-
-
Notifications
You must be signed in to change notification settings - Fork 415
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
57 changed files
with
7,974 additions
and
4,296 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,7 +11,7 @@ | |
// (c) Ulf Frisk, 2018-2024 | ||
// Author: Ulf Frisk, [email protected] | ||
// | ||
// Header Version: 5.12 | ||
// Header Version: 5.13 | ||
// | ||
|
||
#include "leechcore.h" | ||
|
@@ -1031,6 +1031,46 @@ VOID VMMDLL_Scatter_CloseHandle(_In_opt_ _Post_ptr_invalid_ VMMDLL_SCATTER_HANDL | |
|
||
|
||
|
||
//----------------------------------------------------------------------------- | ||
// MEMORY CALLBACK FUNCTIONALITY: | ||
// Allows for advanced memory access statistics and the creation of specialized | ||
// custom memory views for physical memory or per-process virtual memory. | ||
// Callback functions may be registered to modify memory reads and/or writes. | ||
//----------------------------------------------------------------------------- | ||
|
||
typedef enum tdVMMDLL_MEM_CALLBACK_TP { | ||
VMMDLL_MEM_CALLBACK_READ_PHYSICAL_PRE = 1, | ||
VMMDLL_MEM_CALLBACK_READ_PHYSICAL_POST = 2, | ||
VMMDLL_MEM_CALLBACK_WRITE_PHYSICAL_PRE = 3, | ||
VMMDLL_MEM_CALLBACK_READ_VIRTUAL_PRE = 4, | ||
VMMDLL_MEM_CALLBACK_READ_VIRTUAL_POST = 5, | ||
VMMDLL_MEM_CALLBACK_WRITE_VIRTUAL_PRE = 6, | ||
} VMMDLL_MEM_CALLBACK_TP; | ||
|
||
/* | ||
* MEM callback function definition. | ||
* -- ctxUser = user context pointer. | ||
* -- dwPID = PID of target process, (DWORD)-1 for physical memory. | ||
* -- cpMEMs = count of pMEMs. | ||
* -- ppMEMs = array of pointers to MEM scatter read headers. | ||
*/ | ||
typedef VOID(*VMMDLL_MEM_CALLBACK_PFN)(_In_opt_ PVOID ctxUser, _In_ DWORD dwPID, _In_ DWORD cpMEMs, _In_ PPMEM_SCATTER ppMEMs); | ||
|
||
/* | ||
* Register or unregister am optional memory access callback function. | ||
* It's possible to have one callback function registered for each type. | ||
* To clear an already registered callback function specify NULL as pfnCB. | ||
* -- hVMM | ||
* -- tp = type of callback to register / unregister - VMMDLL_MEM_CALLBACK_*. | ||
* -- ctxUser = user context pointer to be passed to the callback function. | ||
* -- pfnCB = callback function to register / unregister. | ||
* -- return | ||
*/ | ||
EXPORTED_FUNCTION _Success_(return) | ||
BOOL VMMDLL_MemCallback(_In_ VMM_HANDLE hVMM, _In_ VMMDLL_MEM_CALLBACK_TP tp, _In_opt_ PVOID ctxUser, _In_opt_ VMMDLL_MEM_CALLBACK_PFN pfnCB); | ||
|
||
|
||
|
||
//----------------------------------------------------------------------------- | ||
// VMM PROCESS MAP FUNCTIONALITY BELOW: | ||
// Functionality for retrieving process related collections of items such as | ||
|
@@ -1048,6 +1088,7 @@ VOID VMMDLL_Scatter_CloseHandle(_In_opt_ _Post_ptr_invalid_ VMMDLL_SCATTER_HANDL | |
#define VMMDLL_MAP_HEAP_VERSION 4 | ||
#define VMMDLL_MAP_HEAPALLOC_VERSION 1 | ||
#define VMMDLL_MAP_THREAD_VERSION 4 | ||
#define VMMDLL_MAP_THREAD_CALLSTACK_VERSION 1 | ||
