Version 5.1.6

sepotc · Oct 28, 2022 · ec99d9b · ec99d9b
1 parent 48ad78b
commit ec99d9b
Show file tree

Hide file tree

Showing 13 changed files with 165 additions and 43 deletions.
diff --git a/MemProcFS.sln b/MemProcFS.sln
@@ -97,6 +97,11 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "internal", "internal", "{A8
 		vmmjava\vmm\internal\VmmNative.java = vmmjava\vmm\internal\VmmNative.java
 	EndProjectSection
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{99570206-7FB9-41C4-87C9-69064B8069FA}"
+	ProjectSection(SolutionItems) = preProject
+		README.md = README.md
+	EndProjectSection
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|ARM64 = Debug|ARM64

diff --git a/README.md b/README.md
@@ -213,4 +213,5 @@ v1.1-v3.10
 Latest:
 * Bug fixes.
 * FPGA performance improvements.
+* Linux feature additions (memcompress, token).
 * [ARM64 Windows support](https://github.com/ufrisk/MemProcFS/wiki/_ARM64).
diff --git a/m_vmemd/version.h b/m_vmemd/version.h
@@ -3,8 +3,8 @@
 
 #define VERSION_MAJOR               5
 #define VERSION_MINOR               1
-#define VERSION_REVISION            5
-#define VERSION_BUILD               84
+#define VERSION_REVISION            6
+#define VERSION_BUILD               85
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS : Plugin vmemd"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

diff --git a/memprocfs/version.h b/memprocfs/version.h
@@ -3,8 +3,8 @@
 
 #define VERSION_MAJOR               5
 #define VERSION_MINOR               1
-#define VERSION_REVISION            5
-#define VERSION_BUILD               84
+#define VERSION_REVISION            6
+#define VERSION_BUILD               85
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

diff --git a/vmm/Makefile b/vmm/Makefile
@@ -27,8 +27,8 @@ OBJ = oscompatibility.o charutil.o util.o pe.o vmmdll.o vmmdll_core.o vmmdll_sca
 	  m_file_handles_vads.o m_file_modules.o                                 \
 	  m_findevil.o m_misc_bitlocker.o m_misc_web.o m_misc_view.o             \
 	  m_phys2virt.o m_proc_handle.o m_proc_heap.o m_proc_ldrmodules.o        \
-	  m_proc_memmap.o m_proc_minidump.o m_proc_thread.o m_search.o           \
-	  m_sys.o m_sys_driver.o m_sys_mem.o m_sys_net.o m_sys_obj.o             \
+	  m_proc_memmap.o m_proc_minidump.o m_proc_thread.o m_proc_token.o       \
+	  m_search.o m_sys.o m_sys_driver.o m_sys_mem.o m_sys_net.o m_sys_obj.o  \
 	  m_sys_pool.c m_sys_proc.o m_sys_svc.o m_sys_task.o m_sys_user.o        \
 	  m_virt2phys.o
 

diff --git a/vmm/m_modules.h b/vmm/m_modules.h
@@ -91,6 +91,7 @@ VOID(*g_pfnModulesAllInternal[])(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_REGINFO
     M_ProcMemMap_Initialize,
     M_ProcMiniDump_Initialize,
     M_ProcThread_Initialize,
+    M_ProcToken_Initialize,
     M_Search_Initialize,
     M_Virt2Phys_Initialize,
     // global modules
@@ -121,8 +122,6 @@ VOID(*g_pfnModulesAllInternal[])(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_REGINFO
     M_FcSys_Initialize,
     M_FcThread_Initialize,
 #ifdef _WIN32
-    // windows-only per-process modules
-    M_ProcToken_Initialize,         // req: winapi
     // windows-only global modules
     M_SysCert_Initialize,           // req: winapi
     M_SysSyscall_Initialize,        // req: full symbols

diff --git a/vmm/m_proc_token.c b/vmm/m_proc_token.c
@@ -11,7 +11,9 @@
 #include "vmmwindef.h"
 #include "charutil.h"
 #include "infodb.h"
+#ifdef _WIN32
 #include <sddl.h>
+#endif /* _WIN32 */
 
