diff --git a/MemProcFS.sln b/MemProcFS.sln
index eb96ca4..b5cc75c 100644
--- a/MemProcFS.sln
+++ b/MemProcFS.sln
@@ -48,6 +48,55 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "leechcore", "..\LeechCore\l
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "vmmsharp", "vmmsharp\vmmsharp.csproj", "{3CDF36DD-2B04-4876-B4BF-29FED2386E6A}"
EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "vmmjava", "vmmjava", "{1390A2F3-1ECE-4A66-8B60-6FDCB599BE63}"
+ ProjectSection(SolutionItems) = preProject
+ vmmjava\VmmExample.java = vmmjava\VmmExample.java
+ EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "vmm", "vmm", "{F64725D0-147F-43D1-95AE-FDE1E8C1EDCD}"
+ ProjectSection(SolutionItems) = preProject
+ vmmjava\vmm\IVmm.java = vmmjava\vmm\IVmm.java
+ vmmjava\vmm\IVmmMemScatterMemory.java = vmmjava\vmm\IVmmMemScatterMemory.java
+ vmmjava\vmm\IVmmModule.java = vmmjava\vmm\IVmmModule.java
+ vmmjava\vmm\IVmmPdb.java = vmmjava\vmm\IVmmPdb.java
+ vmmjava\vmm\IVmmProcess.java = vmmjava\vmm\IVmmProcess.java
+ vmmjava\vmm\IVmmRegHive.java = vmmjava\vmm\IVmmRegHive.java
+ vmmjava\vmm\IVmmRegKey.java = vmmjava\vmm\IVmmRegKey.java
+ vmmjava\vmm\IVmmRegValue.java = vmmjava\vmm\IVmmRegValue.java
+ vmmjava\vmm\VmmException.java = vmmjava\vmm\VmmException.java
+ EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "entry", "entry", "{D65E9BD1-4BB8-4418-BC41-82884843D377}"
+ ProjectSection(SolutionItems) = preProject
+ vmmjava\vmm\entry\VmmMap_HandleEntry.java = vmmjava\vmm\entry\VmmMap_HandleEntry.java
+ vmmjava\vmm\entry\VmmMap_HeapAllocEntry.java = vmmjava\vmm\entry\VmmMap_HeapAllocEntry.java
+ vmmjava\vmm\entry\VmmMap_HeapEntry.java = vmmjava\vmm\entry\VmmMap_HeapEntry.java
+ vmmjava\vmm\entry\VmmMap_HeapMap.java = vmmjava\vmm\entry\VmmMap_HeapMap.java
+ vmmjava\vmm\entry\VmmMap_HeapSegmentEntry.java = vmmjava\vmm\entry\VmmMap_HeapSegmentEntry.java
+ vmmjava\vmm\entry\VmmMap_MemMapEntry.java = vmmjava\vmm\entry\VmmMap_MemMapEntry.java
+ vmmjava\vmm\entry\VmmMap_ModuleDataDirectory.java = vmmjava\vmm\entry\VmmMap_ModuleDataDirectory.java
+ vmmjava\vmm\entry\VmmMap_ModuleExport.java = vmmjava\vmm\entry\VmmMap_ModuleExport.java
+ vmmjava\vmm\entry\VmmMap_ModuleImport.java = vmmjava\vmm\entry\VmmMap_ModuleImport.java
+ vmmjava\vmm\entry\VmmMap_ModuleSection.java = vmmjava\vmm\entry\VmmMap_ModuleSection.java
+ vmmjava\vmm\entry\VmmMap_NetEntry.java = vmmjava\vmm\entry\VmmMap_NetEntry.java
+ vmmjava\vmm\entry\VmmMap_PoolEntry.java = vmmjava\vmm\entry\VmmMap_PoolEntry.java
+ vmmjava\vmm\entry\VmmMap_PoolMap.java = vmmjava\vmm\entry\VmmMap_PoolMap.java
+ vmmjava\vmm\entry\VmmMap_PteEntry.java = vmmjava\vmm\entry\VmmMap_PteEntry.java
+ vmmjava\vmm\entry\VmmMap_ServiceEntry.java = vmmjava\vmm\entry\VmmMap_ServiceEntry.java
+ vmmjava\vmm\entry\VmmMap_ThreadEntry.java = vmmjava\vmm\entry\VmmMap_ThreadEntry.java
+ vmmjava\vmm\entry\VmmMap_UnloadedModuleEntry.java = vmmjava\vmm\entry\VmmMap_UnloadedModuleEntry.java
+ vmmjava\vmm\entry\VmmMap_UserEntry.java = vmmjava\vmm\entry\VmmMap_UserEntry.java
+ vmmjava\vmm\entry\VmmMap_VadEntry.java = vmmjava\vmm\entry\VmmMap_VadEntry.java
+ vmmjava\vmm\entry\VmmMap_VadExEntry.java = vmmjava\vmm\entry\VmmMap_VadExEntry.java
+ vmmjava\vmm\entry\Vmm_VfsListEntry.java = vmmjava\vmm\entry\Vmm_VfsListEntry.java
+ EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "internal", "internal", "{A8744524-49F8-4CAA-BD85-7C1EACA1164F}"
+ ProjectSection(SolutionItems) = preProject
+ vmmjava\vmm\internal\VmmImpl.java = vmmjava\vmm\internal\VmmImpl.java
+ vmmjava\vmm\internal\VmmNative.java = vmmjava\vmm\internal\VmmNative.java
+ EndProjectSection
+EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
@@ -113,6 +162,9 @@ Global
GlobalSection(NestedProjects) = preSolution
{7BEEEE90-F2CC-4ADD-BA8B-82599E3D1408} = {50E46B01-0786-4222-B8C8-8D1612DA8A3B}
{A8B68178-FE06-42E2-80C9-2C936973B5FA} = {50E46B01-0786-4222-B8C8-8D1612DA8A3B}
+ {F64725D0-147F-43D1-95AE-FDE1E8C1EDCD} = {1390A2F3-1ECE-4A66-8B60-6FDCB599BE63}
+ {D65E9BD1-4BB8-4418-BC41-82884843D377} = {F64725D0-147F-43D1-95AE-FDE1E8C1EDCD}
+ {A8744524-49F8-4CAA-BD85-7C1EACA1164F} = {F64725D0-147F-43D1-95AE-FDE1E8C1EDCD}
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {CE6C3AA7-477A-4329-B4E3-5F219ACF4063}
diff --git a/README.md b/README.md
index ebdff89..d2fa245 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ Use your favorite tools to analyze memory - use your favorite hex editors, your
-Include MemProcFS in your C/C++, C# or Python programming projects! Everything in MemProcFS is exposed via an easy-to-use API for use in your own projects! The Plugin friendly architecture allows users to easily extend MemProcFS with native C .DLL plugins or Python .py plugins - providing additional analysis capabilities!
+Include MemProcFS in your [C/C++](https://github.com/ufrisk/MemProcFS/wiki/API_C), [C#](https://github.com/ufrisk/MemProcFS/wiki/API_CSharp), [Java](https://github.com/ufrisk/MemProcFS/wiki/API_Java) or [Python](https://github.com/ufrisk/MemProcFS/wiki/API_Python) programming projects! Everything in MemProcFS is exposed via an easy-to-use API for use in your own projects! The Plugin friendly architecture allows users to easily extend MemProcFS with native C .DLL plugins or Python .py plugins - providing additional analysis capabilities!
MemProcFS is available on Python pip. Just type `pip install memprocfs` and you're ready to go! Please see the [Python API documentation](https://github.com/ufrisk/MemProcFS/wiki/API_Python) and the [YouTube demo](https://youtu.be/pLFU1lxBNM0) for examples and usage!
@@ -29,9 +29,9 @@ No matter if you have no prior knowledge of memory analysis or are an advanced u
-Extensive Python, C# and C/C++ API:
+Extensive Python, Java, C# and C/C++ API:
===============================
-Everything in MemProcFS is exposed as APIs. APIs exist for both C/C++ `vmmdll.h`, C# `vmmsharp.cs` and Python `memprocfs.py`. The file system itself is made available virtually via the API without the need to mount it. SIt is possible to read both virtual process memory as well as physical memory! The example below shows reading 0x20 bytes from physical address 0x1000:
+Everything in MemProcFS is exposed as APIs. APIs exist for both C/C++ `vmmdll.h`, C# `vmmsharp.cs`, Java and Python `memprocfs.py`. The file system itself is made available virtually via the API without the need to mount it. SIt is possible to read both virtual process memory as well as physical memory! The example below shows reading 0x20 bytes from physical address 0x1000:
```
>>> import memprocfs
>>> vmm = memprocfs.Vmm(['-device', 'c:/temp/win10_memdump.raw'])
@@ -48,8 +48,6 @@ Installing:
===========
Get the latest [binaries, modules and configuration files](https://github.com/ufrisk/MemProcFS/releases/latest) from the latest release. Alternatively clone the repository and build from source.
-MemProcFS is dependent on the [LeechCore project](https://github.com/ufrisk/LeechCore) for memory acquisition. The necessary _leechcore.dll_ / _leechcore.so_ file is already pre-built and included together with the pre-built binaries.
-
## Windows
Mounting the file system requires the Dokany file system library to be installed. Please download and install the latest version of Dokany version 2 at: https://github.com/dokan-dev/dokany/releases/latest It is recommended to download and install the DokanSetup_redist version.
@@ -93,24 +91,9 @@ Building:
Detailed build instructions may be found in the [Wiki](https://github.com/ufrisk/MemProcFS/wiki) in the [Building](https://github.com/ufrisk/MemProcFS/wiki/Dev_Building) section.
-Current Limitations & Future Development:
-=========================================
-MemProcFS is currently limited to analyzing Windows (32-bit and 64-bit XP to 10) memory dumps.
-
-Some features are missing in Linux version (compressed windows memory and offline symbols). This both limits and degrades the analysis on Linux systems. These features are planned for future versions.
-
-Please find some ideas for possible future expansions of the memory process file system listed below. This is a list of ideas - not a list of features that will be implemented. Even though some items are put as prioritized there is no guarantee that they will be implemented in a timely fashion.
-
-### Prioritized items:
-- More/new plugins.
-
-### Other items:
-- Hash lookup of executable memory pages in DB.
-- Forensic mode more analysis tasks.
-
License:
========
-The project source code is released under: GNU Affero General Public License v3.0. Some bundled dependencies and plugins are released under GPLv3. Some bundled Microsoft redistributable binaries are released under separate licenses. Alternative licensing may be possible.
+The project source code is released under: GNU Affero General Public License v3.0. Some bundled dependencies and plugins are released under GPLv3. Some bundled Microsoft redistributable binaries are released under separate licenses. Alternative closed-source licensing may be possible upon request.
Contributing:
=============
@@ -314,4 +297,6 @@ v1.1-v2.10
* [Web history](https://github.com/ufrisk/MemProcFS/wiki/FS_Web) plugin.
Latest:
+* Bug fixes.
+* [Java API](https://github.com/ufrisk/MemProcFS/wiki/API_Java).
* Additional info in [token/sid-all.txt](https://github.com/ufrisk/MemProcFS/wiki/FS_Process_Token).
diff --git a/vmmjava/VmmExample.java b/vmmjava/VmmExample.java
new file mode 100644
index 0000000..9f85a27
--- /dev/null
+++ b/vmmjava/VmmExample.java
@@ -0,0 +1,109 @@
+import vmm.*;
+import vmm.entry.*;
+import vmm.internal.VmmImpl;
+
+import java.util.*;
+
+/**
+ * MemProcFS example code how use the Java wrapper API for the native library.
+ * More functionality exists, please check the interfaces for more information.
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmExample {
+
+ public static void main(String[] args) {
+ // Initialize VMM.DLL
+ // arguments are as they are given on the command line.
+ // also required is to specify the path to the native MemProcFS files
+ // important! remember to close the vmm object after use to free up native resources!
+ String strPathToNativeBinaries = "C:\\Github\\MemProcFS-dev\\files";
+ String[] argv = {"-printf", "-device", "c:\\dumps\\WIN7-X64-SP1-1.pmem"};
+ IVmm vmm = IVmm.initializeVmm(strPathToNativeBinaries, argv);
+
+ // Get/Set option
+ vmm.setConfig(VmmImpl.OPT_CORE_PRINTF_ENABLE, 1);
+ long build = vmm.getConfig(VmmImpl.OPT_WIN_VERSION_BUILD);
+
+ // VFS init / list / read / write
+ List vfs_directory_listing = vmm.vfsList("\\sys\\");
+ byte[] vfs_build_bytes = vmm.vfsRead("\\sys\\version-build.txt", 0, 10);
+ String vfs_build_string = vmm.vfsReadString("\\sys\\version-build.txt", 0, 10);
+ //vmm.vfsWrite("\\memory.pmem", vfs_build_bytes, 0);
+
+ // physical memory prefetch/read/write
+ long[] physmem_prefetch = {0x1000, 0x10000, 0x20000};
+ vmm.memPrefetchPages(physmem_prefetch);
+ byte[] physmem_read = vmm.memRead(0x1000, 0x100);
+ //vmm.memWrite(0x400, physmem_read);
+
+ // physical memory scatter efficient read/write
+ IVmmMemScatterMemory physMemScatter = vmm.memScatterInitialize(IVmm.FLAG_ZEROPAD_ON_FAIL);
+ physMemScatter.prepare(0x1000, 0x100);
+ physMemScatter.prepare(0x2000, 8);
+ physMemScatter.execute();
+ byte[] physmem_readscatter1 = physMemScatter.read(0x1000, 0x100);
+ byte[] physmem_readscatter2 = physMemScatter.read(0x2004, 4);
+ byte[] physmem_readscatter3 = physMemScatter.read(0x2000, 8);
+ physMemScatter.close();
+
+ // get core maps
+ List maps_physmemmap = vmm.mapPhysicalMemory();
+ List maps_net = vmm.mapNet();
+ List maps_users = vmm.mapUser();
+ List maps_services = vmm.mapService();
+ VmmMap_PoolMap maps_pool = vmm.mapPool();
+
+ // get kernel info
+ IVmmProcess processKernel1 = vmm.kernelProcess();
+ IVmmPdb kernelPdb = vmm.kernelPdb();
+ int kernelBuildNumber = vmm.kernelBuildNumber();
+
+ // get processes
+ IVmmProcess processKernel2 = vmm.processGet(4);
+ IVmmProcess processExplorer = vmm.processGet("explorer.exe");
+ List processAll = vmm.processGetAll();
+
+ // get process maps
+ VmmMap_HeapMap procmaps_heap = processExplorer.mapHeap();
+ List procmaps_heapalloc = processExplorer.mapHeapAlloc(0);
+ List procmaps_handle = processExplorer.mapHandle();
+ List procmaps_PTEs = processExplorer.mapPte();
+ List procmaps_threads = processExplorer.mapThread();
+ List procmaps_unloadedmodules = processExplorer.mapUnloadedModule();
+ List procmaps_VADs = processExplorer.mapVad();
+ List procmaps_VADex = processExplorer.mapVadEx(0, 0x100);
+
+ // get module
+ List moduleExplorerAll = processExplorer.moduleGetAll();
+ IVmmModule moduleExplorerKernel32 = processExplorer.moduleGet("kernel32.dll");
+
+ // get some module info (additional info exists - check interface for more!)
+ String strModuleKernel32Full = moduleExplorerKernel32.getNameFull();
+
+ // get module maps for kernel32:
+ List moduleKernel32_DataDirectory = moduleExplorerKernel32.mapDataDirectory();
+ List moduleKernel32_Export = moduleExplorerKernel32.mapExport();
+ List moduleKernel32_Import = moduleExplorerKernel32.mapImport();
+ List moduleKernel32_Section = moduleExplorerKernel32.mapSection();
+
+ // pdb debug symbols for kernel and kernel32
+ IVmmPdb pdbKernel = vmm.kernelPdb();
+ IVmmPdb pdbKernel32 = moduleExplorerKernel32.getPdb();
+ long vaGetProcAddress = pdbKernel32.getSymbolAddress("GetProcAddress");
+ int cbEprocess = pdbKernel.getTypeSize("_EPROCESS");
+ int oEprocessToken = pdbKernel.getTypeChildOffset("_EPROCESS", "Token");
+
+ // registry
+ List reghives = vmm.regHive();
+ IVmmRegHive reghive = reghives.get(0);
+ IVmmRegKey regkey1 = reghive.getKeyRoot();
+ IVmmRegKey regkey2 = vmm.regKey("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run");
+ IVmmRegKey regkey3 = regkey2.getKeyParent();
+ Map regvalues = regkey2.getValues();
+ IVmmRegValue regvalue = vmm.regValue("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VBoxTray");
+
+ vmm.close();
+ }
+
+}
diff --git a/vmmjava/vmm/IVmm.java b/vmmjava/vmm/IVmm.java
new file mode 100644
index 0000000..5856a1f
--- /dev/null
+++ b/vmmjava/vmm/IVmm.java
@@ -0,0 +1,294 @@
+package vmm;
+
+import java.util.List;
+
+import vmm.entry.*;
+
+/**
+ * The main MemProcFS implementation for Java.
+ * MemProcFS for Java requires JNA - https://github.com/java-native-access/jna which must be on the classpath.
+ * Check out the example code to get started! https://github.com/ufrisk/MemProcFS/
+ * MemProcFS currently only allow for one concurrent analysis instance. When the native code supports more instances the Java API will also support it without any API changes.
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public interface IVmm
+{
+
+ //-----------------------------------------------------------------------------
+ // CORE FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ /**
+ * Initialize a new MemProcFS instance (only if no previous active instance exists).
