Version 5.13

README.md

@@ -234,7 +234,9 @@ v5.8
 * updates (FindEvil, New signatures, etc.).
 * New APIs for Kernel Objects, Drivers and Devices.
 
-Latest:
+[v5.13](https://github.com/ufrisk/MemProcFS/releases/tag/v5.12)
 * Bug fixes.
 * New [console module](https://github.com/ufrisk/MemProcFS/wiki/FS_Process_Console) added.
 * File recovery improvements (file sizes, signing info) for [files module](https://github.com/ufrisk/MemProcFS/wiki/FS_Forensic_Files).
+* Memory callback API functionality (C/C++ API only).
+* [Callstack parsing](https://github.com/ufrisk/MemProcFS/wiki/FS_Process_Threads) for x64 user-mode process callstacks.

includes/vmmdll.h

@@ -11,7 +11,7 @@
 // (c) Ulf Frisk, 2018-2024
 // Author: Ulf Frisk, pcileech@frizk.net
 //
-// Header Version: 5.12
+// Header Version: 5.13
 //
 
 #include "leechcore.h"
@@ -1031,6 +1031,46 @@ VOID VMMDLL_Scatter_CloseHandle(_In_opt_ _Post_ptr_invalid_ VMMDLL_SCATTER_HANDL
 
 
 
+//-----------------------------------------------------------------------------
+// MEMORY CALLBACK FUNCTIONALITY:
+// Allows for advanced memory access statistics and the creation of specialized
+// custom memory views for physical memory or per-process virtual memory.
+// Callback functions may be registered to modify memory reads and/or writes.
+//-----------------------------------------------------------------------------
+
+typedef enum tdVMMDLL_MEM_CALLBACK_TP {
+    VMMDLL_MEM_CALLBACK_READ_PHYSICAL_PRE = 1,
+    VMMDLL_MEM_CALLBACK_READ_PHYSICAL_POST = 2,
+    VMMDLL_MEM_CALLBACK_WRITE_PHYSICAL_PRE = 3,
+    VMMDLL_MEM_CALLBACK_READ_VIRTUAL_PRE = 4,
+    VMMDLL_MEM_CALLBACK_READ_VIRTUAL_POST = 5,
+    VMMDLL_MEM_CALLBACK_WRITE_VIRTUAL_PRE = 6,
+} VMMDLL_MEM_CALLBACK_TP;
+
+/*
+* MEM callback function definition.
+* -- ctxUser = user context pointer.
+* -- dwPID = PID of target process, (DWORD)-1 for physical memory.
+* -- cpMEMs = count of pMEMs.
+* -- ppMEMs = array of pointers to MEM scatter read headers.
+*/
+typedef VOID(*VMMDLL_MEM_CALLBACK_PFN)(_In_opt_ PVOID ctxUser, _In_ DWORD dwPID, _In_ DWORD cpMEMs, _In_ PPMEM_SCATTER ppMEMs);
+
+/*
+* Register or unregister am optional memory access callback function.
+* It's possible to have one callback function registered for each type.
+* To clear an already registered callback function specify NULL as pfnCB.
+* -- hVMM
+* -- tp = type of callback to register / unregister - VMMDLL_MEM_CALLBACK_*.
+* -- ctxUser = user context pointer to be passed to the callback function.
+* -- pfnCB = callback function to register / unregister.
+* -- return
+*/
+EXPORTED_FUNCTION _Success_(return)
+BOOL VMMDLL_MemCallback(_In_ VMM_HANDLE hVMM, _In_ VMMDLL_MEM_CALLBACK_TP tp, _In_opt_ PVOID ctxUser, _In_opt_ VMMDLL_MEM_CALLBACK_PFN pfnCB);
+
+
+
 //-----------------------------------------------------------------------------
 // VMM PROCESS MAP FUNCTIONALITY BELOW:
 // Functionality for retrieving process related collections of items such as
@@ -1048,6 +1088,7 @@ VOID VMMDLL_Scatter_CloseHandle(_In_opt_ _Post_ptr_invalid_ VMMDLL_SCATTER_HANDL
 #define VMMDLL_MAP_HEAP_VERSION             4
 #define VMMDLL_MAP_HEAPALLOC_VERSION        1
 #define VMMDLL_MAP_THREAD_VERSION           4
+#define VMMDLL_MAP_THREAD_CALLSTACK_VERSION 1
 #define VMMDLL_MAP_HANDLE_VERSION           3
 #define VMMDLL_MAP_POOL_VERSION             2
 #define VMMDLL_MAP_KOBJECT_VERSION          1
@@ -1316,6 +1357,18 @@ typedef struct tdVMMDLL_MAP_THREADENTRY {
     QWORD vaWin32StartAddress;
 } VMMDLL_MAP_THREADENTRY, *PVMMDLL_MAP_THREADENTRY;
 
+typedef struct tdVMMDLL_MAP_THREAD_CALLSTACKENTRY {
+    DWORD i;
+    BOOL  fRegPresent;
+    QWORD vaRetAddr;
+    QWORD vaRSP;
+    QWORD vaBaseSP;
+    DWORD _FutureUse1;
+    DWORD cbDisplacement;
+    union { LPSTR uszModule; LPWSTR wszModule; };           // U/W dependant
+    union { LPSTR uszFunction; LPWSTR wszFunction; };       // U/W dependant
+} VMMDLL_MAP_THREAD_CALLSTACKENTRY, *PVMMDLL_MAP_THREAD_CALLSTACKENTRY;
+
 typedef struct tdVMMDLL_MAP_HANDLEENTRY {
     QWORD vaObject;
     DWORD dwHandle;
@@ -1580,6 +1633,19 @@ typedef struct tdVMMDLL_MAP_THREAD {
     VMMDLL_MAP_THREADENTRY pMap[];  // map entries.
 } VMMDLL_MAP_THREAD, *PVMMDLL_MAP_THREAD;
 