 #define MPROCTOKEN_PRIVILEGE_LINELENGTH     60ULL
 #define MPROCTOKEN_PRIVILEGE_LINEHEADER     "   #    PID Flags Privilege Name"

diff --git a/vmm/oscompatibility.c b/vmm/oscompatibility.c
@@ -223,6 +223,95 @@ BOOL FileTimeToSystemTime(_In_ PFILETIME lpFileTime, _Out_ PSYSTEMTIME pSystemTi
     return TRUE;
 }
 
+
+
+// ----------------------------------------------------------------------------
+// SID functionality below:
+// ----------------------------------------------------------------------------
+
+_Success_(return)
+BOOL ConvertStringSidToSidA(_In_opt_ LPSTR szSID, _Outptr_ PSID *ppSID)
+{
+    BYTE c = 0;
+    DWORD i, csz;
+    PBYTE pbSID = NULL;
+    if(!szSID || !ppSID) { return FALSE; }
+    if(strncmp(szSID, "S-1-", 4)) { return FALSE; }
+    szSID += 4;
+    csz = (DWORD)strlen(szSID);
+    for(i = 0; i < csz; i++) {
+        if(szSID[i] == '-') {
+            if(szSID[i - 1] == '-') { return FALSE; }
+            c++;
+        }
+    }
+    if((c == 0) || (c > SID_MAX_SUB_AUTHORITIES) || (szSID[csz - 1] == '-')) { return FALSE; }
+    if(!(pbSID = LocalAlloc(0, 8 + c * sizeof(DWORD)))) { return FALSE; }
+    *ppSID = (PSID)pbSID;
+    *(PQWORD)pbSID = _byteswap_uint64(strtoull(szSID, NULL, 10));
+    pbSID[0] = 1;
+    pbSID[1] = c;
+    pbSID += sizeof(QWORD);
+    while(TRUE) {
+        while(TRUE) {
+            szSID += 1;
+            if(szSID[0] == 0) { return TRUE; }
+            if(szSID[0] == '-') { szSID += 1; break; }
+        }
+        *(PDWORD)pbSID = strtoul(szSID, NULL, 10);
+        pbSID += sizeof(DWORD);
+    }
+}
+
+/*
+* Linux compatible function of WIN32 API function ConvertSidToStringSidA()
+* CALLER LocalFree: *pszSid
+* -- pSID
+* -- pszSID
+* -- return
+*/
+_Success_(return)
+BOOL ConvertSidToStringSidA(_In_opt_ PSID pSID, _Outptr_ LPSTR *pszSid)
+{
+    PBYTE pbSID = (PBYTE)pSID;
+    DWORD dwVersion, c, o, cbSID;
+    QWORD qwAuthority;
+    LPSTR szSID;
+    if(!pSID) { return FALSE; }
+    dwVersion = pbSID[0];
+    if(dwVersion != 1) { return FALSE; }
+    c = pbSID[1];
+    if((c == 0) || (c > SID_MAX_SUB_AUTHORITIES)) { return FALSE; }
+    qwAuthority = _byteswap_uint64(*(PQWORD)(pbSID)) & 0x0000ffffffffffff;
+    cbSID = 64 + c * 12;
+    if(!(szSID = LocalAlloc(0, cbSID))) { return FALSE; }
+    o = snprintf(szSID, cbSID, "S-1-%llu", qwAuthority);
+    pbSID += 8;
+    while(c) {
+        o += snprintf(szSID + o, cbSID - o, "-%u", *(PDWORD)pbSID);
+        pbSID += 4;
+        c--;
+    }
+    *pszSid = szSID;
+    return TRUE;
+}
+
+/*
+* Linux compatible function of WIN32 API function ConvertSidToStringSidA()
+* -- pSID
+* -- return
+*/
+_Success_(return)
+BOOL IsValidSid(_In_opt_ PSID pSID)
+{
+    LPSTR szSID = NULL;
+    BOOL fResult = ConvertSidToStringSidA(pSID, &szSID);
+    LocalFree(szSID);
+    return fResult;
+}
+
+
+
 // ----------------------------------------------------------------------------
 // CRITICAL_SECTION functionality below:
 // ----------------------------------------------------------------------------
@@ -500,9 +589,41 @@ PSLIST_ENTRY InterlockedPushEntrySList(_Inout_ PSLIST_HEADER ListHead, _Inout_ P
 // VARIOUS FUNCTIONALITY BELOW:
 // ----------------------------------------------------------------------------
 
