Version 2.10

MemProcFS/vmmdll.h

@@ -4,7 +4,7 @@
 // (c) Ulf Frisk, 2018-2019
 // Author: Ulf Frisk, [email protected]
 //
-// Header Version: 2.9
+// Header Version: 2.10
 //
 
 #include <windows.h>
@@ -35,6 +35,8 @@ extern "C" {
 *              documentation for additional information.
 *    -norefresh = disable background refreshes (even if backing memory is
 *              volatile memory).
+*    -symbolserverdisable = disable symbol server until user change. This
+*              parameter will take precedence over registry settings.
 * -- argc
 * -- argv
 * -- return = success/fail
@@ -62,6 +64,12 @@ BOOL VMMDLL_Close();
 _Success_(return)
 BOOL VMMDLL_Refresh(_In_ DWORD dwReserved);
 
+/*
+* Free memory allocated by the VMMDLL.
+* -- pvMem
+*/
+VOID VMMDLL_MemFree(_Frees_ptr_opt_ PVOID pvMem);
+
 
 //-----------------------------------------------------------------------------
 // CONFIGURATION SETTINGS BELOW:
@@ -580,11 +588,11 @@ BOOL VMMDLL_ProcessGetInformation(_In_ DWORD dwPID, _Inout_opt_ PVMMDLL_PROCESS_
 * Retrieve a string value belonging to a process. The function allocates a new
 * string buffer and returns the requested string in it. The string is always
 * NULL terminated. On failure NULL is returned.
-* NB! CALLER IS RESPONSIBLE FOR LocalFree return value!
-* CALLER LocalFree: return
+* NB! CALLER IS RESPONSIBLE FOR VMMDLL_MemFree return value!
+* CALLER FREE: VMMDLL_MemFree(return)
 * -- dwPID
 * -- fOptionString = string value to retrieve as given by VMMDLL_PROCESS_INFORMATION_OPT_STRING_*
-* -- return - fail: NULL, success: the string - NB! must be LocalFree'd by caller!
+* -- return - fail: NULL, success: the string - NB! must be VMMDLL_MemFree'd by caller!
 */
 LPSTR VMMDLL_ProcessGetInformationString(_In_ DWORD dwPID, _In_ DWORD fOptionString);
 
@@ -640,6 +648,49 @@ ULONG64 VMMDLL_ProcessGetModuleBase(_In_ DWORD dwPID, _In_ LPSTR szModuleName);
 
 
 
+//-----------------------------------------------------------------------------
+// WINDOWS SPECIFIC DEBUGGING / SYMBOL FUNCTIONALITY BELOW:
+//-----------------------------------------------------------------------------
+
+/*
+* Retrieve a symbol virtual address given a module name and a symbol name.
+* NB! not all modules may exist - initially only module "nt" is available.
+* NB! if multiple modules have the same name the 1st to be added will be used.
+* -- szModule
+* -- szSymbolName
+* -- pvaSymbolAddress
+* -- return
+*/
+_Success_(return)
+BOOL VMMDLL_PdbSymbolAddress(_In_ LPSTR szModule, _In_ LPSTR szSymbolName, _Out_ PULONG64 pvaSymbolAddress);
+
+/*
+* Retrieve a type size given a module name and a type name.
+* NB! not all modules may exist - initially only module "nt" is available.
+* NB! if multiple modules have the same name the 1st to be added will be used.
+* -- szModule
+* -- szTypeName
+* -- pcbTypeSize
+* -- return
+*/
+_Success_(return)
+BOOL VMMDLL_PdbTypeSize(_In_ LPSTR szModule, _In_ LPSTR szTypeName, _Out_ PDWORD pcbTypeSize);
+
+/*
+* Locate the offset of a type child - typically a sub-item inside a struct.
+* NB! not all modules may exist - initially only module "nt" is available.
+* NB! if multiple modules have the same name the 1st to be added will be used.
+* -- szModule
+* -- szTypeName
+* -- wszTypeChildName
+* -- pcbTypeChildOffset
+* -- return
+*/
+_Success_(return)
+BOOL VMMDLL_PdbTypeChildOffset(_In_ LPSTR szModule, _In_ LPSTR szTypeName, _In_ LPWSTR wszTypeChildName, _Out_ PDWORD pcbTypeChildOffset);
+
+
+
 //-----------------------------------------------------------------------------
 // WINDOWS SPECIFIC REGISTRY FUNCTIONALITY BELOW:
 //-----------------------------------------------------------------------------
@@ -817,9 +868,9 @@ typedef struct tdVMMDLL_WIN_TCPIP {
 
