Version 5.10.1

ufrisk · Jul 21, 2024 · 4d2e2df · 4d2e2df
1 parent 04217bc
commit 4d2e2df
Show file tree

Hide file tree

Showing 18 changed files with 157 additions and 64 deletions.
diff --git a/README.md b/README.md
@@ -225,3 +225,6 @@ v5.8
 * [Eventlog module](https://github.com/ufrisk/MemProcFS/wiki/FS_Misc_Eventlog) for convenient access to event log files.
 * Binary search API now allows for up to 16M search terms (up from previous 16).
 * Prefetch parsing.
+
+Latest:
+* Bug fixes.
diff --git a/m_vmemd/oscompatibility.h b/m_vmemd/oscompatibility.h
@@ -21,6 +21,7 @@ typedef unsigned __int64                    QWORD, *PQWORD;
 
 #endif /* _WIN32 */
 #ifdef LINUX
+#define _FILE_OFFSET_BITS 64
 #include <byteswap.h>
 #include <ctype.h>
 #include <dirent.h>
@@ -178,10 +179,10 @@ typedef int(*_CoreCrtNonSecureSearchSortCompareFunction)(void const *, void cons
 #define ExitProcess(c)                      (exit(c ? EXIT_SUCCESS : EXIT_FAILURE))
 #define Sleep(dwMilliseconds)               (usleep(1000*dwMilliseconds))
 #define _fsopen(szFile, szMode, dwAttr)     fopen(szFile, szMode)
-#define fopen_s(ppFile, szFile, szAttr)     ((*ppFile = fopen64(szFile, szAttr)) ? 0 : 1)
+#define fopen_s(ppFile, szFile, szAttr)     ((*ppFile = fopen(szFile, szAttr)) ? 0 : 1)
 #define ZeroMemory(pb, cb)                  (memset(pb, 0, cb))
-#define _ftelli64(f)                        (ftello64(f))
-#define _fseeki64(f, o, w)                  (fseeko64(f, o, w))
+#define _ftelli64(f)                        (ftello(f))
+#define _fseeki64(f, o, w)                  (fseeko(f, o, w))
 #define _chsize_s(fd, cb)                   (ftruncate64(fd, cb))
 #define _fileno(f)                          (fileno(f))
 #define InterlockedAdd64(p, v)              (__sync_add_and_fetch(p, v))

diff --git a/m_vmemd/version.h b/m_vmemd/version.h
@@ -3,8 +3,8 @@
 
 #define VERSION_MAJOR               5
 #define VERSION_MINOR               10
-#define VERSION_REVISION            0
-#define VERSION_BUILD               166
+#define VERSION_REVISION            1
+#define VERSION_BUILD               167
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS : Plugin vmemd"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

diff --git a/memprocfs/oscompatibility.h b/memprocfs/oscompatibility.h
@@ -1,11 +1,12 @@
 // oscompatibility.h : VMM Windows/Linux compatibility layer.
 //
-// (c) Ulf Frisk, 2021-2023
+// (c) Ulf Frisk, 2021-2024
 // Author: Ulf Frisk, [email protected]
 //
 #ifdef LINUX
 #ifndef __OSCOMPATIBILITY_H__
 #define __OSCOMPATIBILITY_H__
+#define _FILE_OFFSET_BITS 64
 #include <leechcore.h>
 #include <vmmdll.h>
 

diff --git a/memprocfs/version.h b/memprocfs/version.h
@@ -3,8 +3,8 @@
 
 #define VERSION_MAJOR               5
 #define VERSION_MINOR               10
-#define VERSION_REVISION            0
-#define VERSION_BUILD               166
+#define VERSION_REVISION            1
+#define VERSION_BUILD               167
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

diff --git a/vmm/modules/m_fc_prefetch.c b/vmm/modules/m_fc_prefetch.c
@@ -15,6 +15,8 @@
 // Prefetch map generation functionality:
 //------------------------------------------------------------------------------
 