+/*
+* Linux implementation of ntdll!RtlDecompressBuffer for COMPRESS_ALGORITHM_XPRESS:
+* Dynamically load libMSCompression.so (if it exists) and use it. If library does
+* not exist then fail gracefully (i.e. don't support XPRESS decompress).
+* https://github.com/coderforlife/ms-compress   (License: GPLv3)
+*/
 NTSTATUS OSCOMPAT_RtlDecompressBuffer(USHORT CompressionFormat, PUCHAR UncompressedBuffer, ULONG  UncompressedBufferSize, PUCHAR CompressedBuffer, ULONG  CompressedBufferSize, PULONG FinalUncompressedSize)
 {
-    // TODO: not implemented yet
+    int rc;
+    void* lib_mscompress;
+    SIZE_T cbOut;
+    static BOOL fFirst = TRUE;
+    static SRWLOCK LockSRW = SRWLOCK_INIT;
+    static int(*pfn_xpress_decompress)(PBYTE pbIn, SIZE_T cbIn, PBYTE pbOut, SIZE_T *pcbOut) = NULL;
+    if(CompressionFormat != 3) { return VMM_STATUS_UNSUCCESSFUL; } // 3 == COMPRESS_ALGORITHM_XPRESS
+    if(fFirst) {
+        AcquireSRWLockExclusive(&LockSRW);
+        if(fFirst) {
+            fFirst = FALSE;
+            lib_mscompress = dlopen("libMSCompression.so", RTLD_NOW);
+            if(lib_mscompress) {
+                pfn_xpress_decompress = (int(*)(PBYTE,SIZE_T,PBYTE,SIZE_T*))dlsym(lib_mscompress, "xpress_decompress");
+            }
+        }
+        ReleaseSRWLockExclusive(&LockSRW);
+    }
+    *FinalUncompressedSize = 0;
+    if(pfn_xpress_decompress) {
+        cbOut = UncompressedBufferSize;
+        rc = pfn_xpress_decompress(CompressedBuffer, CompressedBufferSize, UncompressedBuffer, &cbOut);
+        if(rc == 0) {
+            *FinalUncompressedSize = cbOut;
+            return VMM_STATUS_SUCCESS;
+        }
+    }
     return VMM_STATUS_UNSUCCESSFUL;
 }
 

diff --git a/vmm/oscompatibility.h b/vmm/oscompatibility.h
@@ -140,6 +140,7 @@ typedef int(*_CoreCrtNonSecureSearchSortCompareFunction)(void const *, void cons
 #define _Out_writes_to_(x,y)
 #define _Out_writes_to_opt_(x,y)
 #define _Out_writes_z_(x)
+#define _Outptr_
 #define _Post_ptr_invalid_
 #define _Printf_format_string_
 #define _Success_(x)
@@ -173,6 +174,7 @@ typedef int(*_CoreCrtNonSecureSearchSortCompareFunction)(void const *, void cons
 #define strtok_s(s, d, c)                   (strtok_r(s, d, c))
 #define _snprintf_s(s,l,c,...)              (snprintf(s,min((size_t)(l), (size_t)(c)),__VA_ARGS__))
 #define sscanf_s(s, f, ...)                 (sscanf(s, f, __VA_ARGS__))
+#define StrStrIA(s, f)                      (strcasestr(s, f))
 #define SwitchToThread()                    (sched_yield())
 #define ExitThread(dwExitCode)              (pthread_exit(dwExitCode))
 #define ExitProcess(c)                      (exit(c ? EXIT_SUCCESS : EXIT_FAILURE))
@@ -198,6 +200,12 @@ typedef int(*_CoreCrtNonSecureSearchSortCompareFunction)(void const *, void cons
 HMODULE LoadLibraryA(LPSTR lpFileName);
 FARPROC GetProcAddress(HMODULE hModule, LPSTR lpProcName);
 