+ * @param vmmNativeLibraryPath path to vmm.dll / vmm.so native binaries, ex: "C:\\Program FIles\\MemProcFS".
+ * @param argv VMM/MemProcFS initialization arguments.
+ * @return
+ */
+ public static IVmm initializeVmm(String vmmNativeLibraryPath, String argv[])
+ {
+ return vmm.internal.VmmImpl.Initialize(vmmNativeLibraryPath, argv);
+ }
+
+ /**
+ * Check whether the current VMM instance is active/valid or not.
+ * @return
+ */
+ public boolean isValid();
+
+ /**
+ * Retrieve the native library path set at initialization time.
+ * @return
+ */
+ public String getNativeLibraryPath();
+
+ /**
+ * Close the active instance of MemProcFS
+ */
+ public void close();
+
+
+
+ //-----------------------------------------------------------------------------
+ // CONFIGURATION SETTINGS BELOW:
+ //-----------------------------------------------------------------------------
+
+ public static final long OPT_CORE_PRINTF_ENABLE = 0x4000000100000000L;
+ public static final long OPT_CORE_VERBOSE = 0x4000000200000000L;
+ public static final long OPT_CORE_VERBOSE_EXTRA = 0x4000000300000000L;
+ public static final long OPT_CORE_VERBOSE_EXTRA_TLP = 0x4000000400000000L;
+ public static final long OPT_CORE_MAX_NATIVE_ADDRESS = 0x4000000800000000L;
+
+ public static final long OPT_CORE_SYSTEM = 0x2000000100000000L;
+ public static final long OPT_CORE_MEMORYMODEL = 0x2000000200000000L;
+
+ public static final long OPT_CONFIG_IS_REFRESH_ENABLED = 0x2000000300000000L;
+ public static final long OPT_CONFIG_TICK_PERIOD = 0x2000000400000000L;
+ public static final long OPT_CONFIG_READCACHE_TICKS = 0x2000000500000000L;
+ public static final long OPT_CONFIG_TLBCACHE_TICKS = 0x2000000600000000L;
+ public static final long OPT_CONFIG_PROCCACHE_TICKS_PARTIAL = 0x2000000700000000L;
+ public static final long OPT_CONFIG_PROCCACHE_TICKS_TOTAL = 0x2000000800000000L;
+ public static final long OPT_CONFIG_VMM_VERSION_MAJOR = 0x2000000900000000L;
+ public static final long OPT_CONFIG_VMM_VERSION_MINOR = 0x2000000A00000000L;
+ public static final long OPT_CONFIG_VMM_VERSION_REVISION = 0x2000000B00000000L;
+ public static final long OPT_CONFIG_STATISTICS_FUNCTIONCALL = 0x2000000C00000000L;
+ public static final long OPT_CONFIG_IS_PAGING_ENABLED = 0x2000000D00000000L;
+
+ public static final long OPT_WIN_VERSION_MAJOR = 0x2000010100000000L;
+ public static final long OPT_WIN_VERSION_MINOR = 0x2000010200000000L;
+ public static final long OPT_WIN_VERSION_BUILD = 0x2000010300000000L;
+ public static final long OPT_WIN_SYSTEM_UNIQUE_ID = 0x2000010400000000L;
+
+ public static final long OPT_FORENSIC_MODE = 0x2000020100000000L;
+
+ public static final long OPT_REFRESH_ALL = 0x2001ffff00000000L;
+ public static final long OPT_REFRESH_FREQ_MEM = 0x2001000200000000L;
+ public static final long OPT_REFRESH_FREQ_TLB = 0x2001000400000000L;
+ public static final long OPT_REFRESH_FREQ_FAST = 0x2001040000000000L;
+ public static final long OPT_REFRESH_FREQ_MEDIUM = 0x2001000100000000L;
+ public static final long OPT_REFRESH_FREQ_SLOW = 0x2001001000000000L;
+
+ /**
+ * Get a device specific option value. Please see defines OPT_* for information
+ * about valid option values. Please note that option values may overlap between
+ * different device types with different meanings.
+ * @param fOption
+ * @return
+ */
+ public long getConfig(long fOption);
+
+ /**
+ * Set a device specific option value. Please see defines OPT_* for information
+ * about valid option values. Please note that option values may overlap between
+ * different device types with different meanings.
+ * @param fOption
+ * @param qw
+ */
+ public void setConfig(long fOption, long qw);
+
+
+
+ //-----------------------------------------------------------------------------
+ // VFS - VIRTUAL FILE SYSTEM FUNCTIONALITY BELOW:
+ // NB! VFS FUNCTIONALITY REQUIRES PLUGINS TO BE INITIALIZED
+ // WITH CALL TO InitializePlugins().
+ //-----------------------------------------------------------------------------
+
+ public List vfsList(String path);
+
+ public byte[] vfsRead(String file, long offset, int size);
+
+ public String vfsReadString(String file, long offset, int size);
+
+ public void vfsWrite(String file, byte[] data, long offset);
+
+
+
+ //-----------------------------------------------------------------------------
+ // VMM PHYSICAL MEMORY FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ public static int FLAG_NOCACHE = 0x0001;
+ public static int FLAG_ZEROPAD_ON_FAIL = 0x0002;
+ public static int FLAG_FORCECACHE_READ = 0x0008;
+ public static int FLAG_NOPAGING = 0x0010;
+ public static int FLAG_NOPAGING_IO = 0x0020;
+ public static int FLAG_NOCACHEPUT = 0x0100;
+ public static int FLAG_CACHE_RECENT_ONLY = 0x0200;
+ public static int FLAG_NO_PREDICTIVE_READ = 0x0400;
+ public static int FLAG_FORCECACHE_READ_DISABLE = 0x0800;
+
+ /**
+ * Read a single chunk of memory.
+ * @param pa physical address to read.
+ * @param size number of bytes to read.
+ * @return
+ */
+ public byte[] memRead(long pa, int size);
+
+ /**
+ * Read a single chunk of memory with the given flags
+ * @param pa physical address to read.
+ * @param size number of bytes to read.
+ * @param flags flags as specified by IVmm.FLAG_*
+ * @return
+ */
+ public byte[] memRead(long pa, int size, int flags);
+
+ /**
+ * Write data to the memory. NB! writing may fail silently.
+ * If important it's recommended to verify a write with a subsequent read.
+ * @param pa physical address to read.
+ * @param data data to write.
+ */
+ public void memWrite(long pa, byte[] data);
+
+ /**
+ * Prefetch a number of addresses into the internal memory cache.
+ * This is used to achieve faster subsequent reading speeds.
+ * @param pas array of physical addresses to prefetch.
+ */
+ public void memPrefetchPages(long[] pas);
+
+ /**
+ * Create a new IVmmMemScatter object used for efficient reading and writing.
+ * Upon completion it's recommended to call Close() to free native resources.
+ * @param flags flags as specified by IVmm.FLAG_*
+ * @return IVmmMemScatter object used for scatter reading.
+ */
+ public IVmmMemScatterMemory memScatterInitialize(int flags);
+
+
+
+ //-----------------------------------------------------------------------------
+ // VMM PROCESS FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ /**
+ * Retrieve a process by its pid.
+ * @param pid
+ * @return
+ */
+ public IVmmProcess processGet(int pid);
+
+ /**
+ * Retrieve a process by its name. If multiple processes exists with same
+ * it's undefined which one will be returned.
+ * @param name
+ * @return
+ */
+ public IVmmProcess processGet(String name);
+
+ /**
+ * Retrieve all processes in the system
+ * @return
+ */
+ public List processGetAll();
+
+
+
+ //-----------------------------------------------------------------------------
+ // VMM KERNEL FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ /**
+ * Retrieve the kernel process.
+ * @return
+ */
+ public IVmmProcess kernelProcess();
+
+ /**
+ * Retrieve the kernel debug symbols.
+ * @return
+ */
+ public IVmmPdb kernelPdb();
+
+ /**
+ * Retrieve the kernel build number.
+ * @return
+ */
+ public int kernelBuildNumber();
+
+
+
+ //-----------------------------------------------------------------------------
+ // VMM MAP FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ /**
+ * Retrieve the system physical memory map.
+ * @return
+ */
+ public List mapPhysicalMemory();
+
+ /**
+ * Retrieve network info.
+ * @return
+ */
+ public List mapNet();
+
+ /**
+ * Retrieve users.
+ * @return
+ */
+ public List mapUser();
+
+ /**
+ * Retrieve services.
+ * @return
+ */
+ public List mapService();
+
+ /**
+ * Retrieve pool allocations sorted by virtual address and pool tag.
+ * @return
+ */
+ public VmmMap_PoolMap mapPool();
+
+
+
+ //-----------------------------------------------------------------------------
+ // VMM REGISTRY FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ /**
+ * Enumerate all the hives in the system and return them in a list.
+ * @return
+ */
+ public List regHive();
+
+ /**
+ * Retrieve a registry key by its full path.
+ * @param strFullPath
+ * @return
+ */
+ public IVmmRegKey regKey(String strFullPath);
+
+ /**
+ * Retrieve a registry value by its full path.
+ * @param strFullPath
+ * @return
+ */
+ public IVmmRegValue regValue(String strFullPath);
+
+}
diff --git a/vmmjava/vmm/IVmmMemScatterMemory.java b/vmmjava/vmm/IVmmMemScatterMemory.java
new file mode 100644
index 0000000..b76190b
--- /dev/null
+++ b/vmmjava/vmm/IVmmMemScatterMemory.java
@@ -0,0 +1,60 @@
+package vmm;
+
+/**
+ * Interface to simplify efficient scattered read/write from the underlying API.
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public interface IVmmMemScatterMemory
+{
+
+ /**
+ * Retrieve the object validity. Will turn to false after Close().
+ * @return
+ */
+ public boolean isValid();
+
+ /**
+ * Retrieve the flags.
+ * @return
+ */
+ public int getFlags();
+
+ /**
+ * Prepare memory for reading. Read memory after a successful call to Execute()
+ * @param va
+ * @param size
+ */
+ void prepare(long va, int size);
+
+ /**
+ * Prepare memory for writing. Memory will hopefully be written after a call to Execute()
+ * @param va
+ * @param data
+ */
+ void prepareWrite(long va, byte[] data);
+
+ /**
+ * Execute memory read/write operations queued by previous calls to Prepare()/PrepareWrite()
+ */
+ void execute();
+
+ /**
+ * Clear the IVmmMemScatter for new calls to Prepare()/PrepareWrite()
+ */
+ void clear();
+
+ /**
+ * Read scatter data previously prepared by Prepare() after an Execute() call.
+ * @param va
+ * @param size
+ * @return
+ */
+ byte[] read(long va, int size);
+
+ /**
+ * Close the IVmmMemScatter object and clean up native resources.
+ */
+ void close();
+
+}
diff --git a/vmmjava/vmm/IVmmModule.java b/vmmjava/vmm/IVmmModule.java
new file mode 100644
index 0000000..4bc34e9
--- /dev/null
+++ b/vmmjava/vmm/IVmmModule.java
@@ -0,0 +1,128 @@
+package vmm;
+
+import java.util.List;
+
+import vmm.entry.*;
+
+/**
+ * Interface representing a module (loaded dll).
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public interface IVmmModule
+{
+
+ //-----------------------------------------------------------------------------
+ // MODULE CORE FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ /**
+ * Retrieve the process object of this module object.
+ * @return
+ */
+ public IVmmProcess getProcess();
+
+ /**
+ * Retrieve the module name.
+ * @return
+ */
+ public String getName();
+
+ /**
+ * Retrieve the full/long module name.
+ * @return
+ */
+ public String getNameFull();
+
+ /**
+ * Retrieve the module base address.
+ * @return
+ */
+ public long getVaBase();
+
+ /**
+ * Retieve the module entry point address.
+ * @return
+ */
+ public long getVaEntry();
+
+ /**
+ * Retrieve the size of the module (in virtual memory).
+ * @return
+ */
+ public int getSize();
+
+ /**
+ * Retrieve the file size (raw size) of the module.
+ * @return
+ */
+ public int getSizeFile();
+
+ /**
+ * Check whether the module is a WoW64 module or not (32-bit module in 64-bit os).
+ * @return
+ */
+ public boolean isWow64();
+
+ /**
+ * Retrieve the module section count.
+ * @return
+ */
+ public int getCountSection();
+
+ /**
+ * Retrieve the export address table (EAT) count.
+ * @return
+ */
+ public int getCountEAT();
+
+ /**
+ * Retrieve the import address table (IAT) count.
+ * @return
+ */
+ public int getCountIAT();
+
+ /**
+ * Retrieve the function address of the specified function.
+ * @param szFunctionName
+ * @return
+ */
+ public long getProcAddress(String szFunctionName);
+
+ /**
+ * Retrieve pdb debug symbols for the specific module.
+ * @return
+ */
+ public IVmmPdb getPdb();
+
+
+
+ //-----------------------------------------------------------------------------
+ // MODULE MAP FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ /**
+ * Retrieve the data directories.
+ * @return
+ */
+ public List mapDataDirectory();
+
+ /**
+ * Retrieve exported symbols from the export address table (EAT).
+ * @return
+ */
+ public List mapExport();
+
+ /**
+ * Retrieve imported symbols from the import address table (IAT).
+ * @return
+ */
+ public List mapImport();
+
+ /**
+ * Retrieve module sections.
+ * @return
+ */
+ public List mapSection();
+
+}
diff --git a/vmmjava/vmm/IVmmPdb.java b/vmmjava/vmm/IVmmPdb.java
new file mode 100644
index 0000000..30a155f
--- /dev/null
+++ b/vmmjava/vmm/IVmmPdb.java
@@ -0,0 +1,46 @@
+package vmm;
+
+/**
+ * Interface representing debug symbols for a specific module.
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public interface IVmmPdb
+{
+
+ /**
+ * Retrieve the module name of the PDB debug symbols.
+ * @return
+ */
+ public String getModuleName();
+
+ /**
+ * Retrieve the address of the given symbol.
+ * @param strSymbol
+ * @return
+ */
+ public long getSymbolAddress(String strSymbol);
+
+ /**
+ * Retrieve the symbol name given symbol virtual address or offset.
+ * @param vaSymbolOrOffset
+ * @return
+ */
+ public String getSymbolName(long vaSymbolOrOffset);
+
+ /**
+ * Retrieve the symbol type child offset.
+ * @param strTypeName
+ * @param strChild
+ * @return
+ */
+ public int getTypeChildOffset(String strTypeName, String strChild);
+
+ /**
+ * Retrieve a type size.
+ * @param strTypeName
+ * @return
+ */
+ public int getTypeSize(String strTypeName);
+
+}
diff --git a/vmmjava/vmm/IVmmProcess.java b/vmmjava/vmm/IVmmProcess.java
new file mode 100644
index 0000000..e1cb9de
--- /dev/null
+++ b/vmmjava/vmm/IVmmProcess.java
@@ -0,0 +1,275 @@
+package vmm;
+
+import java.util.List;
+
+import vmm.entry.*;
+
+/**
+ * Interface representing a process.
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public interface IVmmProcess
+{
+
+ //-----------------------------------------------------------------------------
+ // PROCESS CORE FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ /**
+ * Retrieve the PID of this process object.
+ * @return
+ */
+ public int getPID();
+
+ /**
+ * Retrieve the parent process id (PPID).
+ * @return
+ */
+ public int getPPID();
+
+ /**
+ * Retrieve the virtual address of the EPROCESS struct.
+ * @return
+ */
+ public long getEPROCESS();
+
+ /**
+ * Get the kernel directory table base (default).
+ * @return
+ */
+ public long getDTB();
+
+ /**
+ * Get the user mode directory table base (if exists).
+ * @return
+ */
+ public long getDTBUser();
+
+ /**
+ * Get the process state.
+ * @return
+ */
+ public int getState();
+
+ /**
+ * Get the virtual address of the PEB.
+ * @return
+ */
+ public long getPEB();
+
+ /**
+ * Get the virtual address of the 32-bit PEB in WoW64 processes.
+ * @return
+ */
+ public int getPEB32();
+
+ /**
+ * Check whether the process is a Wow64 process.
+ * @return
+ */
+ public boolean isWow64();
+
+ /**
+ * Check whether the process is a user-mode or kernel-mode process.
+ * @return
+ */
+ public boolean isUserMode();
+
+ /**
+ * Get the short process name.
+ * @return
+ */
+ public String getName();
+
+ /**
+ * Get the full process name.
+ * @return
+ */
+ public String getNameFull();
+
+ /**
+ * Get the process command line.
+ * @return
+ */
+ public String getCmdLine();
+
+ /**
+ * Get the user mode process path.
+ * @return
+ */
+ public String getPathUser();
+
+ /**
+ * Get the kernel mode process path.
+ * @return
+ */
+ public String getPathKernel();
+
+ /**
+ * Get the memory model.
+ * @return
+ */
+ public int getTpMemoryModel();
+
+ /**
+ * Get the system type.
+ * @return
+ */
+ public int getTpSystem();
+
+ /**
+ * Get the LUID from the process token.
+ * @return
+ */
+ public long GetLUID();
+
+ /**
+ * Get the SesssionID from the process token.
+ * @return
+ */
+ public int GetSessionID();
+
+ /**
+ * Get the SID from the process token.
+ * @return
+ */
+ public String getSID();
+
+
+
+ //-----------------------------------------------------------------------------
+ // PROCESS VIRTUAL MEMORY FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ /**
+ * Read a single chunk of memory.
+ * @param va virtual address to read.
+ * @param size number of bytes to read.
+ * @return
+ */
+ public byte[] memRead(long va, int size);
+
+ /**
+ * Read a single chunk of memory with the given flags
+ * @param va virtual address to read.
