Version 2.9

MemProcFS/leechcore.h

@@ -126,7 +126,7 @@
 // (c) Ulf Frisk, 2018-2019
 // Author: Ulf Frisk, [email protected]
 //
-// Header Version: 1.2.0
+// Header Version: 1.3.0
 //
 #ifndef __LEECHCORE_H__
 #define __LEECHCORE_H__

MemProcFS/memprocfs.c

@@ -67,10 +67,11 @@ VOID MemProcFsCtrlHandler_TryShutdownThread(PVOID pv)
 */
 BOOL WINAPI MemProcFsCtrlHandler(DWORD fdwCtrlType)
 {
+	HANDLE hThread;
     if (fdwCtrlType == CTRL_C_EVENT) {
         printf("CTRL+C detected - shutting down ...\n");
-        CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MemProcFsCtrlHandler_TryShutdownThread, NULL, 0, NULL);
-        Sleep(500);
+        hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MemProcFsCtrlHandler_TryShutdownThread, NULL, 0, NULL);
+		if(hThread) { WaitForSingleObject(hThread, 500); }
         TerminateProcess(GetCurrentProcess(), 1);
         Sleep(1000);
         ExitProcess(1);

MemProcFS/version.h

@@ -2,7 +2,7 @@
 #define STRINGIZE(s) STRINGIZE2(s)
 
 #define VERSION_MAJOR               2
-#define VERSION_MINOR               7
+#define VERSION_MINOR               9
 #define VERSION_REVISION            0
 #define VERSION_BUILD               0
 

MemProcFS/vfs.c

@@ -60,7 +60,7 @@ VOID VfsFileList_Free(_Inout_ PVFS_FILELIST pFileList)
     }
 }
 
-VOID VfsFileList_AddDirectoryFileInternal(_Inout_ PVFS_FILELIST pFileList, _In_ DWORD dwFileAttributes, _In_ FILETIME ftCreationTime, _In_ FILETIME ftLastAccessTime, _In_ FILETIME ftLastWriteTime, _In_ DWORD nFileSizeHigh, _In_ DWORD nFileSizeLow, _In_ LPSTR szName)
+VOID VfsFileList_AddDirectoryFileInternal(_Inout_ PVFS_FILELIST pFileList, _In_ DWORD dwFileAttributes, _In_ FILETIME ftCreationTime, _In_ FILETIME ftLastAccessTime, _In_ FILETIME ftLastWriteTime, _In_ DWORD nFileSizeHigh, _In_ DWORD nFileSizeLow, _In_opt_ LPSTR szName, _In_opt_ LPWSTR wszName)
 {
     DWORD i = 0;
     PWIN32_FIND_DATAW pFindData;
@@ -84,43 +84,54 @@ VOID VfsFileList_AddDirectoryFileInternal(_Inout_ PVFS_FILELIST pFileList, _In_
     pFindData->ftLastWriteTime = ftLastWriteTime;
     pFindData->nFileSizeHigh = nFileSizeHigh;
     pFindData->nFileSizeLow = nFileSizeLow;
-    while(i < MAX_PATH && szName[i]) {
-        pFindData->cFileName[i] = szName[i];
-        i++;
+    if(szName) {
+        while(i < MAX_PATH && szName[i]) {
+            pFindData->cFileName[i] = szName[i];
+            i++;
+        }
+    } else if(wszName) {
+        while(i < MAX_PATH && wszName[i]) {
+            pFindData->cFileName[i] = wszName[i];
+            i++;
+        }
     }
-    pFindData->cFileName[i] = 0;
+    pFindData->cFileName[min(i, MAX_PATH - 1)] = 0;
 }
 
