lywsvip/MemProcFS
1
0
Fork 0
mirror of https://github.com/ufrisk/MemProcFS.git synced 2026-06-06 04:59:23 +08:00
Code Issues Packages Projects Releases Wiki Activity

Version 5.14.2

Browse Source
This commit is contained in:
Ulf Frisk
2025-01-25 18:33:09 +01:00
parent cb242c54a0
commit fcd7b16668
20 changed files with 45 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -248,3 +248,6 @@ v5.8
* Bug fixes.
* Linux clang compilation support.
* macOS support.
Latest:
* Bug fixes.

2
m_vmemd/m_vmemd.c
View File

@@ -316,7 +316,7 @@ fail:
* -- H
* -- pRegInfo
*/
EXPORTED_FUNCTION
__declspec(dllexport) EXPORTED_FUNCTION
VOID InitializeVmmPlugin(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_REGINFO pRegInfo)
{
if((pRegInfo->magic != VMMDLL_PLUGIN_REGINFO_MAGIC) || (pRegInfo->wVersion != VMMDLL_PLUGIN_REGINFO_VERSION)) { return; }

4
m_vmemd/version.h
View File

@@ -3,8 +3,8 @@
#define VERSION_MAJOR 5
#define VERSION_MINOR 14
#define VERSION_REVISION 1
#define VERSION_BUILD 191
#define VERSION_REVISION 2
#define VERSION_BUILD 192
#define VER_FILE_DESCRIPTION_STR "MemProcFS : Plugin vmemd"
#define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

4
memprocfs/version.h
View File

@@ -3,8 +3,8 @@
#define VERSION_MAJOR 5
#define VERSION_MINOR 14
#define VERSION_REVISION 1
#define VERSION_BUILD 191
#define VERSION_REVISION 2
#define VERSION_BUILD 192
#define VER_FILE_DESCRIPTION_STR "MemProcFS"
#define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

6
vmm/fc.c
View File

@@ -1267,9 +1267,9 @@ VOID FcScanVirtmem_AddRangeUser(_In_ VMM_HANDLE H, _In_ PFCOB_SCAN_VIRTMEM_CONTE
PVMM_PROCESS pObProcess = NULL;
while((pObProcess = VmmProcessGetNext(H, pObProcess, 0))) {
if(H->fAbort) { goto fail; }
if(!pObProcess->fUserOnly) { continue; } // don't scan kernel processes
if(!pObProcess->win.vaPEB) { continue; } // don't scan special user-mode processes without PEB (such as MemCompression)
if(FcIsProcessSkip(H, pObProcess)) { continue; } // don't scan problematic processes
if(VmmProcess_IsKernelOnly(pObProcess)) { continue; } // don't scan kernel processes
if(!pObProcess->win.vaPEB) { continue; } // don't scan special user-mode processes without PEB (such as MemCompression)
if(FcIsProcessSkip(H, pObProcess)) { continue; } // don't scan problematic processes
FcScanVirtmem_AddRangeUserProcess(H, ctx, pObProcess);
}
fail:

2
vmm/modules/m_evil_apc1.c
View File

@@ -132,7 +132,7 @@ VOID MEvilAPC1_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt_ PVO
if(!f) { goto fail; }
// iterate over user-mode processes:
while((pObProcess = VmmProcessGetNext(H, pObProcess, 0))) {
if(!pObProcess->fUserOnly) { continue; }
if(VmmProcess_IsKernelOnly(pObProcess)) { continue; }
if(H->fAbort) { goto fail; }
if(VmmMap_GetThread(H, pObProcess, &pObThreadMap)) {
for(i = 0; i < pObThreadMap->cMap; i++) {

4
vmm/modules/m_evil_proc1.c
View File

@@ -160,7 +160,7 @@ VOID MEvilProc1_VadNoImageExecuteEntry(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pPro
for(iVadEx = 0; iVadEx < pObVadExMap->cMap; iVadEx++) {
peVadEx = pObVadExMap->pMap + iVadEx;
fPteA = peVadEx->flags & VADEXENTRY_FLAG_HARDWARE;
if(!fPteA && !MMVAD_IS_FLAG_X(peVad)) { continue; }
//if(!fPteA && !MMVAD_IS_FLAG_X(peVad)) { continue; }
if(fPteA && (peVadEx->flags & VADEXENTRY_FLAG_NX)) { continue; }
if(peVadEx->tp == VMM_PTE_TP_DEMANDZERO) { continue; }
if((fPteA && (peVadEx->flags & VADEXENTRY_FLAG_W)) || (!fPteA && MMVAD_IS_FLAG_W(peVad))) {
@@ -326,7 +326,7 @@ VOID MEvilProc1_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt_ PV
if(!(psObInjectedPE = ObSet_New(H))) { goto fail; }
while((pObProcess = VmmProcessGetNext(H, pObProcess, 0))) {
if(H->fAbort) { goto fail; }
if(pObProcess->dwState || !pObProcess->fUserOnly) { continue; }
if(pObProcess->dwState || VmmProcess_IsKernelOnly(pObProcess)) { continue; }
if(FcIsProcessSkip(H, pObProcess)) { continue; }
MEvilProc1_PePatched_VadImageExecuteNoProto(H, pObProcess);
// update result with execute pages in non image vads.