+ * @param size number of bytes to read.
+ * @param flags flags as specified by IVmm.FLAG_*
+ * @return
+ */
+ public byte[] memRead(long va, int size, int flags);
+
+ /**
+ * Write data to the memory. NB! writing may fail silently.
+ * If important it's recommended to verify a write with a subsequent read.
+ * @param va virtual address to read.
+ * @param data data to write.
+ */
+ public void memWrite(long va, byte[] data);
+
+ /**
+ * Prefetch a number of addresses into the internal memory cache.
+ * This is used to achieve faster subsequent reading speeds.
+ * @param vas array of virtual addresses to prefetch.
+ */
+ public void memPrefetchPages(long[] vas);
+
+ /**
+ * Create a new IVmmMemScatter object used for efficient reading and writing.
+ * Upon completion it's recommended to call Close() to free native resources.
+ * @param flags flags as specified by IVmm.FLAG_*
+ * @return IVmmMemScatter object used for scatter reading.
+ */
+ public IVmmMemScatterMemory memScatterInitialize(int flags);
+
+ /**
+ * Try translating a virtual memory address to a physical memory address.
+ * @param va
+ * @return
+ */
+ public long memVirtualToPhysical(long va);
+
+
+
+ //-----------------------------------------------------------------------------
+ // PROCESS MODULE FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ /**
+ * Retrieve a module by its virtual address.
+ * @param va
+ * @return
+ */
+ public IVmmModule moduleGet(long va);
+
+ /**
+ * Retrieve a module by its name.
+ * @param name
+ * @return
+ */
+ public IVmmModule moduleGet(String name);
+
+ /**
+ * Retrieve all modules loaded into the process.
+ * @return
+ */
+ public List moduleGetAll();
+
+
+
+ //-----------------------------------------------------------------------------
+ // PROCESS MAP FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ /**
+ * Retrieve handles.
+ * @return
+ */
+ public List mapHandle();
+
+ /**
+ * Retrieve heap allocations given a heap address or heap number.
+ * @param qwHeapNumOrAddress
+ * @return
+ */
+ public List mapHeapAlloc(long qwHeapNumOrAddress);
+
+ /**
+ * Retrieve the process heaps.
+ * @return
+ */
+ public VmmMap_HeapMap mapHeap();
+
+ /**
+ * Retrieve the process PTEs.
+ * @return
+ */
+ public List mapPte();
+
+ /**
+ * Retrieve the process threads.
+ * @return
+ */
+ public List mapThread();
+
+ /**
+ * Retrieve the process unloaded modules.
+ * @return
+ */
+ public List mapUnloadedModule();
+
+ /**
+ * Retrieve the process VADs.
+ * @return
+ */
+ public List mapVad();
+
+ /**
+ * Retrieve extended VAD information given a starting page offset (oPage) and number of pages (cPage).
+ * @param oPage
+ * @param cPage
+ * @return
+ */
+ public List mapVadEx(int oPage, int cPage);
+
+}
diff --git a/vmmjava/vmm/IVmmRegHive.java b/vmmjava/vmm/IVmmRegHive.java
new file mode 100644
index 0000000..22b2820
--- /dev/null
+++ b/vmmjava/vmm/IVmmRegHive.java
@@ -0,0 +1,86 @@
+package vmm;
+
+/**
+ * Interface representing a registry hive.
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public interface IVmmRegHive
+{
+
+ /**
+ * Retrieve the registry hive full name.
+ * @return
+ */
+ public String getName();
+
+ /**
+ * Retrieve the registry hive short name.
+ * @return
+ */
+ public String getNameShort();
+
+ /**
+ * Retrieve the registry hive path.
+ * @return
+ */
+ public String getPath();
+
+ /**
+ * Retrieve the registry hive size.
+ * @return
+ */
+ public int getSize();
+
+ /**
+ * Retrieve the base address of the registry hive.
+ * @return
+ */
+ public long getVaHive();
+
+ /**
+ * Retrieve the address of the registry base block.
+ * @return
+ */
+ public long getVaBaseBlock();
+
+ /**
+ * Retrieve the registry hive root key.
+ * @return
+ */
+ public IVmmRegKey getKeyRoot();
+
+ /**
+ * Retrieve the virtual registry hive orphan key.
+ * The orphan key is populated by registry entries of which it's not
+ * possible to determine their parents.
+ * @return
+ */
+ public IVmmRegKey getKeyOrphan();
+
+ /**
+ * Read registry memory.
+ * @param ra the address from the registry base to read.
+ * @param size the number of bytes to read.
+ * @return
+ */
+ public byte[] memRead(int ra, int size);
+
+ /**
+ * Read registry memory.
+ * @param ra the address from the registry base to read.
+ * @param size the number of bytes to read.
+ * @param flags IVmm.FLAG_*
+ * @return
+ */
+ public byte[] memRead(int ra, int size, int flags);
+
+ /**
+ * Write data to the registry if possible.
+ * NB! this is dangerous and not recommended!
+ * @param ra
+ * @param data
+ */
+ public void memWrite(int ra, byte[] data);
+
+}
diff --git a/vmmjava/vmm/IVmmRegKey.java b/vmmjava/vmm/IVmmRegKey.java
new file mode 100644
index 0000000..5a24607
--- /dev/null
+++ b/vmmjava/vmm/IVmmRegKey.java
@@ -0,0 +1,49 @@
+package vmm;
+
+import java.util.Map;
+
+/**
+ * Interface representing a registry key.
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public interface IVmmRegKey
+{
+
+ /**
+ * Retrieve the registry key name.
+ * @return
+ */
+ public String getName();
+
+ /**
+ * Retrieve the registry key path.
+ * @return
+ */
+ public String getPath();
+
+ /**
+ * Retrieve the parent key.
+ * @return
+ */
+ public IVmmRegKey getKeyParent();
+
+ /**
+ * Retrieve the child keys.
+ * @return
+ */
+ public Map getKeyChild();
+
+ /**
+ * Retrieve the values.
+ * @return
+ */
+ public Map getValues();
+
+ /**
+ * Retrieve the last write time.
+ * @return
+ */
+ public long getTime();
+
+}
diff --git a/vmmjava/vmm/IVmmRegValue.java b/vmmjava/vmm/IVmmRegValue.java
new file mode 100644
index 0000000..63ee019
--- /dev/null
+++ b/vmmjava/vmm/IVmmRegValue.java
@@ -0,0 +1,53 @@
+package vmm;
+
+/**
+ * Interface representing a registry value.
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public interface IVmmRegValue
+{
+
+ /**
+ * Retrieve the registry key name.
+ * @return
+ */
+ public String getName();
+
+ /**
+ * Retrieve the registry type.
+ * @return
+ */
+ public int getType();
+
+ /**
+ * Retrieve the raw registry value.
+ * @return
+ */
+ public byte[] getValue();
+
+ /**
+ * Retrieve a DWORD value.
+ * @return
+ */
+ public int getValueAsDword();
+
+ /**
+ * Retrieve the registry value as a String.
+ * @return
+ */
+ public String getValueAsString();
+
+ /**
+ * Retrieve the registry key path.
+ * @return
+ */
+ public String getPath();
+
+ /**
+ * Retrieve the parent key.
+ * @return
+ */
+ public IVmmRegKey getKeyParent();
+
+}
diff --git a/vmmjava/vmm/VmmException.java b/vmmjava/vmm/VmmException.java
new file mode 100644
index 0000000..5d21a07
--- /dev/null
+++ b/vmmjava/vmm/VmmException.java
@@ -0,0 +1,21 @@
+package vmm;
+
+/**
+ * Runtime Exception used to indicate exceptions from the underlying native API.
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmException extends RuntimeException
+{
+
+ private static final long serialVersionUID = 3361783299853681520L;
+
+ public VmmException() {
+ super("Native call to vmm failed!");
+ }
+
+ public VmmException(String errorMessage) {
+ super(errorMessage);
+ }
+
+}
diff --git a/vmmjava/vmm/entry/VmmMap_HandleEntry.java b/vmmjava/vmm/entry/VmmMap_HandleEntry.java
new file mode 100644
index 0000000..df4e3bb
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_HandleEntry.java
@@ -0,0 +1,27 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_HandleEntry implements Serializable
+{
+ private static final long serialVersionUID = 7952416272217348610L;
+ public long vaObject;
+ public int dwHandle;
+ public int _dwGrantedAccess_iType;
+ public long qwHandleCount;
+ public long qwPointerCount;
+ public long vaObjectCreateInfo;
+ public long vaSecurityDescriptor;
+ public String name;
+ public int dwPID;
+ public String tag;
+ public String type;
+
+ public String toString() {
+ return "VmmMap_HandleEntry:'" + name + "'";
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_HeapAllocEntry.java b/vmmjava/vmm/entry/VmmMap_HeapAllocEntry.java
new file mode 100644
index 0000000..47c7857
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_HeapAllocEntry.java
@@ -0,0 +1,19 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_HeapAllocEntry implements Serializable
+{
+ private static final long serialVersionUID = 7660027547435390129L;
+ public long va;
+ public int cb;
+ public int tp;
+
+ public String toString() {
+ return "VmmMap_HeapAllocEntry:" + Long.toHexString(va) + ":" + Long.toHexString(cb);
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_HeapEntry.java b/vmmjava/vmm/entry/VmmMap_HeapEntry.java
new file mode 100644
index 0000000..6456133
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_HeapEntry.java
@@ -0,0 +1,21 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_HeapEntry implements Serializable
+{
+ private static final long serialVersionUID = -2916075662335391903L;
+ public long va;
+ public int tp;
+ public boolean f32;
+ public int iHeap;
+ public int dwHeapNum;
+
+ public String toString() {
+ return "VmmMap_HeapEntry:" + String.valueOf(iHeap) + ":" + Long.toHexString(va);
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_HeapMap.java b/vmmjava/vmm/entry/VmmMap_HeapMap.java
new file mode 100644
index 0000000..325889e
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_HeapMap.java
@@ -0,0 +1,19 @@
+package vmm.entry;
+
+import java.io.Serializable;
+import java.util.List;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_HeapMap implements Serializable
+{
+ private static final long serialVersionUID = 2532269971476991139L;
+ public List heaps;
+ public List segments;
+
+ public String toString() {
+ return "VmmMap_HeapMap";
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_HeapSegmentEntry.java b/vmmjava/vmm/entry/VmmMap_HeapSegmentEntry.java
new file mode 100644
index 0000000..01739c0
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_HeapSegmentEntry.java
@@ -0,0 +1,20 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_HeapSegmentEntry implements Serializable
+{
+ private static final long serialVersionUID = 5620134579124403952L;
+ public long va;
+ public int cb;
+ public short tp;
+ public short iHeap;
+
+ public String toString() {
+ return "VmmMap_HeapSegmentEntry:" + String.valueOf(iHeap) + ":" + Long.toHexString(va) + ":" + Long.toHexString(cb);
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_MemMapEntry.java b/vmmjava/vmm/entry/VmmMap_MemMapEntry.java
new file mode 100644
index 0000000..b14906e
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_MemMapEntry.java
@@ -0,0 +1,18 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_MemMapEntry implements Serializable
+{
+ private static final long serialVersionUID = 862616981396566108L;
+ public long pa;
+ public long cb;
+
+ public String toString() {
+ return "VmmMap_MemMapEntry:" + Long.toHexString(pa) + ":" + Long.toHexString(cb);
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_ModuleDataDirectory.java b/vmmjava/vmm/entry/VmmMap_ModuleDataDirectory.java
new file mode 100644
index 0000000..4ae6172
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_ModuleDataDirectory.java
@@ -0,0 +1,20 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_ModuleDataDirectory implements Serializable
+{
+ private static final long serialVersionUID = -603939752974235784L;
+ public long RealVirtualAddress;
+ public int VirtualAddress;
+ public int Size;
+ public String name;
+
+ public String toString() {
+ return "VmmMap_ModuleDataDirectory:" + name;
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_ModuleExport.java b/vmmjava/vmm/entry/VmmMap_ModuleExport.java
new file mode 100644
index 0000000..a828805
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_ModuleExport.java
@@ -0,0 +1,22 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_ModuleExport implements Serializable
+{
+ private static final long serialVersionUID = -7123227183229190306L;
+ public long vaFunction;
+ public int dwOrdinal;
+ public int oFunctionsArray;
+ public int oNamesArray;
+ public String uszModule;
+ public String uszFunction;
+
+ public String toString() {
+ return "VmmMap_ModuleExport:" + uszModule + "!" + uszFunction;
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_ModuleImport.java b/vmmjava/vmm/entry/VmmMap_ModuleImport.java
new file mode 100644
index 0000000..65743d4
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_ModuleImport.java
@@ -0,0 +1,26 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_ModuleImport implements Serializable
+{
+ private static final long serialVersionUID = -3945880871638085047L;
+ public long vaFunction;
+ public String uszFunction;
+ public String uszModule;
+ // Thunk
+ public boolean f32;
+ public short wHint;
+ public int rvaFirstThunk;
+ public int rvaOriginalFirstThunk;
+ public int rvaNameModule;
+ public int rvaNameFunction;
+
+ public String toString() {
+ return "VmmMap_ModuleImport:" + uszModule + "!" + uszFunction;
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_ModuleSection.java b/vmmjava/vmm/entry/VmmMap_ModuleSection.java
new file mode 100644
index 0000000..a545094
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_ModuleSection.java
@@ -0,0 +1,26 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_ModuleSection implements Serializable
+{
+ private static final long serialVersionUID = -8748153308397838653L;
+ public String name;
+ public int MiscVirtualSize;
+ public int VirtualAddress;
+ public int SizeOfRawData;
+ public int PointerToRawData;
+ public int PointerToRelocations;
+ public int PointerToLinenumbers;
+ public short NumberOfRelocations;
+ public short NumberOfLinenumbers;
+ public int Characteristics;
+
+ public String toString() {
+ return "VmmMap_ModuleSection:" + name;
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_NetEntry.java b/vmmjava/vmm/entry/VmmMap_NetEntry.java
new file mode 100644
index 0000000..a666c89
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_NetEntry.java
@@ -0,0 +1,29 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_NetEntry implements Serializable
+{
+ private static final long serialVersionUID = 5333048748531523686L;
+ public String str;
+ public int dwPid;
+ public int dwState;
+ public short AF;
+ public long vaObj;
+ public long ftTime;
+ public int dwPoolTag;
+ public boolean srcValid;
+ public boolean dstValid;
+ public short srcPort;
+ public short dstPort;
+ public String srcStr;
+ public String dstStr;
+
+ public String toString() {
+ return "VmmMap_NetEntry:'" + str + "'";
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_PoolEntry.java b/vmmjava/vmm/entry/VmmMap_PoolEntry.java
new file mode 100644
index 0000000..7f320be
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_PoolEntry.java
@@ -0,0 +1,22 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_PoolEntry implements Serializable
+{
+ private static final long serialVersionUID = 6028663064101019000L;
+ public long va;
+ public int cb;
+ public String tag;
+ public boolean fAlloc;
+ public byte tpPool;
+ public byte tpSS;
+
+ public String toString() {
+ return "VmmMap_PoolEntry:" + tag + ":" + String.valueOf(va);
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_PoolMap.java b/vmmjava/vmm/entry/VmmMap_PoolMap.java
new file mode 100644
index 0000000..320d72e
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_PoolMap.java
@@ -0,0 +1,19 @@
+package vmm.entry;
+
+import java.util.Map;
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_PoolMap implements Serializable
+{
+ private static final long serialVersionUID = -2515154533742691192L;
+ public Map> tag;
+ public Map va;
+
+ public String toString() {
+ return "VmmMap_PoolMap";
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_PteEntry.java b/vmmjava/vmm/entry/VmmMap_PteEntry.java
new file mode 100644
index 0000000..39a04d4
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_PteEntry.java
@@ -0,0 +1,22 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_PteEntry implements Serializable
+{
+ private static final long serialVersionUID = -7463671464805453585L;
+ public long vaBase;
+ public long cPages;
+ public long fPage;
+ public boolean fWow64;
+ public String strDescription;
+ public int cSoftware;
+
+ public String toString() {
+ return "VmmMap_PteEntry:" + Long.toHexString(vaBase) + ":" + Long.toHexString(cPages);
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_ServiceEntry.java b/vmmjava/vmm/entry/VmmMap_ServiceEntry.java
new file mode 100644
index 0000000..8d1802c
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_ServiceEntry.java
@@ -0,0 +1,33 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_ServiceEntry implements Serializable
+{
+ private static final long serialVersionUID = 1274183168020644036L;
+ public int dwServiceType;
+ public int dwCurrentState;
+ public int dwControlsAccepted;
+ public int dwWin32ExitCode;
+ public int dwServiceSpecificExitCode;
+ public int dwCheckPoint;
+ public int dwWaitHint;
+ public long vaObj;
+ public int dwOrdinal;
+ public int dwStartType;
+ public String uszServiceName;
+ public String uszDisplayName;
+ public String uszPath;
+ public String uszUserTp;
+ public String uszUserAcct;
+ public String uszImagePath;
+ public int dwPID;
+
+ public String toString() {
+ return "VmmMap_ServiceEntry:" + uszServiceName;
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_ThreadEntry.java b/vmmjava/vmm/entry/VmmMap_ThreadEntry.java
new file mode 100644
index 0000000..e039551
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_ThreadEntry.java
@@ -0,0 +1,40 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_ThreadEntry implements Serializable
+{
+ private static final long serialVersionUID = -8162285678132928371L;
+ public int dwTID;
+ public int dwPID;
+ public int dwExitStatus;
+ public byte bState;
+ public byte bRunning;
+ public byte bPriority;
+ public byte bBasePriority;
+ public long vaETHREAD;
+ public long vaTeb;
+ public long ftCreateTime;
+ public long ftExitTime;
+ public long vaStartAddress;
+ public long vaStackBaseUser;
+ public long vaStackLimitUser;
+ public long vaStackBaseKernel;
+ public long vaStackLimitKernel;
+ public long vaTrapFrame;
+ public long vaRIP;
+ public long vaRSP;
+ public long qwAffinity;
+ public int dwUserTime;
+ public int dwKernelTime;
+ public byte bSuspendCount;
+ public byte bWaitReason;
+
+ public String toString() {
+ return "VmmMap_ThreadEntry:" + String.valueOf(dwTID);
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_UnloadedModuleEntry.java b/vmmjava/vmm/entry/VmmMap_UnloadedModuleEntry.java
new file mode 100644
index 0000000..cc7d5a3
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_UnloadedModuleEntry.java
@@ -0,0 +1,23 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_UnloadedModuleEntry implements Serializable
+{
+ private static final long serialVersionUID = 2432835898565494177L;
+ public long vaBase;
+ public long cbImageSize;
+ public boolean fWow64;
+ public String strModuleName;
+ public int dwCheckSum;
+ public int dwTimeDateStamp;
+ public long ftUnload;
+
+ public String toString() {
+ return "VmmMap_UnloadedModuleEntry:" + strModuleName;
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_UserEntry.java b/vmmjava/vmm/entry/VmmMap_UserEntry.java
new file mode 100644
index 0000000..10648b4
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_UserEntry.java
@@ -0,0 +1,19 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_UserEntry implements Serializable
+{
+ private static final long serialVersionUID = -7758667727787190877L;
+ public String user;
+ public String SID;
+ public long vaRegHive;
+
+ public String toString() {
+ return "VmmMap_UserEntry:" + user;
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_VadEntry.java b/vmmjava/vmm/entry/VmmMap_VadEntry.java
new file mode 100644
index 0000000..d97449b
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_VadEntry.java
@@ -0,0 +1,29 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_VadEntry implements Serializable
+{
+ private static final long serialVersionUID = -4829077937239905960L;
+ public long vaStart;
+ public long vaEnd;
+ public long vaVad;
+ public int dw0;
+ public int dw1;
+ public int dwu2;
+ public int cbPrototypePte;
+ public long vaPrototypePte;
+ public long vaSubsection;
+ public String uszText;
+ public long vaFileObject;
+ public int cVadExPages;
+ public int cVadExPagesBase;
+
+ public String toString() {
+ return "VmmMap_VadEntry:" + Long.toHexString(vaStart) + ":" + Long.toHexString(vaEnd);
+ }
+}
diff --git a/vmmjava/vmm/entry/VmmMap_VadExEntry.java b/vmmjava/vmm/entry/VmmMap_VadExEntry.java
new file mode 100644
index 0000000..0db264d
--- /dev/null
+++ b/vmmjava/vmm/entry/VmmMap_VadExEntry.java
@@ -0,0 +1,25 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmMap_VadExEntry implements Serializable
+{
+ private static final long serialVersionUID = -2942891920206162419L;
+ public int tp;
+ public int iPML;
+ public long va;
+ public long pa;
+ public long pte;
+ public int proto_tp;
+ public long proto_pa;
+ public long proto_pte;
+ public long vaVadBase;
+
+ public String toString() {
+ return "VmmMap_VadExEntry:" + Long.toHexString(va);
+ }
+}
diff --git a/vmmjava/vmm/entry/Vmm_VfsListEntry.java b/vmmjava/vmm/entry/Vmm_VfsListEntry.java
new file mode 100644
index 0000000..435f333
--- /dev/null
+++ b/vmmjava/vmm/entry/Vmm_VfsListEntry.java
@@ -0,0 +1,19 @@
+package vmm.entry;
+
+import java.io.Serializable;
+
+/**
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class Vmm_VfsListEntry implements Serializable
+{
+ private static final long serialVersionUID = -2708452659192929578L;
+ public String name;
+ public boolean isFile;
+ public long size;
+
+ public String toString() {
+ return "Vmm_VfsListEntry:" + name;
+ }
+}
diff --git a/vmmjava/vmm/internal/VmmImpl.java b/vmmjava/vmm/internal/VmmImpl.java
new file mode 100644
index 0000000..2f7332e
--- /dev/null
+++ b/vmmjava/vmm/internal/VmmImpl.java
@@ -0,0 +1,1449 @@
+package vmm.internal;
+
+import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import com.sun.jna.*;
+import com.sun.jna.ptr.*;
+
+import vmm.*;
+import vmm.entry.*;
+import vmm.internal.VmmNative.VMMDLL_REGISTRY_HIVE_INFORMATION;
+
+/**
+ * JNA native code wrapper for MemProcFS.
