leechcorepyc 2.22.1__tar.gz → 2.22.3__tar.gz

{leechcorepyc-2.22.1/leechcorepyc.egg-info → leechcorepyc-2.22.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 1.2
 Name: leechcorepyc
-Version: 2.22.1
+Version: 2.22.3
 Summary: LeechCore for Python
 Home-page: https://github.com/ufrisk/LeechCore
 Author: Ulf Frisk

{leechcorepyc-2.22.1 → leechcorepyc-2.22.3}/leechcore/device_fpga.c

@@ -293,6 +293,8 @@ typedef struct tdDEVICE_CONTEXT_FPGA {
     } tlp_callback;
     BOOL fFT601;
     BOOL fCustomDriver;
+    BOOL fATS;
+    BYTE bAT;
 } DEVICE_CONTEXT_FPGA, *PDEVICE_CONTEXT_FPGA;
 
 // STRUCT FROM FTD3XX.h
@@ -339,7 +341,7 @@ typedef struct {
 
 typedef struct tdTLP_HDR {
     WORD Length : 10;
-    WORD _AT : 2;
+    WORD AT : 2;
     WORD _Attr : 2;
     WORD _EP : 1;
     WORD _TD : 1;
@@ -2354,6 +2356,7 @@ VOID DeviceFPGA_Synch_ReadScatter_Impl(_In_ PLC_CONTEXT ctxLC, _In_ DWORD cMEMs,
     BYTE bTag;
     SIZE_T cbTlpRaw;
     BYTE pbTlpRaw[TLP_RX_MAX_SIZE];
+    BOOL fATS = ctx->fATS;
     // TX queued RAW TLPs (if any) from other threads and flush:
     if(ObByteQueue_Size(ctx->tlp_callback.pBqTx)) {
         while(ObByteQueue_Pop(ctx->tlp_callback.pBqTx, NULL, sizeof(pbTlpRaw), pbTlpRaw, &cbTlpRaw)) {
@@ -2392,6 +2395,7 @@ VOID DeviceFPGA_Synch_ReadScatter_Impl(_In_ PLC_CONTEXT ctxLC, _In_ DWORD cMEMs,
                 is32 = pDMA->qwA < 0x100000000;
                 if(is32) {
                     hdrRd32->h.TypeFmt = TLP_MRd32;
+                    if(fATS) { hdrRd32->h.AT = ctx->bAT; }
                     hdrRd32->h.Length = (WORD)((cb < 0x1000) ? cb >> 2 : 0);
                     hdrRd32->RequesterID = ctx->wDeviceId;
                     hdrRd32->Tag = bTag;
@@ -2400,6 +2404,7 @@ VOID DeviceFPGA_Synch_ReadScatter_Impl(_In_ PLC_CONTEXT ctxLC, _In_ DWORD cMEMs,
                     hdrRd32->Address = (DWORD)(pDMA->qwA + o);
                 } else {
                     hdrRd64->h.TypeFmt = TLP_MRd64;
+                    if(fATS) { hdrRd64->h.AT = ctx->bAT; }
                     hdrRd64->h.Length = (WORD)((cb < 0x1000) ? cb >> 2 : 0);
                     hdrRd64->RequesterID = ctx->wDeviceId;
                     hdrRd64->Tag = bTag;
@@ -2679,6 +2684,7 @@ VOID DeviceFPGA_Async2_Read_TxTlpSingle_MrdTlp(_In_ PLC_CONTEXT ctxLC, _In_ PDEV
     PTLP_HDR_MRdWr32 hdrRd32 = (PTLP_HDR_MRdWr32)tx;
     if(f32) {
         hdrRd32->h.TypeFmt = TLP_MRd32;
+        if(ctx->fATS) { hdrRd32->h.AT = ctx->bAT; }
         hdrRd32->h.Length = wTlpDwLength;
         hdrRd32->RequesterID = ctx->wDeviceId;
         hdrRd32->Tag = iTag;
@@ -2687,6 +2693,7 @@ VOID DeviceFPGA_Async2_Read_TxTlpSingle_MrdTlp(_In_ PLC_CONTEXT ctxLC, _In_ PDEV
         hdrRd32->Address = (DWORD)(qwA);
     } else {
         hdrRd64->h.TypeFmt = TLP_MRd64;
+        if(ctx->fATS) { hdrRd32->h.AT = ctx->bAT; }
         hdrRd64->h.Length = wTlpDwLength;
         hdrRd64->RequesterID = ctx->wDeviceId;
         hdrRd64->Tag = iTag;
@@ -3310,6 +3317,7 @@ VOID DeviceFPGA_ProbeMEM_Impl(_In_ PLC_CONTEXT ctxLC, _In_ QWORD qwAddr, _In_ DW
         is32 = qwAddr + (i << 12) < 0x100000000;
         if(is32) {
             hdrRd32->h.TypeFmt = TLP_MRd32;
+            if(ctx->fATS) { hdrRd32->h.AT = ctx->bAT; }
             hdrRd32->h.Length = 1;
             hdrRd32->RequesterID = ctx->wDeviceId;
             hdrRd32->FirstBE = 0xf;
@@ -3318,6 +3326,7 @@ VOID DeviceFPGA_ProbeMEM_Impl(_In_ PLC_CONTEXT ctxLC, _In_ QWORD qwAddr, _In_ DW
             hdrRd32->Tag = (BYTE)((i >> 5) & 0x1f); // 5 high address bits coded into tag.
         } else {
             hdrRd64->h.TypeFmt = TLP_MRd64;
+            if(ctx->fATS) { hdrRd32->h.AT = ctx->bAT; }
             hdrRd64->h.Length = 1;
             hdrRd64->RequesterID = ctx->wDeviceId;
             hdrRd64->FirstBE = 0xf;
@@ -3376,6 +3385,7 @@ BOOL DeviceFPGA_WriteMEM_TXP(_In_ PLC_CONTEXT ctxLC, _Inout_ PDEVICE_CONTEXT_FPG
     memset(pbTlp, 0, 16);
     if(pa < 0x100000000) {
         hdrWr32->h.TypeFmt = TLP_MWr32;
+        if(ctx->fATS) { hdrWr32->h.AT = ctx->bAT; }
         hdrWr32->h.Length = (WORD)(cb + 3) >> 2;
         hdrWr32->FirstBE = bFirstBE;
         hdrWr32->LastBE = bLastBE;
@@ -3389,6 +3399,7 @@ BOOL DeviceFPGA_WriteMEM_TXP(_In_ PLC_CONTEXT ctxLC, _Inout_ PDEVICE_CONTEXT_FPG
         cbTlp = (12 + cb + 3) & ~0x3;
     } else {
         hdrWr64->h.TypeFmt = TLP_MWr64;
+        if(ctx->fATS) { hdrWr64->h.AT = ctx->bAT; }
         hdrWr64->h.Length = (WORD)(cb + 3) >> 2;
         hdrWr64->FirstBE = bFirstBE;
         hdrWr64->LastBE = bLastBE;
@@ -3848,6 +3859,7 @@ BOOL DeviceFPGA_SetOption_DoLock(_In_ PLC_CONTEXT ctxLC, _In_ QWORD fOption, _In
 #define FPGA_PARAMETER_DEVICE_ID       "bdf"
 #define FPGA_PARAMETER_DRIVER          "driver"
 #define FPGA_PARAMETER_FT601           "ft601"
+#define FPGA_PARAMETER_ATS             "ats"
 