-VOID VfsFileList_AddFile(_Inout_ HANDLE hFileList, _In_ LPSTR szName, _In_ QWORD cb, _In_ PVOID pvReserved)
+VOID VfsFileList_AddFile(_Inout_ HANDLE hFileList, _In_opt_ LPSTR szName, _In_opt_ LPWSTR wszName, _In_ QWORD cb, _In_opt_ PVMMDLL_VFS_FILELIST_EXINFO pExInfo)
 {
     PVFS_FILELIST pFileList2 = (PVFS_FILELIST)hFileList;
+    BOOL fExInfo = pExInfo && (pExInfo->dwVersion == VMMDLL_VFS_FILELIST_EXINFO_VERSION);
     if(pFileList2 && (pFileList2->magic == VFS_CONFIG_FILELIST_MAGIC)) {
         VfsFileList_AddDirectoryFileInternal(
             pFileList2,
-            FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,
-            ctxVfs->ftDefaultTime,
-            ctxVfs->ftDefaultTime,
-            ctxVfs->ftDefaultTime,
+            FILE_ATTRIBUTE_NOT_CONTENT_INDEXED | ((fExInfo && pExInfo->fCompressed) ? FILE_ATTRIBUTE_COMPRESSED : 0),
+            (fExInfo && pExInfo->qwCreationTime) ? pExInfo->ftCreationTime : ctxVfs->ftDefaultTime,
+            (fExInfo && pExInfo->qwLastAccessTime) ? pExInfo->ftLastAccessTime : ctxVfs->ftDefaultTime,
+            (fExInfo && pExInfo->qwLastWriteTime) ? pExInfo->ftLastWriteTime : ctxVfs->ftDefaultTime,
             (DWORD)(cb >> 32),
             (DWORD)cb,
-            szName
+            szName,
+            wszName
         );
     }
 }
 
-VOID VfsFileList_AddDirectory(_Inout_ HANDLE hFileList, _In_ LPSTR szName, _In_ PVOID pvReserved)
+VOID VfsFileList_AddDirectory(_Inout_ HANDLE hFileList, _In_ LPSTR szName, _In_opt_ LPWSTR wszName, _In_opt_ PVMMDLL_VFS_FILELIST_EXINFO pExInfo)
 {
     PVFS_FILELIST pFileList2 = (PVFS_FILELIST)hFileList;
+    BOOL fExInfo = pExInfo && (pExInfo->dwVersion == VMMDLL_VFS_FILELIST_EXINFO_VERSION);
     if(pFileList2 && (pFileList2->magic == VFS_CONFIG_FILELIST_MAGIC)) {
         VfsFileList_AddDirectoryFileInternal(
             pFileList2,
-            FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,
-            ctxVfs->ftDefaultTime,
-            ctxVfs->ftDefaultTime,
-            ctxVfs->ftDefaultTime,
+            FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED | ((fExInfo && pExInfo->fCompressed) ? FILE_ATTRIBUTE_COMPRESSED : 0),
+            (fExInfo && pExInfo->qwCreationTime) ? pExInfo->ftCreationTime : ctxVfs->ftDefaultTime,
+            (fExInfo && pExInfo->qwLastAccessTime) ? pExInfo->ftLastAccessTime : ctxVfs->ftDefaultTime,
+            (fExInfo && pExInfo->qwLastWriteTime) ? pExInfo->ftLastWriteTime : ctxVfs->ftDefaultTime,
             0,
             0,
-            szName
+            szName,
+            wszName
         );
     }
 }
@@ -211,7 +222,7 @@ VOID VfsCacheDirectory_Put(_In_ LPCWSTR wcsDirectoryName, _In_ PVFS_FILELIST pFi
 {
     EnterCriticalSection(&ctxVfs->CacheDirectoryLock);
     ctxVfs->CacheDirectory[ctxVfs->CacheDirectoryIndex].qwExpireTickCount64 = GetTickCount64() + VMMVFS_CACHE_DIRECTORY_LIFETIME_PROC_MS;
-    wcscpy_s(ctxVfs->CacheDirectory[ctxVfs->CacheDirectoryIndex].wszDirectoryName, MAX_PATH, wcsDirectoryName);
+    wcsncpy_s(ctxVfs->CacheDirectory[ctxVfs->CacheDirectoryIndex].wszDirectoryName, MAX_PATH, wcsDirectoryName, _TRUNCATE);
     VfsFileList_Free(ctxVfs->CacheDirectory[ctxVfs->CacheDirectoryIndex].pFileList);
     ctxVfs->CacheDirectory[ctxVfs->CacheDirectoryIndex].pFileList = pFileList;
     ctxVfs->CacheDirectoryIndex = (ctxVfs->CacheDirectoryIndex + 1) % VMMVFS_CACHE_DIRECTORY_ENTRIES;
@@ -240,6 +251,7 @@ BOOL VfsListVmmDirectory(_In_ LPWSTR wszDirectoryName)
     PVFS_FILELIST pFileList = VfsFileList_Alloc(ctxVfs->ftDefaultTime);
     VMMDLL_VFS_FILELIST VfsFileList;
     if(!pFileList) { return FALSE; }
+    VfsFileList.dwVersion = VMMDLL_VFS_FILELIST_VERSION;
     VfsFileList.h = (HANDLE)pFileList;
     VfsFileList.pfnAddFile = VfsFileList_AddFile;
     VfsFileList.pfnAddDirectory = VfsFileList_AddDirectory;