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+public class VmmImpl implements IVmm
+{
+
+ //-----------------------------------------------------------------------------
+ // INITIALIZATION FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ private static final Object objLock = new Object();
+ private static String vmmNativeLibraryPath = null;
+ private static VmmImpl vmmActive = null;
+
+ /*
+ * Do not allow direct class instantiation from outside.
+ */
+ private VmmImpl()
+ {
+ }
+
+ public static IVmm Initialize(String vmmNativeLibraryPath, String argv[])
+ {
+ synchronized(objLock) {
+ if(vmmActive != null) {
+ throw new VmmException("vmm already initialized - close before re-initialize!");
+ }
+ System.setProperty("jna.library.path", vmmNativeLibraryPath);
+ boolean f = VmmNative.INSTANCE.VMMDLL_Initialize(argv.length, argv);
+ if(!f) { throw new VmmException("Vmm Init: failed in native code."); }
+ VmmNative.INSTANCE.VMMDLL_InitializePlugins();
+ VmmImpl.vmmNativeLibraryPath = vmmNativeLibraryPath;
+ VmmImpl.vmmActive = new VmmImpl();
+ }
+ return VmmImpl.vmmActive;
+ }
+
+ public boolean isValid() {
+ return vmmActive != null;
+ }
+
+ public String getNativeLibraryPath() {
+ return vmmNativeLibraryPath;
+ }
+
+ public void close()
+ {
+ synchronized(objLock) {
+ if(vmmActive != null) {
+ VmmNative.INSTANCE.VMMDLL_Close();
+ vmmActive = null;
+ }
+ }
+ }
+
+ /*
+ * Always close native implementation upon finalization.
+ */
+ @Override
+ public void finalize()
+ {
+ try {
+ this.close();
+ } catch (Exception e) {}
+ }
+
+ /*
+ * Custom toString() method.
+ */
+ @Override
+ public String toString()
+ {
+ return (vmmActive != null) ? "Vmm" : "VmmNotValid";
+ }
+
+
+
+ //-----------------------------------------------------------------------------
+ // CONFIGURATION SETTINGS BELOW:
+ //-----------------------------------------------------------------------------
+
+ public long getConfig(long fOption)
+ {
+ LongByReference pqw = new LongByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_ConfigGet(fOption, pqw);
+ if(!f) { throw new VmmException(); }
+ return pqw.getValue();
+ }
+
+ public void setConfig(long fOption, long qw)
+ {
+ boolean f = VmmNative.INSTANCE.VMMDLL_ConfigSet(fOption, qw);
+ if(!f) { throw new VmmException(); }
+ }
+
+
+
+ //-----------------------------------------------------------------------------
+ // INTERNAL UTILITY FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ private static byte[] _utilStringToCString(String s)
+ {
+ byte[] bjava = s.getBytes(StandardCharsets.UTF_8);
+ byte[] bc = new byte[bjava.length+1];
+ System.arraycopy(bjava, 0, bc, 0, bjava.length);
+ return bc;
+ }
+
+
+
+ //-----------------------------------------------------------------------------
+ // VFS - VIRTUAL FILE SYSTEM FUNCTIONALITY BELOW:
+ // NB! VFS FUNCTIONALITY REQUIRES PLUGINS TO BE INITIALIZED
+ // WITH CALL TO InitializePlugins().
+ //-----------------------------------------------------------------------------
+
+ public List vfsList(String path)
+ {
+ ArrayList result = new ArrayList();
+ VmmNative.VMMDLL_VFS_FILELIST2 vfs = new VmmNative.VMMDLL_VFS_FILELIST2();
+ vfs.dwVersion = VmmNative.VMMDLL_VFS_FILELIST_VERSION;
+ vfs.h = 0;
+ vfs.pfnAddFile = new VmmNative.VMMDLL_VFS_FILELIST2.CB_FILE() {
+ @Override
+ public void invoke(long h, String uszName, long cb, Pointer pExInfo) {
+ Vmm_VfsListEntry e = new Vmm_VfsListEntry();
+ e.name = uszName;
+ e.isFile = true;
+ e.size = cb;
+ result.add(e);
+ }
+ };
+ vfs.pfnAddDirectory = new VmmNative.VMMDLL_VFS_FILELIST2.CB_DIRECTORY() {
+ @Override
+ public void invoke(long h, String uszName, Pointer pExInfo) {
+ Vmm_VfsListEntry e = new Vmm_VfsListEntry();
+ e.name = uszName;
+ e.isFile = false;
+ e.size = 0;
+ result.add(e);
+ }
+ };
+ boolean f = VmmNative.INSTANCE.VMMDLL_VfsListU(_utilStringToCString(path), vfs);
+ if(!f) { throw new VmmException(); }
+ return result;
+ }
+
+ public byte[] vfsRead(String file, long offset, int size)
+ {
+ IntByReference pcbRead = new IntByReference();
+ Pointer pb = new Memory(size);
+ VmmNative.INSTANCE.VMMDLL_VfsReadU(_utilStringToCString(file), pb, size, pcbRead, offset);
+ if(0 == pcbRead.getValue()) { throw new VmmException(); }
+ size = Math.min(size, pcbRead.getValue());
+ byte[] result = new byte[size];
+ pb.read(0, result, 0, size);
+ return result;
+ }
+
+ public String vfsReadString(String file, long offset, int size)
+ {
+ byte[] data = vfsRead(file, offset, size);
+ return new String(data, StandardCharsets.UTF_8);
+ }
+
+ public void vfsWrite(String file, byte[] data, long offset)
+ {
+ IntByReference pcbWrite = new IntByReference();
+ Pointer pb = new Memory(data.length);
+ pb.write(0, data, 0, data.length);
+ VmmNative.INSTANCE.VMMDLL_VfsWriteU(_utilStringToCString(file), pb, data.length, pcbWrite, offset);
+ if(0 == pcbWrite.getValue()) { throw new VmmException(); }
+ }
+
+
+
+ //-----------------------------------------------------------------------------
+ // INTERNAL VMM MEMORY FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ private class VmmMemScatterMemoryImpl implements IVmmMemScatterMemory {
+ private final Object objLock = new Object();
+ private Pointer hS;
+ private int pid;
+ private int flags;
+
+ private VmmMemScatterMemoryImpl(Pointer hS, int pid, int flags) {
+ this.hS = hS;
+ this.pid = pid;
+ this.flags = flags;
+ }
+
+ @Override
+ public String toString()
+ {
+ if(pid == -1) {
+ return "VmmScatterMemory:Physical";
+ } else {
+ return "VmmScatterMemory:Virtual:" + String.valueOf(pid);
+ }
+ }
+
+ public boolean isValid() {
+ return this.hS != null;
+ }
+
+ public int getFlags() {
+ return this.flags;
+ }
+
+ public void prepare(long va, int size) {
+ if(this.hS == null) { throw new VmmException(); }
+ boolean f = VmmNative.INSTANCE.VMMDLL_Scatter_Prepare(hS, va, size);
+ if(!f) { throw new VmmException(); }
+ }
+
+ public void prepareWrite(long va, byte[] data) {
+ if(this.hS == null) { throw new VmmException(); }
+ Pointer pb = new Memory(data.length);
+ pb.write(0, data, 0, data.length);
+ boolean f = VmmNative.INSTANCE.VMMDLL_Scatter_PrepareWrite(pb, va, pb, data.length);
+ if(!f) { throw new VmmException(); }
+ }
+
+ public void execute() {
+ if(this.hS == null) { throw new VmmException(); }
+ boolean f = VmmNative.INSTANCE.VMMDLL_Scatter_Execute(hS);
+ if(!f) { throw new VmmException(); }
+ }
+
+ public void clear() {
+ if(this.hS == null) { throw new VmmException(); }
+ boolean f = VmmNative.INSTANCE.VMMDLL_Scatter_Clear(hS, pid, flags);
+ if(!f) { throw new VmmException(); }
+ }
+
+ public byte[] read(long va, int size) {
+ if(this.hS == null) { throw new VmmException(); }
+ IntByReference pcbRead = new IntByReference();
+ Pointer pb = new Memory(size);
+ boolean f = VmmNative.INSTANCE.VMMDLL_Scatter_Read(hS, va, size, pb, pcbRead);
+ if(!f) { throw new VmmException(); }
+ size = Math.min(size, pcbRead.getValue());
+ byte[] result = new byte[size];
+ pb.read(0, result, 0, size);
+ return result;
+ }
+
+ public void close() {
+ synchronized(objLock) {
+ if(this.hS != null) {
+ VmmNative.INSTANCE.VMMDLL_Scatter_CloseHandle(hS);
+ this.hS = null;
+ this.pid = 0;
+ this.flags = 0;
+ }
+ }
+ }
+
+ @Override
+ public void finalize()
+ {
+ try {
+ this.close();
+ } catch (Exception e) {}
+ }
+ }
+
+ public byte[] _memRead(int pid, long va, int size)
+ {
+ return _memRead(pid, va, size, 0);
+ }
+
+ public byte[] _memRead(int pid, long va, int size, int flags)
+ {
+ IntByReference pcbRead = new IntByReference();
+ Pointer pb = new Memory(size);
+ boolean f = VmmNative.INSTANCE.VMMDLL_MemReadEx(pid, va, pb, size, pcbRead, flags);
+ if(!f) { throw new VmmException(); }
+ size = Math.min(size, pcbRead.getValue());
+ byte[] result = new byte[size];
+ pb.read(0, result, 0, size);
+ return result;
+ }
+
+ public void _memWrite(int pid, long va, byte[] data)
+ {
+ Pointer pb = new Memory(data.length);
+ pb.write(0, data, 0, data.length);
+ boolean f = VmmNative.INSTANCE.VMMDLL_MemWrite(pid, va, pb, data.length);
+ if(!f) { throw new VmmException(); }
+ }
+
+ public void _memPrefetchPages(int pid, long[] vas)
+ {
+ boolean f = VmmNative.INSTANCE.VMMDLL_MemPrefetchPages(pid, vas, vas.length);
+ if(!f) { throw new VmmException(); }
+ }
+
+ public long _memVirtualToPhysical(int pid, long va)
+ {
+ LongByReference pa = new LongByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_MemVirt2Phys(pid, va, pa);
+ if(!f) { throw new VmmException(); }
+ return pa.getValue();
+ }
+
+ public IVmmMemScatterMemory _memScatterInitialize(int pid, int flags)
+ {
+ Pointer hS = VmmNative.INSTANCE.VMMDLL_Scatter_Initialize(pid, flags);
+ if(hS == null) { throw new VmmException(); }
+ return new VmmMemScatterMemoryImpl(hS, pid, flags);
+ }
+
+
+
+ //-----------------------------------------------------------------------------
+ // VMM PHYSICAL MEMORY FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ public byte[] memRead(long pa, int size)
+ {
+ return _memRead(-1, pa, size);
+ }
+
+ public byte[] memRead(long pa, int size, int flags) {
+ return _memRead(-1, pa, size, flags);
+ }
+
+ public void memWrite(long pa, byte[] data)
+ {
+ _memWrite(-1, pa, data);
+ }
+
+ public void memPrefetchPages(long[] pas)
+ {
+ _memPrefetchPages(-1, pas);
+ }
+
+ public IVmmMemScatterMemory memScatterInitialize(int flags) {
+ return _memScatterInitialize(-1, flags);
+ }
+
+
+
+ //-----------------------------------------------------------------------------
+ // VMM INTERNAL PDB/DEBUG FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ private class VmmPdbImpl implements IVmmPdb
+ {
+ private String pdbName;
+
+ private VmmPdbImpl(int dwPID, long vaModuleBase) {
+ byte[] szModuleName = new byte[VmmNative.MAX_PATH];
+ boolean f = VmmNative.INSTANCE.VMMDLL_PdbLoad(dwPID, vaModuleBase, szModuleName);
+ if(!f) { throw new VmmException(); }
+ this.pdbName = Native.toString(szModuleName);
+ }
+
+ private VmmPdbImpl(String pdbName) {
+ this.pdbName = pdbName;
+ }
+
+ @Override
+ public String toString() {
+ return "VmmPdb:" + pdbName;
+ }
+
+ public String getModuleName() {
+ return pdbName;
+ }
+
+ public long getSymbolAddress(String strSymbol) {
+ LongByReference pvaSymbolAddress = new LongByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_PdbSymbolAddress(pdbName, strSymbol, pvaSymbolAddress);
+ if(!f) { throw new VmmException(); }
+ return pvaSymbolAddress.getValue();
+ }
+
+ public String getSymbolName(long vaSymbolOrOffset) {
+ IntByReference pdwSymbolDisplacement = new IntByReference();
+ byte[] szSymbolName = new byte[VmmNative.MAX_PATH];
+ boolean f = VmmNative.INSTANCE.VMMDLL_PdbSymbolName(pdbName, vaSymbolOrOffset, szSymbolName, pdwSymbolDisplacement);
+ if(!f) { throw new VmmException(); }
+ return Native.toString(szSymbolName);
+ }
+
+ public int getTypeChildOffset(String strTypeName, String strChild) {
+ IntByReference pcbTypeChildOffset = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_PdbTypeChildOffset(pdbName, strTypeName, strChild, pcbTypeChildOffset);
+ if(!f) { throw new VmmException(); }
+ return pcbTypeChildOffset.getValue();
+ }
+
+ public int getTypeSize(String strTypeName) {
+ IntByReference pcbTypeSize = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_PdbTypeSize(pdbName, strTypeName, pcbTypeSize);
+ if(!f) { throw new VmmException(); }
+ return pcbTypeSize.getValue();
+ }
+ }
+
+
+
+ //-----------------------------------------------------------------------------
+ // VMM KERNEL FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ public IVmmProcess kernelProcess()
+ {
+ return new VmmProcessImpl(4);
+ }
+
+ public IVmmPdb kernelPdb()
+ {
+ return new VmmPdbImpl("nt");
+ }
+
+ public int kernelBuildNumber()
+ {
+ return (int)getConfig(OPT_WIN_VERSION_BUILD);
+ }
+
+
+
+ //-----------------------------------------------------------------------------
+ // VMM MAP FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ public List mapPhysicalMemory()
+ {
+ IntByReference pcbMap = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetPhysMem(null, pcbMap);
+ if(!f) { throw new VmmException(); }
+ Pointer ptr = new Memory(pcbMap.getValue());
+ f = VmmNative.INSTANCE.VMMDLL_Map_GetPhysMem(ptr, pcbMap);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_PHYSMEM pMap = new VmmNative.VMMDLL_MAP_PHYSMEM(ptr);
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_PHYSMEM_ENTRY n : pMap.pMap) {
+ VmmMap_MemMapEntry e = new VmmMap_MemMapEntry();
+ e.pa = n.pa;
+ e.cb = n.cb;
+ result.add(e);
+ }
+ return result;
+ }
+
+ public List mapNet()
+ {
+ IntByReference pcbMap = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetNetU(null, pcbMap);
+ if(!f) { throw new VmmException(); }
+ Pointer ptr = new Memory(pcbMap.getValue());
+ f = VmmNative.INSTANCE.VMMDLL_Map_GetNetU(ptr, pcbMap);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_NET pMap = new VmmNative.VMMDLL_MAP_NET(ptr);
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_NETENTRY n : pMap.pMap) {
+ VmmMap_NetEntry e = new VmmMap_NetEntry();
+ e.str = n.uszText;
+ e.dwPid = n.dwPID;
+ e.dwState = n.dwState;
+ e.AF = n.AF;
+ e.vaObj = n.vaObj;
+ e.ftTime = n.ftTime;
+ e.dwPoolTag = n.dwPoolTag;
+ e.srcValid = n.Src.fValid;
+ e.dstValid = n.Dst.fValid;
+ e.srcPort = n.Src.port;
+ e.dstPort = n.Dst.port;
+ e.srcStr = n.Src.uszText;
+ e.dstStr = n.Dst.uszText;
+ result.add(e);
+ }
+ return result;
+ }
+
+ public List mapUser()
+ {
+ IntByReference pcbMap = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetUsersU(null, pcbMap);
+ if(!f) { throw new VmmException(); }
+ Pointer ptr = new Memory(pcbMap.getValue());
+ f = VmmNative.INSTANCE.VMMDLL_Map_GetUsersU(ptr, pcbMap);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_USER pMap = new VmmNative.VMMDLL_MAP_USER(ptr);