+static LPSTR MFCPREFETCH_CSV = "Process,RunCount,FileCount,PrefetchFile,RunTime1,RunTime2,RunTime3,RunTime4,RunTime5,RunTime6,RunTime7,RunTim8,FileObjectAddress\n";
+
 #define MFCPREFETCH_MAXSIZE             0x00100000  // 1MB
 #define MFCPREFETCH_COMPRESSED_MAGIC    0x044D414D  // MAM
 #define MFCPREFETCH_MAGIC               0x41434353  // SCCA
@@ -461,12 +463,42 @@ VOID MFcPrefetch_FcTimeline(
                 }
             }
         }
+        Ob_DECREF(pObPfMap);
+    }
+}
+
+VOID MFcPrefetch_FcLogCSV(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _In_ VMMDLL_CSV_HANDLE hCSV)
+{
+    DWORD i;
+    PVMM_MAP_PREFETCHENTRY pe;
+    PVMMOB_MAP_PREFETCH pObPfMap = NULL;
+    if(!ctxP->pProcess && ctxP->ctxM && (pObPfMap = MFcPrefetch_GetMap(H, (POB_CONTAINER)ctxP->ctxM))) {
+        for(i = 0; i < pObPfMap->cMap; i++) {
+            pe = &pObPfMap->pMap[i];
+            FcCsv_Reset(hCSV);
+            FcFileAppend(H, "prefetch.csv", "%s,%u,%u,%s,%s,%s,%s,%s,%s,%s,%s,%s,%llx\n",
+                pe->uszExecutableFileName,
+                pe->cRunCount,
+                pe->cFileMetrics,
+                pe->uszPrefetchFileName,
+                FcCsv_FileTime(hCSV, pe->ftRunTimes[0]),
+                FcCsv_FileTime(hCSV, pe->ftRunTimes[1]),
+                FcCsv_FileTime(hCSV, pe->ftRunTimes[2]),
+                FcCsv_FileTime(hCSV, pe->ftRunTimes[3]),
+                FcCsv_FileTime(hCSV, pe->ftRunTimes[4]),
+                FcCsv_FileTime(hCSV, pe->ftRunTimes[5]),
+                FcCsv_FileTime(hCSV, pe->ftRunTimes[6]),
+                FcCsv_FileTime(hCSV, pe->ftRunTimes[7]),
+                pe->vaPrefetchFile
+            );
+        }
+        Ob_DECREF(pObPfMap);
     }
-    Ob_DECREF(pObPfMap);
 }
 
 PVOID MFcPrefetch_FcInitialize(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP)
 {
+    FcFileAppend(H, "prefetch.csv", MFCPREFETCH_CSV);
     return ctxP->ctxM;
 }
 
@@ -498,6 +530,7 @@ VOID M_FcPrefetch_Initialize(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO p
     pRI->reg_fnfc.pfnInitialize = MFcPrefetch_FcInitialize;
     pRI->reg_fnfc.pfnTimeline = MFcPrefetch_FcTimeline;                         // Forensic timelining supported
     pRI->reg_fnfc.pfnLogJSON = MFcPrefetch_FcLogJSON;                           // JSON log function supported
+    pRI->reg_fnfc.pfnLogCSV = MFcPrefetch_FcLogCSV;                             // CSV log function supported
     memcpy(pRI->reg_info.sTimelineNameShort, "PREF", 5);
     strncpy_s(pRI->reg_info.uszTimelineFile, 32, "timeline_prefetch", _TRUNCATE);
     pRI->pfnPluginManager_Register(H, pRI);

diff --git a/vmm/modules/m_fc_yara.c b/vmm/modules/m_fc_yara.c
@@ -13,6 +13,7 @@
 #define MFC_YARA_MAX_MATCHES    0x10000
 
 typedef struct tdMFCYARA_CONTEXT {
+    VMMSTATISTICS_LOG Statistics;
     DWORD cMatches;
     POB_MEMFILE pmfObMemFileUser;
     PVMMYARAUTILOB_CONTEXT ctxObInit;
@@ -105,23 +106,27 @@ VOID MFcYara_FcIngestFinalize(_In_ VMM_HANDLE H, _In_opt_ PVOID ctxfc)
 fail:
     Ob_DECREF_NULL(&ctx->ctxObInit);
     Ob_DECREF(psObDuplicateCheck);
+    VmmStatisticsLogEnd(H, &ctx->Statistics, "SCAN");
 }
 