+typedef struct tdVMMDLL_MAP_THREAD_CALLSTACK {
+    DWORD dwVersion;                // VMMDLL_MAP_THREAD_CALLSTACK_VERSION
+    DWORD _Reserved1[6];
+    DWORD dwPID;
+    DWORD dwTID;
+    DWORD cbText;
+    union { LPSTR  uszText; LPWSTR wszText; };  // U/W dependant
+    PBYTE pbMultiText;              // multi-str pointed into by VMM_MAP_EATENTRY.[wszFunction|wszModule]
+    DWORD cbMultiText;
+    DWORD cMap;
+    VMMDLL_MAP_THREAD_CALLSTACKENTRY pMap[0];
+} VMMDLL_MAP_THREAD_CALLSTACK, *PVMMDLL_MAP_THREAD_CALLSTACK;
+
 typedef struct tdVMMDLL_MAP_HANDLE {
     DWORD dwVersion;                // VMMDLL_MAP_HANDLE_VERSION
     DWORD _Reserved1[5];
@@ -1811,6 +1877,24 @@ _Success_(return) BOOL VMMDLL_Map_GetHeapAlloc(_In_ VMM_HANDLE hVMM, _In_ DWORD
 EXPORTED_FUNCTION
 _Success_(return) BOOL VMMDLL_Map_GetThread(_In_ VMM_HANDLE hVMM, _In_ DWORD dwPID, _Out_ PVMMDLL_MAP_THREAD *ppThreadMap);
 
+/*
+* Retrieve the thread callstack for a specific thread.
+* Callstack retrieval is:
+* - supported for x64 user-mode threads.
+* - a best-effort operation and may not always succeed.
+* - may download a large amounts of pdb symbol data from Microsoft.
+* CALLER FREE: VMMDLL_MemFree(*ppThreadCallstack)
+* -- hVMM
+* -- dwPID
+* -- dwTID
+* -- flags = 0, VMMDLL_FLAG_NOCACHE or VMM_FLAG_FORCECACHE_READ
+* -- ppThreadCallstack
+* -- return
+*/
+EXPORTED_FUNCTION
+_Success_(return) BOOL VMMDLL_Map_GetThread_CallstackU(_In_ VMM_HANDLE hVMM, _In_ DWORD dwPID, _In_ DWORD dwTID, _In_ DWORD flags, _Out_ PVMMDLL_MAP_THREAD_CALLSTACK *ppThreadCallstack);
+_Success_(return) BOOL VMMDLL_Map_GetThread_CallstackW(_In_ VMM_HANDLE hVMM, _In_ DWORD dwPID, _In_ DWORD dwTID, _In_ DWORD flags, _Out_ PVMMDLL_MAP_THREAD_CALLSTACK *ppThreadCallstack);
+
 /*
 * Retrieve the handles for the specified process.
 * Entries returned are sorted on VMMDLL_MAP_HANDLEENTRY.dwHandle

m_vmemd/version.h

@@ -2,9 +2,9 @@
 #define STRINGIZE(s) STRINGIZE2(s)
 
 #define VERSION_MAJOR               5
-#define VERSION_MINOR               12
-#define VERSION_REVISION            7
-#define VERSION_BUILD               184
+#define VERSION_MINOR               13
+#define VERSION_REVISION            0
+#define VERSION_BUILD               185
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS : Plugin vmemd"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

memprocfs/version.h

@@ -2,9 +2,9 @@
 #define STRINGIZE(s) STRINGIZE2(s)
 
 #define VERSION_MAJOR               5
-#define VERSION_MINOR               12
-#define VERSION_REVISION            7
-#define VERSION_BUILD               184
+#define VERSION_MINOR               13
+#define VERSION_REVISION            0
+#define VERSION_BUILD               185
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

vmm/Makefile

@@ -29,8 +29,8 @@ OBJ = oscompatibility.o charutil.o util.o pe.o vmmdll.o vmmdll_core.o        \
 	  ob/ob_memfile.o ob/ob_set.o ob/ob_strmap.o                             \
 	  statistics.o sysquery.o vmmheap.o vmmlog.o vmmnet.o                    \
 	  vmmproc.o vmmvm.o vmmwininit.o vmmwin.o vmmwinobj.o vmmwinpool.o       \
-	  vmmwinreg.o vmmwinsvc.o vmmuserconfig.o vmmwork.o vmmyarautil.o        \
-	  vmmyarawrap.o                                                          \
+	  vmmwinreg.o vmmwinsvc.o vmmwinthread.o vmmuserconfig.o vmmwork.o       \
+	  vmmyarautil.o vmmyarawrap.o                                            \
 	  modules/m_vfsroot.o modules/m_vfsproc.o modules/m_vfsfc.o              \
 	  modules/m_conf.o modules/m_vm.o modules/m_winreg.o                     \
 	  modules/m_fc_csv.o modules/m_fc_file.o modules/m_fc_findevil.o         \