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_USERENTRY n : pMap.pMap) {
+ VmmMap_UserEntry e = new VmmMap_UserEntry();
+ e.user = n.uszText;
+ e.SID = n.uszSID;
+ e.vaRegHive = n.vaRegHive;
+ result.add(e);
+ }
+ return result;
+ }
+
+ public List mapService()
+ {
+ IntByReference pcbMap = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetServicesU(null, pcbMap);
+ if(!f) { throw new VmmException(); }
+ Pointer ptr = new Memory(pcbMap.getValue());
+ f = VmmNative.INSTANCE.VMMDLL_Map_GetServicesU(ptr, pcbMap);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_SERVICE pMap = new VmmNative.VMMDLL_MAP_SERVICE(ptr);
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_SERVICEENTRY n : pMap.pMap) {
+ VmmMap_ServiceEntry e = new VmmMap_ServiceEntry();
+ e.vaObj = n.vaObj;
+ e.dwOrdinal = n.dwOrdinal;
+ e.dwStartType = n.dwStartType;
+ e.uszServiceName = n.uszServiceName;
+ e.uszDisplayName = n.uszDisplayName;
+ e.uszPath = n.uszPath;
+ e.uszUserTp = n.uszUserTp;
+ e.uszUserAcct = n.uszUserAcct;
+ e.uszImagePath = n.uszImagePath;
+ e.dwPID = n.dwPID;
+ e.dwServiceType = n.ServiceStatus.dwServiceType;
+ e.dwCurrentState = n.ServiceStatus.dwCurrentState;
+ e.dwControlsAccepted = n.ServiceStatus.dwControlsAccepted;
+ e.dwWin32ExitCode = n.ServiceStatus.dwWin32ExitCode;
+ e.dwServiceSpecificExitCode = n.ServiceStatus.dwServiceSpecificExitCode;
+ e.dwCheckPoint = n.ServiceStatus.dwCheckPoint;
+ e.dwWaitHint = n.ServiceStatus.dwWaitHint;
+ result.add(e);
+ }
+ return result;
+ }
+
+ public VmmMap_PoolMap mapPool()
+ {
+ PointerByReference pptr = new PointerByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetPoolEx(pptr, VmmNative.VMMDLL_POOLMAP_FLAG_ALL);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_POOL pMap = new VmmNative.VMMDLL_MAP_POOL(pptr.getValue());
+ // process result:
+ VmmMap_PoolMap result = new VmmMap_PoolMap();
+ result.tag = new HashMap>();
+ result.va = new HashMap();
+ Map tagMap;
+ for(VmmNative.VMMDLL_MAP_POOLENTRY n : pMap.pMap) {
+ VmmMap_PoolEntry e = new VmmMap_PoolEntry();
+ e.va = n.va;
+ e.cb = n.cb;
+ e.fAlloc = (n.fAlloc != 0);
+ e.tpPool = n.tpPool;
+ e.tpSS = n.tpSS;
+ e.tag = Native.toString(n.tag);
+ result.va.put(e.va, e);
+ tagMap = result.tag.get(e.tag);
+ if(tagMap == null) {
+ tagMap = new HashMap();
+ result.tag.put(e.tag, tagMap);
+ }
+ tagMap.put(e.va, e);
+ }
+ VmmNative.INSTANCE.VMMDLL_MemFree(pptr.getValue());
+ return result;
+ }
+
+
+
+ //-----------------------------------------------------------------------------
+ // PROCESS INTERNAL FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ private class VmmProcessImpl implements IVmmProcess
+ {
+ private int pid;
+ private VmmNative.VMMDLL_PROCESS_INFORMATION info;
+
+ private VmmProcessImpl(int pid) {
+ this.pid = pid;
+ this.info = null;
+ }
+
+ /*
+ * Ensure process information is loaded
+ */
+ private void ensure() {
+ if(this.info == null) {
+ IntByReference pcbInfo = new IntByReference();
+ VmmNative.VMMDLL_PROCESS_INFORMATION pInfo = new VmmNative.VMMDLL_PROCESS_INFORMATION();
+ pcbInfo.setValue(Native.getNativeSize(VmmNative.VMMDLL_PROCESS_INFORMATION.class, pInfo));
+ pInfo.magic = VmmNative.MMDLL_PROCESS_INFORMATION_MAGIC;
+ pInfo.wVersion = VmmNative.VMMDLL_PROCESS_INFORMATION_VERSION;
+ boolean f = VmmNative.INSTANCE.VMMDLL_ProcessGetInformation(pid, pInfo, pcbInfo);
+ if(!f) { throw new VmmException(); }
+ if(pInfo.wVersion != VmmNative.VMMDLL_PROCESS_INFORMATION_VERSION) { throw new VmmException("Bad Version"); }
+ this.info = pInfo;
+ }
+ }
+
+ @Override
+ public String toString() {
+ return "VmmProcess:" + String.valueOf(pid);
+ }
+
+ public int getPID() {
+ return pid;
+ }
+
+ public byte[] memRead(long va, int size) {
+ return _memRead(pid, va, size);
+ }
+
+ public byte[] memRead(long va, int size, int flags) {
+ return _memRead(pid, va, size, flags);
+ }
+
+ public void memWrite(long va, byte[] data) {
+ _memWrite(pid, va, data);
+ }
+
+ public void memPrefetchPages(long[] vas) {
+ _memPrefetchPages(pid, vas);
+ }
+
+ public IVmmMemScatterMemory memScatterInitialize(int flags) {
+ return _memScatterInitialize(pid, flags);
+ }
+
+ public long memVirtualToPhysical(long va) {
+ return _memVirtualToPhysical(pid, va);
+ }
+
+ public List mapHandle() {
+ IntByReference pcbMap = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetHandleU(pid, null, pcbMap);
+ if(!f) { throw new VmmException(); }
+ Pointer ptr = new Memory(pcbMap.getValue());
+ f = VmmNative.INSTANCE.VMMDLL_Map_GetHandleU(pid, ptr, pcbMap);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_HANDLE pMap = new VmmNative.VMMDLL_MAP_HANDLE(ptr);
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_HANDLEENTRY n : pMap.pMap) {
+ VmmMap_HandleEntry e = new VmmMap_HandleEntry();
+ e.vaObject = n.vaObject;
+ e.dwHandle = n.dwHandle;
+ e._dwGrantedAccess_iType = n._dwGrantedAccess_iType;
+ e.qwHandleCount = n.qwHandleCount;
+ e.qwPointerCount = n.qwPointerCount;
+ e.vaObjectCreateInfo = n.vaObjectCreateInfo;
+ e.vaSecurityDescriptor = n.vaSecurityDescriptor;
+ e.name = n.uszText;
+ e.dwPID = n.dwPID;
+ e.tag = Native.toString(n.dwPoolTag);
+ e.type = n.uszType;
+ result.add(e);
+ }
+ return result;
+ }
+
+ public List mapHeapAlloc(long qwHeapNumOrAddress) {
+ PointerByReference pptr = new PointerByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetHeapAllocEx(pid, qwHeapNumOrAddress, pptr);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_HEAPALLOC pMap = new VmmNative.VMMDLL_MAP_HEAPALLOC(pptr.getValue());
+ // process result:
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_HEAPALLOCENTRY n : pMap.pMap) {
+ VmmMap_HeapAllocEntry e = new VmmMap_HeapAllocEntry();
+ e.va = n.va;
+ e.cb = n.cb;
+ e.tp = n.tp;
+ result.add(e);
+ }
+ VmmNative.INSTANCE.VMMDLL_MemFree(pptr.getValue());
+ return result;
+ }
+
+ public VmmMap_HeapMap mapHeap() {
+ PointerByReference pptr = new PointerByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetHeapEx(pid, pptr);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_HEAP pMap = new VmmNative.VMMDLL_MAP_HEAP(pptr.getValue());
+ // process result:
+ VmmMap_HeapMap result = new VmmMap_HeapMap();
+ result.heaps = new ArrayList();
+ result.segments = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_HEAPENTRY n : pMap.pMap) {
+ VmmMap_HeapEntry e = new VmmMap_HeapEntry();
+ e.va = n.va;
+ e.tp = n.tp;
+ e.f32 = n.f32;
+ e.iHeap = n.iHeap;
+ e.dwHeapNum = n.dwHeapNum;
+ result.heaps.add(e);
+ }
+ for(VmmNative.VMMDLL_MAP_HEAP_SEGMENTENTRY n : pMap.pSegments) {
+ VmmMap_HeapSegmentEntry e = new VmmMap_HeapSegmentEntry();
+ e.va = n.va;
+ e.cb = n.cb;
+ e.tp = n.tp;
+ e.iHeap = n.iHeap;
+ result.segments.add(e);
+ }
+ VmmNative.INSTANCE.VMMDLL_MemFree(pptr.getValue());
+ return result;
+ }
+
+ public List mapPte() {
+ IntByReference pcbMap = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetPteU(pid, null, pcbMap, true);
+ if(!f) { throw new VmmException(); }
+ Pointer ptr = new Memory(pcbMap.getValue());
+ f = VmmNative.INSTANCE.VMMDLL_Map_GetPteU(pid, ptr, pcbMap, true);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_PTE pMap = new VmmNative.VMMDLL_MAP_PTE(ptr);
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_PTEENTRY n : pMap.pMap) {
+ VmmMap_PteEntry e = new VmmMap_PteEntry();
+ e.vaBase = n.vaBase;
+ e.cPages = n.cPages;
+ e.fPage = n.fPage;
+ e.fWow64 = n.fWow64;
+ e.strDescription = n.uszText;
+ e.cSoftware = n.cSoftware;
+ result.add(e);
+ }
+ return result;
+ }
+
+ public List mapThread() {
+ IntByReference pcbMap = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetThread(pid, null, pcbMap);
+ if(!f) { throw new VmmException(); }
+ Pointer ptr = new Memory(pcbMap.getValue());
+ f = VmmNative.INSTANCE.VMMDLL_Map_GetThread(pid, ptr, pcbMap);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_THREAD pMap = new VmmNative.VMMDLL_MAP_THREAD(ptr);
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_THREADENTRY n : pMap.pMap) {
+ VmmMap_ThreadEntry e = new VmmMap_ThreadEntry();
+ e.dwTID = n.dwTID;
+ e.dwPID = n.dwPID;
+ e.dwExitStatus = n.dwExitStatus;
+ e.bState = n.bState;
+ e.bRunning = n.bRunning;
+ e.bPriority = n.bPriority;
+ e.bBasePriority = n.bBasePriority;
+ e.vaETHREAD = n.vaETHREAD;
+ e.vaTeb = n.vaTeb;
+ e.ftCreateTime = n.ftCreateTime;
+ e.ftExitTime = n.ftExitTime;
+ e.vaStartAddress = n.vaStartAddress;
+ e.vaStackBaseUser = n.vaStackBaseUser;
+ e.vaStackLimitUser = n.vaStackLimitUser;
+ e.vaStackBaseKernel = n.vaStackBaseKernel;
+ e.vaStackLimitKernel = n.vaStackLimitKernel;
+ e.vaTrapFrame = n.vaTrapFrame;
+ e.vaRIP = n.vaRIP;
+ e.vaRSP = n.vaRSP;
+ e.qwAffinity = n.qwAffinity;
+ e.dwUserTime = n.dwUserTime;
+ e.dwKernelTime = n.dwKernelTime;
+ e.bSuspendCount = n.bSuspendCount;
+ e.bWaitReason = n.bWaitReason;
+ result.add(e);
+ }
+ return result;
+ }
+
+ public List mapUnloadedModule() {
+ IntByReference pcbMap = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetUnloadedModuleU(pid, null, pcbMap);
+ if(!f) { throw new VmmException(); }
+ Pointer ptr = new Memory(pcbMap.getValue());
+ f = VmmNative.INSTANCE.VMMDLL_Map_GetUnloadedModuleU(pid, ptr, pcbMap);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_UNLOADEDMODULE pMap = new VmmNative.VMMDLL_MAP_UNLOADEDMODULE(ptr);
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_UNLOADEDMODULEENTRY n : pMap.pMap) {
+ VmmMap_UnloadedModuleEntry e = new VmmMap_UnloadedModuleEntry();
+ e.vaBase = n.vaBase;
+ e.cbImageSize = n.cbImageSize;
+ e.fWow64 = n.fWow64;
+ e.strModuleName = n.uszText;
+ e.dwCheckSum = n.dwCheckSum;
+ e.dwTimeDateStamp = n.dwTimeDateStamp;
+ e.ftUnload = n.ftUnload;
+ result.add(e);
+ }
+ return result;
+ }
+
+ public List mapVad() {
+ IntByReference pcbMap = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetVadU(pid, null, pcbMap, true);
+ if(!f) { throw new VmmException(); }
+ Pointer ptr = new Memory(pcbMap.getValue());
+ f = VmmNative.INSTANCE.VMMDLL_Map_GetVadU(pid, ptr, pcbMap, true);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_VAD pMap = new VmmNative.VMMDLL_MAP_VAD(ptr);
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_VADENTRY n : pMap.pMap) {
+ VmmMap_VadEntry e = new VmmMap_VadEntry();
+ e.vaStart = n.vaStart;
+ e.vaEnd = n.vaEnd;
+ e.vaVad = n.vaVad;
+ e.dw0 = n.dw0;
+ e.dw1 = n.dw1;
+ e.dwu2 = n.dwu2;
+ e.cbPrototypePte = n.cbPrototypePte;
+ e.vaPrototypePte = n.vaPrototypePte;
+ e.vaSubsection = n.vaSubsection;
+ e.uszText = n.uszText;
+ e.vaFileObject = n.vaFileObject;
+ e.cVadExPages = n.cVadExPages;
+ e.cVadExPagesBase = n.cVadExPagesBase;
+ result.add(e);
+ }
+ return result;
+ }
+
+ public List mapVadEx(int oPage, int cPage) {
+ IntByReference pcbMap = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetVadEx(pid, null, pcbMap, oPage, cPage);
+ if(!f) { throw new VmmException(); }
+ Pointer ptr = new Memory(pcbMap.getValue());
+ f = VmmNative.INSTANCE.VMMDLL_Map_GetVadEx(pid, ptr, pcbMap, oPage, cPage);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_VADEX pMap = new VmmNative.VMMDLL_MAP_VADEX(ptr);
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_VADEXENTRY n : pMap.pMap) {
+ VmmMap_VadExEntry e = new VmmMap_VadExEntry();
+ e.tp = n.tp;
+ e.iPML = n.iPML;
+ e.va = n.va;
+ e.pa = n.pa;
+ e.pte = n.pte;
+ e.proto_tp = n.proto_tp;
+ e.proto_pa = n.proto_pa;
+ e.proto_pte = n.proto_pte;
+ e.vaVadBase = n.vaVadBase;
+ result.add(e);
+ }
+ return result;
+ }
+
+ public int getPPID() {
+ ensure();
+ return info.dwPPID;
+ }
+
+ public long getEPROCESS() {
+ ensure();
+ return info.vaEPROCESS;
+ }
+
+ public long getDTB() {
+ ensure();
+ return info.paDTB;
+ }
+
+ public long getDTBUser() {
+ ensure();
+ return info.paDTB_UserOpt;
+ }
+
+ public int getState() {
+ ensure();
+ return info.dwState;
+ }
+
+ public long getPEB() {
+ ensure();
+ return info.vaPEB;
+ }
+
+ public int getPEB32() {
+ ensure();
+ return info.vaPEB32;
+ }
+
+ public boolean isWow64() {
+ ensure();
+ return info.fWow64;
+ }
+
+ public boolean isUserMode() {
+ ensure();
+ return info.fUserOnly;
+ }
+
+ public String getName() {
+ ensure();
+ return Native.toString(info.szName);
+ }
+
+ public String getNameFull() {
+ ensure();
+ return Native.toString(info.szNameLong);
+ }
+
+ public String getPathUser() {
+ return VmmNative.INSTANCE.VMMDLL_ProcessGetInformationString(pid, VmmNative.VMMDLL_PROCESS_INFORMATION_OPT_STRING_PATH_USER_IMAGE);
+ }
+
+ public String getCmdLine() {
+ return VmmNative.INSTANCE.VMMDLL_ProcessGetInformationString(pid, VmmNative.VMMDLL_PROCESS_INFORMATION_OPT_STRING_CMDLINE);
+ }
+
+ public String getPathKernel() {
+ return VmmNative.INSTANCE.VMMDLL_ProcessGetInformationString(pid, VmmNative.VMMDLL_PROCESS_INFORMATION_OPT_STRING_PATH_KERNEL);
+ }
+
+ public int getTpMemoryModel() {
+ ensure();
+ return info.tpMemoryModel;
+ }
+
+ public int getTpSystem() {
+ ensure();
+ return info.tpSystem;
+ }
+
+ public long GetLUID() {
+ ensure();
+ return info.qwLUID;
+ }
+
+ public int GetSessionID() {
+ ensure();
+ return info.dwSessionId;
+ }
+
+ public String getSID() {
+ return Native.toString(info.szSID);
+ }
+
+ public IVmmModule moduleGet(long va) {
+ for(IVmmModule m : moduleGetAll()) {
+ if((va >= m.getVaBase()) && (va <= m.getVaBase() + m.getSize())) {
+ return m;
+ }
+ }
+ return null;
+ }
+
+ public IVmmModule moduleGet(String name) {
+ IntByReference pcbMap = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetModuleFromNameU(pid, name, null, pcbMap);
+ if(!f) { throw new VmmException(); }
+ Pointer ptr = new Memory(pcbMap.getValue());
+ f = VmmNative.INSTANCE.VMMDLL_Map_GetModuleFromNameU(pid, name, ptr, pcbMap);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_MODULEENTRY pEntry = new VmmNative.VMMDLL_MAP_MODULEENTRY(ptr);
+ return new VmmImpl.VmmModuleImpl(this, pEntry);
+ }
+
+ public List moduleGetAll() {