 /*
 * Retrieve networking information about network connections related to Windows TCP/IP stack.
-* NB! CALLER IS RESPONSIBLE FOR LocalFree return value!
-* CALLER LocalFree: return
-* -- return - fail: NULL, success: a PVMMDLL_WIN_TCPIP struct scontaining the result - NB! Caller responsible for LocalFree!
+* NB! CALLER IS RESPONSIBLE FOR VMMDLL_MemFree return value!
+* CALLER FREE: VMMDLL_MemFree(return)
+* -- return - fail: NULL, success: a PVMMDLL_WIN_TCPIP struct scontaining the result - NB! Caller responsible for VMMDLL_MemFree!
 */
 PVMMDLL_WIN_TCPIP VMMDLL_WinNet_Get();
 

README.md

@@ -8,7 +8,7 @@ Analyze memory dump files, <b>live memory</b> via [DumpIt](https://www.comae.com
 
 It's even possible to connect to a remote LeechAgent memory acquisition agent over a secured connection - allowing for remote live memory incident response - even over higher latency low band-width connections!
 
-Use your favorite tools to analyze memory - use your favorite hex editors, your python and powershell scripts, your disassemblers - all will work trivally with the Memory Process File System by just reading and writing files!
+Use your favorite tools to analyze memory - use your favorite hex editors, your python and powershell scripts, WinDbg or your favorite disassemblers and debuggers - all will work trivally with the Memory Process File System by just reading and writing files!
 
 <p align="center"><img src="https://github.com/ufrisk/MemProcFS/wiki/resources/proc_base2.png" height="190"/><img src="https://github.com/ufrisk/MemProcFS/wiki/resources/pciescreamer.jpeg" height="190"/><img src="https://github.com/ufrisk/MemProcFS/wiki/resources/proc_modules.png" height="190"/></p>
 
@@ -85,7 +85,7 @@ Also check out my Microsoft BlueHatIL 2019 talk _Practical Uses for Hardware-ass
 
 Building:
 =========
-Pre-built binaries and other supporting files are found in the files folder. The Memory Process File System binaries are built with Visual Studio 2017. No binaries currently exists for Linux (future support - please see Current Limitations & Future Development below).
+Pre-built binaries and other supporting files are found in the files folder. The Memory Process File System binaries are built with Visual Studio. No binaries currently exists for Linux (future support - please see Current Limitations & Future Development below).
 
 Detailed build instructions may be found in the [Wiki](https://github.com/ufrisk/MemProcFS/wiki) in the [Building](https://github.com/ufrisk/MemProcFS/wiki/Dev_Building) section.
 
@@ -103,6 +103,10 @@ Please find some ideas for possible future expansions of the memory process file
 - Support for analyzing x64 Linux, macOS and UEFI memory dumps.
 - Hash lookup of executable memory pages in DB.
 
+License:
+======
+The project source code is released under GPLv3. Some bundled Microsoft redistributable binaries are released under separate licenses.
+
 Links:
 ======
 * Blog: http://blog.frizk.net
@@ -174,3 +178,8 @@ v2.9
 * Bug fixes and major internal refactorings.
 * Full Registry support - Explore the Windows registry in the file system or via the API.
 * NB! The v2.9 C/C++ API vfs (virtual file system) API is incompatible with earlier versions.
+
+v2.10
+* Dump file support - create a WinDbg compatible `memory.dmp` file in the root folder.
+* Early .pdb debugging subsystem with Microsoft symbol server integration.
+* Process create/terminate timestamps on process directories.

