From a1a517924c02f1003a9544681be6c4e2c03dced0 Mon Sep 17 00:00:00 2001 From: ufrisk Date: Fri, 17 Feb 2023 21:47:53 +0100 Subject: [PATCH] Version 5.3.2 --- vmmjava/VmmExample.java | 22 ++-- vmmjava/vmm/IVmm.java | 97 +++++++++++++++-- vmmjava/vmm/IVmmModule.java | 16 +++ vmmjava/vmm/IVmmProcess.java | 6 +- vmmjava/vmm/entry/VmmMap_ModuleExport.java | 3 +- vmmjava/vmm/entry/Vmm_ModuleExDebugInfo.java | 20 ++++ .../vmm/entry/Vmm_ModuleExVersionInfo.java | 24 +++++ vmmjava/vmm/internal/VmmImpl.java | 102 +++++++++++++++--- vmmjava/vmm/internal/VmmNative.java | 77 ++++++++++--- 9 files changed, 320 insertions(+), 47 deletions(-) create mode 100644 vmmjava/vmm/entry/Vmm_ModuleExDebugInfo.java create mode 100644 vmmjava/vmm/entry/Vmm_ModuleExVersionInfo.java diff --git a/vmmjava/VmmExample.java b/vmmjava/VmmExample.java index 971d5e4..9e074aa 100644 --- a/vmmjava/VmmExample.java +++ b/vmmjava/VmmExample.java @@ -13,11 +13,11 @@ public class VmmExample { public static void main(String[] args) { // Initialize VMM.DLL - // arguments are as they are given on the command line. - // also required is to specify the path to the native MemProcFS files - // important! remember to close the vmm object after use to free up native resources! + // Arguments are as they are given on the command line. + // Also required is to specify the path to the native MemProcFS files. + // Important! remember to close the vmm object after use to free up native resources! String strPathToNativeBinaries = "C:\\Github\\MemProcFS-dev\\files"; - String[] argv = {"-printf", "-device", "c:\\dumps\\WIN7-X64-SP1-1.pmem"}; + String[] argv = {"-device", "c:\\dumps\\WIN7-X64-SP1-1.pmem", "-printf", "-v"}; IVmm vmm = IVmm.initializeVmm(strPathToNativeBinaries, argv); // Get/Set option 
@@ -51,7 +51,7 @@ public class VmmExample { List maps_net = vmm.mapNet(); List maps_users = vmm.mapUser(); List maps_services = vmm.mapService(); - VmmMap_PoolMap maps_pool = vmm.mapPool(); + VmmMap_PoolMap maps_pool = vmm.mapPool(true); // retrieve big pool entries only (faster). // get kernel info IVmmProcess processKernel1 = vmm.kernelProcess(); @@ -74,12 +74,18 @@ public class VmmExample { List procmaps_VADex = processExplorer.mapVadEx(0, 0x100); // get module - List moduleExplorerAll = processExplorer.moduleGetAll(); - IVmmModule moduleExplorerKernel32 = processExplorer.moduleGet("kernel32.dll"); + List moduleExplorerAll = processExplorer.moduleGetAll(false); // retrieve without extended debug/version info. + IVmmModule moduleExplorerKernel32 = processExplorer.moduleGet("kernel32.dll", true); // retrieve with extended debug/version info. // get some module info (additional info exists - check interface for more!) String strModuleKernel32Full = moduleExplorerKernel32.getNameFull(); + // get debug info and version info of kernel32. + // This requires that the module have been initialized with isExtendedInfo = true, + // but the call may still fail and return null if required memory is unreadable. + Vmm_ModuleExDebugInfo moduleExplorerKernel32_DebugInfo = moduleExplorerKernel32.getExDebugInfo(); + Vmm_ModuleExVersionInfo moduleExplorerKernel32_VersionInfo = moduleExplorerKernel32.getExVersionInfo(); + // get module maps for kernel32: List moduleKernel32_DataDirectory = moduleExplorerKernel32.mapDataDirectory(); List moduleKernel32_Export = moduleExplorerKernel32.mapExport(); 
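Review bot: The example stores the results of `getExDebugInfo()` and `getExVersionInfo()` that its own comment says may be null, but never guards them, so anyone copying the snippet into real code inherits a latent NullPointerException; a one-line guard such as `if(moduleExplorerKernel32_DebugInfo != null) { System.out.println(moduleExplorerKernel32_DebugInfo.PdbFilename); }` would make the example teach the intended pattern. The new comment also reads `the module have been initialized` where `has been` is meant, and it could name the actual call that enables the data, `moduleGet("kernel32.dll", true)`, since `moduleGetAll(false)` just above deliberately leaves it off. main() continues outside the hunk.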
@@ -91,7 +97,7 @@ public class VmmExample { IVmmPdb pdbKernel32 = moduleExplorerKernel32.getPdb(); long vaGetProcAddress = pdbKernel32.getSymbolAddress("GetProcAddress"); int cbEprocess = pdbKernel.getTypeSize("_EPROCESS"); - int oEprocessToken = pdbKernel.getTypeChildOffset("_EPROCESS", "Token"); + int oEprocessToken = pdbKernel.getTypeChildOffset("_EPROCESS", "Token"); // registry List reghives = vmm.regHive(); diff --git a/vmmjava/vmm/IVmm.java b/vmmjava/vmm/IVmm.java index 5856a1f..22de1ed 100644 --- a/vmmjava/vmm/IVmm.java +++ b/vmmjava/vmm/IVmm.java 
@@ -73,20 +73,77 @@ public interface IVmm public static final long OPT_CONFIG_VMM_VERSION_REVISION = 0x2000000B00000000L; public static final long OPT_CONFIG_STATISTICS_FUNCTIONCALL = 0x2000000C00000000L; public static final long OPT_CONFIG_IS_PAGING_ENABLED = 0x2000000D00000000L; + + + /** + * Retrieve the OS kernel major version. + */ public static final long OPT_WIN_VERSION_MAJOR = 0x2000010100000000L; + + /** + * Retrieve the OS kernel minor version. + */ public static final long OPT_WIN_VERSION_MINOR = 0x2000010200000000L; + + /** + * Retrieve the OS kernel build. + */ public static final long OPT_WIN_VERSION_BUILD = 0x2000010300000000L; + + /** + * Retrieve the MemProcFS generated system id. + */ public static final long OPT_WIN_SYSTEM_UNIQUE_ID = 0x2000010400000000L; + + + /** + * Forensic mode. + */ public static final long OPT_FORENSIC_MODE = 0x2000020100000000L; - public static final long OPT_REFRESH_ALL = 0x2001ffff00000000L; - public static final long OPT_REFRESH_FREQ_MEM = 0x2001000200000000L; - public static final long OPT_REFRESH_FREQ_TLB = 0x2001000400000000L; - public static final long OPT_REFRESH_FREQ_FAST = 0x2001040000000000L; - public static final long OPT_REFRESH_FREQ_MEDIUM = 0x2001000100000000L; - public static final long OPT_REFRESH_FREQ_SLOW = 0x2001001000000000L; + + + /** + * Total refresh. + */ + public static final long VMMDLL_OPT_REFRESH_ALL = 0x2001ffff00000000L; + + /** + * Refresh total memory caches. + */ + public static final long VMMDLL_OPT_REFRESH_FREQ_MEM = 0x2001100000000000L; + + /** + * Refresh partial (1/3) memory caches. + */ + public static final long VMMDLL_OPT_REFRESH_FREQ_MEM_PARTIAL= 0x2001000200000000L; + + /** + * Refresh completely page table caches. + */ + public static final long VMMDLL_OPT_REFRESH_FREQ_TLB = 0x2001080000000000L; + + /** + * Refresh partial (1/3) of page table caches. 
+ */ + public static final long VMMDLL_OPT_REFRESH_FREQ_TLB_PARTIAL= 0x2001000400000000L; + + /** + * Refresh fast frequency (minor refresh). + */ + public static final long VMMDLL_OPT_REFRESH_FREQ_FAST = 0x2001040000000000L; + + /** + * Refresh medium frequency (medium refresh). + */ + public static final long VMMDLL_OPT_REFRESH_FREQ_MEDIUM = 0x2001000100000000L; + + /** + * Refresh slow frequency (maximum refresh). + */ + public static final long VMMDLL_OPT_REFRESH_FREQ_SLOW = 0x2001001000000000L; /** * Get a device specific option value. Please see defines OPT_* for information @@ -114,12 +171,37 @@ public interface IVmm // WITH CALL TO InitializePlugins(). //----------------------------------------------------------------------------- + /** + * List entries in a virtual directory in the virtual file system. + * @param path + * @return + */ public List vfsList(String path); + /** + * Read a file in the virtual file system. + * @param file + * @param offset + * @param size + * @return + */ public byte[] vfsRead(String file, long offset, int size); + /** + * Read a file as a String in the virtual file system. + * @param file + * @param offset + * @param size + * @return + */ public String vfsReadString(String file, long offset, int size); + /** + * Write to a file in the virtual file system. + * @param file + * @param data + * @param offset + */ public void vfsWrite(String file, byte[] data, long offset); @@ -261,9 +343,10 @@ public interface IVmm /** * Retrieve pool allocations sorted by virtual address and pool tag. + * @param isBigPoolOnly true=only show entries from bigpool, false=show all entries. * @return */ - public VmmMap_PoolMap mapPool(); + public VmmMap_PoolMap mapPool(boolean isBigPoolOnly); diff --git a/vmmjava/vmm/IVmmModule.java b/vmmjava/vmm/IVmmModule.java index 4bc34e9..e266d5c 100644 --- a/vmmjava/vmm/IVmmModule.java +++ b/vmmjava/vmm/IVmmModule.java 
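Review bot: Renaming `OPT_REFRESH_*` to `VMMDLL_OPT_REFRESH_*` removes public constants from the interface, so existing callers referencing `IVmm.OPT_REFRESH_ALL` stop compiling, and the new prefix is inconsistent with every other constant in IVmm (`OPT_WIN_VERSION_MAJOR`, `OPT_FORENSIC_MODE`, `OPT_CONFIG_*`). The rename is also not value-preserving: the old `OPT_REFRESH_FREQ_MEM` value `0x2001000200000000L` is now `VMMDLL_OPT_REFRESH_FREQ_MEM_PARTIAL`, while `VMMDLL_OPT_REFRESH_FREQ_MEM` gets the new value `0x2001100000000000L`, and the same shift applies to `_TLB`, so a caller who mechanically renames silently turns a partial cache flush into a full one. Keeping the old names as deprecated aliases of the semantically matching new values, e.g. `@Deprecated public static final long OPT_REFRESH_FREQ_MEM = VMMDLL_OPT_REFRESH_FREQ_MEM_PARTIAL;`, would preserve source compatibility and make the semantic change explicit rather than accidental.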
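Review bot: The new Javadoc on `vfsList`, `vfsRead`, `vfsReadString` and `vfsWrite` leaves every `@param` and `@return` tag empty, which renders as blank lines and tells the caller nothing about offset/size semantics or the failure mode. Suggest filling them in, e.g. for `vfsRead`: `@param file path of the file in the virtual file system`, `@param offset byte offset into the file at which reading starts`, `@param size maximum number of bytes to read`, `@return the bytes read`, and state whether a failed read returns null, an empty array or throws, which the interface should pin down given that `VmmImpl` throws `VmmException` on other native failures. `vfsReadString` should additionally name the character encoding it decodes the bytes with.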
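Review bot: Replacing `mapPool()` with `mapPool(boolean isBigPoolOnly)` is a source-incompatible change to a public interface; a default overload `default VmmMap_PoolMap mapPool() { return mapPool(false); }` keeps old callers working with the old behaviour (`VmmImpl` previously always passed `VMMDLL_POOLMAP_FLAG_ALL`, which is what `false` now selects), assuming the project compiles at Java 8 or later. The same consideration applies to the `moduleGet`/`moduleGetAll` signature changes in IVmmProcess in this patch, where `isExtendedInfo = false` presumably reproduces the previous behaviour. The `@return` tag on `mapPool` is still empty.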
@@ -94,6 +94,22 @@ public interface IVmmModule * @return */ public IVmmPdb getPdb(); + + /** + * Retrieve debug directory information. The debug directory info requires + * that the module has been initialized with isExtendedInfo but may + * still fail if memory is unreadable - in which case null is returned. + * @return + */ + public Vmm_ModuleExDebugInfo getExDebugInfo(); + + /** + * Retrieve PE version info. The PE version info requires that the module + * has been initialized with isExtendedInfo but may still fail if + * memory is unreadable - in which case null is returned. + * @return + */ + public Vmm_ModuleExVersionInfo getExVersionInfo(); diff --git a/vmmjava/vmm/IVmmProcess.java b/vmmjava/vmm/IVmmProcess.java index e1cb9de..16f5c4d 100644 --- a/vmmjava/vmm/IVmmProcess.java +++ b/vmmjava/vmm/IVmmProcess.java @@ -200,20 +200,20 @@ public interface IVmmProcess * @param va * @return */ - public IVmmModule moduleGet(long va); + public IVmmModule moduleGet(long va, boolean isExtendedInfo); /** * Retrieve a module by its name. * @param name * @return */ - public IVmmModule moduleGet(String name); + public IVmmModule moduleGet(String name, boolean isExtendedInfo); /** * Retrieve all modules loaded into the process. * @return */ - public List moduleGetAll(); + public List moduleGetAll(boolean isExtendedInfo); diff --git a/vmmjava/vmm/entry/VmmMap_ModuleExport.java b/vmmjava/vmm/entry/VmmMap_ModuleExport.java index a828805..13f593f 100644 --- a/vmmjava/vmm/entry/VmmMap_ModuleExport.java +++ b/vmmjava/vmm/entry/VmmMap_ModuleExport.java 
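Review bot: The Javadoc for `getExDebugInfo()` and `getExVersionInfo()` states the null case in prose but leaves `@return` empty, so the contract is lost in tooling that only shows tags; move it into the tag, e.g. `@return the debug directory info, or null if the module was not retrieved with isExtendedInfo or the backing memory was unreadable.` It would also be worth saying whether the returned object is created per call or cached, since both classes have public mutable fields and callers may otherwise compare by identity.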
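Review bot: The new `isExtendedInfo` parameter on the three `moduleGet`/`moduleGetAll` overloads is not documented in any of the `@param` lists, so callers cannot see that it controls whether `getExDebugInfo()`/`getExVersionInfo()` on the returned modules are populated, nor that it costs additional memory reads per module. Add `@param isExtendedInfo true to also retrieve debug directory and PE version info (see IVmmModule.getExDebugInfo / getExVersionInfo), false for the plain module entry.` to each. While here, `moduleGet(long va)` could state that `va` may be any address inside the module rather than only its base, which is what the range check in `VmmImpl` implements.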
@@ -8,13 +8,14 @@ import java.io.Serializable; */ public class VmmMap_ModuleExport implements Serializable { - private static final long serialVersionUID = -7123227183229190306L; + private static final long serialVersionUID = -7123227183229190307L; public long vaFunction; public int dwOrdinal; public int oFunctionsArray; public int oNamesArray; public String uszModule; public String uszFunction; + public String uszForwardedFunction; public String toString() { return "VmmMap_ModuleExport:" + uszModule + "!" + uszFunction; diff --git a/vmmjava/vmm/entry/Vmm_ModuleExDebugInfo.java b/vmmjava/vmm/entry/Vmm_ModuleExDebugInfo.java new file mode 100644 index 0000000..c07641c --- /dev/null +++ b/vmmjava/vmm/entry/Vmm_ModuleExDebugInfo.java @@ -0,0 +1,20 @@ +package vmm.entry; + +import java.io.Serializable; + +/** + * @see https://github.com/ufrisk/MemProcFS + * @author Ulf Frisk - pcileech@frizk.net + */ +public class Vmm_ModuleExDebugInfo implements Serializable { + + private static final long serialVersionUID = -7875377132222488703L; + public int dwAge; + public byte[] GuidBytes; + public String Guid; + public String PdbFilename; + + public String toString() { + return "Vmm_ModuleExDebugInfo"; + } +} diff --git a/vmmjava/vmm/entry/Vmm_ModuleExVersionInfo.java b/vmmjava/vmm/entry/Vmm_ModuleExVersionInfo.java new file mode 100644 index 0000000..7e2cfe1 --- /dev/null +++ b/vmmjava/vmm/entry/Vmm_ModuleExVersionInfo.java 
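Review bot: The new `uszForwardedFunction` field carries no comment saying what it holds for a non-forwarded export (null, empty string, or the forwarder target), and since JNA maps a NULL `char*` to a Java null while an empty native string becomes `""`, callers will otherwise have to guess; a field comment such as `// forwarder target (presumably "module.function" form); null/empty when the export is not forwarded — confirm against the native side` would settle it. `toString()` could also append the forwarder when present so forwarded exports are recognisable in logs.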
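Review bot: `toString()` on the new `Vmm_ModuleExDebugInfo` returns only the class name, unlike `VmmMap_ModuleExport.toString()` in the hunk above which includes identifying data, so logging one of these is useless; `return "Vmm_ModuleExDebugInfo:" + PdbFilename + ":" + Guid;` would be in line with the rest of the entry classes. The same applies to `Vmm_ModuleExVersionInfo.toString()` in the next file, where `OriginalFilename` and `FileVersion` are the natural identifiers. The public fields also lack comments on the relationship between `Guid` and `GuidBytes` (presumably the textual and raw 16-byte forms of the same value) and on what `dwAge` means; one line each would help, as matching a module to its PDB by GUID and age is the likely use of this class.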
@@ -0,0 +1,24 @@ +package vmm.entry; + +import java.io.Serializable; + +/** + * @see https://github.com/ufrisk/MemProcFS + * @author Ulf Frisk - pcileech@frizk.net + */ +public class Vmm_ModuleExVersionInfo implements Serializable { + + private static final long serialVersionUID = -9023423751540659830L; + public String CompanyName; + public String FileDescription; + public String FileVersion; + public String InternalName; + public String LegalCopyright; + public String OriginalFilename; + public String ProductName; + public String ProductVersion; + + public String toString() { + return "Vmm_ModuleExVersionInfo"; + } +} diff --git a/vmmjava/vmm/internal/VmmImpl.java b/vmmjava/vmm/internal/VmmImpl.java index d28bb69..0da7413 100644 --- a/vmmjava/vmm/internal/VmmImpl.java +++ b/vmmjava/vmm/internal/VmmImpl.java @@ -36,11 +36,22 @@ public class VmmImpl implements IVmm private VmmImpl(String vmmNativeLibraryPath, String argv[]) { - System.setProperty("jna.library.path", vmmNativeLibraryPath); - hVMM = VmmNative.INSTANCE.VMMDLL_Initialize(argv.length, argv); - if(hVMM == null) { throw new VmmException("Vmm Init: failed in native code."); } - VmmNative.INSTANCE.VMMDLL_InitializePlugins(hVMM); - this.vmmNativeLibraryPath = vmmNativeLibraryPath; + String[] argv_new = null; + if(argv.length < 2) { + throw new VmmException("Vmm Init: failed - too few arguments."); + } + if(argv[0].equals("") || argv[0].equals("-printf")) { + argv_new = argv; + } else { + argv_new = new String[argv.length + 1]; + argv_new[0] = ""; + System.arraycopy(argv, 0, argv_new, 1, argv.length); + } + System.setProperty("jna.library.path", vmmNativeLibraryPath); + hVMM = VmmNative.INSTANCE.VMMDLL_Initialize(argv_new.length, argv_new); + if(hVMM == null) { throw new VmmException("Vmm Init: failed in native code."); } + VmmNative.INSTANCE.VMMDLL_InitializePlugins(hVMM); + this.vmmNativeLibraryPath = vmmNativeLibraryPath; } public static IVmm Initialize(String vmmNativeLibraryPath, String argv[]) 
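Review bot: The new argv normalisation dereferences `argv[0]` before any null check, so a null array or a null first element surfaces as a `NullPointerException` rather than the `VmmException` the surrounding code throws for bad input; `Objects.requireNonNull(argv, "argv");` at the top and `"".equals(argv[0]) || "-printf".equals(argv[0])` for the test fix that. The `argv.length < 2` guard runs before the placeholder is prepended, so a two-element caller array is accepted while a one-element already-prefixed array is rejected; a comment stating that the minimum is counted on the caller's form would avoid confusion. The `-printf` special case is likewise undocumented — a comment on why a leading `-printf` counts as an already-prefixed array would help, since `VmmExample` in this same patch moved `-printf` off index 0. `System.setProperty("jna.library.path", ...)` overwrites any path the host JVM already configured and is never restored; this is pre-existing, but if it is intentional say so in a comment, otherwise append using `File.pathSeparator`. The enclosing `VmmImpl` class continues outside the hunk.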
@@ -537,10 +548,11 @@ public class VmmImpl implements IVmm return result; } - public VmmMap_PoolMap mapPool() + public VmmMap_PoolMap mapPool(boolean isBigPoolOnly) { + int flags = isBigPoolOnly ? VmmNative.VMMDLL_POOLMAP_FLAG_BIG : VmmNative.VMMDLL_POOLMAP_FLAG_ALL; PointerByReference pptr = new PointerByReference(); - boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetPool(hVMM, pptr, VmmNative.VMMDLL_POOLMAP_FLAG_ALL); + boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetPool(hVMM, pptr, flags); if(!f) { throw new VmmException(); } VmmNative.VMMDLL_MAP_POOL pMap = new VmmNative.VMMDLL_MAP_POOL(pptr.getValue()); // process result: @@ -943,8 +955,8 @@ public class VmmImpl implements IVmm return Native.toString(info.szSID); } - public IVmmModule moduleGet(long va) { - for(IVmmModule m : moduleGetAll()) { + public IVmmModule moduleGet(long va, boolean isExtendedInfo) { + for(IVmmModule m : moduleGetAll(isExtendedInfo)) { if((va >= m.getVaBase()) && (va <= m.getVaBase() + m.getSize())) { return m; } 
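Review bot: The range test `va <= m.getVaBase() + m.getSize()` is inclusive of the byte one past the module's end, so an address exactly at `vaBase + size` — which is the base of the next module when images are laid out contiguously — is attributed to the earlier module first; the check should read `if((va >= m.getVaBase()) && (va < m.getVaBase() + m.getSize())) {`. That line is context, but the new `isExtendedInfo` flag makes the lookup noticeably more expensive, since `moduleGetAll(isExtendedInfo)` now parses debug and version info for every module in the process just to find one by address; fetching the list with `false` and re-querying the single match via `moduleGet(name, isExtendedInfo)` would keep the cost proportional. The method's tail (`return null;`) sits in the next hunk.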
@@ -952,24 +964,48 @@ public class VmmImpl implements IVmm return null; } - public IVmmModule moduleGet(String name) { + public IVmmModule moduleGet(String name, boolean isExtendedInfo) { + int flags = VmmNative.VMMDLL_MODULE_FLAG_NORMAL; + if(isExtendedInfo) { + flags = VmmNative.VMMDLL_MODULE_FLAG_DEBUGINFO + VmmNative.VMMDLL_MODULE_FLAG_VERSIONINFO; + } PointerByReference pptr = new PointerByReference(); - boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetModuleFromNameU(hVMM, pid, name, pptr); + boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetModuleFromNameU(hVMM, pid, name, pptr, flags); if(!f) { throw new VmmException(); } VmmNative.VMMDLL_MAP_MODULEENTRY pEntry = new VmmNative.VMMDLL_MAP_MODULEENTRY(pptr.getValue()); + VmmNative.VMMDLL_MAP_MODULEENTRY_DEBUGINFO pDebugEntry = null; + if(pEntry.pExDebugInfo != 0) { + pDebugEntry = new VmmNative.VMMDLL_MAP_MODULEENTRY_DEBUGINFO(new PointerByReference(new Pointer(pEntry.pExDebugInfo)).getValue()); + } + VmmNative.VMMDLL_MAP_MODULEENTRY_VERSIONINFO pVersionEntry = null; + if(pEntry.pExVersionInfo != 0) { + pVersionEntry = new VmmNative.VMMDLL_MAP_MODULEENTRY_VERSIONINFO(new PointerByReference(new Pointer(pEntry.pExVersionInfo)).getValue()); + } VmmNative.INSTANCE.VMMDLL_MemFree(pptr.getValue()); - return new VmmImpl.VmmModuleImpl(this, pEntry); + return new VmmImpl.VmmModuleImpl(this, pEntry, pDebugEntry, pVersionEntry); } - public List moduleGetAll() { + public List moduleGetAll(boolean isExtendedInfo) { + int flags = VmmNative.VMMDLL_MODULE_FLAG_NORMAL; + if(isExtendedInfo) { + flags = VmmNative.VMMDLL_MODULE_FLAG_DEBUGINFO + VmmNative.VMMDLL_MODULE_FLAG_VERSIONINFO; + } PointerByReference pptr = new PointerByReference(); - boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetModuleU(hVMM, pid, pptr); + boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetModuleU(hVMM, pid, pptr, flags); if(!f) { throw new VmmException(); } VmmNative.VMMDLL_MAP_MODULE pMap = new VmmNative.VMMDLL_MAP_MODULE(pptr.getValue()); // process result: 
ArrayList result = new ArrayList(); for(VmmNative.VMMDLL_MAP_MODULEENTRY n : pMap.pMap) { - result.add(new VmmImpl.VmmModuleImpl(this, n)); + VmmNative.VMMDLL_MAP_MODULEENTRY_DEBUGINFO pDebugEntry = null; + if(n.pExDebugInfo != 0) { + pDebugEntry = new VmmNative.VMMDLL_MAP_MODULEENTRY_DEBUGINFO(new PointerByReference(new Pointer(n.pExDebugInfo)).getValue()); + } + VmmNative.VMMDLL_MAP_MODULEENTRY_VERSIONINFO pVersionEntry = null; + if(n.pExVersionInfo != 0) { + pVersionEntry = new VmmNative.VMMDLL_MAP_MODULEENTRY_VERSIONINFO(new PointerByReference(new Pointer(n.pExVersionInfo)).getValue()); + } + result.add(new VmmImpl.VmmModuleImpl(this, n, pDebugEntry, pVersionEntry)); } VmmNative.INSTANCE.VMMDLL_MemFree(pptr.getValue()); return result; @@ -1026,9 +1062,14 @@ public class VmmImpl implements IVmm private IVmmProcess process; private int pid; private VmmNative.VMMDLL_MAP_MODULEENTRY module; + private VmmNative.VMMDLL_MAP_MODULEENTRY_DEBUGINFO debug; + private VmmNative.VMMDLL_MAP_MODULEENTRY_VERSIONINFO version; - private VmmModuleImpl(IVmmProcess process, VmmNative.VMMDLL_MAP_MODULEENTRY module) { + + private VmmModuleImpl(IVmmProcess process, VmmNative.VMMDLL_MAP_MODULEENTRY module, VmmNative.VMMDLL_MAP_MODULEENTRY_DEBUGINFO debug, VmmNative.VMMDLL_MAP_MODULEENTRY_VERSIONINFO version) { this.module = module; + this.debug = debug; + this.version = version; this.process = process; this.pid = process.getPID(); } 
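Review bot: The flag computation and the debug/version entry construction are now written out three times (`moduleGet(String)`, `moduleGetAll` and its loop body), the flags are combined with `+` where `|` expresses the intent (the values 1 and 2 merely happen to make them equal), and `new PointerByReference(new Pointer(x)).getValue()` is just `new Pointer(x)`. Extracting a private `moduleFlags(boolean)` and a `moduleFromEntry(entry)` helper, sketched below, removes the duplication and gives one place to document the lifetime rule the code depends on: the two JNA structures `read()` from the `pExDebugInfo`/`pExVersionInfo` pointers in their constructors, and that memory is presumably owned by the map that `VMMDLL_MemFree` releases a few lines later, so the helper must run before the free. The `MemFree` calls are also not in a `finally`, so an exception thrown while constructing the structures leaks the native map — pre-existing, but the new reads add throw sites, hence the `try`/`finally` below.
```java
    // Flags for VMMDLL_Map_GetModuleU / VMMDLL_Map_GetModuleFromNameU; bit flags, OR-ed.
    private int moduleFlags(boolean isExtendedInfo) {
        if(!isExtendedInfo) {
            return VmmNative.VMMDLL_MODULE_FLAG_NORMAL;
        }
        return VmmNative.VMMDLL_MODULE_FLAG_DEBUGINFO | VmmNative.VMMDLL_MODULE_FLAG_VERSIONINFO;
    }

    // Wrap one native module entry. Must run before VMMDLL_MemFree on the enclosing map:
    // the optional debug/version structures are read eagerly from the pointers the entry supplies.
    private IVmmModule moduleFromEntry(VmmNative.VMMDLL_MAP_MODULEENTRY n) {
        VmmNative.VMMDLL_MAP_MODULEENTRY_DEBUGINFO pDebugEntry = null;
        if(n.pExDebugInfo != 0) {
            pDebugEntry = new VmmNative.VMMDLL_MAP_MODULEENTRY_DEBUGINFO(new Pointer(n.pExDebugInfo));
        }
        VmmNative.VMMDLL_MAP_MODULEENTRY_VERSIONINFO pVersionEntry = null;
        if(n.pExVersionInfo != 0) {
            pVersionEntry = new VmmNative.VMMDLL_MAP_MODULEENTRY_VERSIONINFO(new Pointer(n.pExVersionInfo));
        }
        return new VmmImpl.VmmModuleImpl(this, n, pDebugEntry, pVersionEntry);
    }

    public IVmmModule moduleGet(String name, boolean isExtendedInfo) {
        PointerByReference pptr = new PointerByReference();
        boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetModuleFromNameU(hVMM, pid, name, pptr, moduleFlags(isExtendedInfo));
        if(!f) { throw new VmmException(); }
        VmmNative.VMMDLL_MAP_MODULEENTRY pEntry = new VmmNative.VMMDLL_MAP_MODULEENTRY(pptr.getValue());
        try {
            return moduleFromEntry(pEntry);
        } finally {
            VmmNative.INSTANCE.VMMDLL_MemFree(pptr.getValue());
        }
    }

    // … unchanged: moduleGetAll, with its loop body reduced to result.add(moduleFromEntry(n)) and the same try/finally around MemFree …
```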
@@ -1081,7 +1122,35 @@ public class VmmImpl implements IVmm public int getCountIAT() { return module.cIAT; } + + public Vmm_ModuleExDebugInfo getExDebugInfo() { + if(debug == null) { + return null; + } + Vmm_ModuleExDebugInfo n = new Vmm_ModuleExDebugInfo(); + n.dwAge = debug.dwAge; + n.Guid = debug.uszGuid; + n.GuidBytes = debug.Guid; + n.PdbFilename = debug.uszPdbFilename; + return n; + } + public Vmm_ModuleExVersionInfo getExVersionInfo() { + if(version == null) { + return null; + } + Vmm_ModuleExVersionInfo n = new Vmm_ModuleExVersionInfo(); + n.CompanyName = version.uszCompanyName; + n.FileDescription = version.uszFileDescription; + n.FileVersion = version.uszFileVersion; + n.InternalName = version.uszInternalName; + n.LegalCopyright = version.uszLegalCopyright; + n.OriginalFilename = version.uszOriginalFilename; + n.ProductName = version.uszProductName; + n.ProductVersion = version.uszProductVersion; + return n; + } + public long getProcAddress(String szFunctionName) { return VmmNative.INSTANCE.VMMDLL_ProcessGetProcAddressU(hVMM, pid, module.uszText, szFunctionName); } @@ -1147,6 +1216,7 @@ public class VmmImpl implements IVmm e.oFunctionsArray = n.oFunctionsArray; e.oNamesArray = n.oNamesArray; e.uszFunction = n.uszFunction; + e.uszForwardedFunction = n.uszForwardedFunction; e.uszModule = module.uszText; result.add(e); } diff --git a/vmmjava/vmm/internal/VmmNative.java b/vmmjava/vmm/internal/VmmNative.java index 252ee48..2a7b9a8 100644 --- a/vmmjava/vmm/internal/VmmNative.java +++ b/vmmjava/vmm/internal/VmmNative.java 
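Review bot: `n.GuidBytes = debug.Guid;` hands out the byte array owned by the JNA `VMMDLL_MAP_MODULEENTRY_DEBUGINFO` structure, so the returned `Vmm_ModuleExDebugInfo` and the module object share one mutable array and a caller that modifies `GuidBytes` changes what the next `getExDebugInfo()` call returns; `n.GuidBytes = debug.Guid == null ? null : debug.Guid.clone();` decouples them, and every other field copied here is an immutable String or int so nothing else needs it. Both new getters build a fresh object on every call, which is fine but worth stating in the interface Javadoc so callers do not cache and compare by identity. The enclosing `VmmModuleImpl` class starts and ends outside the hunk.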
@@ -22,14 +22,14 @@ interface VmmNative extends Library { static final int VMMDLL_MAP_PTE_VERSION = 2; static final int VMMDLL_MAP_VAD_VERSION = 6; static final int VMMDLL_MAP_VADEX_VERSION = 3; - static final int VMMDLL_MAP_MODULE_VERSION = 5; + static final int VMMDLL_MAP_MODULE_VERSION = 6; static final int VMMDLL_MAP_UNLOADEDMODULE_VERSION = 2; - static final int VMMDLL_MAP_EAT_VERSION = 2; + static final int VMMDLL_MAP_EAT_VERSION = 3; static final int VMMDLL_MAP_IAT_VERSION = 2; static final int VMMDLL_MAP_HEAP_VERSION = 4; static final int VMMDLL_MAP_HEAPALLOC_VERSION = 1; static final int VMMDLL_MAP_THREAD_VERSION = 4; - static final int VMMDLL_MAP_HANDLE_VERSION = 2; + static final int VMMDLL_MAP_HANDLE_VERSION = 3; static final int VMMDLL_MAP_POOL_VERSION = 2; static final int VMMDLL_MAP_NET_VERSION = 3; static final int VMMDLL_MAP_PHYSMEM_VERSION = 2; @@ -318,7 +318,7 @@ interface VmmNative extends Library { public int _FutureUse2; public int dwPID; public byte[] dwPoolTag = new byte[4]; - public int[] _FutureUse = new int[5]; + public int[] _FutureUse = new int[7]; public String uszType; } 
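Review bot: `VMMDLL_MAP_HANDLE_VERSION` is bumped from 2 to 3 but no handle entry structure is touched anywhere in this patch, and conversely the pool entry structure in the second hunk (the one with `dwPoolTag`/`uszType`) grows — `_FutureUse` 5 → 7 ints, which changes the entry stride read out of native memory — while `VMMDLL_MAP_POOL_VERSION` stays at 2. If these constants gate a `dwVersion` check before the Java structures are overlaid on the native map, a Java layout that lags the native one passes the check and silently reads shifted fields from the native buffer, which is the kind of mismatch that produces garbage output rather than an error. I cannot see the handle structure or the version check from here, so this is a request to confirm both layouts against the matching native header for this release and to note, in a comment beside each version constant, which native header revision it tracks.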
@@ -660,9 +660,58 @@ interface VmmNative extends Library { boolean VMMDLL_ProcessGetInformation(Pointer hVMM, int dwPID, VMMDLL_PROCESS_INFORMATION pProcessInformation, LongByReference pcbProcessInformation); Pointer VMMDLL_ProcessGetInformationString(Pointer hVMM, int dwPID, int fOptionString); - - @Structure.FieldOrder({"vaBase", "vaEntry", "cbImageSize", "fWoW64", "uszText", "_Reserved3", "_Reserved4", "uszFullName", "tp", "cbFileSizeRaw", "cSection", "cEAT", "cIAT", "_Reserved2", "_Reserved1"}) + + static final int VMMDLL_MODULE_FLAG_NORMAL = 0; + static final int VMMDLL_MODULE_FLAG_DEBUGINFO = 1; + static final int VMMDLL_MODULE_FLAG_VERSIONINFO = 2; + + @Structure.FieldOrder({"dwAge", "_Reserved", "Guid", "uszGuid", "uszPdbFilename"}) + class VMMDLL_MAP_MODULEENTRY_DEBUGINFO extends Structure { + public int dwAge; + public int _Reserved; + public byte[] Guid = new byte[16]; + public String uszGuid; + public String uszPdbFilename; + + + public VMMDLL_MAP_MODULEENTRY_DEBUGINFO() + { + super(); + } + + VMMDLL_MAP_MODULEENTRY_DEBUGINFO(Pointer p) + { + super(p); + read(); + } + } + + @Structure.FieldOrder({"uszCompanyName", "uszFileDescription", "uszFileVersion", "uszInternalName", "uszLegalCopyright", "uszOriginalFilename", "uszProductName", "uszProductVersion"}) + class VMMDLL_MAP_MODULEENTRY_VERSIONINFO extends Structure { + public String uszCompanyName; + public String uszFileDescription; + public String uszFileVersion; + public String uszInternalName; + public String uszLegalCopyright; + public String uszOriginalFilename; + public String uszProductName; + public String uszProductVersion; + + + public VMMDLL_MAP_MODULEENTRY_VERSIONINFO() + { + super(); + } + + VMMDLL_MAP_MODULEENTRY_VERSIONINFO(Pointer p) + { + super(p); + read(); + } + } + + @Structure.FieldOrder({"vaBase", "vaEntry", "cbImageSize", "fWoW64", "uszText", "_Reserved3", "_Reserved4", "uszFullName", "tp", "cbFileSizeRaw", "cSection", "cEAT", "cIAT", "_Reserved2", "_Reserved1", "pExDebugInfo", 
"pExVersionInfo"}) class VMMDLL_MAP_MODULEENTRY extends Structure { public long vaBase; public long vaEntry; @@ -678,7 +727,9 @@ interface VmmNative extends Library { public int cEAT; public int cIAT; public int _Reserved2; - public long[] _Reserved1 = new long[2]; + public long[] _Reserved1 = new long[3]; + public long pExDebugInfo; + public long pExVersionInfo; public VMMDLL_MAP_MODULEENTRY() { @@ -712,8 +763,8 @@ interface VmmNative extends Library { } } - boolean VMMDLL_Map_GetModuleU(Pointer hVMM, int dwPID, PointerByReference ppModuleMap); - boolean VMMDLL_Map_GetModuleFromNameU(Pointer hVMM, int dwPID, String uszModuleName, PointerByReference ppModuleMapEntry); + boolean VMMDLL_Map_GetModuleU(Pointer hVMM, int dwPID, PointerByReference ppModuleMap, int flags); + boolean VMMDLL_Map_GetModuleFromNameU(Pointer hVMM, int dwPID, String uszModuleName, PointerByReference ppModuleMapEntry, int flags); @@ -721,7 +772,7 @@ interface VmmNative extends Library { - @Structure.FieldOrder({"vaFunction", "dwOrdinal", "oFunctionsArray", "oNamesArray", "_FutureUse1", "uszFunction"}) + @Structure.FieldOrder({"vaFunction", "dwOrdinal", "oFunctionsArray", "oNamesArray", "_FutureUse1", "uszFunction", "uszForwardedFunction"}) class VMMDLL_MAP_EATENTRY extends Structure { public long vaFunction; public int dwOrdinal; 
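Review bot: The new `VMMDLL_MODULE_FLAG_*` constants are bit flags (NORMAL 0, DEBUGINFO 1, VERSIONINFO 2) meant to be OR-ed into the `flags` argument of `VMMDLL_Map_GetModuleU` / `VMMDLL_Map_GetModuleFromNameU`, but nothing says so; a comment `// bit flags, combine with |; passed as flags to VMMDLL_Map_GetModuleU / VMMDLL_Map_GetModuleFromNameU` on the group would keep the `+`-combination used in `VmmImpl` from spreading. The two new nested structures read themselves eagerly in the `(Pointer p)` constructor; documenting that `p` must point into a live map returned by the native side, valid until the constructor returns, captures the lifetime contract `VmmImpl` relies on when it calls `VMMDLL_MemFree` afterwards. The hunk's tail (the `class VMMDLL_MAP_MODULEENTRY` header) runs into the next hunk.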
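Review bot: `pExDebugInfo` and `pExVersionInfo` are declared as `long` although they are consumed as native pointers (`VmmImpl` wraps them in `new Pointer(...)`); if the native struct declares them as pointers rather than 64-bit integers, `long` only matches the 64-bit ABI, whereas a JNA `Pointer` field sizes itself to the native pointer width and would let callers drop the `new Pointer(x)` round-trip and test `!= null` instead of `!= 0`. I cannot see the native header from here, so please check which type it uses before changing anything; if the native type really is a 64-bit integer, a comment saying so next to the fields would pre-empt the question. The rest of `VMMDLL_MAP_MODULEENTRY` lies outside the hunk.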
@@ -729,15 +780,17 @@ interface VmmNative extends Library { public int oNamesArray; public int _FutureUse1; public String uszFunction; + public String uszForwardedFunction; } - @Structure.FieldOrder({"dwVersion", "dwOrdinalBase", "cNumberOfNames", "cNumberOfFunctions", "_Reserved1", "vaModuleBase", "vaAddressOfFunctions", "vaAddressOfNames", "pbMultiText", "cbMultiText", "cMap", "pMap"}) + @Structure.FieldOrder({"dwVersion", "dwOrdinalBase", "cNumberOfNames", "cNumberOfFunctions", "cNumberOfForwardedFunctions", "_Reserved1", "vaModuleBase", "vaAddressOfFunctions", "vaAddressOfNames", "pbMultiText", "cbMultiText", "cMap", "pMap"}) class VMMDLL_MAP_EAT extends Structure { public int dwVersion; public int dwOrdinalBase; public int cNumberOfNames; public int cNumberOfFunctions; - public int[] _Reserved1 = new int[4]; + public int cNumberOfForwardedFunctions; + public int[] _Reserved1 = new int[3]; public long vaModuleBase; public long vaAddressOfFunctions; public long vaAddressOfNames;