-PVOID MFcYara_FcInitialize(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP)
+/*
+* Initialize a yara ruleset (either built-in find-evil or user supplied).
+*/
+PVOID MFcYara_FcInitialize_DoWork(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _In_ BOOL fBuiltin)
 {
     PMFCYARA_CONTEXT ctx = (PMFCYARA_CONTEXT)ctxP->ctxM;
     VMMYARA_ERROR err;
     PVMMYARA_RULES pYrRules = NULL;
     PINFODB_YARA_RULES pObYaraRules = NULL;
-    LPSTR szUserYaraRules = H->cfg.szForensicYaraRules;
+    LPSTR szUserYaraRules = fBuiltin ? "" : H->cfg.szForensicYaraRules;
     // 1: try initialize pre-compiled yara rules,
     //    compiled rules will disable built-in rules:
     if(szUserYaraRules[0]) {
         err = VmmYara_RulesLoadCompiled(szUserYaraRules, &pYrRules);
         if(err == VMMYARA_ERROR_SUCCESS) { goto finish; }
     }
     // 2: try initialize combined rules (built-in rules + optional user rule):
-    if(InfoDB_YaraRulesBuiltIn(H, &pObYaraRules)) {
+    if(fBuiltin && InfoDB_YaraRulesBuiltIn(H, &pObYaraRules)) {
         if(szUserYaraRules[0]) {
             pObYaraRules->szRules[0] = szUserYaraRules;
             err = VmmYara_RulesLoadSourceCombined(pObYaraRules->cRules, pObYaraRules->szRules, &pYrRules);
@@ -144,9 +149,21 @@ PVOID MFcYara_FcInitialize(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP)
         if(pYrRules) { VmmYara_RulesDestroy(pYrRules); }
         return NULL;
     }
+    VmmStatisticsLogStart(H, ctxP->MID, LOGLEVEL_6_TRACE, NULL, &ctx->Statistics, "SCAN");
+    ctx->Statistics.fShowReads = FALSE;
     return ctx;
 }
 
+PVOID MFcYara_FcInitialize_Builtin(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP)
+{
+    return MFcYara_FcInitialize_DoWork(H, ctxP, TRUE);
+}
+
+PVOID MFcYara_FcInitialize_User(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP)
+{
+    return MFcYara_FcInitialize_DoWork(H, ctxP, FALSE);
+}
+
 NTSTATUS MFcYara_Read(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _Out_writes_to_(cb, *pcbRead) PBYTE pb, _In_ DWORD cb, _Out_ PDWORD pcbRead, _In_ QWORD cbOffset)
 {
     PMFCYARA_CONTEXT ctx = (PMFCYARA_CONTEXT)ctxP->ctxM;
@@ -182,10 +199,14 @@ VOID MFcYara_Close(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP)
     }
 }
 
-BOOL MFcYara_ExistsRules(_In_ VMM_HANDLE H)
+BOOL MFcYara_ExistsRules_Builtin(_In_ VMM_HANDLE H)
+{
+    return !H->cfg.fDisableYara && InfoDB_YaraRulesBuiltIn_Exists(H);
+}
+
+BOOL MFcYara_ExistsRules_User(_In_ VMM_HANDLE H)
 {
-    if(H->cfg.fDisableYara) { return FALSE; }
-    return H->cfg.szForensicYaraRules[0] || InfoDB_YaraRulesBuiltIn_Exists(H);
+    return !H->cfg.fDisableYara && H->cfg.szForensicYaraRules[0];
 }
 