+ IntByReference pcbMap = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetModuleU(pid, null, pcbMap);
+ if(!f) { throw new VmmException(); }
+ Pointer ptr = new Memory(pcbMap.getValue());
+ f = VmmNative.INSTANCE.VMMDLL_Map_GetModuleU(pid, ptr, pcbMap);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_MODULE pMap = new VmmNative.VMMDLL_MAP_MODULE(ptr);
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_MODULEENTRY n : pMap.pMap) {
+ result.add(new VmmImpl.VmmModuleImpl(this, n));
+ }
+ return result;
+ }
+ }
+
+
+
+ //-----------------------------------------------------------------------------
+ // VMM PROCESS FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ public IVmmProcess processGet(int pid)
+ {
+ VmmProcessImpl p = new VmmProcessImpl(pid);
+ p.ensure();
+ return p;
+ }
+
+ public IVmmProcess processGet(String name)
+ {
+ IntByReference pdwPID = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_PidGetFromName(_utilStringToCString(name), pdwPID);
+ if(!f) { throw new VmmException(); }
+ return new VmmProcessImpl(pdwPID.getValue());
+ }
+
+ public List processGetAll()
+ {
+ LongByReference pcPIDs = new LongByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_PidList(null, pcPIDs);
+ if(!f) { throw new VmmException(); }
+ int[] pids = new int[(int)pcPIDs.getValue()];
+ f = VmmNative.INSTANCE.VMMDLL_PidList(pids, pcPIDs);
+ if(!f) { throw new VmmException(); }
+ // process result:
+ ArrayList result = new ArrayList();
+ for(int pid : pids) {
+ if(pid != 0) {
+ result.add(new VmmProcessImpl(pid));
+ }
+ }
+ return result;
+ }
+
+
+
+ //-----------------------------------------------------------------------------
+ // MODULE INTERNAL FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ private class VmmModuleImpl implements IVmmModule
+ {
+ private IVmmProcess process;
+ private int pid;
+ private VmmNative.VMMDLL_MAP_MODULEENTRY module;
+
+ private VmmModuleImpl(IVmmProcess process, VmmNative.VMMDLL_MAP_MODULEENTRY module) {
+ this.module = module;
+ this.process = process;
+ this.pid = process.getPID();
+ }
+
+ @Override
+ public String toString() {
+ return "VmmModule:" + String.valueOf(pid) + ":" + module.uszText;
+ }
+
+ public IVmmProcess getProcess() {
+ return process;
+ }
+
+ public String getName() {
+ return module.uszText;
+ }
+
+ public String getNameFull() {
+ return module.uszFullName;
+ }
+
+ public long getVaBase() {
+ return module.vaBase;
+ }
+
+ public long getVaEntry() {
+ return module.vaEntry;
+ }
+
+ public int getSize() {
+ return module.cbImageSize;
+ }
+
+ public int getSizeFile() {
+ return module.cbFileSizeRaw;
+ }
+
+ public boolean isWow64() {
+ return module.fWoW64;
+ }
+
+ public int getCountSection() {
+ return module.cSection;
+ }
+
+ public int getCountEAT() {
+ return module.cEAT;
+ }
+
+ public int getCountIAT() {
+ return module.cIAT;
+ }
+
+ public long getProcAddress(String szFunctionName) {
+ return VmmNative.INSTANCE.VMMDLL_ProcessGetProcAddressU(pid, module.uszText, szFunctionName);
+ }
+
+ @Override
+ public List mapDataDirectory() {
+ final String[] DIRECTORIES = { "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED" };
+ IntByReference pcData = new IntByReference();
+ VmmNative.IMAGE_DATA_DIRECTORY[] aData = new VmmNative.IMAGE_DATA_DIRECTORY[16];
+ boolean f = VmmNative.INSTANCE.VMMDLL_ProcessGetDirectoriesU(pid, module.uszText, aData, 16, pcData);
+ if(!f) { throw new VmmException(); }
+ // process result:
+ ArrayList result = new ArrayList();
+ for(int i = 0; i < 16; i++) {
+ VmmNative.IMAGE_DATA_DIRECTORY n = aData[i];
+ VmmMap_ModuleDataDirectory e = new VmmMap_ModuleDataDirectory();
+ e.RealVirtualAddress = n.VirtualAddress + module.vaBase;
+ e.VirtualAddress = n.VirtualAddress;
+ e.Size = n.Size;
+ e.name = DIRECTORIES[i];
+ result.add(e);
+ }
+ return result;
+ }
+
+ public List mapSection() {
+ IntByReference pcData = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_ProcessGetSectionsU(pid, module.uszText, null, 0, pcData);
+ if(!f) { throw new VmmException(); }
+ int cData = pcData.getValue();
+ VmmNative.IMAGE_SECTION_HEADER[] aData = new VmmNative.IMAGE_SECTION_HEADER[cData];
+ f = VmmNative.INSTANCE.VMMDLL_ProcessGetSectionsU(pid, module.uszText, aData, cData, pcData);
+ if(!f) { throw new VmmException(); }
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.IMAGE_SECTION_HEADER n : aData) {
+ VmmMap_ModuleSection e = new VmmMap_ModuleSection();
+ e.name = Native.toString(n.name);
+ e.MiscVirtualSize = n.MiscVirtualSize;
+ e.VirtualAddress = n.VirtualAddress;
+ e.SizeOfRawData = n.SizeOfRawData;
+ e.PointerToRawData = n.PointerToRawData;
+ e.PointerToRelocations = n.PointerToRelocations;
+ e.PointerToLinenumbers = n.PointerToLinenumbers;
+ e.NumberOfRelocations = n.NumberOfRelocations;
+ e.NumberOfLinenumbers = n.NumberOfLinenumbers;
+ e.Characteristics = n.Characteristics;
+ result.add(e);
+ }
+ return result;
+ }
+
+ public List mapExport() {
+ IntByReference pcbMap = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetEATU(pid, module.uszText, null, pcbMap);
+ if(!f) { throw new VmmException(); }
+ Pointer ptr = new Memory(pcbMap.getValue());
+ f = VmmNative.INSTANCE.VMMDLL_Map_GetEATU(pid, module.uszText, ptr, pcbMap);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_EAT pMap = new VmmNative.VMMDLL_MAP_EAT(ptr);
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_EATENTRY n : pMap.pMap) {
+ VmmMap_ModuleExport e = new VmmMap_ModuleExport();
+ e.vaFunction = n.vaFunction;
+ e.dwOrdinal = n.dwOrdinal;
+ e.oFunctionsArray = n.oFunctionsArray;
+ e.oNamesArray = n.oNamesArray;
+ e.uszFunction = n.uszFunction;
+ e.uszModule = module.uszText;
+ result.add(e);
+ }
+ return result;
+ }
+
+ public List mapImport() {
+ IntByReference pcbMap = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_Map_GetIATU(pid, module.uszText, null, pcbMap);
+ if(!f) { throw new VmmException(); }
+ Pointer ptr = new Memory(pcbMap.getValue());
+ f = VmmNative.INSTANCE.VMMDLL_Map_GetIATU(pid, module.uszText, ptr, pcbMap);
+ if(!f) { throw new VmmException(); }
+ VmmNative.VMMDLL_MAP_IAT pMap = new VmmNative.VMMDLL_MAP_IAT(ptr);
+ // process result:
+ ArrayList result = new ArrayList();
+ for(VmmNative.VMMDLL_MAP_IATENTRY n : pMap.pMap) {
+ VmmMap_ModuleImport e = new VmmMap_ModuleImport();
+ e.vaFunction = n.vaFunction;
+ e.uszFunction = n.uszFunction;
+ e.uszModule = n.uszModule;
+ e.f32 = n.f32;
+ e.wHint = n.wHint;
+ e.rvaFirstThunk = n.rvaFirstThunk;
+ e.rvaOriginalFirstThunk = n.rvaOriginalFirstThunk;
+ e.rvaNameModule = n.rvaNameModule;
+ e.rvaNameFunction = n.rvaNameFunction;
+ result.add(e);
+ }
+ return result;
+ }
+
+ public IVmmPdb getPdb() {
+ return new VmmImpl.VmmPdbImpl(pid, module.vaBase);
+ }
+ }
+
+
+
+ //-----------------------------------------------------------------------------
+ // REGISTRY INTERNAL FUNCTIONALITY BELOW:
+ //-----------------------------------------------------------------------------
+
+ private class VmmRegHiveImpl implements IVmmRegHive {
+ private VmmNative.VMMDLL_REGISTRY_HIVE_INFORMATION hive;
+
+ VmmRegHiveImpl(VmmNative.VMMDLL_REGISTRY_HIVE_INFORMATION hive)
+ {
+ this.hive = hive;
+ }
+
+ @Override
+ public String toString() {
+ return String.format("VmmRegHive:0x%016x", hive.vaCMHIVE);
+ }
+
+ public String getName() {
+ return Native.toString(hive.uszName);
+ }
+
+ public String getNameShort() {
+ return Native.toString(hive.uszNameShort);
+ }
+
+ public String getPath() {
+ return Native.toString(hive.uszHiveRootPath);
+ }
+
+ public int getSize() {
+ return hive.cbLength;
+ }
+
+ public long getVaHive() {
+ return hive.vaCMHIVE;
+ }
+
+ public long getVaBaseBlock() {
+ return hive.vaHBASE_BLOCK;
+ }
+
+ public byte[] memRead(int ra, int size) {
+ return memRead(ra, size, 0);
+ }
+
+ public byte[] memRead(int ra, int size, int flags) {
+ IntByReference pcbRead = new IntByReference();
+ Pointer pb = new Memory(size);
+ boolean f = VmmNative.INSTANCE.VMMDLL_WinReg_HiveReadEx(hive.vaCMHIVE, ra, pb, size, pcbRead, flags);
+ if(!f) { throw new VmmException(); }
+ size = Math.min(size, pcbRead.getValue());
+ byte[] result = new byte[size];
+ pb.read(0, result, 0, size);
+ return result;
+ }
+
+ public void memWrite(int ra, byte[] data) {
+ boolean f = VmmNative.INSTANCE.VMMDLL_WinReg_HiveWrite(hive.vaCMHIVE, ra, data, data.length);
+ if(!f) { throw new VmmException(); }
+ }
+
+ public IVmmRegKey getKeyRoot() {
+ String strKeyPath = String.format("0x%016x\\ROOT", hive.vaCMHIVE);
+ return new VmmRegKeyImpl(strKeyPath);
+ }
+
+ public IVmmRegKey getKeyOrphan() {
+ String strKeyPath = String.format("0x%016llx\\ORPHAN", hive.vaCMHIVE);
+ return new VmmRegKeyImpl(strKeyPath);
+ }
+ }
+
+ private class VmmRegKeyImpl implements IVmmRegKey {
+ private String strPath;
+ private String strName;
+
+ private VmmRegKeyImpl(String strPath)
+ {
+ strName = strPath.substring(strPath.lastIndexOf('\\') + 1);
+ this.strPath = strPath;
+ }
+
+ @Override
+ public String toString() {
+ return "VmmRegKey:" + strName;
+ }
+
+ public String getName() {
+ return strName;
+ }
+
+ public String getPath() {
+ return strPath;
+ }
+
+ public IVmmRegKey getKeyParent() {
+ int i = strPath.lastIndexOf('\\');
+ String strParent = strPath.substring(0, i);
+ if(-1 == strParent.indexOf('\\')) {
+ return null;
+ }
+ return new VmmRegKeyImpl(strParent);
+ }
+
+ public Map getKeyChild() {
+ int i = 0;
+ byte[] lpName = new byte[VmmNative.MAX_PATH];
+ IntByReference lpcchName = new IntByReference(VmmNative.MAX_PATH);
+ HashMap result = new HashMap();
+ while(VmmNative.INSTANCE.VMMDLL_WinReg_EnumKeyExU(strPath, i, lpName, lpcchName, null)) {
+ String strName = Native.toString(lpName);
+ result.put(strName, new VmmRegKeyImpl(strPath + "\\" + strName));
+ i++;
+ }
+ return result;
+ }
+
+ public Map getValues() {
+ int i = 0;
+ byte[] lpValueName = new byte[VmmNative.MAX_PATH];
+ IntByReference lpcchValueName = new IntByReference(VmmNative.MAX_PATH);
+ IntByReference lpType = new IntByReference();
+ HashMap result = new HashMap();
+ while(VmmNative.INSTANCE.VMMDLL_WinReg_EnumValueU(strPath, i, lpValueName, lpcchValueName, lpType, null, null)) {
+ String strName = Native.toString(lpValueName);
+ result.put(strName, new VmmRegValueImpl(strPath + "\\" + strName, lpType.getValue()));
+ i++;
+ }
+ return result;
+ }
+
+ public long getTime() {
+ IntByReference cch = new IntByReference();
+ LongByReference lpftLastWriteTime = new LongByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_WinReg_EnumKeyExU(strPath, -1, null, cch, lpftLastWriteTime);
+ if(!f) { throw new VmmException(); }
+ return lpftLastWriteTime.getValue();
+ }
+ }
+
+ private class VmmRegValueImpl implements IVmmRegValue {
+ private String strPath;
+ private String strName;
+ private int dwType;
+
+ private VmmRegValueImpl(String strPath, int dwType)
+ {
+ this.strName = strPath.substring(strPath.lastIndexOf('\\') + 1);
+ this.strPath = strPath;
+ this.dwType = dwType;
+ }
+
+ @Override
+ public String toString() {
+ return "VmmRegValue:" + strName;
+ }
+
+ public String getName() {
+ return strName;
+ }
+
+ public byte[] getValue() {
+ IntByReference lpType = new IntByReference();
+ IntByReference lpcbData = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_WinReg_QueryValueExU(strPath, lpType, null, lpcbData);
+ if(!f) { throw new VmmException(); }
+ byte[] data = new byte[lpcbData.getValue()];
+ f = VmmNative.INSTANCE.VMMDLL_WinReg_QueryValueExU(strPath, lpType, data, lpcbData);
+ if(!f) { throw new VmmException(); }
+ return data;
+ }
+
+ public String getValueAsString() {
+ return Native.toString(getValue(), "UTF-16LE");
+ }
+
+ public String getPath() {
+ return strPath;
+ }
+
+ public IVmmRegKey getKeyParent() {
+ int i = strPath.lastIndexOf('\\');
+ String strParent = strPath.substring(0, i);
+ if(-1 == strParent.indexOf('\\')) {
+ return null;
+ }
+ return new VmmRegKeyImpl(strParent);
+ }
+
+ public int getValueAsDword() {
+ byte[] v = getValue();
+ if(v.length != 4) {
+ throw new VmmException("VmmRegValue not DWORD-sized (4)");
+ }
+ return java.nio.ByteBuffer.wrap(v).order(java.nio.ByteOrder.LITTLE_ENDIAN).getInt();
+ }
+
+ public int getType() {
+ return dwType;
+ }
+
+ }
+
+ public List regHive() {
+ IntByReference pcHives = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_WinReg_HiveList(null, 0, pcHives);
+ if(!f) { throw new VmmException(); }
+ int cHives = pcHives.getValue();
+ VMMDLL_REGISTRY_HIVE_INFORMATION[] pHives = new VMMDLL_REGISTRY_HIVE_INFORMATION[cHives];
+ f = VmmNative.INSTANCE.VMMDLL_WinReg_HiveList(pHives, cHives, pcHives);
+ if(!f) { throw new VmmException(); }
+ cHives = pcHives.getValue();
+ ArrayList result = new ArrayList();
+ for(VMMDLL_REGISTRY_HIVE_INFORMATION pHive : pHives) {
+ result.add(new VmmRegHiveImpl(pHive));
+ }
+ return result;
+ }
+
+ public IVmmRegKey regKey(String strFullPath) {
+ IntByReference lpcchName = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_WinReg_EnumKeyExU(strFullPath, -1, null, lpcchName, null);
+ if(!f) { return null; }
+ return new VmmRegKeyImpl(strFullPath);
+ }
+
+ public IVmmRegValue regValue(String strFullPath) {
+ IntByReference lpType = new IntByReference();
+ IntByReference lpcbData = new IntByReference();
+ boolean f = VmmNative.INSTANCE.VMMDLL_WinReg_QueryValueExU(strFullPath, lpType, null, lpcbData);
+ if(!f) { return null; }
+ return new VmmRegValueImpl(strFullPath, lpType.getValue());
+ }
+}
diff --git a/vmmjava/vmm/internal/VmmNative.java b/vmmjava/vmm/internal/VmmNative.java
new file mode 100644
index 0000000..367f128
--- /dev/null
+++ b/vmmjava/vmm/internal/VmmNative.java
@@ -0,0 +1,861 @@
+package vmm.internal;
+
+import com.sun.jna.*;
+import com.sun.jna.ptr.*;
+
+import vmm.VmmException;
+
+/**
+ * JNA native code wrapper for MemProcFS.