MemProcFS/vmmdll.h

@@ -4,7 +4,7 @@
 // (c) Ulf Frisk, 2018-2019
 // Author: Ulf Frisk, [email protected]
 //
-// Header Version: 2.8
+// Header Version: 2.9
 //
 
 #include <windows.h>
@@ -152,17 +152,60 @@ BOOL VMMDLL_ConfigSet(_In_ ULONG64 fOption, _In_ ULONG64 qwValue);
 #define VMMDLL_STATUS_FILE_INVALID                  ((NTSTATUS)0xC0000098L)
 #define VMMDLL_STATUS_FILE_SYSTEM_LIMITATION        ((NTSTATUS)0xC0000427L)
 
+#define VMMDLL_VFS_FILELIST_EXINFO_VERSION          1
+#define VMMDLL_VFS_FILELIST_VERSION                 1
+
+typedef struct tdVMMDLL_VFS_FILELIST_EXINFO {
+    DWORD dwVersion;
+    BOOL fCompressed;                   // set flag FILE_ATTRIBUTE_COMPRESSED - (no meaning but shows gui artifact in explorer.exe)
+    union {
+        FILETIME ftCreationTime;        // 0 = default time
+        QWORD qwCreationTime;
+    };
+    union {
+        FILETIME ftLastAccessTime;      // 0 = default time
+        QWORD qwLastAccessTime;
+    };
+    union {
+        FILETIME ftLastWriteTime;       // 0 = default time
+        QWORD qwLastWriteTime;
+    };
+} VMMDLL_VFS_FILELIST_EXINFO, *PVMMDLL_VFS_FILELIST_EXINFO;
+
 typedef struct tdVMMDLL_VFS_FILELIST {
-    VOID(*pfnAddFile)     (_Inout_ HANDLE h, _In_ LPSTR szName, _In_ ULONG64 cb, _In_ PVOID pvReserved);
-    VOID(*pfnAddDirectory)(_Inout_ HANDLE h, _In_ LPSTR szName, _In_ PVOID pvReserved);
+    DWORD dwVersion;
+    VOID(*pfnAddFile)     (_Inout_ HANDLE h, _In_opt_ LPSTR szName, _In_opt_ LPWSTR wszName, _In_ ULONG64 cb, _In_opt_ PVMMDLL_VFS_FILELIST_EXINFO pExInfo);
+    VOID(*pfnAddDirectory)(_Inout_ HANDLE h, _In_opt_ LPSTR szName, _In_opt_ LPWSTR wszName, _In_opt_ PVMMDLL_VFS_FILELIST_EXINFO pExInfo);
     HANDLE h;
 } VMMDLL_VFS_FILELIST, *PVMMDLL_VFS_FILELIST;
 