 VOID MFcYara_Notify(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_CONTEXT ctxP, _In_ DWORD fEvent, _In_opt_ PVOID pvEvent, _In_opt_ DWORD cbEvent)
@@ -206,20 +227,40 @@ VOID M_FcYara_Initialize(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI)
 {
     PMFCYARA_CONTEXT ctx = NULL;
     if((pRI->magic != VMMDLL_PLUGIN_REGINFO_MAGIC) || (pRI->wVersion != VMMDLL_PLUGIN_REGINFO_VERSION)) { return; }
-    if(!MFcYara_ExistsRules(H)) { return; }
-    if(!(ctx = LocalAlloc(LMEM_ZEROINIT, sizeof(MFCYARA_CONTEXT)))) { return; }
-    if(!(ctx->pmfObMemFileUser = ObMemFile_New(H, H->vmm.pObCacheMapObCompressedShared))) { return; }
-    pRI->reg_info.ctxM = (PVMMDLL_PLUGIN_INTERNAL_CONTEXT)ctx;
-    strcpy_s(pRI->reg_info.uszPathName, 128, "\\forensic\\yara");
-    pRI->reg_info.fRootModule = TRUE;
-    pRI->reg_info.fRootModuleHidden = TRUE;
-    pRI->reg_fn.pfnList = MFcYara_List;
-    pRI->reg_fn.pfnRead = MFcYara_Read;
-    pRI->reg_fn.pfnNotify = MFcYara_Notify;
-    pRI->reg_fn.pfnClose = MFcYara_Close;
-    pRI->reg_fnfc.pfnInitialize = MFcYara_FcInitialize;
-    pRI->reg_fnfc.pfnIngestObject = MFcYara_IngestObject;
-    pRI->reg_fnfc.pfnIngestVirtmem = MFcYara_IngestVirtmem;
-    pRI->reg_fnfc.pfnIngestFinalize = MFcYara_FcIngestFinalize;
-    pRI->pfnPluginManager_Register(H, pRI);
+    if(!(MFcYara_ExistsRules_Builtin(H) || MFcYara_ExistsRules_User(H))) { return; }
+    // register the built-in yara rules (used for FindEvil):
+    if(MFcYara_ExistsRules_Builtin(H)) {
+        if(!(ctx = LocalAlloc(LMEM_ZEROINIT, sizeof(MFCYARA_CONTEXT)))) { return; }
+        pRI->reg_info.ctxM = (PVMMDLL_PLUGIN_INTERNAL_CONTEXT)ctx;
+        strcpy_s(pRI->reg_info.uszPathName, 128, "\\forensic\\yara_builtin");
+        pRI->reg_info.fRootModule = TRUE;
+        pRI->reg_info.fRootModuleHidden = TRUE;
+        pRI->reg_fn.pfnList = NULL;
+        pRI->reg_fn.pfnRead = NULL;
+        pRI->reg_fn.pfnNotify = NULL;
+        pRI->reg_fn.pfnClose = MFcYara_Close;
+        pRI->reg_fnfc.pfnInitialize = MFcYara_FcInitialize_Builtin;
+        pRI->reg_fnfc.pfnIngestObject = MFcYara_IngestObject;
+        pRI->reg_fnfc.pfnIngestVirtmem = MFcYara_IngestVirtmem;
+        pRI->reg_fnfc.pfnIngestFinalize = MFcYara_FcIngestFinalize;
+        pRI->pfnPluginManager_Register(H, pRI);
+    }
+    // register the user-supplied yara rules:
+    if(MFcYara_ExistsRules_User(H)) {
+        if(!(ctx = LocalAlloc(LMEM_ZEROINIT, sizeof(MFCYARA_CONTEXT)))) { return; }
+        if(!(ctx->pmfObMemFileUser = ObMemFile_New(H, H->vmm.pObCacheMapObCompressedShared))) { return; }
+        pRI->reg_info.ctxM = (PVMMDLL_PLUGIN_INTERNAL_CONTEXT)ctx;
+        strcpy_s(pRI->reg_info.uszPathName, 128, "\\forensic\\yara");
+        pRI->reg_info.fRootModule = TRUE;
+        pRI->reg_info.fRootModuleHidden = TRUE;
+        pRI->reg_fn.pfnList = MFcYara_List;
+        pRI->reg_fn.pfnRead = MFcYara_Read;
+        pRI->reg_fn.pfnNotify = MFcYara_Notify;
+        pRI->reg_fn.pfnClose = MFcYara_Close;
+        pRI->reg_fnfc.pfnInitialize = MFcYara_FcInitialize_User;
+        pRI->reg_fnfc.pfnIngestObject = MFcYara_IngestObject;
+        pRI->reg_fnfc.pfnIngestVirtmem = MFcYara_IngestVirtmem;
+        pRI->reg_fnfc.pfnIngestFinalize = MFcYara_FcIngestFinalize;
+        pRI->pfnPluginManager_Register(H, pRI);
+    }
 }
diff --git a/vmm/oscompatibility.h b/vmm/oscompatibility.h
@@ -30,6 +30,7 @@ int LZ4_decompress_safe(const char *src, char *dst, int compressedSize, int dstC
 
 #endif /* _WIN32 */
 #ifdef LINUX
+#define _FILE_OFFSET_BITS 64
 
 #if __SIZEOF_POINTER__ == 8
 #define VMM_64BIT
@@ -203,10 +204,10 @@ typedef int(*_CoreCrtNonSecureSearchSortCompareFunction)(void const *, void cons
 #define ExitProcess(c)                      (exit(c ? EXIT_SUCCESS : EXIT_FAILURE))
 #define Sleep(dwMilliseconds)               (usleep(1000*dwMilliseconds))
 #define _fsopen(szFile, szMode, dwAttr)     fopen(szFile, szMode)
-#define fopen_s(ppFile, szFile, szAttr)     ((*ppFile = fopen64(szFile, szAttr)) ? 0 : 1)
+#define fopen_s(ppFile, szFile, szAttr)     ((*ppFile = fopen(szFile, szAttr)) ? 0 : 1)
 #define ZeroMemory(pb, cb)                  (memset(pb, 0, cb))
-#define _ftelli64(f)                        (ftello64(f))
-#define _fseeki64(f, o, w)                  (fseeko64(f, o, w))
+#define _ftelli64(f)                        (ftello(f))
+#define _fseeki64(f, o, w)                  (fseeko(f, o, w))
 #define _chsize_s(fd, cb)                   (ftruncate64(fd, cb))
 #define _fileno(f)                          (fileno(f))
 #define InterlockedAdd64(p, v)              (__sync_add_and_fetch_8(p, v))

diff --git a/vmm/statistics.c b/vmm/statistics.c
@@ -152,6 +152,7 @@ VOID VmmStatisticsLogStart(_In_ VMM_HANDLE H, _In_ VMM_MODULE_ID MID, _In_ VMMLO
 {
     ps->f = VmmLogIsActive(H, MID, dwLogLevel);
     if(H->fAbort || !ps->f) { return; }
+    ps->fShowReads = TRUE;
     ps->dwPID = pProcess ? pProcess->dwPID : 0;
     ps->MID = MID;
     ps->dwLogLevel = dwLogLevel;
@@ -176,11 +177,19 @@ VOID VmmStatisticsLogEnd(_In_ VMM_HANDLE H, _In_ PVMMSTATISTICS_LOG ps, _In_ LPC
     QWORD v[3];
     if(H->fAbort || !ps->f) { return; }
     v[0] = GetTickCount64();
-    LcGetOption(H->hLC, LC_OPT_CORE_STATISTICS_CALL_COUNT | LC_STATISTICS_ID_READSCATTER, &v[1]);
-    v[2] = H->vmm.stat.cPhysReadSuccess;
-    if(ps->dwPID) {
-        VmmLog(H, ps->MID, ps->dwLogLevel, "%s END:   [pid=%i time=%llims scatter=0x%llx pages=0x%llx]", uszText, ps->dwPID, (v[0] - ps->v[0]), (v[1] - ps->v[1]), (v[2] - ps->v[2]));
+    if(ps->fShowReads) {
+        LcGetOption(H->hLC, LC_OPT_CORE_STATISTICS_CALL_COUNT | LC_STATISTICS_ID_READSCATTER, &v[1]);
+        v[2] = H->vmm.stat.cPhysReadSuccess;
+        if(ps->dwPID) {
+            VmmLog(H, ps->MID, ps->dwLogLevel, "%s END:   [pid=%i time=%llims scatter=0x%llx pages=0x%llx]", uszText, ps->dwPID, (v[0] - ps->v[0]), (v[1] - ps->v[1]), (v[2] - ps->v[2]));
+        } else {
+            VmmLog(H, ps->MID, ps->dwLogLevel, "%s END:   [time=%llims scatter=0x%llx pages=0x%llx]", uszText, (v[0] - ps->v[0]), (v[1] - ps->v[1]), (v[2] - ps->v[2]));
+        }
     } else {
-        VmmLog(H, ps->MID, ps->dwLogLevel, "%s END:   [time=%llims scatter=0x%llx pages=0x%llx]", uszText, (v[0] - ps->v[0]), (v[1] - ps->v[1]), (v[2] - ps->v[2]));
+        if(ps->dwPID) {
+            VmmLog(H, ps->MID, ps->dwLogLevel, "%s END:   [pid=%i time=%llims]", uszText, ps->dwPID, (v[0] - ps->v[0]));
+        } else {
+            VmmLog(H, ps->MID, ps->dwLogLevel, "%s END:   [time=%llims]", uszText, (v[0] - ps->v[0]));
+        }
     }
 }
diff --git a/vmm/statistics.h b/vmm/statistics.h
@@ -213,6 +213,7 @@ BOOL Statistics_CallToString(_In_ VMM_HANDLE H, _Out_opt_ LPSTR *psz, _Out_ PDWO
 
 typedef struct tdVMMSTATISTICS_LOG {
     BOOL f;
+    BOOL fShowReads;
     DWORD dwPID;
     DWORD MID;
     VMMLOG_LEVEL dwLogLevel;

diff --git a/vmm/version.h b/vmm/version.h
@@ -3,8 +3,8 @@
 
 #define VERSION_MAJOR               5
 #define VERSION_MINOR               10
-#define VERSION_REVISION            0
-#define VERSION_BUILD               166
+#define VERSION_REVISION            1
+#define VERSION_BUILD               167
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS : Core"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD