From fcd7b16668f3e70ebb084b17d5ce06d0a0d335e9 Mon Sep 17 00:00:00 2001
From: Ulf Frisk
Date: Sat, 25 Jan 2025 18:33:09 +0100
Subject: [PATCH] Version 5.14.2
---
 README.md | 3 +++
 m_vmemd/m_vmemd.c | 2 +-
 m_vmemd/version.h | 4 ++--
 memprocfs/version.h | 4 ++--
 vmm/fc.c | 6 +++---
 vmm/modules/m_evil_apc1.c | 2 +-
 vmm/modules/m_evil_proc1.c | 4 ++--
 vmm/modules/m_evil_proc2.c | 2 +-
 vmm/modules/m_evil_proc3.c | 2 +-
 vmm/modules/m_evil_thread1.c | 2 +-
 vmm/version.h | 4 ++--
 vmm/vmm.c | 10 ++++++++++
 vmm/vmm.h | 7 +++++++
 vmmpyc/version.h | 4 ++--
 vmmrust/leechcore_example/Cargo.toml | 2 +-
 vmmrust/m_example_plugin/Cargo.toml | 2 +-
 vmmrust/memprocfs/Cargo.toml | 2 +-
 vmmrust/memprocfs_example/Cargo.toml | 2 +-
 vmmsharp/vmmsharp/Properties/AssemblyInfo.cs | 4 ++--
 vmmsharp/vmmsharp/vmmsharp.csproj | 2 +-
 20 files changed, 45 insertions(+), 25 deletions(-)
diff --git a/README.md b/README.md
index 8a8ade1..a6f59ea 100644
--- a/README.md
+++ b/README.md
@@ -248,3 +248,6 @@ v5.8
 * Bug fixes.
 * Linux clang compilation support.
 * macOS support.
+
+Latest:
+* Bug fixes.
diff --git a/m_vmemd/m_vmemd.c b/m_vmemd/m_vmemd.c
index 69e97e7..3768144 100644
--- a/m_vmemd/m_vmemd.c
+++ b/m_vmemd/m_vmemd.c
@@ -316,7 +316,7 @@ fail:
 * -- H
 * -- pRegInfo
 */
-EXPORTED_FUNCTION
+__declspec(dllexport) EXPORTED_FUNCTION
 VOID InitializeVmmPlugin(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_REGINFO pRegInfo)
 {
 if((pRegInfo->magic != VMMDLL_PLUGIN_REGINFO_MAGIC) || (pRegInfo->wVersion != VMMDLL_PLUGIN_REGINFO_VERSION)) { return; }
diff --git a/m_vmemd/version.h b/m_vmemd/version.h
index 8ccb135..9035711 100644
--- a/m_vmemd/version.h
+++ b/m_vmemd/version.h
@@ -3,8 +3,8 @@
 #define VERSION_MAJOR 5
 #define VERSION_MINOR 14
-#define VERSION_REVISION 1
-#define VERSION_BUILD 191
+#define VERSION_REVISION 2
+#define VERSION_BUILD 192
 #define VER_FILE_DESCRIPTION_STR "MemProcFS : Plugin vmemd"
 #define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD
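Review bot: `__declspec(dllexport)` is an MSVC-specific storage-class attribute prepended to `EXPORTED_FUNCTION` on the `InitializeVmmPlugin` definition, and the README hunk in this same commit lists Linux (clang) and macOS as supported targets; unless the project's compatibility header defines `__declspec` away on those platforms, this line will not compile there. If `EXPORTED_FUNCTION` already expands to the export attribute on Windows, the two are redundant at this one call site and the visibility fix belongs in the macro definition instead. I would keep `EXPORTED_FUNCTION VOID InitializeVmmPlugin(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_REGINFO pRegInfo)` and adjust the macro, or add a comment explaining why both are required here. The function body continues past the hunk.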
diff --git a/memprocfs/version.h b/memprocfs/version.h
index cbeeba3..6938975 100644
--- a/memprocfs/version.h
+++ b/memprocfs/version.h
@@ -3,8 +3,8 @@
 #define VERSION_MAJOR 5
 #define VERSION_MINOR 14
-#define VERSION_REVISION 1
-#define VERSION_BUILD 191
+#define VERSION_REVISION 2
+#define VERSION_BUILD 192
 #define VER_FILE_DESCRIPTION_STR "MemProcFS"
 #define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD
diff --git a/vmm/fc.c b/vmm/fc.c
index bd62b36..02ae82e 100644
--- a/vmm/fc.c
+++ b/vmm/fc.c
@@ -1267,9 +1267,9 @@ VOID FcScanVirtmem_AddRangeUser(_In_ VMM_HANDLE H, _In_ PFCOB_SCAN_VIRTMEM_CONTE
 PVMM_PROCESS pObProcess = NULL;
 while((pObProcess = VmmProcessGetNext(H, pObProcess, 0))) {
 if(H->fAbort) { goto fail; }
- if(!pObProcess->fUserOnly) { continue; } // don't scan kernel processes
- if(!pObProcess->win.vaPEB) { continue; } // don't scan special user-mode processes without PEB (such as MemCompression)
- if(FcIsProcessSkip(H, pObProcess)) { continue; } // don't scan problematic processes
+ if(VmmProcess_IsKernelOnly(pObProcess)) { continue; } // don't scan kernel processes
+ if(!pObProcess->win.vaPEB) { continue; } // don't scan special user-mode processes without PEB (such as MemCompression)
+ if(FcIsProcessSkip(H, pObProcess)) { continue; } // don't scan problematic processes
 FcScanVirtmem_AddRangeUserProcess(H, ctx, pObProcess);
 }
 fail:
diff --git a/vmm/modules/m_evil_apc1.c b/vmm/modules/m_evil_apc1.c
index d6a3d5b..7234cfd 100644
--- a/vmm/modules/m_evil_apc1.c
+++ b/vmm/modules/m_evil_apc1.c
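Review bot: The comment `// don't scan kernel processes` kept on the added `VmmProcess_IsKernelOnly` line no longer describes the check: per the helper's definition elsewhere in this patch it returns FALSE for processes whose name starts with `lsass.ex` or `csrss.ex` even when `fUserOnly` is clear, so those two system processes now pass this guard and, if they have a PEB, are added to the virtual-memory scan. That is a deliberate widening of the scan scope into two security-sensitive processes and the call site should say so rather than leave the old wording. Suggest `// skip kernel-only processes (lsass/csrss are intentionally scanned although not flagged fUserOnly)`. FcScanVirtmem_AddRangeUser's signature lies before the hunk.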
@@ -132,7 +132,7 @@ VOID MEvilAPC1_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt_ PVO
 if(!f) { goto fail; }
 // iterate over user-mode processes:
 while((pObProcess = VmmProcessGetNext(H, pObProcess, 0))) {
- if(!pObProcess->fUserOnly) { continue; }
+ if(VmmProcess_IsKernelOnly(pObProcess)) { continue; }
 if(H->fAbort) { goto fail; }
 if(VmmMap_GetThread(H, pObProcess, &pObThreadMap)) {
 for(i = 0; i < pObThreadMap->cMap; i++) {
diff --git a/vmm/modules/m_evil_proc1.c b/vmm/modules/m_evil_proc1.c
index 4b0a0be..46d8757 100644
--- a/vmm/modules/m_evil_proc1.c
+++ b/vmm/modules/m_evil_proc1.c
@@ -160,7 +160,7 @@ VOID MEvilProc1_VadNoImageExecuteEntry(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pPro
 for(iVadEx = 0; iVadEx < pObVadExMap->cMap; iVadEx++) {
 peVadEx = pObVadExMap->pMap + iVadEx;
 fPteA = peVadEx->flags & VADEXENTRY_FLAG_HARDWARE;
- if(!fPteA && !MMVAD_IS_FLAG_X(peVad)) { continue; }
+ //if(!fPteA && !MMVAD_IS_FLAG_X(peVad)) { continue; }
 if(fPteA && (peVadEx->flags & VADEXENTRY_FLAG_NX)) { continue; }
 if(peVadEx->tp == VMM_PTE_TP_DEMANDZERO) { continue; }
 if((fPteA && (peVadEx->flags & VADEXENTRY_FLAG_W)) || (!fPteA && MMVAD_IS_FLAG_W(peVad))) {
@@ -326,7 +326,7 @@ VOID MEvilProc1_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt_ PV
 if(!(psObInjectedPE = ObSet_New(H))) { goto fail; }
 while((pObProcess = VmmProcessGetNext(H, pObProcess, 0))) {
 if(H->fAbort) { goto fail; }
- if(pObProcess->dwState || !pObProcess->fUserOnly) { continue; }
+ if(pObProcess->dwState || VmmProcess_IsKernelOnly(pObProcess)) { continue; }
 if(FcIsProcessSkip(H, pObProcess)) { continue; }
 MEvilProc1_PePatched_VadImageExecuteNoProto(H, pObProcess);
 // update result with execute pages in non image vads.
diff --git a/vmm/modules/m_evil_proc2.c b/vmm/modules/m_evil_proc2.c
index e0f5a46..d424239 100644
--- a/vmm/modules/m_evil_proc2.c
+++ b/vmm/modules/m_evil_proc2.c
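Review bot: In the first m_evil_proc1.c hunk the old guard is left behind as commented-out code, `//if(!fPteA && !MMVAD_IS_FLAG_X(peVad)) { continue; }`, with no explanation of why it was disabled; as far as the hunk shows, non-hardware entries in VADs without the execute flag are no longer skipped and now fall through to the NX, demand-zero and writable checks below. Because that changes which regions the non-image-execute detection inspects — and very likely its false-positive profile — the intent should be recorded in a comment rather than left for the next reader to guess from dead code. Delete the commented line and replace it with something like `// do not pre-filter on the VAD execute flag; the per-entry NX/W checks below decide`. MEvilProc1_VadNoImageExecuteEntry begins and ends outside the hunk, so the full downstream effect cannot be confirmed from here.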
@@ -160,7 +160,7 @@ VOID MEvilProc2_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt_ PV
 PVMM_PROCESS pObProcess = NULL;
 while((pObProcess = VmmProcessGetNext(H, pObProcess, 0))) {
 if(H->fAbort) { goto fail; }
- if(pObProcess->dwState || !pObProcess->fUserOnly) { continue; }
+ if(pObProcess->dwState || VmmProcess_IsKernelOnly(pObProcess)) { continue; }
 if(FcIsProcessSkip(H, pObProcess)) { continue; }
 MEvilProc2_BadParent(H, pObProcess);
 MEvilProc2_BadUser(H, pObProcess);
diff --git a/vmm/modules/m_evil_proc3.c b/vmm/modules/m_evil_proc3.c
index be4eac3..21a3f3c 100644
--- a/vmm/modules/m_evil_proc3.c
+++ b/vmm/modules/m_evil_proc3.c
@@ -95,7 +95,7 @@ VOID MEvilProc3_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt_ PV
 MEVILPROC3_TIMECHANGE TimeChange = { 0 };
 while((pObProcess = VmmProcessGetNext(H, pObProcess, VMM_FLAG_PROCESS_TOKEN | VMM_FLAG_PROCESS_SHOW_TERMINATED))) {
 if(H->fAbort) { goto fail; }
- if(!pObProcess->fUserOnly) { continue; }
+ if(VmmProcess_IsKernelOnly(pObProcess)) { continue; }
 if(FcIsProcessSkip(H, pObProcess)) { continue; }
 MEvilProc3_SeDebugPrivilege(H, pObProcess);
 MEvilProc3_TimeChange(H, pObProcess, &TimeChange);
diff --git a/vmm/modules/m_evil_thread1.c b/vmm/modules/m_evil_thread1.c
index 70fc0b2..43c3748 100644
--- a/vmm/modules/m_evil_thread1.c
+++ b/vmm/modules/m_evil_thread1.c
@@ -245,7 +245,7 @@ VOID MEvilThread1_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt_
 // 2: scan user-mode processes for evil threads:
 while((pObProcess = VmmProcessGetNext(H, pObProcess, VMM_FLAG_PROCESS_TOKEN))) {
 if(H->fAbort) { goto fail; }
- if(pObProcess->dwState || !pObProcess->fUserOnly) { continue; }
+ if(pObProcess->dwState || VmmProcess_IsKernelOnly(pObProcess)) { continue; }
 if(FcIsProcessSkip(H, pObProcess)) { continue; }
 if(VmmMap_GetThread(H, pObProcess, &pObThreadMap)) {
 VmmMap_GetModule(H, pObProcess, 0, &ctx.pModuleMap);
diff --git a/vmm/version.h b/vmm/version.h
index 9803727..74627e8 100644
--- a/vmm/version.h
+++ b/vmm/version.h
@@ -3,8 +3,8 @@
 #define VERSION_MAJOR 5
 #define VERSION_MINOR 14
-#define VERSION_REVISION 1
-#define VERSION_BUILD 191
+#define VERSION_REVISION 2
+#define VERSION_BUILD 192
 #define VER_FILE_DESCRIPTION_STR "MemProcFS : Core"
 #define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD
diff --git a/vmm/vmm.c b/vmm/vmm.c
index 96303ab..bbf857c 100644
--- a/vmm/vmm.c
+++ b/vmm/vmm.c
@@ -1298,6 +1298,16 @@ VOID VmmProcessTlbClear(_In_ VMM_HANDLE H)
 Ob_DECREF(pt);
 }
+/*
+* Query the process whether it's a kernel process or not.
+* -- pProcess
+* -- return = TRUE if a typical kernel-mode process, FALSE if typical user-mode process.
+*/
+BOOL VmmProcess_IsKernelOnly(_In_opt_ PVMM_PROCESS pProcess)
+{
+ return pProcess && !pProcess->fUserOnly && (*(PQWORD)pProcess->szName != 0x78652e737361736c) && (*(PQWORD)pProcess->szName != 0x78652e7373727363);
+}
+
 /*
 * Query process for its creation time.
 * -- H
diff --git a/vmm/vmm.h b/vmm/vmm.h
index 2f73c73..f3fa556 100644
--- a/vmm/vmm.h
+++ b/vmm/vmm.h
@@ -2501,6 +2501,13 @@ PVMM_PROCESS VmmProcessCreateEntry(_In_ VMM_HANDLE H, _In_ BOOL fTotalRefresh, _
 _Success_(return)
 BOOL VmmProcessCreateTerminatedFakeEntry(_In_ VMM_HANDLE H, _In_ DWORD dwPID, _In_ DWORD dwPPID, _In_ QWORD ftCreate, _In_ QWORD ftExit, _In_reads_(15) LPSTR szShortName, _In_ LPSTR uszLongName);
+/*
+* Query the process whether it's a kernel process or not.
+* -- pProcess
+* -- return = TRUE if a typical kernel-mode process, FALSE if typical user-mode process.
+*/
+BOOL VmmProcess_IsKernelOnly(_In_opt_ PVMM_PROCESS pProcess);
+
 /*
 * Query process for its creation time.
 * -- H
diff --git a/vmmpyc/version.h b/vmmpyc/version.h
index 26a4e55..a38ec0f 100644
--- a/vmmpyc/version.h
+++ b/vmmpyc/version.h
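Review bot: The new `VmmProcess_IsKernelOnly` in vmm.c compares the first eight bytes of `szName` against two unexplained magic numbers; `0x78652e737361736c` and `0x78652e7373727363` are the little-endian encodings of `lsass.ex` and `csrss.ex`, so the real rule is "not fUserOnly, except lsass.exe and csrss.exe, which the forensic scanners now treat as user-mode targets" and neither the code nor the header comment ("TRUE if a typical kernel-mode process", repeated verbatim in vmm.h) says so. The `*(PQWORD)` cast is also an unaligned, type-punning read of a char array that a compiler may legitimately miscompile under strict aliasing, and it silently depends on `szName` being at least 8 bytes. Suggest `return pProcess && !pProcess->fUserOnly && memcmp(pProcess->szName, "lsass.ex", 8) && memcmp(pProcess->szName, "csrss.ex", 8);` (string.h is presumably already included) preceded by a comment naming the two carve-outs and noting that the match is case-sensitive and on the first 8 characters only, so e.g. `lsass.exx` would also be exempted.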
@@ -3,8 +3,8 @@
 #define VERSION_MAJOR 5
 #define VERSION_MINOR 14
-#define VERSION_REVISION 1
-#define VERSION_BUILD 191
+#define VERSION_REVISION 2
+#define VERSION_BUILD 192
 #define VER_FILE_DESCRIPTION_STR "MemProcFS : Python API"
 #define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD
diff --git a/vmmrust/leechcore_example/Cargo.toml b/vmmrust/leechcore_example/Cargo.toml
index 23ecf95..3c7de45 100644
--- a/vmmrust/leechcore_example/Cargo.toml
+++ b/vmmrust/leechcore_example/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "leechcore_example"
-version = "5.14.1"
+version = "5.14.2"
 edition = "2021"
 publish = false
diff --git a/vmmrust/m_example_plugin/Cargo.toml b/vmmrust/m_example_plugin/Cargo.toml
index a7e8679..2cd0a33 100644
--- a/vmmrust/m_example_plugin/Cargo.toml
+++ b/vmmrust/m_example_plugin/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "m_example_plugin"
-version = "5.14.1"
+version = "5.14.2"
 edition = "2021"
 publish = false
diff --git a/vmmrust/memprocfs/Cargo.toml b/vmmrust/memprocfs/Cargo.toml
index db7bc3a..b82bfdb 100644
--- a/vmmrust/memprocfs/Cargo.toml
+++ b/vmmrust/memprocfs/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "memprocfs"
-version = "5.14.1"
+version = "5.14.2"
 edition = "2021"
 description = "MemProcFS - Physical Memory Analysis Framework"
 documentation = "https://docs.rs/memprocfs"
diff --git a/vmmrust/memprocfs_example/Cargo.toml b/vmmrust/memprocfs_example/Cargo.toml
index 81471da..643b709 100644
--- a/vmmrust/memprocfs_example/Cargo.toml
+++ b/vmmrust/memprocfs_example/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "memprocfs_example"
-version = "5.14.1"
+version = "5.14.2"
 edition = "2021"
 publish = false
diff --git a/vmmsharp/vmmsharp/Properties/AssemblyInfo.cs b/vmmsharp/vmmsharp/Properties/AssemblyInfo.cs
index 7a5519b..694bcd4 100644
--- a/vmmsharp/vmmsharp/Properties/AssemblyInfo.cs
+++ b/vmmsharp/vmmsharp/Properties/AssemblyInfo.cs
@@ -32,5 +32,5 @@ using System.Runtime.Versioning;
 // You can specify all the values or you can default the Build and Revision Numbers
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("5.14.1.191")]
-[assembly: AssemblyFileVersion("5.14.1.191")]
+[assembly: AssemblyVersion("5.14.2.192")]
+[assembly: AssemblyFileVersion("5.14.2.192")]
diff --git a/vmmsharp/vmmsharp/vmmsharp.csproj b/vmmsharp/vmmsharp/vmmsharp.csproj
index e2c0b8d..94adfb9 100644
--- a/vmmsharp/vmmsharp/vmmsharp.csproj
+++ b/vmmsharp/vmmsharp/vmmsharp.csproj
@@ -109,7 +109,7 @@
- 5.14.1
+ 5.14.2
 https://github.com/ufrisk/MemProcFS
 git
 LICENSE