+// SID
+_Success_(return) BOOL IsValidSid(_In_opt_ PSID pSID);
+_Success_(return) BOOL ConvertSidToStringSidA(_In_opt_ PSID pSID, _Outptr_ LPSTR *pszSid);
+_Success_(return) BOOL ConvertStringSidToSidA(_In_opt_ LPSTR szSID, _Outptr_ PSID *ppSID);
+#define LookupAccountSidA(lpSystemName, Sid, Name, cchName, ReferencedDomainName, cchReferencedDomainName, peUse)       (FALSE)
+
 // CRITICAL SECTION
 #ifndef _LINUX_DEF_CRITICAL_SECTION
 #define _LINUX_DEF_CRITICAL_SECTION

diff --git a/vmm/version.h b/vmm/version.h
@@ -3,8 +3,8 @@
 
 #define VERSION_MAJOR               5
 #define VERSION_MINOR               1
-#define VERSION_REVISION            5
-#define VERSION_BUILD               84
+#define VERSION_REVISION            6
+#define VERSION_BUILD               85
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS : Core"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

diff --git a/vmm/vmm.c b/vmm/vmm.c
@@ -637,11 +637,10 @@ BOOL VmmCachePrefetchPages5(_In_ VMM_HANDLE H, _In_opt_ PVMM_PROCESS pProcess, _
 // The process table object (only used internally): VMMOB_PROCESS_TABLE
 // ----------------------------------------------------------------------------
 
-#ifdef _WIN32
 VOID VmmProcess_TokenTryEnsure(_In_ VMM_HANDLE H, _In_ PVMMOB_PROCESS_TABLE pt)
 {
     BOOL f, f32 = H->vmm.f32;
-    DWORD j, i = 0, iM, cbHdr, cb, dwIntegrityLevelIndex;
+    DWORD j, i = 0, iM, cbHdr, cb, dwIntegrityLevelIndex = 0;
     QWORD va, *pva = NULL;
     BYTE pb[0x1000];
     PVMM_PROCESS *ppProcess = NULL, pObSystemProcess = NULL;
@@ -760,10 +759,6 @@ VOID VmmProcess_TokenTryEnsure(_In_ VMM_HANDLE H, _In_ PVMMOB_PROCESS_TABLE pt)
     LocalFree(ppProcess);
     Ob_DECREF(pObSystemProcess);
 }
-#endif /* _WIN32 */
-#ifdef LINUX
-VOID VmmProcess_TokenTryEnsure(_In_ VMM_HANDLE H, _In_ PVMMOB_PROCESS_TABLE pt) { return; }
-#endif /* LINUX */
 
 /*
 * Global Synchronization/Lock of VmmProcess_TokenTryEnsure()

diff --git a/vmm/vmmwin.c b/vmm/vmmwin.c
@@ -2532,7 +2532,6 @@ VOID VmmWinPhysMemMap_Refresh(_In_ VMM_HANDLE H)
 // well known and system-specific.
 // ----------------------------------------------------------------------------
 