files/leechcore.h

@@ -126,7 +126,7 @@
 // (c) Ulf Frisk, 2018-2019
 // Author: Ulf Frisk, [email protected]
 //
-// Header Version: 1.3.0
+// Header Version: 1.4
 //
 #ifndef __LEECHCORE_H__
 #define __LEECHCORE_H__
@@ -155,6 +155,7 @@ typedef void                                *HANDLE, **PHANDLE;
 typedef uint32_t                            BOOL, *PBOOL;
 typedef uint8_t                             BYTE, *PBYTE;
 typedef char                                CHAR, *PCHAR, *PSTR, *LPSTR;
+typedef const CHAR                          *LPCSTR;
 typedef uint16_t                            WORD, *PWORD, USHORT, *PUSHORT;
 typedef uint32_t                            DWORD, *PDWORD;
 typedef long long unsigned int              QWORD, *PQWORD, ULONG64, *PULONG64;
@@ -173,6 +174,7 @@ typedef long long unsigned int              QWORD, *PQWORD, ULONG64, *PULONG64;
 #define _In_reads_(cbDataIn)
 #define _Out_writes_opt_(x)
 #define _Success_(return)
+#define _Frees_ptr_opt_
 #endif /* LINUX */
 
 //-----------------------------------------------------------------------------
@@ -308,9 +310,17 @@ DLLEXPORT VOID LeechCore_Close();
 #define LEECHCORE_FLAG_WRITE_RETRY          0x01
 #define LEECHCORE_FLAG_WRITE_VERIFY         0x02
 
+/*
+* Free memory allocated by the LeechCore.
+* -- pvMem
+* -- return
+*/
+DLLEXPORT VOID LeechCore_MemFree(_Frees_ptr_opt_ PVOID pvMem);
+
 /*
 * Allocate a scatter buffer containing empty 0x1000-sized ppMEMs with address
-* set to zero. Caller is responsible for calling LocalFree(ppMEMs).
+* set to zero. Caller is responsible for calling LeechCore_MemFree(ppMEMs).
+* CALLER FREE: LeechCore_MemFree(ppMEMs)
 * -- cMEMs
 * -- pppMEMs = pointer to receive ppMEMs on success.
 * -- return
@@ -422,6 +432,7 @@ DLLEXPORT BOOL LeechCore_Probe(_In_ QWORD pa, _In_ DWORD cPages, _Inout_updates_
 #define LEECHCORE_OPT_MEMORYINFO_OS_UPTIME              0x0200000e  // R
 #define LEECHCORE_OPT_MEMORYINFO_OS_KERNELBASE          0x0200000f  // R
 #define LEECHCORE_OPT_MEMORYINFO_OS_KERNELHINT          0x02000010  // R
+#define LEECHCORE_OPT_MEMORYINFO_OS_KdDebuggerDataBlock 0x02000011  // R
 
 #define LEECHCORE_OPT_FPGA_PROBE_MAXPAGES               0x03000001  // RW
 #define LEECHCORE_OPT_FPGA_RX_FLUSH_LIMIT               0x03000002  // RW
@@ -464,6 +475,7 @@ DLLEXPORT BOOL LeechCore_SetOption(_In_ ULONG64 fOption, _In_ ULONG64 qwValue);
 
 #define LEECHCORE_COMMANDDATA_FPGA_WRITE_TLP            0x00000101  // R
 #define LEECHCORE_COMMANDDATA_FPGA_LISTEN_TLP           0x00000102  // R
+#define LEECHCORE_COMMANDDATA_FILE_DUMPHEADER_GET       0x00000201  // R
 #define LEECHCORE_COMMANDDATA_STATISTICS_GET            0x80000100  // R
 
 #define LEECHCORE_STATISTICS_MAGIC                      0xffff6550
@@ -478,7 +490,7 @@ DLLEXPORT BOOL LeechCore_SetOption(_In_ ULONG64 fOption, _In_ ULONG64 qwValue);
 #define LEECHCORE_STATISTICS_ID_COMMANDSVC                    0x07
 #define LEECHCORE_STATISTICS_ID_MAX                           0x07
 
-static const LPSTR LEECHCORE_STATISTICS_NAME[] = {
+static LPCSTR LEECHCORE_STATISTICS_NAME[] = {
     "LeechCore_Open",
     "LeechCore_ReadScatter",
     "LeechCore_Write",