#define VMMDLL_MAP_HANDLE_VERSION 3 | ||
#define VMMDLL_MAP_POOL_VERSION 2 | ||
#define VMMDLL_MAP_KOBJECT_VERSION 1 | ||
|
@@ -1316,6 +1357,18 @@ typedef struct tdVMMDLL_MAP_THREADENTRY { | |
QWORD vaWin32StartAddress; | ||
} VMMDLL_MAP_THREADENTRY, *PVMMDLL_MAP_THREADENTRY; | ||
|
||
typedef struct tdVMMDLL_MAP_THREAD_CALLSTACKENTRY { | ||
DWORD i; | ||
BOOL fRegPresent; | ||
QWORD vaRetAddr; | ||
QWORD vaRSP; | ||
QWORD vaBaseSP; | ||
DWORD _FutureUse1; | ||
DWORD cbDisplacement; | ||
union { LPSTR uszModule; LPWSTR wszModule; }; // U/W dependant | ||
union { LPSTR uszFunction; LPWSTR wszFunction; }; // U/W dependant | ||
} VMMDLL_MAP_THREAD_CALLSTACKENTRY, *PVMMDLL_MAP_THREAD_CALLSTACKENTRY; | ||
|
||
typedef struct tdVMMDLL_MAP_HANDLEENTRY { | ||
QWORD vaObject; | ||
DWORD dwHandle; | ||
|
@@ -1580,6 +1633,19 @@ typedef struct tdVMMDLL_MAP_THREAD { | |
VMMDLL_MAP_THREADENTRY pMap[]; // map entries. | ||
} VMMDLL_MAP_THREAD, *PVMMDLL_MAP_THREAD; | ||
|
||
typedef struct tdVMMDLL_MAP_THREAD_CALLSTACK { | ||
DWORD dwVersion; // VMMDLL_MAP_THREAD_CALLSTACK_VERSION | ||
DWORD _Reserved1[6]; | ||
DWORD dwPID; | ||
DWORD dwTID; | ||
DWORD cbText; | ||
union { LPSTR uszText; LPWSTR wszText; }; // U/W dependant | ||
PBYTE pbMultiText; // multi-str pointed into by VMM_MAP_EATENTRY.[wszFunction|wszModule] | ||
DWORD cbMultiText; | ||
DWORD cMap; | ||
VMMDLL_MAP_THREAD_CALLSTACKENTRY pMap[0]; | ||
} VMMDLL_MAP_THREAD_CALLSTACK, *PVMMDLL_MAP_THREAD_CALLSTACK; | ||
|
||
typedef struct tdVMMDLL_MAP_HANDLE { | ||
DWORD dwVersion; // VMMDLL_MAP_HANDLE_VERSION | ||
DWORD _Reserved1[5]; | ||
|
@@ -1811,6 +1877,24 @@ _Success_(return) BOOL VMMDLL_Map_GetHeapAlloc(_In_ VMM_HANDLE hVMM, _In_ DWORD | |
EXPORTED_FUNCTION | ||
_Success_(return) BOOL VMMDLL_Map_GetThread(_In_ VMM_HANDLE hVMM, _In_ DWORD dwPID, _Out_ PVMMDLL_MAP_THREAD *ppThreadMap); | ||
|
||
/* | ||
* Retrieve the thread callstack for a specific thread. | ||
* Callstack retrieval is: | ||
* - supported for x64 user-mode threads. | ||
* - a best-effort operation and may not always succeed. | ||
* - may download a large amounts of pdb symbol data from Microsoft. | ||
* CALLER FREE: VMMDLL_MemFree(*ppThreadCallstack) | ||
* -- hVMM | ||
* -- dwPID | ||
* -- dwTID | ||
* -- flags = 0, VMMDLL_FLAG_NOCACHE or VMM_FLAG_FORCECACHE_READ | ||
* -- ppThreadCallstack | ||
* -- return | ||
*/ | ||
EXPORTED_FUNCTION | ||
_Success_(return) BOOL VMMDLL_Map_GetThread_CallstackU(_In_ VMM_HANDLE hVMM, _In_ DWORD dwPID, _In_ DWORD dwTID, _In_ DWORD flags, _Out_ PVMMDLL_MAP_THREAD_CALLSTACK *ppThreadCallstack); | ||
_Success_(return) BOOL VMMDLL_Map_GetThread_CallstackW(_In_ VMM_HANDLE hVMM, _In_ DWORD dwPID, _In_ DWORD dwTID, _In_ DWORD flags, _Out_ PVMMDLL_MAP_THREAD_CALLSTACK *ppThreadCallstack); | ||
|
||
/* | ||
* Retrieve the handles for the specified process. | ||
* Entries returned are sorted on VMMDLL_MAP_HANDLEENTRY.dwHandle | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.