+ * @see https://github.com/ufrisk/MemProcFS
+ * @author Ulf Frisk - pcileech@frizk.net
+ */
+interface VmmNative extends Library {
+ static final int MAX_PATH = 260;
+
+ static final int VMMDLL_VFS_FILELIST_VERSION = 2;
+ static final long MMDLL_PROCESS_INFORMATION_MAGIC = 0xc0ffee663df9301eL;
+ static final short VMMDLL_PROCESS_INFORMATION_VERSION = 7;
+ static final long VMMDLL_REGISTRY_HIVE_INFORMATION_MAGIC = 0xc0ffee653df8d01eL;
+ static final short VMMDLL_REGISTRY_HIVE_INFORMATION_VERSION = 3;
+
+ static final int VMMDLL_MAP_PTE_VERSION = 2;
+ static final int VMMDLL_MAP_VAD_VERSION = 6;
+ static final int VMMDLL_MAP_VADEX_VERSION = 3;
+ static final int VMMDLL_MAP_MODULE_VERSION = 5;
+ static final int VMMDLL_MAP_UNLOADEDMODULE_VERSION = 2;
+ static final int VMMDLL_MAP_EAT_VERSION = 2;
+ static final int VMMDLL_MAP_IAT_VERSION = 2;
+ static final int VMMDLL_MAP_HEAP_VERSION = 4;
+ static final int VMMDLL_MAP_HEAPALLOC_VERSION = 1;
+ static final int VMMDLL_MAP_THREAD_VERSION = 4;
+ static final int VMMDLL_MAP_HANDLE_VERSION = 2;
+ static final int VMMDLL_MAP_POOL_VERSION = 2;
+ static final int VMMDLL_MAP_NET_VERSION = 3;
+ static final int VMMDLL_MAP_PHYSMEM_VERSION = 2;
+ static final int VMMDLL_MAP_USER_VERSION = 2;
+ static final int VMMDLL_MAP_SERVICE_VERSION = 3;
+
+ static final int VMMDLL_POOLMAP_FLAG_ALL = 0;
+ static final int VMMDLL_POOLMAP_FLAG_BIG = 1;
+
+
+
+ VmmNative INSTANCE = Native.load("vmm", VmmNative.class);
+
+
+
+ boolean VMMDLL_Initialize(int argc, String argv[]);
+ boolean VMMDLL_Close();
+ void VMMDLL_MemFree(Pointer pvMem);
+
+
+
+ boolean VMMDLL_ConfigGet(long fOption, LongByReference pqwValue);
+ boolean VMMDLL_ConfigSet(long fOption, long qwValue);
+
+
+
+ boolean VMMDLL_InitializePlugins();
+
+
+
+ @Structure.FieldOrder({"dwVersion", "pfnAddFile", "pfnAddDirectory", "h"})
+ class VMMDLL_VFS_FILELIST2 extends Structure {
+ public int dwVersion;
+ public CB_FILE pfnAddFile;
+ public CB_DIRECTORY pfnAddDirectory;
+ public long h;
+ interface CB_FILE extends Callback {
+ void invoke(long h, String uszName, long cb, Pointer pExInfo);
+ }
+ interface CB_DIRECTORY extends Callback {
+ void invoke(long h, String uszName, Pointer pExInfo);
+ }
+ }
+
+ boolean VMMDLL_VfsListU(byte[] uszPath, VMMDLL_VFS_FILELIST2 pFileList);
+ int VMMDLL_VfsReadU(byte[] uszFileName, Pointer pb, int cb, IntByReference pcbRead, long cbOffset);
+ int VMMDLL_VfsWriteU(byte[] uszFileName, Pointer pb, int cb, IntByReference pcbWrite, long cbOffset);
+
+
+
+ boolean VMMDLL_MemReadEx(int dwPID, long qwA, Pointer pb, int cb, IntByReference pcbReadOpt, int flags);
+ boolean VMMDLL_MemPrefetchPages(int dwPID, long[] pPrefetchAddresses, int cPrefetchAddresses);
+ boolean VMMDLL_MemWrite(int dwPID, long qwA, Pointer pb, int cb);
+ boolean VMMDLL_MemVirt2Phys(int dwPID, long qwVA, LongByReference pqwPA);
+
+
+
+ Pointer VMMDLL_Scatter_Initialize(int dwPID, int flags);
+ boolean VMMDLL_Scatter_Prepare(Pointer hS, long va, int cb);
+ boolean VMMDLL_Scatter_PrepareWrite(Pointer hS, long va, Pointer pb, int cb);
+ boolean VMMDLL_Scatter_Execute(Pointer hS);
+ boolean VMMDLL_Scatter_Read(Pointer hS, long va, int cb, Pointer pb, IntByReference pcbRead);
+ boolean VMMDLL_Scatter_Clear(Pointer hS, int pid, int flags);
+ void VMMDLL_Scatter_CloseHandle(Pointer hS);
+
+
+
+ boolean VMMDLL_PidGetFromName(byte[] szProcName, IntByReference pdwPID);
+ boolean VMMDLL_PidList(int[] pPIDs, LongByReference pcPIDs);
+
+
+
+
+ @Structure.FieldOrder({"pa", "cb"})
+ class VMMDLL_MAP_PHYSMEM_ENTRY extends Structure {
+ public long pa;
+ public long cb;
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved1", "cMap", "_Reserved2", "pMap"})
+ class VMMDLL_MAP_PHYSMEM extends Structure {
+ public int dwVersion;
+ public int[] _Reserved1 = new int[5];
+ public int cMap;
+ public int _Reserved2;
+ public VMMDLL_MAP_PHYSMEM_ENTRY[] pMap;
+
+ VMMDLL_MAP_PHYSMEM(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_PHYSMEM_ENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_PHYSMEM_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_PHYSMEM_ENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetPhysMem(Pointer pPhysMemMap, IntByReference pcbPhysMemMap);
+
+
+
+ @Structure.FieldOrder({"fValid", "_Reserved", "port", "pbAddr", "uszText"})
+ class VMMDLL_MAP_NETENTRY_SRCDST extends Structure {
+ public boolean fValid;
+ public short _Reserved;
+ public short port;
+ public byte[] pbAddr = new byte[16];
+ public String uszText;
+ }
+
+ @Structure.FieldOrder({"dwPID", "dwState", "_FutureUse3", "AF", "Src", "Dst", "vaObj", "ftTime", "dwPoolTag", "_FutureUse4", "uszText", "_FutureUse2"})
+ class VMMDLL_MAP_NETENTRY extends Structure {
+ public int dwPID;
+ public int dwState;
+ public short[] _FutureUse3 = new short[3];
+ public short AF;
+ public VMMDLL_MAP_NETENTRY_SRCDST Src;
+ public VMMDLL_MAP_NETENTRY_SRCDST Dst;
+ public long vaObj;
+ public long ftTime;
+ public int dwPoolTag;
+ public int _FutureUse4;
+ public String uszText;
+ public int[] _FutureUse2 = new int[4];
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved1", "pbMultiText", "cbMultiText", "cMap", "pMap"})
+ class VMMDLL_MAP_NET extends Structure {
+ public int dwVersion;
+ public int _Reserved1;
+ public Pointer pbMultiText;
+ public int cbMultiText;
+ public int cMap;
+ public VMMDLL_MAP_NETENTRY[] pMap;
+
+ VMMDLL_MAP_NET(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_NETENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_NET_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_NETENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetNetU(Pointer pNetMap, IntByReference pcbNetMap);
+
+
+
+ @Structure.FieldOrder({"_FutureUse1", "uszText", "vaRegHive", "uszSID", "_FutureUse2"})
+ class VMMDLL_MAP_USERENTRY extends Structure {
+ public int[] _FutureUse1 = new int[2];
+ public String uszText;
+ public long vaRegHive;
+ public String uszSID;
+ public int[] _FutureUse2 = new int[2];
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved1", "pbMultiText", "cbMultiText", "cMap", "pMap"})
+ class VMMDLL_MAP_USER extends Structure {
+ public int dwVersion;
+ public int[] _Reserved1 = new int[5];
+ public Pointer pbMultiText;
+ public int cbMultiText;
+ public int cMap;
+ public VMMDLL_MAP_USERENTRY[] pMap;
+
+ VMMDLL_MAP_USER(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_USERENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_USER_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_USERENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetUsersU(Pointer pUserMap, IntByReference pcbUserMap);
+
+
+
+ @Structure.FieldOrder({"dwServiceType", "dwCurrentState", "dwControlsAccepted", "dwWin32ExitCode", "dwServiceSpecificExitCode", "dwCheckPoint", "dwWaitHint"})
+ class SERVICE_STATUS extends Structure {
+ public int dwServiceType;
+ public int dwCurrentState;
+ public int dwControlsAccepted;
+ public int dwWin32ExitCode;
+ public int dwServiceSpecificExitCode;
+ public int dwCheckPoint;
+ public int dwWaitHint;
+ }
+
+ @Structure.FieldOrder({"vaObj", "dwOrdinal", "dwStartType", "ServiceStatus", "uszServiceName", "uszDisplayName", "uszPath", "uszUserTp", "uszUserAcct", "uszImagePath", "dwPID", "_FutureUse1", "_FutureUse2"})
+ class VMMDLL_MAP_SERVICEENTRY extends Structure {
+ public long vaObj;
+ public int dwOrdinal;
+ public int dwStartType;
+ public SERVICE_STATUS ServiceStatus;
+ public String uszServiceName;
+ public String uszDisplayName;
+ public String uszPath;
+ public String uszUserTp;
+ public String uszUserAcct;
+ public String uszImagePath;
+ public int dwPID;
+ public int _FutureUse1;
+ public long _FutureUse2;
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved1", "pbMultiText", "cbMultiText", "cMap", "pMap"})
+ class VMMDLL_MAP_SERVICE extends Structure {
+ public int dwVersion;
+ public int[] _Reserved1 = new int[5];
+ public Pointer pbMultiText;
+ public int cbMultiText;
+ public int cMap;
+ public VMMDLL_MAP_SERVICEENTRY[] pMap;
+
+ VMMDLL_MAP_SERVICE(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_SERVICEENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_SERVICE_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_SERVICEENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetServicesU(Pointer pServiceMap, IntByReference pcbServiceMap);
+
+
+
+ @Structure.FieldOrder({"va", "tag", "fAlloc", "tpPool", "tpSS", "cb", "_Filler"})
+ class VMMDLL_MAP_POOLENTRY extends Structure {
+ public long va;
+ public byte[] tag = new byte[5];
+ public byte fAlloc;
+ public byte tpPool;
+ public byte tpSS;
+ public int cb;
+ public int _Filler;
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved1", "cbTotal", "piTag2Map", "pTag", "cTag", "cMap", "pMap"})
+ class VMMDLL_MAP_POOL extends Structure {
+ public int dwVersion;
+ public int[] _Reserved1 = new int[6];
+ public int cbTotal;
+ public Pointer piTag2Map;
+ public Pointer pTag;
+ public int cTag;
+ public int cMap;
+ public VMMDLL_MAP_POOLENTRY[] pMap;
+
+ VMMDLL_MAP_POOL(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_POOLENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_POOL_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_POOLENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetPoolEx(PointerByReference pServiceMap, int flags);
+
+
+
+ @Structure.FieldOrder({"vaObject", "dwHandle", "_dwGrantedAccess_iType", "qwHandleCount", "qwPointerCount", "vaObjectCreateInfo", "vaSecurityDescriptor", "uszText", "_FutureUse2", "dwPID", "dwPoolTag", "_FutureUse", "uszType"})
+ class VMMDLL_MAP_HANDLEENTRY extends Structure {
+ public long vaObject;
+ public int dwHandle;
+ public int _dwGrantedAccess_iType;
+ public long qwHandleCount;
+ public long qwPointerCount;
+ public long vaObjectCreateInfo;
+ public long vaSecurityDescriptor;
+ public String uszText;
+ public int _FutureUse2;
+ public int dwPID;
+ public byte[] dwPoolTag = new byte[4];
+ public int[] _FutureUse = new int[5];
+ public String uszType;
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved1", "pbMultiText", "cbMultiText", "cMap", "pMap"})
+ class VMMDLL_MAP_HANDLE extends Structure {
+ public int dwVersion;
+ public int[] _Reserved1 = new int[5];
+ public Pointer pbMultiText;
+ public int cbMultiText;
+ public int cMap;
+ public VMMDLL_MAP_HANDLEENTRY[] pMap;
+
+ VMMDLL_MAP_HANDLE(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_HANDLEENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_HANDLE_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_HANDLEENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetHandleU(int dwPID, Pointer pHandleMap, IntByReference pcbHandleMap);
+
+
+
+
+ @Structure.FieldOrder({"va", "cb", "tp", "iHeap"})
+ class VMMDLL_MAP_HEAP_SEGMENTENTRY extends Structure {
+ public long va;
+ public int cb;
+ public short tp;
+ public short iHeap;
+ }
+
+ @Structure.FieldOrder({"va", "tp", "f32", "iHeap", "dwHeapNum"})
+ class VMMDLL_MAP_HEAPENTRY extends Structure {
+ public long va;
+ public int tp;
+ public boolean f32;
+ public int iHeap;
+ public int dwHeapNum;
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved1", "ptrSegments", "cSegments", "cMap", "pMap", "pSegments"})
+ class VMMDLL_MAP_HEAP extends Structure {
+ public int dwVersion;
+ public int[] _Reserved1 = new int[7];
+ public Pointer ptrSegments;
+ public int cSegments;
+ public int cMap;
+ public VMMDLL_MAP_HEAPENTRY[] pMap;
+ public VMMDLL_MAP_HEAP_SEGMENTENTRY[] pSegments;
+
+ VMMDLL_MAP_HEAP(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_HEAPENTRY[1];
+ pSegments = new VMMDLL_MAP_HEAP_SEGMENTENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_HEAP_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_HEAPENTRY[cMap];
+ pSegments = new VMMDLL_MAP_HEAP_SEGMENTENTRY[cSegments];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetHeapEx(int dwPID, PointerByReference ppHeapMap);
+
+
+
+ @Structure.FieldOrder({"va", "cb", "tp"})
+ class VMMDLL_MAP_HEAPALLOCENTRY extends Structure {
+ public long va;
+ public int cb;
+ public int tp;
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved1", "_Reserved2", "cMap", "pMap"})
+ class VMMDLL_MAP_HEAPALLOC extends Structure {
+ public int dwVersion;
+ public int[] _Reserved1 = new int[7];
+ public Pointer[] _Reserved2 = new Pointer[2];
+ public int cMap;
+ public VMMDLL_MAP_HEAPALLOCENTRY[] pMap;
+
+ VMMDLL_MAP_HEAPALLOC(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_HEAPALLOCENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_HEAPALLOC_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_HEAPALLOCENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetHeapAllocEx(int dwPID, long qwHeapNumOrAddress, PointerByReference ppHeapAllocMap);
+
+
+
+ @Structure.FieldOrder({"vaBase", "cPages", "fPage", "fWow64", "_FutureUse1", "uszText", "_Reserved1", "cSoftware"})
+ class VMMDLL_MAP_PTEENTRY extends Structure {
+ public long vaBase;
+ public long cPages;
+ public long fPage;
+ public boolean fWow64;
+ public int _FutureUse1;
+ public String uszText;
+ public int _Reserved1;
+ public int cSoftware;
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved1", "pbMultiText", "cbMultiText", "cMap", "pMap"})
+ class VMMDLL_MAP_PTE extends Structure {
+ public int dwVersion;
+ public int[] _Reserved1 = new int[5];
+ public Pointer pbMultiText;
+ public int cbMultiText;
+ public int cMap;
+ public VMMDLL_MAP_PTEENTRY[] pMap;
+
+ VMMDLL_MAP_PTE(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_PTEENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_PTE_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_PTEENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetPteU(int dwPID, Pointer pPteMap, IntByReference pcbPteMap, boolean fIdentifyModules);
+
+
+
