leechcorepyc 2.18.0__tar.gz → 2.18.4__tar.gz

{leechcorepyc-2.18.0/leechcorepyc.egg-info → leechcorepyc-2.18.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 1.2
 Name: leechcorepyc
-Version: 2.18.0
+Version: 2.18.4
 Summary: LeechCore for Python
 Home-page: https://github.com/ufrisk/LeechCore
 Author: Ulf Frisk

{leechcorepyc-2.18.0 → leechcorepyc-2.18.4}/includes/leechcore.h

@@ -14,7 +14,7 @@
 // (c) Ulf Frisk, 2020-2024
 // Author: Ulf Frisk, pcileech@frizk.net
 //
-// Header Version: 2.17
+// Header Version: 2.18.4
 //
 
 #ifndef __LEECHCORE_H__
@@ -568,6 +568,26 @@ typedef VOID(*PLC_TLP_FUNCTION_CALLBACK)(
 
 
 
+//-----------------------------------------------------------------------------
+// VMM (VM) LOOPBACK SUPPORT:
+// Functionality is used to create a VMM loopback device which is used by VMM
+// to read and write memory to/from a virtual machine. See VMM for an example.
+// Struct is passed in the 'hlcvmm' parameter to LcCreate() and will be copied.
+//-----------------------------------------------------------------------------
+
+#define LC_VMM_VERSION                          0x1eef0001
+
+typedef struct tdLC_VMM {
+    DWORD dwVersion;
+    HANDLE hVMM;
+    HANDLE hVMMVM;
+    PVOID pfnVMMDLL_ConfigGet;
+    PVOID pfnVMMDLL_VmMemReadScatter;
+    PVOID pfnVMMDLL_VmMemWriteScatter;
+} LC_VMM, *PLC_VMM;
+
+
+
 //-----------------------------------------------------------------------------
 // PCIE BAR SUPPORT:
 //-----------------------------------------------------------------------------

{leechcorepyc-2.18.0 → leechcorepyc-2.18.4}/leechcore/device_file.c

@@ -883,7 +883,7 @@ BOOL DeviceFile_Open(_Inout_ PLC_CONTEXT ctxLC, _Out_opt_ PPLC_CONFIG_ERRORINFO
         // check if file is hibernation file, in which case delegate open to hibr device:
         _fseeki64(ctx->File[0].h, 0, SEEK_SET);
         fread(&dwFileMagic, 1, sizeof(DWORD), ctx->File[0].h);
-        if(dwFileMagic == 0x52424948) {     // 'HIBR'
+        if((dwFileMagic == 0x52424948) || (dwFileMagic == 0x454b4157)) {     // 'HIBR' or 'WAKE'
             strncpy_s(ctxLC->Config.szDevice, _countof(ctxLC->Config.szDevice), "hibr://file=", _TRUNCATE);
             strncpy_s(ctxLC->Config.szDevice + 12, _countof(ctxLC->Config.szDevice) - 12, ctx->szFileName, _TRUNCATE);
             strncpy_s(ctxLC->Config.szDeviceName, _countof(ctxLC->Config.szDeviceName), "hibr", _TRUNCATE);

{leechcorepyc-2.18.0 → leechcorepyc-2.18.4}/leechcore/device_fpga.c

@@ -2273,7 +2273,7 @@ VOID DeviceFPGA_Synch_ReadScatter_Impl(_In_ PLC_CONTEXT ctxLC, _In_ DWORD cMEMs,
                 continue;
             }
             if(cbTotalInCycle >= ctx->perf.MAX_SIZE_RX) { break; }  // over max size -> break loop and read result
-            cbTotalInCycle += pDMA->cb;
+            cbTotalInCycle += (pDMA->cb == 0x1000) ? 0x1000 : (pDMA->cb + 48);
             o = 0;
             while(o < pDMA->cb) {
                 cb = fTiny ? min(0x80, pDMA->cb - o) : pDMA->cb;

{leechcorepyc-2.18.0 → leechcorepyc-2.18.4}/leechcore/device_hibr.c

@@ -70,6 +70,7 @@ const HIBR_OFFSET HIBR_OFFSET_PROFILES[] = {
 #define VMM_PTR_OFFSET(f32, pb, o)              ((f32) ? *(PDWORD)((o) + (PBYTE)(pb)) : *(PQWORD)((o) + (PBYTE)(pb)))
 
 #define HIBR_MAGIC                              0x52424948
+#define WAKE_MAGIC                              0x454b4157
 
 #define COMPRESS_ALGORITHM_NONE                 0
 #define COMPRESS_ALGORITHM_XPRESS               3
@@ -168,6 +169,7 @@ NTSTATUS OSCOMPAT_RtlDecompressBufferEx(USHORT CompressionFormat, PUCHAR Uncompr
     static BOOL fFirst = TRUE;
     static SRWLOCK LockSRW = SRWLOCK_INIT;
     static int(*pfn_xpress_decompress)(PBYTE pbIn, SIZE_T cbIn, PBYTE pbOut, SIZE_T *pcbOut) = NULL;
+    static int(*pfn_xpress_decompress_huff)(PBYTE pbIn, SIZE_T cbIn, PBYTE pbOut, SIZE_T * pcbOut) = NULL;
     CHAR szPathLib[MAX_PATH] = { 0 };
     Util_GetPathLib(szPathLib);
     strncat_s(szPathLib, sizeof(szPathLib), "libMSCompression.so", _TRUNCATE);
@@ -178,20 +180,18 @@ NTSTATUS OSCOMPAT_RtlDecompressBufferEx(USHORT CompressionFormat, PUCHAR Uncompr
             fFirst = FALSE;
             lib_mscompress = dlopen(szPathLib, RTLD_NOW);
             if(lib_mscompress) {
-                if(CompressionFormat == 3) {    // COMPRESS_ALGORITHM_XPRESS
-                    pfn_xpress_decompress = (int(*)(PBYTE, SIZE_T, PBYTE, SIZE_T *))dlsym(lib_mscompress, "xpress_decompress");
-                }
-                if(CompressionFormat == 4) {    // COMPRESS_ALGORITHM_XPRESS_HUFF
-                    pfn_xpress_decompress = (int(*)(PBYTE, SIZE_T, PBYTE, SIZE_T *))dlsym(lib_mscompress, "xpress_huff_decompress");
-                }
+                pfn_xpress_decompress = (int(*)(PBYTE, SIZE_T, PBYTE, SIZE_T *))dlsym(lib_mscompress, "xpress_decompress");
+                pfn_xpress_decompress_huff = (int(*)(PBYTE, SIZE_T, PBYTE, SIZE_T *))dlsym(lib_mscompress, "xpress_huff_decompress");
             }
         }
         ReleaseSRWLockExclusive(&LockSRW);
     }
     *FinalUncompressedSize = 0;
-    if(pfn_xpress_decompress) {
+    if(pfn_xpress_decompress && pfn_xpress_decompress_huff) {
         cbOut = UncompressedBufferSize;
-        rc = pfn_xpress_decompress(CompressedBuffer, CompressedBufferSize, UncompressedBuffer, &cbOut);
+        rc = (CompressionFormat == 4) ?
+            pfn_xpress_decompress_huff(CompressedBuffer, CompressedBufferSize, UncompressedBuffer, &cbOut) :
+            pfn_xpress_decompress(CompressedBuffer, CompressedBufferSize, UncompressedBuffer, &cbOut);
         if(rc == 0) {
             *FinalUncompressedSize = cbOut;
             return HIBR_STATUS_SUCCESS;
@@ -410,7 +410,7 @@ BOOL DeviceHibr_HibrInitialize(_In_ PLC_CONTEXT ctxLC)
     // 1: fetch header:
     if(_fseeki64(ctx->hFile, 0, SEEK_SET)) { goto fail; }
     if(fread(pb, 1, sizeof(pb), ctx->hFile) != sizeof(pb)) { goto fail; }
-    if(*(PDWORD)(pb + 0x000) != HIBR_MAGIC) { goto fail; }
+    if((*(PDWORD)(pb + 0x000) != HIBR_MAGIC) && (*(PDWORD)(pb + 0x000) != WAKE_MAGIC)) { goto fail; }
     // 2: fetch offsets to use by looking at struct length:
     cbPO_MEMORY_IMAGE = *(PDWORD)(pb + 0x00c);
     for(i = 0; i < _countof(HIBR_OFFSET_PROFILES); i++) {

{leechcorepyc-2.18.0 → leechcorepyc-2.18.4}/leechcore/device_vmm.c

@@ -17,76 +17,54 @@ typedef BOOL(*FN_VMMDLL_ConfigGet)(_In_ VMM_HANDLE hVMM, _In_ ULONG64 fOption, _
 typedef DWORD(*FN_VMMDLL_VmMemReadScatter)(_In_ VMM_HANDLE hVMM, _In_ VMMVM_HANDLE hVM, _Inout_ PPMEM_SCATTER ppMEMsGPA, _In_ DWORD cpMEMsGPA, _In_ DWORD flags);
 typedef DWORD(*FN_VMMDLL_VmMemWriteScatter)(_In_ VMM_HANDLE hVMM, _In_ VMMVM_HANDLE hVM, _Inout_ PPMEM_SCATTER ppMEMsGPA, _In_ DWORD cpMEMsGPA);
 
-typedef struct tdDEVICE_CONTEXT_VMM {
-    HMODULE hModuleVMM;
-    VMM_HANDLE hVMM;
-    VMMVM_HANDLE hVM;
-    FN_VMMDLL_ConfigGet pfnFN_VMMDLL_ConfigGet;
-    FN_VMMDLL_VmMemReadScatter pfnVMMDLL_VmMemReadScatter;
-    FN_VMMDLL_VmMemWriteScatter pfnVMMDLL_VmMemWriteScatter;
-} DEVICE_CONTEXT_VMM , *PDEVICE_CONTEXT_VMM;
-
 //-----------------------------------------------------------------------------
 // GENERAL FUNCTIONALITY BELOW:
 //-----------------------------------------------------------------------------
 
 VOID DeviceVMM_ReadScatter(_In_ PLC_CONTEXT ctxLC, _In_ DWORD cpMEMs, _Inout_ PPMEM_SCATTER ppMEMs)
 {
-    PDEVICE_CONTEXT_VMM ctx = (PDEVICE_CONTEXT_VMM)ctxLC->hDevice;
-    ctx->pfnVMMDLL_VmMemReadScatter(ctx->hVMM, ctx->hVM, ppMEMs, cpMEMs, 0);
+    PLC_VMM ctx = (PLC_VMM)ctxLC->hDevice;
+    ((FN_VMMDLL_VmMemReadScatter)ctx->pfnVMMDLL_VmMemReadScatter)(ctx->hVMM, ctx->hVMMVM, ppMEMs, cpMEMs, 0);
 }
 
 VOID DeviceVMM_WriteScatter(_In_ PLC_CONTEXT ctxLC, _In_ DWORD cpMEMs, _Inout_ PPMEM_SCATTER ppMEMs)
 {
-    PDEVICE_CONTEXT_VMM ctx = (PDEVICE_CONTEXT_VMM)ctxLC->hDevice;
-    ctx->pfnVMMDLL_VmMemWriteScatter(ctx->hVMM, ctx->hVM, ppMEMs, cpMEMs);
+    PLC_VMM ctx = (PLC_VMM)ctxLC->hDevice;
+    ((FN_VMMDLL_VmMemWriteScatter)ctx->pfnVMMDLL_VmMemWriteScatter)(ctx->hVMM, ctx->hVMMVM, ppMEMs, cpMEMs);
 }
 
 VOID DeviceVMM_Close(_Inout_ PLC_CONTEXT ctxLC)
 {
-    PDEVICE_CONTEXT_VMM ctx = (PDEVICE_CONTEXT_VMM)ctxLC->hDevice;
-    if(ctx) {
-        ctxLC->hDevice = 0;
-        if(ctx->hModuleVMM) { FreeLibrary(ctx->hModuleVMM); }
-        LocalFree(ctx);
-    }
+    PLC_VMM ctx = (PLC_VMM)ctxLC->hDevice;
+    ctxLC->hDevice = 0;
+    LocalFree(ctx);
 }
 
-#define VMM_PARAMETER_HANDLE_VMM    "hvmm"
-#define VMM_PARAMETER_HANDLE_VM     "hvm"
+#define VMM_PARAMETER_HANDLE_LCVMM    "hlcvmm"
 
 _Success_(return)
 BOOL DeviceVMM_Open(_Inout_ PLC_CONTEXT ctxLC, _Out_opt_ PPLC_CONFIG_ERRORINFO ppLcCreateErrorInfo)
 {
-    PDEVICE_CONTEXT_VMM ctx;
+    PLC_VMM ctx, ctxSrc;
     QWORD qwReadOnly = 0, qwVolatile = 0;
     if(ppLcCreateErrorInfo) { *ppLcCreateErrorInfo = NULL; }
     // 1: initialize core context:
-    if(sizeof(PVOID) < 8) { return FALSE; }     // only supported on 64-bit os (due to resource constraints)
-    ctx = (PDEVICE_CONTEXT_VMM)LocalAlloc(LMEM_ZEROINIT, sizeof(DEVICE_CONTEXT_VMM));
+    if(sizeof(PVOID) != 8) { return FALSE; }     // only supported on 64-bit os (due to resource constraints)
+    ctx = (PLC_VMM)LocalAlloc(LMEM_ZEROINIT, sizeof(LC_VMM));
     if(!ctx) { return FALSE; }
-    ctxLC->hDevice = (HANDLE)ctx;
-    // 2: initialize vmm references:
-    ctx->hModuleVMM = LoadLibraryA("vmm.dll");
-    if(!ctx->hModuleVMM) {
-        lcprintfv(ctxLC, "DEVICE: VMM: Unable to open loopback device #1.\n");
-        goto fail;
-    }
-    ctx->pfnFN_VMMDLL_ConfigGet = (FN_VMMDLL_ConfigGet)GetProcAddress(ctx->hModuleVMM, "VMMDLL_ConfigGet");
-    ctx->pfnVMMDLL_VmMemReadScatter = (FN_VMMDLL_VmMemReadScatter)GetProcAddress(ctx->hModuleVMM, "VMMDLL_VmMemReadScatter");
-    ctx->pfnVMMDLL_VmMemWriteScatter = (FN_VMMDLL_VmMemWriteScatter)GetProcAddress(ctx->hModuleVMM, "VMMDLL_VmMemWriteScatter");
-    if(!ctx->pfnFN_VMMDLL_ConfigGet || !ctx->pfnVMMDLL_VmMemReadScatter || !ctx->pfnVMMDLL_VmMemWriteScatter) {
-        lcprintfv(ctxLC, "DEVICE: VMM: Unable to open loopback device #2.\n");
+    // 2: initialize device
+    ctxSrc = (PLC_VMM)LcDeviceParameterGetNumeric(ctxLC, VMM_PARAMETER_HANDLE_LCVMM);
+    if(!ctxSrc || (ctxSrc->dwVersion != LC_VMM_VERSION) || !ctxSrc->hVMM || !ctxSrc->hVMMVM || !ctxSrc->pfnVMMDLL_ConfigGet || !ctxSrc->pfnVMMDLL_VmMemReadScatter || !ctxSrc->pfnVMMDLL_VmMemWriteScatter) {
+        lcprintfv(ctxLC, "DEVICE: VMM: Unable to open loopback device #1\n");
         goto fail;
     }
+    memcpy(ctx, ctxSrc, sizeof(LC_VMM));
     // 3: fetch config parameters:
-    ctx->hVMM = (VMM_HANDLE)LcDeviceParameterGetNumeric(ctxLC, VMM_PARAMETER_HANDLE_VMM);
-    ctx->hVM = (VMMVM_HANDLE)LcDeviceParameterGetNumeric(ctxLC, VMM_PARAMETER_HANDLE_VM);
-    if(!ctx->pfnFN_VMMDLL_ConfigGet(ctx->hVMM, LC_OPT_CORE_VOLATILE, &qwVolatile)) {    // inherit from vm parent vmm
+    if(!((FN_VMMDLL_ConfigGet)ctx->pfnVMMDLL_ConfigGet)(ctx->hVMM, LC_OPT_CORE_VOLATILE, &qwVolatile)) {    // inherit from vm parent vmm
         lcprintfv(ctxLC, "DEVICE: VMM: Unable to communicate with loopback device #1.\n");
         goto fail;
     }
-    if(!ctx->pfnFN_VMMDLL_ConfigGet(ctx->hVMM, LC_OPT_CORE_READONLY, &qwReadOnly)) {    // inherit from vm parent vmm
+    if(!((FN_VMMDLL_ConfigGet)ctx->pfnVMMDLL_ConfigGet)(ctx->hVMM, LC_OPT_CORE_READONLY, &qwReadOnly)) {    // inherit from vm parent vmm
         lcprintfv(ctxLC, "DEVICE: VMM: Unable to communicate with loopback device #2.\n");
         goto fail;
     }

{leechcorepyc-2.18.0 → leechcorepyc-2.18.4}/leechcore/leechcore.h

@@ -14,7 +14,7 @@
 // (c) Ulf Frisk, 2020-2024
 // Author: Ulf Frisk, pcileech@frizk.net
 //
-// Header Version: 2.17
+// Header Version: 2.18.4
 //
 
 #ifndef __LEECHCORE_H__
@@ -568,6 +568,26 @@ typedef VOID(*PLC_TLP_FUNCTION_CALLBACK)(
 
 
 
+//-----------------------------------------------------------------------------
+// VMM (VM) LOOPBACK SUPPORT:
+// Functionality is used to create a VMM loopback device which is used by VMM
+// to read and write memory to/from a virtual machine. See VMM for an example.
+// Struct is passed in the 'hlcvmm' parameter to LcCreate() and will be copied.
+//-----------------------------------------------------------------------------
+
+#define LC_VMM_VERSION                          0x1eef0001
+
+typedef struct tdLC_VMM {
+    DWORD dwVersion;
+    HANDLE hVMM;
+    HANDLE hVMMVM;
+    PVOID pfnVMMDLL_ConfigGet;
+    PVOID pfnVMMDLL_VmMemReadScatter;
+    PVOID pfnVMMDLL_VmMemWriteScatter;
+} LC_VMM, *PLC_VMM;
+
+
+
 //-----------------------------------------------------------------------------
 // PCIE BAR SUPPORT:
 //-----------------------------------------------------------------------------

{leechcorepyc-2.18.0 → leechcorepyc-2.18.4}/leechcore/oscompatibility.c

@@ -240,9 +240,6 @@ HMODULE LoadLibraryA(LPSTR lpFileName)
     if(lpFileName && (0 == memcmp(lpFileName, "FTD2XX.dll", 10))) {
         lpFileName = "libftd2xx.so";
     }
-    if(lpFileName && (0 == memcmp(lpFileName, "vmm.dll", 7))) {
-        lpFileName = "vmm.so";
-    }
     strncat(szFileName, lpFileName, MAX_PATH);
     return dlopen(szFileName, RTLD_NOW);
 }

{leechcorepyc-2.18.0 → leechcorepyc-2.18.4}/leechcore/version.h

@@ -3,8 +3,8 @@
 
 #define VERSION_MAJOR               2
 #define VERSION_MINOR               18
-#define VERSION_REVISION            0
-#define VERSION_BUILD               69
+#define VERSION_REVISION            4
+#define VERSION_BUILD               73
 
 #define VER_FILE_DESCRIPTION_STR    "LeechCore Memory Acquisition Library"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

{leechcorepyc-2.18.0 → leechcorepyc-2.18.4/leechcorepyc.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 1.2
 Name: leechcorepyc
-Version: 2.18.0
+Version: 2.18.4
 Summary: LeechCore for Python
 Home-page: https://github.com/ufrisk/LeechCore
 Author: Ulf Frisk

{leechcorepyc-2.18.0 → leechcorepyc-2.18.4}/setup.py

@@ -19,7 +19,7 @@ leechcorepyc = Extension(
 
 setup(
     name='leechcorepyc',
-    version='2.18.0', # VERSION_END
+    version='2.18.4', # VERSION_END
     description='LeechCore for Python',
     long_description='LeechCore for Python : native extension for physical memory access',
     url='https://github.com/ufrisk/LeechCore',