 #define FPGA_PARAMETER_ALGO_TINY                0x01
 #define FPGA_PARAMETER_ALGO_SYNCHRONOUS         0x02
@@ -3885,6 +3897,8 @@ BOOL DeviceFPGA_Open(_Inout_ PLC_CONTEXT ctxLC, _Out_opt_ PPLC_CONFIG_ERRORINFO
     }
     if(szDeviceError) { goto fail; }
     ctx->fRestartDevice = (1 == LcDeviceParameterGetNumeric(ctxLC, FPGA_PARAMETER_RESTART_DEVICE));
+    ctx->bAT = (BYTE)LcDeviceParameterGetNumeric(ctxLC, FPGA_PARAMETER_ATS);
+    ctx->fATS = ((ctx->bAT >= 1) && (ctx->bAT <= 3));
     DeviceFPGA_GetDeviceID_FpgaVersion(ctx);
     if(!ctx->wFpgaVersionMajor) {
         szDeviceError = "Unable to connect to FPGA device";

{leechcorepyc-2.22.1 → leechcorepyc-2.22.3}/leechcore/device_hibr.c

@@ -2,7 +2,7 @@
 //                           Windows 8+.
 // 
 // The hibernation file format of Windows 8+ is documented in the excellent
-// blog post by ForensicXlab at: https://www.forensicxlab.com/posts/hibernation/
+// blog post by ForensicXlab at: https://www.forensicxlab.com/blog/hibernation
 // Also the original paper at: https://www.cct.lsu.edu/~golden/Papers/sylvehiber.pdf
 //
 // (c) Ulf Frisk, 2024-2025
@@ -32,7 +32,7 @@ typedef struct tdHIBR_OFFSET {
 } HIBR_OFFSET, *PHIBR_OFFSET;
 
 const HIBR_OFFSET HIBR_OFFSET_PROFILES[] = {
-    {.LengthSelf = 0x4d8, .f32 = FALSE, .PageSize = 0x18, .SystemTime = 0x20, .NumPagesForLoader = 0x58, .FirstBootRestorePage = 0x68, .FirstKernelRestorePage = 0x70, .KernelPagesProcessed = 0x230, .HighestPhysicalPage = 0x498},  // 64-bit build 26100
+    {.LengthSelf = 0x4d8, .f32 = FALSE, .PageSize = 0x18, .SystemTime = 0x20, .NumPagesForLoader = 0x58, .FirstBootRestorePage = 0x68, .FirstKernelRestorePage = 0x70, .KernelPagesProcessed = 0x238, .HighestPhysicalPage = 0x498},  // 64-bit build 26100
     {.LengthSelf = 0x448, .f32 = FALSE, .PageSize = 0x18, .SystemTime = 0x20, .NumPagesForLoader = 0x58, .FirstBootRestorePage = 0x68, .FirstKernelRestorePage = 0x70, .KernelPagesProcessed = 0x230, .HighestPhysicalPage = 0x400},  // 64-bit build 22621
     {.LengthSelf = 0x448, .f32 = FALSE, .PageSize = 0x18, .SystemTime = 0x20, .NumPagesForLoader = 0x58, .FirstBootRestorePage = 0x68, .FirstKernelRestorePage = 0x70, .KernelPagesProcessed = 0x230, .HighestPhysicalPage = 0x400},  // 64-bit build 22000
     {.LengthSelf = 0x448, .f32 = FALSE, .PageSize = 0x18, .SystemTime = 0x20, .NumPagesForLoader = 0x58, .FirstBootRestorePage = 0x68, .FirstKernelRestorePage = 0x70, .KernelPagesProcessed = 0x230, .HighestPhysicalPage = 0x400},  // 64-bit build 20348
@@ -109,7 +109,7 @@ typedef struct tdHIBR_COMPRESSION_SET_TABLE {
     HIBR_COMPRESSION_SET v[HIBR_COMPRESSION_TABLE_SIZE];
 } HIBR_COMPRESSION_SET_TABLE, *PHIBR_COMPRESSION_SET_TABLE;
 
-typedef struct tdDEVICE_CONTEXT_FILE {
+typedef struct tdDEVICE_CONTEXT_HIBRFILE {
     FILE *hFile;
     QWORD cbFile;
     CHAR szFileName[MAX_PATH];
@@ -128,7 +128,7 @@ typedef struct tdDEVICE_CONTEXT_FILE {
     } CS_Cache[HIBR_NUM_CACHE_ENTRIES];
     BYTE pbBufferCompressedData[0x10000];
     BYTE pbWorkSpace[0x00100000];
-} DEVICE_CONTEXT_FILE, *PDEVICE_CONTEXT_FILE;
+} DEVICE_CONTEXT_HIBRFILE, *PDEVICE_CONTEXT_HIBRFILE;
 
 
 //-----------------------------------------------------------------------------
@@ -143,7 +143,7 @@ typedef struct tdDEVICE_CONTEXT_FILE {
 * -- return = TRUE on success, FALSE on failure.
 */
 _Success_(return)
-BOOL DeviceHibr_InitializeFunctions(_In_ PDEVICE_CONTEXT_FILE ctx)
+BOOL DeviceHibr_InitializeFunctions(_In_ PDEVICE_CONTEXT_HIBRFILE ctx)
 {
     HMODULE hNtDll = NULL;
     if((hNtDll = LoadLibraryA("ntdll.dll"))) {
@@ -208,7 +208,7 @@ NTSTATUS OSCOMPAT_RtlDecompressBufferEx(USHORT CompressionFormat, PUCHAR Uncompr
 * -- return = TRUE on success, FALSE on failure.
 */
 _Success_(return)
-BOOL DeviceHibr_InitializeFunctions(_In_ PDEVICE_CONTEXT_FILE ctx)
+BOOL DeviceHibr_InitializeFunctions(_In_ PDEVICE_CONTEXT_HIBRFILE ctx)
 {
     void *lib_mscompress;
     CHAR szPathLib[MAX_PATH] = { 0 };
@@ -241,7 +241,7 @@ BOOL DeviceHibr_InitializeFunctions(_In_ PDEVICE_CONTEXT_FILE ctx)
 _Success_(return != NULL)
 PBYTE DeviceHibr_ReadPage(_In_ PLC_CONTEXT ctxLC, _In_ PHIBR_COMPRESSION_SET pCS, _In_ DWORD iCS, _In_ DWORD iPG)
 {
-    PDEVICE_CONTEXT_FILE ctx = (PDEVICE_CONTEXT_FILE)ctxLC->hDevice;
+    PDEVICE_CONTEXT_HIBRFILE ctx = (PDEVICE_CONTEXT_HIBRFILE)ctxLC->hDevice;
     NTSTATUS nt;
     PBYTE pbBufferUncompressed;
     DWORD i, cbUncompressed, cbUncompressedResult = 0;
@@ -287,7 +287,7 @@ PBYTE DeviceHibr_ReadPage(_In_ PLC_CONTEXT ctxLC, _In_ PHIBR_COMPRESSION_SET pCS
 */
 VOID DeviceHibr_ReadScatter(_In_ PLC_CONTEXT ctxLC, _In_ DWORD cpMEMs, _Inout_ PPMEM_SCATTER ppMEMs)
 {
-    PDEVICE_CONTEXT_FILE ctx = (PDEVICE_CONTEXT_FILE)ctxLC->hDevice;
+    PDEVICE_CONTEXT_HIBRFILE ctx = (PDEVICE_CONTEXT_HIBRFILE)ctxLC->hDevice;
     DWORD iMEM, iCS, iPG;
     QWORD qwPfn;
     PBYTE pbPage;
@@ -335,7 +335,7 @@ VOID DeviceHibr_ReadScatter(_In_ PLC_CONTEXT ctxLC, _In_ DWORD cpMEMs, _Inout_ P
 */
 VOID DeviceHibr_HibrInitialize_RestoreSet(_In_ PLC_CONTEXT ctxLC, _In_ QWORD cbo, _In_ QWORD cPageTotal)
 {
-    PDEVICE_CONTEXT_FILE ctx = (PDEVICE_CONTEXT_FILE)ctxLC->hDevice;
+    PDEVICE_CONTEXT_HIBRFILE ctx = (PDEVICE_CONTEXT_HIBRFILE)ctxLC->hDevice;
     BOOL fWarning = FALSE;
     BYTE i, j, cDescCS;
     BYTE pb[0x1000];
@@ -356,8 +356,8 @@ restart:
     if(fread(pb, 1, sizeof(pb), ctx->hFile) != sizeof(pb)) { return; }
     dwStatusCS = *(PDWORD)(pb + 0x000);
     cDescCS = dwStatusCS & 0xff;
-    pCS->cb = (dwStatusCS >> 8) & 0x3fffff;
-    pCS->tp = (dwStatusCS & 0x80000000) ? COMPRESS_ALGORITHM_XPRESS_HUFF : COMPRESS_ALGORITHM_XPRESS;
+    pCS->cb = (dwStatusCS >> 8) & 0x0fffff;
+    pCS->tp = (dwStatusCS & 0xC0000000) ? COMPRESS_ALGORITHM_XPRESS_HUFF : COMPRESS_ALGORITHM_XPRESS;
     if(!cDescCS || !pCS->cb) { return; }
     // 2: iterate over page descriptors in the compression set.
     pbo = 4;
@@ -381,7 +381,7 @@ restart:
         pCS->cpg += (WORD)cDescPages;
     }
     if((pCS->cpg > 0x10) && !fWarning) {
-        lcprintf(ctxLC, "DEVICE: HIBR: WARNING: COMPRESSION SET #PAGES > 10 (only showed once).\n");
+        lcprintf(ctxLC, "DEVICE: HIBR: WARNING: COMPRESSION SET #PAGES > 16 (only showed once).\n");
         fWarning = TRUE;
     }
     if(pCS->cb == ((DWORD)pCS->cpg << 12)) {
@@ -404,7 +404,7 @@ restart:
 _Success_(return)
 BOOL DeviceHibr_HibrInitialize(_In_ PLC_CONTEXT ctxLC)
 {
-    PDEVICE_CONTEXT_FILE ctx = (PDEVICE_CONTEXT_FILE)ctxLC->hDevice;
+    PDEVICE_CONTEXT_HIBRFILE ctx = (PDEVICE_CONTEXT_HIBRFILE)ctxLC->hDevice;
     BYTE pb[0x1000];
     DWORD i, cbPO_MEMORY_IMAGE;
     QWORD cboRestoreBoot = 0, cboRestoreKernel = 0, cPagesLoader = 0, cPagesKernel = 0;
@@ -462,7 +462,7 @@ fail:
 // OPEN/CLOSE FUNCTIONALITY BELOW:
 //-----------------------------------------------------------------------------
 
-VOID DeviceHibr_CloseInternal(_Frees_ptr_opt_ PDEVICE_CONTEXT_FILE ctx)
+VOID DeviceHibr_CloseInternal(_Frees_ptr_opt_ PDEVICE_CONTEXT_HIBRFILE ctx)
 {
     DWORD i;
     if(ctx) {
@@ -477,7 +477,7 @@ VOID DeviceHibr_CloseInternal(_Frees_ptr_opt_ PDEVICE_CONTEXT_FILE ctx)
 
 VOID DeviceHibr_Close(_Inout_ PLC_CONTEXT ctxLC)
 {
-    PDEVICE_CONTEXT_FILE ctx = (PDEVICE_CONTEXT_FILE)ctxLC->hDevice;
+    PDEVICE_CONTEXT_HIBRFILE ctx = (PDEVICE_CONTEXT_HIBRFILE)ctxLC->hDevice;
     DeviceHibr_CloseInternal(ctx);
 }
 
@@ -492,11 +492,11 @@ VOID DeviceHibr_Close(_Inout_ PLC_CONTEXT ctxLC)
 _Success_(return)
 BOOL DeviceHIBR_Open(_Inout_ PLC_CONTEXT ctxLC, _Out_opt_ PPLC_CONFIG_ERRORINFO ppLcCreateErrorInfo)
 {
-    PDEVICE_CONTEXT_FILE ctx;
+    PDEVICE_CONTEXT_HIBRFILE ctx;
     PLC_DEVICE_PARAMETER_ENTRY pParam;
     QWORD tmEnd = 0, tmStart = GetTickCount64();
     if(ppLcCreateErrorInfo) { *ppLcCreateErrorInfo = NULL; }
-    if(!(ctx = (PDEVICE_CONTEXT_FILE)LocalAlloc(LMEM_ZEROINIT, sizeof(DEVICE_CONTEXT_FILE)))) { return FALSE; }
+    if(!(ctx = (PDEVICE_CONTEXT_HIBRFILE)LocalAlloc(LMEM_ZEROINIT, sizeof(DEVICE_CONTEXT_HIBRFILE)))) { return FALSE; }
     if(!(ctx->CS_Directory[0] = (PHIBR_COMPRESSION_SET_TABLE)LocalAlloc(LMEM_ZEROINIT, sizeof(HIBR_COMPRESSION_SET_TABLE)))) { goto fail; }
     ctx->cCS = 1;   // 0 = reserved for invalid/not set compression set.
     if(0 == _strnicmp("hibr://", ctxLC->Config.szDevice, 7)) {

{leechcorepyc-2.22.1 → leechcorepyc-2.22.3}/leechcore/version.h

@@ -3,8 +3,8 @@
 
 #define VERSION_MAJOR               2
 #define VERSION_MINOR               22
-#define VERSION_REVISION            1
-#define VERSION_BUILD               87
+#define VERSION_REVISION            3
+#define VERSION_BUILD               89
 
 #define VER_FILE_DESCRIPTION_STR    "LeechCore Memory Acquisition Library"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

{leechcorepyc-2.22.1 → leechcorepyc-2.22.3}/leechcore_device_rawtcp/version.h

@@ -5,8 +5,8 @@
 
 #define VERSION_MAJOR               2
 #define VERSION_MINOR               22
-#define VERSION_REVISION            1
-#define VERSION_BUILD               87
+#define VERSION_REVISION            2
+#define VERSION_BUILD               88
 
 #define VER_FILE_DESCRIPTION_STR    "LeechCorePlugin : RAWTCP"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

{leechcorepyc-2.22.1 → leechcorepyc-2.22.3/leechcorepyc.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 1.2
 Name: leechcorepyc
-Version: 2.22.1
+Version: 2.22.3
 Summary: LeechCore for Python
 Home-page: https://github.com/ufrisk/LeechCore
 Author: Ulf Frisk

{leechcorepyc-2.22.1 → leechcorepyc-2.22.3}/setup.py

@@ -19,7 +19,7 @@ leechcorepyc = Extension(
 
 setup(
     name='leechcorepyc',
-    version='2.22.1', # VERSION_END
+    version='2.22.3', # VERSION_END
     description='LeechCore for Python',
     long_description='LeechCore for Python : native extension for physical memory access',
     url='https://github.com/ufrisk/LeechCore',