 /*
-* Helper function macros for callbacks into the VMM_VFS_FILELIST structure.
+* Helper inline functions for callbacks into the VMM_VFS_FILELIST structure.
 */
-#define VMMDLL_VfsList_AddFile(pFileList, szName, cb)      { ((PVMMDLL_VFS_FILELIST)pFileList)->pfnAddFile(((PVMMDLL_VFS_FILELIST)pFileList)->h, szName, cb, NULL); }
-#define VMMDLL_VfsList_AddDirectory(pFileList, szName)     { ((PVMMDLL_VFS_FILELIST)pFileList)->pfnAddDirectory(((PVMMDLL_VFS_FILELIST)pFileList)->h, szName, NULL); }
+inline VOID VMMDLL_VfsList_AddFile(_In_ HANDLE pFileList, _In_opt_ LPSTR szName, _In_ ULONG64 cb)
+{
+    ((PVMMDLL_VFS_FILELIST)pFileList)->pfnAddFile(((PVMMDLL_VFS_FILELIST)pFileList)->h, szName, NULL, cb, NULL);
+}
+
+inline VOID VMMDLL_VfsList_AddFileEx(_In_ HANDLE pFileList, _In_opt_ LPSTR szName, _In_opt_ LPWSTR wszName, _In_ ULONG64 cb, _In_opt_ PVMMDLL_VFS_FILELIST_EXINFO pExInfo)
+{
+    ((PVMMDLL_VFS_FILELIST)pFileList)->pfnAddFile(((PVMMDLL_VFS_FILELIST)pFileList)->h, szName, wszName, cb, pExInfo);
+}
+
+inline VOID VMMDLL_VfsList_AddDirectory(_In_ HANDLE pFileList, _In_opt_ LPSTR szName)
+{
+    ((PVMMDLL_VFS_FILELIST)pFileList)->pfnAddDirectory(((PVMMDLL_VFS_FILELIST)pFileList)->h, szName, NULL, NULL);
+}
+
+inline VOID VMMDLL_VfsList_AddDirectoryEx(_In_ HANDLE pFileList, _In_opt_ LPSTR szName, _In_opt_ LPWSTR wszName, _In_opt_ PVMMDLL_VFS_FILELIST_EXINFO pExInfo)
+{
+    ((PVMMDLL_VFS_FILELIST)pFileList)->pfnAddDirectory(((PVMMDLL_VFS_FILELIST)pFileList)->h, szName, wszName, pExInfo);
+}
+
+inline BOOL VMMDLL_VfsList_IsHandleValid(_In_ HANDLE pFileList)
+{
+    return ((PVMMDLL_VFS_FILELIST)pFileList)->dwVersion == VMMDLL_VFS_FILELIST_VERSION;
+}
 
 /*
 * List a directory of files in the memory process file system. Directories and
@@ -234,9 +277,9 @@ _Success_(return)
 BOOL VMMDLL_VfsInitializePlugins();
 
 #define VMMDLL_PLUGIN_CONTEXT_MAGIC             0xc0ffee663df9301c
-#define VMMDLL_PLUGIN_CONTEXT_VERSION           2
+#define VMMDLL_PLUGIN_CONTEXT_VERSION           3
 #define VMMDLL_PLUGIN_REGINFO_MAGIC             0xc0ffee663df9301d
-#define VMMDLL_PLUGIN_REGINFO_VERSION           3
+#define VMMDLL_PLUGIN_REGINFO_VERSION           4
 
 #define VMMDLL_PLUGIN_EVENT_VERBOSITYCHANGE     0x01
 #define VMMDLL_PLUGIN_EVENT_TOTALREFRESH        0x02
@@ -247,8 +290,8 @@ typedef struct tdVMMDLL_PLUGIN_CONTEXT {
     WORD wSize;
     DWORD dwPID;
     PVOID pProcess;
-    LPSTR szModule;
-    LPSTR szPath;
+    LPWSTR wszModule;
+    LPWSTR wszPath;
     PVOID pvReserved1;
     PVOID pvReserved2;
 } VMMDLL_PLUGIN_CONTEXT, *PVMMDLL_PLUGIN_CONTEXT;
@@ -266,7 +309,7 @@ typedef struct tdVMMDLL_PLUGIN_REGINFO {
     PVOID pvReserved2;
     // general plugin registration info to be filled out by the plugin below:
     struct {
-        CHAR szModuleName[32];
+        WCHAR wszModuleName[32];
         BOOL fRootModule;
         BOOL fProcessModule;
         PVOID pvReserved1;
@@ -656,6 +699,82 @@ BOOL VMMDLL_WinReg_HiveReadEx(_In_ ULONG64 vaCMHive, _In_ DWORD ra, _Out_ PBYTE
 _Success_(return)
 BOOL VMMDLL_WinReg_HiveWrite(_In_ ULONG64 vaCMHive, _In_ DWORD ra, _In_ PBYTE pb, _In_ DWORD cb);
 
+/*
+* Enumerate registry sub keys - similar to WINAPI function 'RegEnumKeyExW.'
+* Please consult WINAPI function documentation for information.
+* May be called with HKLM base or virtual address of CMHIVE base examples:
+*   1) 'HKLM\SOFTWARE\Key\SubKey'
+*   2) 'HKLM\ORPHAN\SAM\Key\SubKey'              (orphan key)
+*   3) '0x<vaCMHIVE>\ROOT\Key\SubKey'
+*   4) '0x<vaCMHIVE>\ORPHAN\Key\SubKey'          (orphan key)
+* -- wszFullPathKey
+* -- dwIndex
+* -- lpName
+* -- lpcchName
+* -- lpftLastWriteTime
+* -- return
+*/
+_Success_(return)
+BOOL VMMDLL_WinReg_EnumKeyExW(
+    _In_ LPWSTR wszFullPathKey,
+    _In_ DWORD dwIndex,
+    _Out_writes_opt_(*lpcchName) LPWSTR lpName,
+    _Inout_ LPDWORD lpcchName,
+    _Out_opt_ PFILETIME lpftLastWriteTime
+);
+
+/*
+* Enumerate registry values given a registry key - similar to WINAPI function
+* 'EnumValueW'. Please consult WINAPI function documentation for information.
+* May be called in two ways:
+* May be called with HKLM base or virtual address of CMHIVE base examples:
+*   1) 'HKLM\SOFTWARE\Key\SubKey'
+*   2) 'HKLM\ORPHAN\SAM\Key\SubKey'              (orphan key)
+*   3) '0x<vaCMHIVE>\ROOT\Key\SubKey'
+*   4) '0x<vaCMHIVE>\ORPHAN\Key\SubKey'          (orphan key)
+* -- wszFullPathKey
+* -- dwIndex
+* -- lpValueName
+* -- lpcchValueName
+* -- lpType
+* -- lpData
+* -- lpcbData
+* -- return
+*/
+_Success_(return)
+BOOL VMMDLL_WinReg_EnumValueW(
+    _In_ LPWSTR wszFullPathKey,
+    _In_ DWORD dwIndex,
+    _Out_writes_opt_(*lpcchValueName) LPWSTR lpValueName,
+    _Inout_ LPDWORD lpcchValueName,
+    _Out_opt_ LPDWORD lpType,
+    _Out_writes_opt_(*lpcbData) LPBYTE lpData,
+    _Inout_opt_ LPDWORD lpcbData
+);
+
+/*
+* Query a registry value given a registry key/value path - similar to WINAPI
+* function 'RegQueryValueEx'.
+* Please consult WINAPI function documentation for information.
+* May be called with HKLM base or virtual address of CMHIVE base examples:
+*   1) 'HKLM\SOFTWARE\Key\SubKey\Value'
+*   2) 'HKLM\ORPHAN\SAM\Key\SubKey\'             (orphan key and default value)
+*   3) '0x<vaCMHIVE>\ROOT\Key\SubKey\Value'
+*   4) '0x<vaCMHIVE>\ORPHAN\Key\SubKey\Value'    (orphan key value)
+* -- wszFullPathKeyValue
+* -- lpType
+* -- lpData
+* -- lpcbData
+* -- return
+*/
+_Success_(return)
+BOOL VMMDLL_WinReg_QueryValueExW(
+    _In_ LPWSTR wszFullPathKeyValue,
+    _Out_opt_ LPDWORD lpType,
+    _Out_writes_opt_(*lpcbData) LPBYTE lpData,
+    _When_(lpData == NULL, _Out_opt_) _When_(lpData != NULL, _Inout_opt_) LPDWORD lpcbData
+);
+
 
 
 //-----------------------------------------------------------------------------
@@ -764,11 +883,12 @@ BOOL VMMDLL_WinGetThunkInfoEAT(_In_ DWORD dwPID, _In_ LPSTR szModuleName, _In_ L
 * -- pb
 * -- cb
 * -- cbInitialOffset = offset, must be max 0x1000 and multiple of 0x10.
-* -- sz = buffer to fill, NULL to retrieve size in pcsz parameter.
-* -- pcsz = ptr to size of buffer on entry, size of characters on exit.
+* -- sz = buffer to fill, NULL to retrieve buffer size in pcsz parameter.
+* -- pcsz = IF sz==NULL :: size of buffer (including space for terminating NULL) on exit
+*           IF sz!=NULL :: size of buffer on entry, size of characters (excluding terminating NULL) on exit.
 */
 _Success_(return)
-BOOL VMMDLL_UtilFillHexAscii(_In_ PBYTE pb, _In_ DWORD cb, _In_ DWORD cbInitialOffset, _Inout_opt_ LPSTR sz, _Out_ PDWORD pcsz);
+BOOL VMMDLL_UtilFillHexAscii(_In_ PBYTE pb, _In_ DWORD cb, _In_ DWORD cbInitialOffset, _Out_opt_ LPSTR sz, _Inout_ PDWORD pcsz);
 
 #ifdef __cplusplus
 }

README.md

@@ -4,7 +4,7 @@ The Memory Process File System is an easy and convenient way of accessing physic
 
 Easy trivial point and click memory analysis without the need for complicated commandline arguments! Access memory content and artifacts via files in a mounted virtual file system or via a feature rich application library to include in your own projects!
 