+ @Structure.FieldOrder({"dwTID", "dwPID", "dwExitStatus", "bState", "bRunning", "bPriority", "bBasePriority", "vaETHREAD", "vaTeb", "ftCreateTime", "ftExitTime", "vaStartAddress", "vaStackBaseUser", "vaStackLimitUser", "vaStackBaseKernel", "vaStackLimitKernel", "vaTrapFrame", "vaRIP", "vaRSP", "qwAffinity", "dwUserTime", "dwKernelTime", "bSuspendCount", "bWaitReason", "_FutureUse1", "_FutureUse2"})
+ class VMMDLL_MAP_THREADENTRY extends Structure {
+ public int dwTID;
+ public int dwPID;
+ public int dwExitStatus;
+ public byte bState;
+ public byte bRunning;
+ public byte bPriority;
+ public byte bBasePriority;
+ public long vaETHREAD;
+ public long vaTeb;
+ public long ftCreateTime;
+ public long ftExitTime;
+ public long vaStartAddress;
+ public long vaStackBaseUser;
+ public long vaStackLimitUser;
+ public long vaStackBaseKernel;
+ public long vaStackLimitKernel;
+ public long vaTrapFrame;
+ public long vaRIP;
+ public long vaRSP;
+ public long qwAffinity;
+ public int dwUserTime;
+ public int dwKernelTime;
+ public byte bSuspendCount;
+ public byte bWaitReason;
+ public byte[] _FutureUse1 = new byte[2];
+ public int[] _FutureUse2 = new int[15];
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved", "cMap", "pMap"})
+ class VMMDLL_MAP_THREAD extends Structure {
+ public int dwVersion;
+ public int[] _Reserved = new int[8];
+ public int cMap;
+ public VMMDLL_MAP_THREADENTRY[] pMap;
+
+ VMMDLL_MAP_THREAD(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_THREADENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_THREAD_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_THREADENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetThread(int dwPID, Pointer pThreadMap, IntByReference pcbThreadMap);
+
+
+
+ @Structure.FieldOrder({"vaBase", "cbImageSize", "fWow64", "uszText", "_FutureUse1", "dwCheckSum", "dwTimeDateStamp", "ftUnload"})
+ class VMMDLL_MAP_UNLOADEDMODULEENTRY extends Structure {
+ public long vaBase;
+ public int cbImageSize;
+ public boolean fWow64;
+ public String uszText;
+ public int _FutureUse1;
+ public int dwCheckSum;
+ public int dwTimeDateStamp;
+ public long ftUnload;
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved1", "pbMultiText", "cbMultiText", "cMap", "pMap"})
+ class VMMDLL_MAP_UNLOADEDMODULE extends Structure {
+ public int dwVersion;
+ public int[] _Reserved1 = new int[5];
+ public Pointer pbMultiText;
+ public int cbMultiText;
+ public int cMap;
+ public VMMDLL_MAP_UNLOADEDMODULEENTRY[] pMap;
+
+ VMMDLL_MAP_UNLOADEDMODULE(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_UNLOADEDMODULEENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_UNLOADEDMODULE_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_UNLOADEDMODULEENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetUnloadedModuleU(int dwPID, Pointer pUnloadedModuleMap, IntByReference pcbUnloadedModuleMap);
+
+
+
+ @Structure.FieldOrder({"vaStart", "vaEnd", "vaVad", "dw0", "dw1", "dwu2", "cbPrototypePte", "vaPrototypePte", "vaSubsection", "uszText", "_FutureUse1", "_Reserved1", "vaFileObject", "cVadExPages", "cVadExPagesBase", "_Reserved2"})
+ class VMMDLL_MAP_VADENTRY extends Structure {
+ public long vaStart;
+ public long vaEnd;
+ public long vaVad;
+ public int dw0;
+ public int dw1;
+ public int dwu2;
+ public int cbPrototypePte;
+ public long vaPrototypePte;
+ public long vaSubsection;
+ public String uszText;
+ public int _FutureUse1;
+ public int _Reserved1;
+ public long vaFileObject;
+ public int cVadExPages;
+ public int cVadExPagesBase;
+ public long _Reserved2;
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved1", "cPage", "pbMultiText", "cbMultiText", "cMap", "pMap"})
+ class VMMDLL_MAP_VAD extends Structure {
+ public int dwVersion;
+ public int[] _Reserved1 = new int[4];
+ public int cPage;
+ public Pointer pbMultiText;
+ public int cbMultiText;
+ public int cMap;
+ public VMMDLL_MAP_VADENTRY[] pMap;
+
+ VMMDLL_MAP_VAD(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_VADENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_VAD_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_VADENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetVadU(int dwPID, Pointer pVadMap, IntByReference pcbVadMap, boolean fIdentifyModules);
+
+
+
+ @Structure.FieldOrder({"tp", "iPML", "va", "pa", "pte", "_Reserved1", "proto_tp", "proto_pa", "proto_pte", "vaVadBase"})
+ class VMMDLL_MAP_VADEXENTRY extends Structure {
+ public int tp;
+ public int iPML;
+ public long va;
+ public long pa;
+ public long pte;
+ public int _Reserved1;
+ public int proto_tp;
+ public long proto_pa;
+ public long proto_pte;
+ public long vaVadBase;
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved1", "cMap", "pMap"})
+ class VMMDLL_MAP_VADEX extends Structure {
+ public int dwVersion;
+ public int[] _Reserved1 = new int[4];
+ public int cMap;
+ public VMMDLL_MAP_VADEXENTRY[] pMap;
+
+ VMMDLL_MAP_VADEX(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_VADEXENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_VADEX_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_VADEXENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetVadEx(int dwPID, Pointer pVadExMap, IntByReference pcbVadExMap, int oPage, int cPage);
+
+
+
+ static final int VMMDLL_PROCESS_INFORMATION_OPT_STRING_PATH_KERNEL = 1;
+ static final int VMMDLL_PROCESS_INFORMATION_OPT_STRING_PATH_USER_IMAGE = 2;
+ static final int VMMDLL_PROCESS_INFORMATION_OPT_STRING_CMDLINE = 3;
+
+ @Structure.FieldOrder({"magic", "wVersion", "wSize", "tpMemoryModel", "tpSystem", "fUserOnly", "dwPID", "dwPPID", "dwState", "szName", "szNameLong", "paDTB", "paDTB_UserOpt", "vaEPROCESS", "vaPEB", "_Reserved1", "fWow64", "vaPEB32", "dwSessionId", "qwLUID", "szSID", "IntegrityLevel"})
+ class VMMDLL_PROCESS_INFORMATION extends Structure {
+ public long magic;
+ public short wVersion;
+ public short wSize;
+ public int tpMemoryModel;
+ public int tpSystem;
+ public boolean fUserOnly;
+ public int dwPID;
+ public int dwPPID;
+ public int dwState;
+ public byte[] szName = new byte[16];
+ public byte[] szNameLong = new byte[64];
+ public long paDTB;
+ public long paDTB_UserOpt;
+ // win below;
+ public long vaEPROCESS;
+ public long vaPEB;
+ public long _Reserved1;
+ public boolean fWow64;
+ public int vaPEB32;
+ public int dwSessionId;
+ public long qwLUID;
+ public byte[] szSID = new byte[MAX_PATH];
+ public int IntegrityLevel;
+ }
+
+ boolean VMMDLL_ProcessGetInformation(int dwPID, VMMDLL_PROCESS_INFORMATION pProcessInformation, IntByReference pcbProcessInformation);
+ String VMMDLL_ProcessGetInformationString(int dwPID, int fOptionString);
+
+
+
+ @Structure.FieldOrder({"vaBase", "vaEntry", "cbImageSize", "fWoW64", "uszText", "_Reserved3", "_Reserved4", "uszFullName", "tp", "cbFileSizeRaw", "cSection", "cEAT", "cIAT", "_Reserved2", "_Reserved1"})
+ class VMMDLL_MAP_MODULEENTRY extends Structure {
+ public long vaBase;
+ public long vaEntry;
+ public int cbImageSize;
+ public boolean fWoW64;
+ public String uszText;
+ public int _Reserved3;
+ public int _Reserved4;
+ public String uszFullName;
+ public int tp;
+ public int cbFileSizeRaw;
+ public int cSection;
+ public int cEAT;
+ public int cIAT;
+ public int _Reserved2;
+ public long[] _Reserved1 = new long[2];
+
+ public VMMDLL_MAP_MODULEENTRY()
+ {
+ super();
+ }
+
+ VMMDLL_MAP_MODULEENTRY(Pointer p)
+ {
+ super(p);
+ read();
+ }
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved1", "pbMultiText", "cbMultiText", "cMap", "pMap"})
+ class VMMDLL_MAP_MODULE extends Structure {
+ public int dwVersion;
+ public int[] _Reserved1 = new int[5];
+ public Pointer pbMultiText;
+ public int cbMultiText;
+ public int cMap;
+ public VMMDLL_MAP_MODULEENTRY[] pMap;
+
+ VMMDLL_MAP_MODULE(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_MODULEENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_MODULE_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_MODULEENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetModuleU(int dwPID, Pointer pModuleMap, IntByReference pcbModuleMap);
+ boolean VMMDLL_Map_GetModuleFromNameU(int dwPID, String uszModuleName, Pointer pModuleMapEntry, IntByReference pcbModuleMap);
+
+
+
+ long VMMDLL_ProcessGetProcAddressU(int dwPID, String uszModuleName, String szFunctionName);
+
+
+
+ @Structure.FieldOrder({"vaFunction", "dwOrdinal", "oFunctionsArray", "oNamesArray", "_FutureUse1", "uszFunction"})
+ class VMMDLL_MAP_EATENTRY extends Structure {
+ public long vaFunction;
+ public int dwOrdinal;
+ public int oFunctionsArray;
+ public int oNamesArray;
+ public int _FutureUse1;
+ public String uszFunction;
+ }
+
+ @Structure.FieldOrder({"dwVersion", "dwOrdinalBase", "cNumberOfNames", "cNumberOfFunctions", "_Reserved1", "vaModuleBase", "vaAddressOfFunctions", "vaAddressOfNames", "pbMultiText", "cbMultiText", "cMap", "pMap"})
+ class VMMDLL_MAP_EAT extends Structure {
+ public int dwVersion;
+ public int dwOrdinalBase;
+ public int cNumberOfNames;
+ public int cNumberOfFunctions;
+ public int[] _Reserved1 = new int[4];
+ public long vaModuleBase;
+ public long vaAddressOfFunctions;
+ public long vaAddressOfNames;
+ public Pointer pbMultiText;
+ public int cbMultiText;
+ public int cMap;
+ public VMMDLL_MAP_EATENTRY[] pMap;
+
+ VMMDLL_MAP_EAT(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_EATENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_EAT_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_EATENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetEATU(int dwPID, String uszModuleName, Pointer pEatMap, IntByReference pcbEatMap);
+
+
+
+ @Structure.FieldOrder({"vaFunction", "uszFunction", "_FutureUse1", "_FutureUse2", "uszModule", "f32", "wHint", "_Reserved1", "rvaFirstThunk", "rvaOriginalFirstThunk", "rvaNameModule", "rvaNameFunction"})
+ class VMMDLL_MAP_IATENTRY extends Structure {
+ public long vaFunction;
+ public String uszFunction;
+ public int _FutureUse1;
+ public int _FutureUse2;
+ public String uszModule;
+ // Thunk
+ public boolean f32;
+ public short wHint;
+ public short _Reserved1;
+ public int rvaFirstThunk;
+ public int rvaOriginalFirstThunk;
+ public int rvaNameModule;
+ public int rvaNameFunction;
+ }
+
+ @Structure.FieldOrder({"dwVersion", "_Reserved1", "vaModuleBase", "pbMultiText", "cbMultiText", "cMap", "pMap"})
+ class VMMDLL_MAP_IAT extends Structure {
+ public int dwVersion;
+ public int[] _Reserved1 = new int[5];
+ public long vaModuleBase;
+ public Pointer pbMultiText;
+ public int cbMultiText;
+ public int cMap;
+ public VMMDLL_MAP_IATENTRY[] pMap;
+
+ VMMDLL_MAP_IAT(Pointer p)
+ {
+ super(p);
+ pMap = new VMMDLL_MAP_IATENTRY[1];
+ read();
+ if(dwVersion != VmmNative.VMMDLL_MAP_IAT_VERSION) { throw new VmmException("Bad Version"); }
+ pMap = new VMMDLL_MAP_IATENTRY[cMap];
+ read();
+ }
+ }
+
+ boolean VMMDLL_Map_GetIATU(int dwPID, String uszModuleName, Pointer pIatMap, IntByReference pcbIatMap);
+
+
+
+ @Structure.FieldOrder({"VirtualAddress", "Size"})
+ class IMAGE_DATA_DIRECTORY extends Structure {
+ public int VirtualAddress;
+ public int Size;
+ }
+
+ boolean VMMDLL_ProcessGetDirectoriesU(int dwPID, String uszModule, IMAGE_DATA_DIRECTORY[] pData, int cData, IntByReference pcData);
+
+
+
+ @Structure.FieldOrder({"name", "MiscVirtualSize", "VirtualAddress", "SizeOfRawData", "PointerToRawData", "PointerToRelocations", "PointerToLinenumbers", "NumberOfRelocations", "NumberOfLinenumbers", "Characteristics"})
+ class IMAGE_SECTION_HEADER extends Structure {
+ public byte[] name = new byte[8];
+ public int MiscVirtualSize;
+ public int VirtualAddress;
+ public int SizeOfRawData;
+ public int PointerToRawData;
+ public int PointerToRelocations;
+ public int PointerToLinenumbers;
+ public short NumberOfRelocations;
+ public short NumberOfLinenumbers;
+ public int Characteristics;
+ }
+
+ boolean VMMDLL_ProcessGetSectionsU(int dwPID, String uszModule, IMAGE_SECTION_HEADER[] pData, int cData, IntByReference pcData);
+
+
+
+ boolean VMMDLL_PdbLoad(int dwPID, long vaModuleBase, byte[] szModuleName);
+ boolean VMMDLL_PdbSymbolName(String szModule, long cbSymbolAddressOrOffset, byte[] szModuleName, IntByReference pdwSymbolDisplacement);
+ boolean VMMDLL_PdbSymbolAddress(String szModule, String szTypeName, LongByReference pcbTypeSize);
+ boolean VMMDLL_PdbTypeSize(String szModule, String szTypeName, IntByReference pcbTypeSize);
+ boolean VMMDLL_PdbTypeChildOffset(String szModule, String uszTypeName, String uszTypeChildName, IntByReference pdwSymbolDisplacement);
+
+
+
+ @Structure.FieldOrder({"magic", "wVersion", "wSize", "_FutureReserved1", "vaCMHIVE", "vaHBASE_BLOCK", "cbLength", "uszName", "uszNameShort", "uszHiveRootPath", "_FutureReserved"})
+ class VMMDLL_REGISTRY_HIVE_INFORMATION extends Structure {
+ public long magic;
+ public short wVersion;
+ public short wSize;
+ public byte[] _FutureReserved1 = new byte[0x14];
+ public long vaCMHIVE;
+ public long vaHBASE_BLOCK;
+ public int cbLength;
+ public byte[] uszName = new byte[128];
+ public byte[] uszNameShort = new byte[32 + 1];
+ public byte[] uszHiveRootPath = new byte[MAX_PATH];
+ public long[] _FutureReserved = new long[0x10];
+ }
+
+ boolean VMMDLL_WinReg_HiveList(VMMDLL_REGISTRY_HIVE_INFORMATION[] pHives, int cHives, IntByReference pcHives);
+ boolean VMMDLL_WinReg_HiveReadEx(long vaCMHive, int ra, Pointer ptr, int cb, IntByReference pcbReadOpt, long flags);
+ boolean VMMDLL_WinReg_HiveWrite(long vaCMHive, int ra, byte[] pb, int cb);
+ boolean VMMDLL_WinReg_EnumKeyExU(String uszFullPathKey, int dwIndex, byte[] lpName, IntByReference lpcchName, LongByReference lpftLastWriteTime);
+ boolean VMMDLL_WinReg_EnumValueU(String uszFullPathKey, int dwIndex, byte[] lpValueName, IntByReference lpcchValueName, IntByReference lpType, byte[] lpData, IntByReference lpcbData);
+ boolean VMMDLL_WinReg_QueryValueExU(String uszFullPathKeyValue, IntByReference lpType, byte[] lpData, IntByReference lpcbData);
+}