2
vmm/modules/m_evil_proc2.c
View File

@@ -160,7 +160,7 @@ VOID MEvilProc2_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt_ PV
PVMM_PROCESS pObProcess = NULL;
while((pObProcess = VmmProcessGetNext(H, pObProcess, 0))) {
if(H->fAbort) { goto fail; }
if(pObProcess->dwState || !pObProcess->fUserOnly) { continue; }
if(pObProcess->dwState || VmmProcess_IsKernelOnly(pObProcess)) { continue; }
if(FcIsProcessSkip(H, pObProcess)) { continue; }
MEvilProc2_BadParent(H, pObProcess);
MEvilProc2_BadUser(H, pObProcess);

2
vmm/modules/m_evil_proc3.c
View File

@@ -95,7 +95,7 @@ VOID MEvilProc3_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt_ PV
MEVILPROC3_TIMECHANGE TimeChange = { 0 };
while((pObProcess = VmmProcessGetNext(H, pObProcess, VMM_FLAG_PROCESS_TOKEN | VMM_FLAG_PROCESS_SHOW_TERMINATED))) {
if(H->fAbort) { goto fail; }
if(!pObProcess->fUserOnly) { continue; }
if(VmmProcess_IsKernelOnly(pObProcess)) { continue; }
if(FcIsProcessSkip(H, pObProcess)) { continue; }
MEvilProc3_SeDebugPrivilege(H, pObProcess);
MEvilProc3_TimeChange(H, pObProcess, &TimeChange);

2
vmm/modules/m_evil_thread1.c
View File

@@ -245,7 +245,7 @@ VOID MEvilThread1_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt_
// 2: scan user-mode processes for evil threads:
while((pObProcess = VmmProcessGetNext(H, pObProcess, VMM_FLAG_PROCESS_TOKEN))) {
if(H->fAbort) { goto fail; }
if(pObProcess->dwState || !pObProcess->fUserOnly) { continue; }
if(pObProcess->dwState || VmmProcess_IsKernelOnly(pObProcess)) { continue; }
if(FcIsProcessSkip(H, pObProcess)) { continue; }
if(VmmMap_GetThread(H, pObProcess, &pObThreadMap)) {
VmmMap_GetModule(H, pObProcess, 0, &ctx.pModuleMap);

4
vmm/version.h
View File

@@ -3,8 +3,8 @@
#define VERSION_MAJOR 5
#define VERSION_MINOR 14
#define VERSION_REVISION 1
#define VERSION_BUILD 191
#define VERSION_REVISION 2
#define VERSION_BUILD 192
#define VER_FILE_DESCRIPTION_STR "MemProcFS : Core"
#define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

10
vmm/vmm.c
View File

@@ -1298,6 +1298,16 @@ VOID VmmProcessTlbClear(_In_ VMM_HANDLE H)
Ob_DECREF(pt);
}
/*
* Query the process whether it's a kernel process or not.
* -- pProcess
* -- return = TRUE if a typical kernel-mode process, FALSE if typical user-mode process.
*/
BOOL VmmProcess_IsKernelOnly(_In_opt_ PVMM_PROCESS pProcess)
{
return pProcess && !pProcess->fUserOnly && (*(PQWORD)pProcess->szName != 0x78652e737361736c) && (*(PQWORD)pProcess->szName != 0x78652e7373727363);
}
/*
* Query process for its creation time.
* -- H

7
vmm/vmm.h
View File

@@ -2501,6 +2501,13 @@ PVMM_PROCESS VmmProcessCreateEntry(_In_ VMM_HANDLE H, _In_ BOOL fTotalRefresh, _
_Success_(return)
BOOL VmmProcessCreateTerminatedFakeEntry(_In_ VMM_HANDLE H, _In_ DWORD dwPID, _In_ DWORD dwPPID, _In_ QWORD ftCreate, _In_ QWORD ftExit, _In_reads_(15) LPSTR szShortName, _In_ LPSTR uszLongName);
/*
* Query the process whether it's a kernel process or not.
* -- pProcess
* -- return = TRUE if a typical kernel-mode process, FALSE if typical user-mode process.
*/
BOOL VmmProcess_IsKernelOnly(_In_opt_ PVMM_PROCESS pProcess);
/*
* Query process for its creation time.
* -- H

4
vmmpyc/version.h
View File

@@ -3,8 +3,8 @@
#define VERSION_MAJOR 5
#define VERSION_MINOR 14
#define VERSION_REVISION 1
#define VERSION_BUILD 191
#define VERSION_REVISION 2
#define VERSION_BUILD 192
#define VER_FILE_DESCRIPTION_STR "MemProcFS : Python API"
#define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

2
vmmrust/leechcore_example/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "leechcore_example"
version = "5.14.1"
version = "5.14.2"
edition = "2021"
publish = false

2
vmmrust/m_example_plugin/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "m_example_plugin"
version = "5.14.1"
version = "5.14.2"
edition = "2021"
publish = false

2
vmmrust/memprocfs/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "memprocfs"
version = "5.14.1"
version = "5.14.2"
edition = "2021"
description = "MemProcFS - Physical Memory Analysis Framework"
documentation = "https://docs.rs/memprocfs"

2
vmmrust/memprocfs_example/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "memprocfs_example"
version = "5.14.1"
version = "5.14.2"
edition = "2021"
publish = false

4
vmmsharp/vmmsharp/Properties/AssemblyInfo.cs
View File

@@ -32,5 +32,5 @@ using System.Runtime.Versioning;
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("5.14.1.191")]
[assembly: AssemblyFileVersion("5.14.1.191")]
[assembly: AssemblyVersion("5.14.2.192")]
[assembly: AssemblyFileVersion("5.14.2.192")]

2
vmmsharp/vmmsharp/vmmsharp.csproj
View File

@@ -109,7 +109,7 @@
<None Include="logo.png" Pack="true" Visible="true" PackagePath="" />
</ItemGroup>
<PropertyGroup>
<Version>5.14.1</Version>
<Version>5.14.2</Version>
<RepositoryUrl>https://github.com/ufrisk/MemProcFS</RepositoryUrl>
<RepositoryType>git</RepositoryType>
<PackageLicenseFile>LICENSE</PackageLicenseFile>