Version 1.4
ufrisk committed Sep 23, 2019
1 parent b5c6ee4 commit be8970e
Showing 25 changed files with 177 additions and 30 deletions.
3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -112,3 +112,6 @@ v1.2
v1.3
* Bug fixes.
* Use libusb for FPGA USB access. Contribution by: [Jérémie Boutoille / Synacktiv](https://github.com/tlk-synacktiv).

v1.4
* Minor API fixes and additions to allow extended MemProcFS dump file functionality.
Binary file modified files/agent/x64/leechcore.dll
Binary file modified files/agent/x64/leechcorepyc.pyd
Binary file modified files/agent/x64/vcruntime140.dll
Binary file modified files/agent/x64/vmm.dll
58 changes: 58 additions & 0 deletions files/agent/x64/vmmpy.py
Expand Up @@ -609,6 +609,64 @@ def VmmPy_VfsWrite(path_file, bytes_data, offset = 0):



#------------------------------------------------------------------------------
# VmmPy Windows Symbol Debugging (.pdb) FUNCTIONALITY BELOW:
#------------------------------------------------------------------------------

def VmmPy_PdbSymbolAddress(module_name, symbol_name):
"""Retrieve a symbol address by module and symbol name.
NB! Vmm PDB Symbol functionality is limited and there is no guarantee that
all modules will be loaded - or that the functionality is available.
If multiple modules with the same name exists - the symbol will be
searched for in the 1st hit.
Keyword arguments:
module_name -- str: the module name or 'nt' for kernel.
symbol_name -- str: the symbol name to lookup.
return -- int: address of the located symbol.
Example:
VmmPy_PdbSymbolAddress('nt', 'PsInitialSystemProcess') --> 0xffff800012345600
"""
return VMMPYC_PdbSymbolAddress(module_name, symbol_name)

def VmmPy_PdbTypeSize(module_name, type_name):
"""Retrieve a type size by by module and type name.
NB! Vmm PDB Symbol functionality is limited and there is no guarantee that
all modules will be loaded - or that the functionality is available.
If multiple modules with the same name exists - the symbol will be
searched for in the 1st hit.
Keyword arguments:
module_name -- str: the module name or 'nt' for kernel.
type_name -- str: the type name to lookup.
return -- int: size of the type.
Example:
VmmPy_PdbTypeSize('nt', '_EPROCESS') --> 1568
"""
return VMMPYC_PdbTypeSize(module_name, type_name)

def VmmPy_PdbTypeChildOffset(module_name, type_name, type_child_name):
"""Retrieve the ofset of a type child (struct member) by by module, type and child name.
NB! Vmm PDB Symbol functionality is limited and there is no guarantee that
all modules will be loaded - or that the functionality is available.
If multiple modules with the same name exists - the symbol will be
searched for in the 1st hit.
Keyword arguments:
module_name -- str: the module name or 'nt' for kernel.
type_name -- str: the type name to lookup.
type_child_name -- str: the type child name (struct member) to lookup.
return -- int: offset (relative to type base) of the child type name.
Example:
VmmPy_PdbTypeChildOffset('nt', '_EPROCESS', 'CreateTime') --> 768
"""
return VMMPYC_PdbTypeChildOffset(module_name, type_name, type_child_name)



#------------------------------------------------------------------------------
# VmmPy WINDOWS ONLY FUNCTIONALITY BELOW:
#------------------------------------------------------------------------------
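Review bot: None of the three new wrappers documents what is returned when the lookup fails, which is exactly the case the "NB!" paragraph warns callers to expect; VMMPYC_* is opaque from here, so the failure value (0, None, or an exception) should be checked against vmmpyc and stated in each `return --` line, e.g. `return -- int: address of the located symbol, or <failure value> if the module or symbol cannot be resolved.` Two docstring typos while there: `VmmPy_PdbTypeSize` and `VmmPy_PdbTypeChildOffset` both read "by by module", and the latter reads "ofset" for "offset". The "1st hit" wording for duplicate module names would be clearer as "the first module with that name in load order", if that is indeed the ordering vmmpyc uses — confirm.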
Binary file modified files/agent/x64/vmmpyc.pyd
Binary file modified files/agent/x86/leechcore.dll
Binary file modified files/agent/x86/vcruntime140.dll
Binary file modified files/leechcore.dll
18 changes: 15 additions & 3 deletions files/leechcore.h
Expand Up @@ -126,7 +126,7 @@
// (c) Ulf Frisk, 2018-2019
// Author: Ulf Frisk, pcileech@frizk.net
//
// Header Version: 1.3.0
// Header Version: 1.4
//
#ifndef __LEECHCORE_H__
#define __LEECHCORE_H__
Expand Down Expand Up @@ -155,6 +155,7 @@ typedef void *HANDLE, **PHANDLE;
typedef uint32_t BOOL, *PBOOL;
typedef uint8_t BYTE, *PBYTE;
typedef char CHAR, *PCHAR, *PSTR, *LPSTR;
typedef const CHAR *LPCSTR;
typedef uint16_t WORD, *PWORD, USHORT, *PUSHORT;
typedef uint32_t DWORD, *PDWORD;
typedef long long unsigned int QWORD, *PQWORD, ULONG64, *PULONG64;
Expand All @@ -173,6 +174,7 @@ typedef long long unsigned int QWORD, *PQWORD, ULONG64, *PULONG64;
#define _In_reads_(cbDataIn)
#define _Out_writes_opt_(x)
#define _Success_(return)
#define _Frees_ptr_opt_
#endif /* LINUX */

//-----------------------------------------------------------------------------
Expand Down Expand Up @@ -308,9 +310,17 @@ DLLEXPORT VOID LeechCore_Close();
#define LEECHCORE_FLAG_WRITE_RETRY 0x01
#define LEECHCORE_FLAG_WRITE_VERIFY 0x02

/*
* Free memory allocated by the LeechCore.
* -- pvMem
* -- return
*/
DLLEXPORT VOID LeechCore_MemFree(_Frees_ptr_opt_ PVOID pvMem);

/*
* Allocate a scatter buffer containing empty 0x1000-sized ppMEMs with address
* set to zero. Caller is responsible for calling LocalFree(ppMEMs).
* set to zero. Caller is responsible for calling LeechCore_MemFree(ppMEMs).
* CALLER FREE: LeechCore_MemFree(ppMEMs)
* -- cMEMs
* -- pppMEMs = pointer to receive ppMEMs on success.
* -- return
Expand Down Expand Up @@ -422,6 +432,7 @@ DLLEXPORT BOOL LeechCore_Probe(_In_ QWORD pa, _In_ DWORD cPages, _Inout_updates_
#define LEECHCORE_OPT_MEMORYINFO_OS_UPTIME 0x0200000e // R
#define LEECHCORE_OPT_MEMORYINFO_OS_KERNELBASE 0x0200000f // R
#define LEECHCORE_OPT_MEMORYINFO_OS_KERNELHINT 0x02000010 // R
#define LEECHCORE_OPT_MEMORYINFO_OS_KdDebuggerDataBlock 0x02000011 // R

#define LEECHCORE_OPT_FPGA_PROBE_MAXPAGES 0x03000001 // RW
#define LEECHCORE_OPT_FPGA_RX_FLUSH_LIMIT 0x03000002 // RW
Expand Down Expand Up @@ -464,6 +475,7 @@ DLLEXPORT BOOL LeechCore_SetOption(_In_ ULONG64 fOption, _In_ ULONG64 qwValue);

#define LEECHCORE_COMMANDDATA_FPGA_WRITE_TLP 0x00000101 // R
#define LEECHCORE_COMMANDDATA_FPGA_LISTEN_TLP 0x00000102 // R
#define LEECHCORE_COMMANDDATA_FILE_DUMPHEADER_GET 0x00000201 // R
#define LEECHCORE_COMMANDDATA_STATISTICS_GET 0x80000100 // R

#define LEECHCORE_STATISTICS_MAGIC 0xffff6550
Expand All @@ -478,7 +490,7 @@ DLLEXPORT BOOL LeechCore_SetOption(_In_ ULONG64 fOption, _In_ ULONG64 qwValue);
#define LEECHCORE_STATISTICS_ID_COMMANDSVC 0x07
#define LEECHCORE_STATISTICS_ID_MAX 0x07

static const LPSTR LEECHCORE_STATISTICS_NAME[] = {
static LPCSTR LEECHCORE_STATISTICS_NAME[] = {
"LeechCore_Open",
"LeechCore_ReadScatter",
"LeechCore_Write",
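Review bot: `static LPCSTR LEECHCORE_STATISTICS_NAME[]` makes the strings const but leaves the array entries themselves assignable from every translation unit that includes the header, whereas the replaced `static const LPSTR` at least made the pointers const; `static LPCSTR const LEECHCORE_STATISTICS_NAME[] = {` keeps both and lets the table be placed in read-only data. `LEECHCORE_COMMANDDATA_FILE_DUMPHEADER_GET` is added without saying how large the output buffer must be; from device_file.c in this same commit it is 0x1000 bytes for a 32-bit and 0x2000 bytes for a 64-bit crash-dump header, and that contract belongs in a comment next to the define, e.g. `// R: copies the raw dump header; out buffer must be >= 0x1000 (32-bit dump) / 0x2000 (64-bit dump) bytes`. `LEECHCORE_OPT_MEMORYINFO_OS_KdDebuggerDataBlock` also breaks the UPPER_SNAKE naming of every neighbouring option.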
Binary file modified files/leechcore.lib
Binary file modified files/leechcore.so
3 changes: 3 additions & 0 deletions files/redist_vcruntime.txt
@@ -0,0 +1,3 @@
Distributable Code for Microsoft Visual Studio 2019 (Includes Utilities & BuildServer Files)

For the latest version of this Redist file, please visit https://aka.ms/vs/16/redist.txt.
Binary file modified files/vcruntime140.dll
Binary file modified files/x86/leechcore.dll
18 changes: 15 additions & 3 deletions files/x86/leechcore.h
Expand Up @@ -126,7 +126,7 @@
// (c) Ulf Frisk, 2018-2019
// Author: Ulf Frisk, pcileech@frizk.net
//
// Header Version: 1.3.0
// Header Version: 1.4
//
#ifndef __LEECHCORE_H__
#define __LEECHCORE_H__
Expand Down Expand Up @@ -155,6 +155,7 @@ typedef void *HANDLE, **PHANDLE;
typedef uint32_t BOOL, *PBOOL;
typedef uint8_t BYTE, *PBYTE;
typedef char CHAR, *PCHAR, *PSTR, *LPSTR;
typedef const CHAR *LPCSTR;
typedef uint16_t WORD, *PWORD, USHORT, *PUSHORT;
typedef uint32_t DWORD, *PDWORD;
typedef long long unsigned int QWORD, *PQWORD, ULONG64, *PULONG64;
Expand All @@ -173,6 +174,7 @@ typedef long long unsigned int QWORD, *PQWORD, ULONG64, *PULONG64;
#define _In_reads_(cbDataIn)
#define _Out_writes_opt_(x)
#define _Success_(return)
#define _Frees_ptr_opt_
#endif /* LINUX */

//-----------------------------------------------------------------------------
Expand Down Expand Up @@ -308,9 +310,17 @@ DLLEXPORT VOID LeechCore_Close();
#define LEECHCORE_FLAG_WRITE_RETRY 0x01
#define LEECHCORE_FLAG_WRITE_VERIFY 0x02

/*
* Free memory allocated by the LeechCore.
* -- pvMem
* -- return
*/
DLLEXPORT VOID LeechCore_MemFree(_Frees_ptr_opt_ PVOID pvMem);

/*
* Allocate a scatter buffer containing empty 0x1000-sized ppMEMs with address
* set to zero. Caller is responsible for calling LocalFree(ppMEMs).
* set to zero. Caller is responsible for calling LeechCore_MemFree(ppMEMs).
* CALLER FREE: LeechCore_MemFree(ppMEMs)
* -- cMEMs
* -- pppMEMs = pointer to receive ppMEMs on success.
* -- return
Expand Down Expand Up @@ -422,6 +432,7 @@ DLLEXPORT BOOL LeechCore_Probe(_In_ QWORD pa, _In_ DWORD cPages, _Inout_updates_
#define LEECHCORE_OPT_MEMORYINFO_OS_UPTIME 0x0200000e // R
#define LEECHCORE_OPT_MEMORYINFO_OS_KERNELBASE 0x0200000f // R
#define LEECHCORE_OPT_MEMORYINFO_OS_KERNELHINT 0x02000010 // R
#define LEECHCORE_OPT_MEMORYINFO_OS_KdDebuggerDataBlock 0x02000011 // R

#define LEECHCORE_OPT_FPGA_PROBE_MAXPAGES 0x03000001 // RW
#define LEECHCORE_OPT_FPGA_RX_FLUSH_LIMIT 0x03000002 // RW
Expand Down Expand Up @@ -464,6 +475,7 @@ DLLEXPORT BOOL LeechCore_SetOption(_In_ ULONG64 fOption, _In_ ULONG64 qwValue);

#define LEECHCORE_COMMANDDATA_FPGA_WRITE_TLP 0x00000101 // R
#define LEECHCORE_COMMANDDATA_FPGA_LISTEN_TLP 0x00000102 // R
#define LEECHCORE_COMMANDDATA_FILE_DUMPHEADER_GET 0x00000201 // R
#define LEECHCORE_COMMANDDATA_STATISTICS_GET 0x80000100 // R

#define LEECHCORE_STATISTICS_MAGIC 0xffff6550
Expand All @@ -478,7 +490,7 @@ DLLEXPORT BOOL LeechCore_SetOption(_In_ ULONG64 fOption, _In_ ULONG64 qwValue);
#define LEECHCORE_STATISTICS_ID_COMMANDSVC 0x07
#define LEECHCORE_STATISTICS_ID_MAX 0x07

static const LPSTR LEECHCORE_STATISTICS_NAME[] = {
static LPCSTR LEECHCORE_STATISTICS_NAME[] = {
"LeechCore_Open",
"LeechCore_ReadScatter",
"LeechCore_Write",
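Review bot: As in the other two copies of this header in the commit, `static LPCSTR LEECHCORE_STATISTICS_NAME[]` leaves the array entries writable by any includer (the previous `const LPSTR` made the pointers const); `static LPCSTR const LEECHCORE_STATISTICS_NAME[] = {` is the form that protects both the pointers and the strings. Shipping three hand-synchronised copies of leechcore.h (files/, files/x86/, leechagent/) is itself a drift hazard — this commit had to touch all three identically; if the files/ copies must exist as checked-in artifacts, consider copying them from leechagent/leechcore.h at build time so a fix cannot land in only one of them.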
Binary file modified files/x86/leechcore.lib
Binary file modified files/x86/vcruntime140.dll
18 changes: 15 additions & 3 deletions leechagent/leechcore.h
Expand Up @@ -126,7 +126,7 @@
// (c) Ulf Frisk, 2018-2019
// Author: Ulf Frisk, pcileech@frizk.net
//
// Header Version: 1.3.0
// Header Version: 1.4
//
#ifndef __LEECHCORE_H__
#define __LEECHCORE_H__
Expand Down Expand Up @@ -155,6 +155,7 @@ typedef void *HANDLE, **PHANDLE;
typedef uint32_t BOOL, *PBOOL;
typedef uint8_t BYTE, *PBYTE;
typedef char CHAR, *PCHAR, *PSTR, *LPSTR;
typedef const CHAR *LPCSTR;
typedef uint16_t WORD, *PWORD, USHORT, *PUSHORT;
typedef uint32_t DWORD, *PDWORD;
typedef long long unsigned int QWORD, *PQWORD, ULONG64, *PULONG64;
Expand All @@ -173,6 +174,7 @@ typedef long long unsigned int QWORD, *PQWORD, ULONG64, *PULONG64;
#define _In_reads_(cbDataIn)
#define _Out_writes_opt_(x)
#define _Success_(return)
#define _Frees_ptr_opt_
#endif /* LINUX */

//-----------------------------------------------------------------------------
Expand Down Expand Up @@ -308,9 +310,17 @@ DLLEXPORT VOID LeechCore_Close();
#define LEECHCORE_FLAG_WRITE_RETRY 0x01
#define LEECHCORE_FLAG_WRITE_VERIFY 0x02

/*
* Free memory allocated by the LeechCore.
* -- pvMem
* -- return
*/
DLLEXPORT VOID LeechCore_MemFree(_Frees_ptr_opt_ PVOID pvMem);

/*
* Allocate a scatter buffer containing empty 0x1000-sized ppMEMs with address
* set to zero. Caller is responsible for calling LocalFree(ppMEMs).
* set to zero. Caller is responsible for calling LeechCore_MemFree(ppMEMs).
* CALLER FREE: LeechCore_MemFree(ppMEMs)
* -- cMEMs
* -- pppMEMs = pointer to receive ppMEMs on success.
* -- return
Expand Down Expand Up @@ -422,6 +432,7 @@ DLLEXPORT BOOL LeechCore_Probe(_In_ QWORD pa, _In_ DWORD cPages, _Inout_updates_
#define LEECHCORE_OPT_MEMORYINFO_OS_UPTIME 0x0200000e // R
#define LEECHCORE_OPT_MEMORYINFO_OS_KERNELBASE 0x0200000f // R
#define LEECHCORE_OPT_MEMORYINFO_OS_KERNELHINT 0x02000010 // R
#define LEECHCORE_OPT_MEMORYINFO_OS_KdDebuggerDataBlock 0x02000011 // R

#define LEECHCORE_OPT_FPGA_PROBE_MAXPAGES 0x03000001 // RW
#define LEECHCORE_OPT_FPGA_RX_FLUSH_LIMIT 0x03000002 // RW
Expand Down Expand Up @@ -464,6 +475,7 @@ DLLEXPORT BOOL LeechCore_SetOption(_In_ ULONG64 fOption, _In_ ULONG64 qwValue);

#define LEECHCORE_COMMANDDATA_FPGA_WRITE_TLP 0x00000101 // R
#define LEECHCORE_COMMANDDATA_FPGA_LISTEN_TLP 0x00000102 // R
#define LEECHCORE_COMMANDDATA_FILE_DUMPHEADER_GET 0x00000201 // R
#define LEECHCORE_COMMANDDATA_STATISTICS_GET 0x80000100 // R

#define LEECHCORE_STATISTICS_MAGIC 0xffff6550
Expand All @@ -478,7 +490,7 @@ DLLEXPORT BOOL LeechCore_SetOption(_In_ ULONG64 fOption, _In_ ULONG64 qwValue);
#define LEECHCORE_STATISTICS_ID_COMMANDSVC 0x07
#define LEECHCORE_STATISTICS_ID_MAX 0x07

static const LPSTR LEECHCORE_STATISTICS_NAME[] = {
static LPCSTR LEECHCORE_STATISTICS_NAME[] = {
"LeechCore_Open",
"LeechCore_ReadScatter",
"LeechCore_Write",
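Review bot: The comment on `LeechCore_MemFree` says only "Free memory allocated by the LeechCore", which tells a caller neither which API results it covers nor that NULL is accepted, although the `_Frees_ptr_opt_` annotation implies it is. I would write `* Free memory returned by LeechCore (e.g. the ppMEMs from LeechCore_AllocScatterEmpty). Must be used instead of LocalFree/free so the buffer is released by the module that allocated it. pvMem may be NULL.` — the cross-module motivation is my reading of why a plain free wrapper is exported; confirm. The `static LPCSTR LEECHCORE_STATISTICS_NAME[]` change at the bottom of this section leaves the array entries themselves writable; `static LPCSTR const LEECHCORE_STATISTICS_NAME[] = {` keeps the pointers const as the old `const LPSTR` did.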
47 changes: 33 additions & 14 deletions leechcore/device_file.c
Expand Up @@ -40,14 +40,14 @@ typedef struct {
} _PHYSICAL_MEMORY_DESCRIPTOR32;

typedef struct tdDUMP_HEADER32 {
ULONG Signature;
ULONG ValidDump;
ULONG MajorVersion;
ULONG MinorVersion;
ULONG DirectoryTableBase;
ULONG PfnDataBase;
ULONG PsLoadedModuleList;
ULONG PsActiveProcessHead;
ULONG Signature; // 0x0000
ULONG ValidDump; // 0x0004
ULONG MajorVersion; // 0x0008
ULONG MinorVersion; // 0x000c
ULONG DirectoryTableBase; // 0x0010
ULONG PfnDataBase; // 0x0014
ULONG PsLoadedModuleList; // 0x0018
ULONG PsActiveProcessHead; // 0x001c
ULONG MachineImageType;
ULONG NumberProcessors;
ULONG BugCheckCode;
Expand Down Expand Up @@ -77,10 +77,10 @@ typedef struct tdDUMP_HEADER32 {
ULONG ProductType;
ULONG SuiteMask;
UCHAR reserved1[4];
LARGE_INTEGER RequiredDumpSpace;
ULONG64 RequiredDumpSpace;
UCHAR reserved2[16];
FILETIME SystemUpTime;
FILETIME SystemTime;
ULONG64 SystemUpTime;
ULONG64 SystemTime;
UCHAR reserved3[56];
} DUMP_HEADER32, *PDUMP_HEADER32;

Expand Down Expand Up @@ -109,10 +109,10 @@ typedef struct tdDUMP_HEADER64 {
UCHAR ContextRecord[3000]; // 0x0348
EXCEPTION_RECORD64 ExceptionRecord; // 0x0F00
ULONG DumpType; // 0x0F98
LARGE_INTEGER RequiredDumpSpace; // 0x0FA0
FILETIME SystemTime; // 0x0FA8
ULONG64 RequiredDumpSpace; // 0x0FA0
ULONG64 SystemTime; // 0x0FA8
CHAR Comment[0x80]; // 0x0FB0 May not be present.
FILETIME SystemUpTime; // 0x1030
ULONG64 SystemUpTime; // 0x1030
ULONG MiniDumpFields; // 0x1038
ULONG SecondaryDataState; // 0x103c
ULONG ProductType; // 0x1040
Expand Down Expand Up @@ -294,11 +294,29 @@ BOOL DeviceFile_GetOption(_In_ QWORD fOption, _Out_ PQWORD pqwValue)
case LEECHCORE_OPT_MEMORYINFO_OS_UPTIME:
*pqwValue = ctx->CrashDump.f32 ? *(PQWORD)&ctx->CrashDump.Hdr32.SystemUpTime : *(PQWORD)&ctx->CrashDump.Hdr64.SystemUpTime;
return TRUE;
case LEECHCORE_OPT_MEMORYINFO_OS_KdDebuggerDataBlock:
*pqwValue = ctx->CrashDump.f32 ? ctx->CrashDump.Hdr32.KdDebuggerDataBlock : ctx->CrashDump.Hdr64.KdDebuggerDataBlock;
return TRUE;
}
*pqwValue = 0;
return FALSE;
}

_Success_(return)
BOOL DeviceFile_CommandData(_In_ ULONG64 fOption, _In_reads_(cbDataIn) PBYTE pbDataIn, _In_ DWORD cbDataIn, _Out_writes_opt_(cbDataOut) PBYTE pbDataOut, _In_ DWORD cbDataOut, _Out_opt_ PDWORD pcbDataOut)
{
PDEVICE_CONTEXT_FILE ctx = (PDEVICE_CONTEXT_FILE)ctxDeviceMain->hDevice;
if(fOption == LEECHCORE_COMMANDDATA_FILE_DUMPHEADER_GET) {
if(!ctx->CrashDump.fValid || !pbDataOut || (cbDataOut < (ctx->CrashDump.f32 ? 0x1000UL : 0x2000UL))) { return FALSE; }
if(pcbDataOut) {
*pcbDataOut = ctx->CrashDump.f32 ? 0x1000 : 0x2000;
}
memcpy(pbDataOut, ctx->CrashDump.pbHdr, (ctx->CrashDump.f32 ? 0x1000 : 0x2000));
return TRUE;
}
return FALSE;
}

//-----------------------------------------------------------------------------
// OPEN/CLOSE FUNCTIONALITY BELOW:
//-----------------------------------------------------------------------------
Expand Down Expand Up @@ -341,6 +359,7 @@ BOOL DeviceFile_Open()
ctxDeviceMain->pfnClose = DeviceFile_Close;
ctxDeviceMain->pfnReadScatterMEM = DeviceFile_ReadScatterMEM;
ctxDeviceMain->pfnGetOption = DeviceFile_GetOption;
ctxDeviceMain->pfnCommandData = DeviceFile_CommandData;
if(!DeviceFile_MsCrashDumpInitialize()) { goto fail; }
if(ctx->CrashDump.fValid) {
ctxDeviceMain->cfg.paMaxNative = ctx->CrashDump.paMax;
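Review bot: In `DeviceFile_CommandData`, a caller whose buffer is too small (or NULL) gets FALSE with `*pcbDataOut` left untouched, so there is no way to learn the required size before allocating; the size check in the `LEECHCORE_COMMANDDATA_FILE_DUMPHEADER_GET` branch should come after `*pcbDataOut` has been filled in. The 0x1000/0x2000 choice is also spelled out three times and should be computed once. Whether `ctx->CrashDump.pbHdr` always holds at least 0x2000 bytes for a 64-bit dump depends on `DeviceFile_MsCrashDumpInitialize`, which is outside the hunk — confirm before trusting the memcpy length. With `SystemUpTime` now a `ULONG64` in both header structs, the `*(PQWORD)&...SystemUpTime` casts in `DeviceFile_GetOption` (context lines of the previous hunk) are redundant and could be dropped.
```c
_Success_(return)
BOOL DeviceFile_CommandData(_In_ ULONG64 fOption, _In_reads_(cbDataIn) PBYTE pbDataIn, _In_ DWORD cbDataIn, _Out_writes_opt_(cbDataOut) PBYTE pbDataOut, _In_ DWORD cbDataOut, _Out_opt_ PDWORD pcbDataOut)
{
    PDEVICE_CONTEXT_FILE ctx = (PDEVICE_CONTEXT_FILE)ctxDeviceMain->hDevice;
    DWORD cbHdr;
    if(fOption == LEECHCORE_COMMANDDATA_FILE_DUMPHEADER_GET) {
        if(!ctx->CrashDump.fValid) { return FALSE; }
        // raw header size is fixed by the dump format: 0x1000 (32-bit) or 0x2000 (64-bit)
        cbHdr = ctx->CrashDump.f32 ? 0x1000 : 0x2000;
        // report the required size before the buffer check so a caller can
        // query once (NULL buffer) and then allocate exactly cbHdr bytes
        if(pcbDataOut) { *pcbDataOut = cbHdr; }
        if(!pbDataOut || (cbDataOut < cbHdr)) { return FALSE; }
        memcpy(pbDataOut, ctx->CrashDump.pbHdr, cbHdr);
        return TRUE;
    }
    return FALSE;
}
```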
5 changes: 5 additions & 0 deletions leechcore/leechcore.c
Expand Up @@ -83,6 +83,11 @@ QWORD LeechCore_StatisticsCallEnd(_In_ DWORD fId, QWORD tmCallStart)
return tmNow - tmCallStart;
}

DLLEXPORT VOID LeechCore_MemFree(_Frees_ptr_opt_ PVOID pvMem)
{
LocalFree(pvMem);
}

_Success_(return)
DLLEXPORT BOOL LeechCore_AllocScatterEmpty(_In_ DWORD cMEMs, _Out_ PPMEM_IO_SCATTER_HEADER *pppMEMs)
{
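Review bot: `LeechCore_MemFree` is exported with no comment in the .c, and the reason a one-line `LocalFree` wrapper is worth an export — callers must release buffers through the allocator of the module that created them, which matters across a DLL boundary — should be stated where the next maintainer will look: `// Exported so callers free LeechCore-allocated buffers (e.g. ppMEMs from LeechCore_AllocScatterEmpty) through this module's allocator, never their own LocalFree/free.` That pairing assumes LeechCore_AllocScatterEmpty allocates with LocalAlloc; its body starts just below but continues outside the hunk, so confirm. Passing NULL is safe on Windows, where LocalFree(NULL) is a documented no-op, but whether the Linux LocalFree shim behaves the same is not visible here and the `_Frees_ptr_opt_` annotation promises it.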