-#ifdef _WIN32
 /*
 * Retrieve the account name of the user account given a SID.
 * NB! Names for well known SIDs will be given in the language of the system
@@ -2666,10 +2665,8 @@ VOID VmmWinUser_Initialize_DoWork_UserHive(_In_ VMM_HANDLE H, _In_ POB_MAP pmOb)
     VMM_MAP_USERENTRY e;
     DWORD i, dwType, cbBuffer;
     BYTE pbBuffer[MAX_PATH];
-    CHAR szBufferUser[MAX_PATH];
-    WCHAR wszBufferSymlink[MAX_PATH];
-    LPSTR szHiveUser, szHiveNtdat;
-    LPWSTR wszSymlinkSid, wszSymlinkUser;
+    CHAR szBufferUser[MAX_PATH], szBufferSymlink[MAX_PATH];
+    LPSTR szHiveUser, szHiveNtdat, szSymlinkUser, szSymlinkSid = "";
     POB_REGISTRY_HIVE pObHive = NULL;
     while((pObHive = VmmWinReg_HiveGetNext(H, pObHive))) {
         szBufferUser[0] = 0;
@@ -2693,28 +2690,28 @@ VOID VmmWinUser_Initialize_DoWork_UserHive(_In_ VMM_HANDLE H, _In_ POB_MAP pmOb)
         }
         if(!e.pSID) {
             i = 0;
-            if(!VmmWinReg_ValueQuery1(H, pObHive, "ROOT\\Software\\Classes\\SymbolicLinkValue", &dwType, NULL, (PBYTE)wszBufferSymlink, sizeof(wszBufferSymlink) - 2, NULL, 0) || (dwType != REG_LINK)) { continue; }
-            wszBufferSymlink[MAX_PATH - 1] = 0;
-            if(!(wszSymlinkSid = wcsstr(wszBufferSymlink, L"\\S-"))) { continue; }
-            if(wcslen(wszSymlinkSid) < 20) { continue; }
-            while(wszSymlinkSid[i] && (wszSymlinkSid[i] != L'_') && ++i);
-            wszSymlinkSid[i] = 0;
-            if(!ConvertStringSidToSidW(wszSymlinkSid + 1, &e.pSID) || !e.pSID) { continue; }
+            f = VmmWinReg_ValueQuery1(H, pObHive, "ROOT\\Software\\Classes\\SymbolicLinkValue", &dwType, NULL, (PBYTE)pbBuffer, sizeof(pbBuffer) - 2, &cbBuffer, 0) &&
+                (dwType == REG_LINK) &&
+                CharUtil_WtoU((LPWSTR)pbBuffer, cbBuffer / 2, szBufferSymlink, sizeof(szBufferSymlink), NULL, NULL, CHARUTIL_FLAG_TRUNCATE | CHARUTIL_FLAG_STR_BUFONLY) &&
+                (szSymlinkSid = strstr(szBufferSymlink, "\\S-"));
+            if(!f || (strlen(szSymlinkSid) < 20)) { continue; }
+            while(szSymlinkSid[i] && (szSymlinkSid[i] != '_') && ++i);
+            szSymlinkSid[i] = 0;
+            if(!ConvertStringSidToSidA(szSymlinkSid + 1, &e.pSID) || !e.pSID) { continue; }
         }
         // get username - WinXP only
         if(!szBufferUser[0] && (H->vmm.kernel.dwVersionBuild <= 2600)) {
             i = 0;
-            wszSymlinkUser = wszBufferSymlink + 10;
-            while(wszSymlinkUser[i] && (wszSymlinkUser[i] != L'\\') && ++i);
+            szSymlinkUser = szBufferSymlink + 10;
+            while(szSymlinkUser[i] && (szSymlinkUser[i] != '\\') && ++i);
             if(i == 0) { continue; }
-            wszSymlinkUser[i] = 0;
-            CharUtil_WtoU(wszSymlinkUser, -1, szBufferUser, sizeof(szBufferUser), NULL, NULL, CHARUTIL_FLAG_TRUNCATE | CHARUTIL_FLAG_STR_BUFONLY);
+            szSymlinkUser[i] = 0;
+            CharUtil_UtoU(szSymlinkUser, -1, szBufferUser, sizeof(szBufferUser), NULL, NULL, CHARUTIL_FLAG_TRUNCATE | CHARUTIL_FLAG_STR_BUFONLY);
         }
         if(!szBufferUser[0]) { continue; }
         // get length and hash of sid string
         e.vaRegHive = pObHive->vaCMHIVE;
-        e.cbSID = GetLengthSid(e.pSID);
-        if(!e.cbSID || !ConvertSidToStringSidA(e.pSID, &e.szSID) || !e.szSID) {
+        if(!ConvertSidToStringSidA(e.pSID, &e.szSID) || !e.szSID) {
             LocalFree(e.pSID);
             continue;
         }
@@ -2806,12 +2803,6 @@ PVMMOB_MAP_USER VmmWinUser_Initialize(_In_ VMM_HANDLE H)
     return pObUser;
 }
 
-#endif /* _WIN32 */
-#ifdef LINUX
-_Success_(return) BOOL VmmWinUser_GetName(_In_ VMM_HANDLE H, _In_opt_ PSID pSID, _Out_writes_(cbuName) LPSTR uszName, _In_ DWORD cbuName, _Out_opt_ PBOOL pfAccountWellKnown) { return FALSE; }
-PVMMOB_MAP_USER VmmWinUser_Initialize(_In_ VMM_HANDLE H) { return NULL; }
-#endif /* LINUX */
-
 /*
 * Refresh the user map.
 * -- H

diff --git a/vmmpyc/version.h b/vmmpyc/version.h
@@ -3,8 +3,8 @@
 
 #define VERSION_MAJOR               5
 #define VERSION_MINOR               1
-#define VERSION_REVISION            5
-#define VERSION_BUILD               84
+#define VERSION_REVISION            6
+#define VERSION_BUILD               85
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS : Python API"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD