGetFromName] = "VMMDLL_PidGetFromName",
     [STATISTICS_ID_VMMDLL_ProcessGetInformation] = "VMMDLL_ProcessGetInformation",
+    [STATISTICS_ID_VMMDLL_ProcessGetInformationAll] = "VMMDLL_ProcessGetInformationAll",
     [STATISTICS_ID_VMMDLL_ProcessGetInformationString] = "VMMDLL_ProcessGetInformationString",
     [STATISTICS_ID_VMMDLL_Log] = "VMMDLL_Log",
     [STATISTICS_ID_VMMDLL_Map_GetPte] = "VMMDLL_Map_GetPte",
diff --git a/vmm/vmmdll.h b/vmm/vmmdll.h
index 63ade6e..fced1b5 100644
--- a/vmm/vmmdll.h
+++ b/vmm/vmmdll.h
@@ -1990,7 +1990,7 @@ BOOL VMMDLL_ProcessGetInformation(
 * -- ptr to DWORD to receive number of items processes on success.
 * -- return = success/fail.
 */
-_Success_(return)
+EXPORTED_FUNCTION _Success_(return)
 BOOL VMMDLL_ProcessGetInformationAll(
     _In_ VMM_HANDLE hVMM,
     _Out_ PVMMDLL_PROCESS_INFORMATION *ppProcessInformationAll,