// m_fc_sys.c : general system forensic module.
//
// REQUIRE: FORENSIC SUB-SYSTEM INIT.
//
// NB! module generates forensic data only - no file system presence!
//
// (c) Ulf Frisk, 2022-2026
// Author: Ulf Frisk, pcileech@frizk.net
//
#include "modules.h"
/*
* Forensic initialize callback registered by M_FcSys_Initialize().
* This implementation does no work and returns no context.
* -- H = VMM handle (not used here).
* -- ctxP = plugin context (not used here).
* -- return = always NULL.
*/
PVOID MFcSys_FcInitialize(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP)
{
    PVOID ctxfc = NULL;     // nothing is allocated, so there is nothing to hand back
    return ctxfc;
}
/*
* CSV log callback registered by M_FcSys_Initialize().
* This implementation is a placeholder: it writes nothing to hCSV.
* -- H = VMM handle (not used here).
* -- ctxP = plugin context (not used here).
* -- hCSV = CSV handle (not used here).
*/
VOID MFcSys_FcLogCSV(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _In_ VMMDLL_CSV_HANDLE hCSV)
{
    // intentionally empty - no CSV rows are produced by this module.
    return;
}
/*
* Register the hidden forensic 'sys' module with the plugin manager.
* Registration is skipped, and pRI is left unmodified, when the registration
* structure carries an unexpected magic/version or when the target system is
* neither 64-bit nor 32-bit Windows.
* -- H = VMM handle, forwarded to the registration callback.
* -- pRI = plugin registration info; filled in and then passed to
*          pRI->pfnPluginManager_Register.
*/
VOID M_FcSys_Initialize(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI)
{
    // Reject a registration structure from a mismatching plugin interface
    // before any of its fields are written.
    if(pRI->magic != VMMDLL_PLUGIN_REGINFO_MAGIC) {
        return;
    }
    if(pRI->wVersion != VMMDLL_PLUGIN_REGINFO_VERSION) {
        return;
    }
    // Only Windows targets (64-bit or 32-bit) are supported.
    if(!((pRI->tpSystem == VMMDLL_SYSTEM_WINDOWS_64) || (pRI->tpSystem == VMMDLL_SYSTEM_WINDOWS_32))) {
        return;
    }
    // Forensic callbacks provided by this module.
    pRI->reg_fnfc.pfnInitialize = MFcSys_FcInitialize;      // Forensic initialize function supported
    pRI->reg_fnfc.pfnLogCSV = MFcSys_FcLogCSV;              // CSV log function supported
    // Placement of the module.
    pRI->reg_info.fRootModule = TRUE;                       // module shows in root directory
    pRI->reg_info.fRootModuleHidden = TRUE;                 // module hidden by default
    // NOTE(review): 128 is a hard-coded destination size. strcpy_s only bounds
    // the write if this equals the real capacity of uszPathName - presumably
    // it does; confirm against the struct declaration. The return value is
    // not checked.
    strcpy_s(pRI->reg_info.uszPathName, 128, "\\forensic\\hidden\\sys");    // module name
    // Hand the completed registration to the plugin manager.
    pRI->pfnPluginManager_Register(H, pRI);
}