-Analyze memory dump files, <b>live memory</b> via [DumpIt](https://www.comae.com/), loaded driver or even <b>live memory in read-write mode</b> via linked [PCILeech](https://github.com/ufrisk/pcileech/) and [PCILeech-FPGA](https://github.com/ufrisk/pcileech-fpga/) devices!
+Analyze memory dump files, <b>live memory</b> via [DumpIt](https://www.comae.com/) or WinPMEM, <b>live memory in read-write mode</b> via linked [PCILeech](https://github.com/ufrisk/pcileech/) and [PCILeech-FPGA](https://github.com/ufrisk/pcileech-fpga/) devices!
 
 It's even possible to connect to a remote LeechAgent memory acquisition agent over a secured connection - allowing for remote live memory incident response - even over higher latency low band-width connections!
 
@@ -51,7 +51,7 @@ The Memory Process File System is also dependant in the <b>Microsoft Visual C++
 
 Mounting the file system requires the <b>Dokany file system library</b> to be installed. Please download and install the latest version of Dokany at: https://github.com/dokan-dev/dokany/releases/latest It is recommended to download and install the <b>DokanSetup_redist</b> version.
 
-Python support requires Python 3.6. The user may specify the path to the Python 3.6 installation with the command line parameter `-pythonhome`, alternatively download [Python 3.6 - Windows x86-64 embeddable zip file](https://www.python.org/downloads/windows/) and unzip its contents into the `files/python36` folder when using Python modules in the file system. To use the Python API a normal Python 3.6 installation for Windows is required.
+Python support requires Python 3.6 or later. The user may specify the path to the Python installation with the command line parameter `-pythonhome`, alternatively download [Python 3.7 - Windows x86-64 embeddable zip file](https://www.python.org/downloads/windows/) and unzip its contents into the `files/python` folder when using Python modules in the file system. To use the Python API a normal 64-bit Python 3.6 or later installation for Windows is required.
 
 To capture live memory (without PCILeech FPGA hardware) download [DumpIt](https://www.comae.com/) and start the Memory Process File System via the DumpIt /LIVEKD mode. Alternatively, get WinPMEM by downloading the most recent signed [WinPMEM driver](https://github.com/Velocidex/c-aff4/tree/master/tools/pmem/resources/winpmem) and place it alongside MemProcFS - detailed instructions in the [LeechCore Wiki](https://github.com/ufrisk/LeechCore/wiki/Device_WinPMEM).
 
@@ -64,7 +64,7 @@ Examples:
 =========
 Start the Memory Process File System from the command line - possibly by using one of the examples below.
 
-Or register the memory dump extension with MemProcFS.exe so that the file system is mounted when double-clicking on a memory dump file!
+Or register the memory dump file extension with MemProcFS.exe so that the file system is automatically mounted when double-clicking on a memory dump file!
 
 - mount the memory dump file as default M: <br>`memprocfs.exe -device c:\temp\win10x64-dump.raw`
 - mount the memory dump file as default M: with extra verbosity: <br>`memprocfs.exe -device c:\temp\win10x64-dump.raw -v`
@@ -169,3 +169,8 @@ v2.7
 v2.8
 * Bug fixes.
 * Windows 10 Compressed Memory support.
+
+v2.9
+* Bug fixes and major internal refactorings.
+* Full Registry support - Explore the Windows registry in the file system or via the API.
+* NB! The v2.9 C/C++ API vfs (virtual file system) API is incompatible with earlier versions.

files/leechcore.h

@@ -126,7 +126,7 @@
 // (c) Ulf Frisk, 2018-2019
 // Author: Ulf Frisk, [email protected]
 //
-// Header Version: 1.2.0
+// Header Version: 1.3.0
 //
 #ifndef __LEECHCORE_H__
 #define __LEECHCORE_H__