Version 3.3

pcileech/extra.c

@@ -224,6 +224,14 @@ VOID Action_TlpTx(_Inout_ PPCILEECH_CONTEXT ctx)
         return;
     }
     printf("TLP: Transmitting PCIe TLP.%s\n", ctx->cfg->fVerboseExtra ? "" : " (use -vvv option for detailed info).");
+    if(ctx->cfg->fLoop) {
+        printf("TLP: Starting loop TLP transmit. Press CTRL+C to abort.\n");
+        while(TRUE) {
+            DeviceWriteTlp(ctx, ctx->cfg->pbIn, (DWORD)ctx->cfg->cbIn);
+            DeviceListenTlp(ctx, 100);
+        }
+        return;
+    }
     DeviceWriteTlp(ctx, ctx->cfg->pbIn, (DWORD)ctx->cfg->cbIn);
     DeviceListenTlp(ctx, 100);
 }

pcileech/help.c

@@ -143,7 +143,7 @@ VOID Help_ShowInfo()
     printf(
         " PCILEECH INFORMATION                                                          \n" \
         " PCILeech (c) 2016-2018 Ulf Frisk                                              \n" \
-        " Version: 3.2.1                                                                \n" \
+        " Version: 3.3                                                                  \n" \
         " License: GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007                 \n" \
         " Contact information: pcileech@frizk.net                                       \n" \
         " System requirements: 64-bit Windows 7, 10 or Linux.                           \n" \

pcileech/vmm.c

@@ -270,7 +270,7 @@ PVMM_PROCESS VmmProcessGet(_In_ PVMM_CONTEXT ctxVmm, _In_ DWORD dwPID)
     return VmmProcessGetEx(ctxVmm->ptPROC, dwPID);
 }
 
-PVMM_PROCESS VmmProcessCreateEntry(_In_ PVMM_CONTEXT ctxVmm, _In_ DWORD dwPID, _In_ DWORD dwState, _In_ QWORD paPML4, _In_ CHAR szName[16], _In_ BOOL fUserOnly, _In_ BOOL fSpiderPageTableDone)
+PVMM_PROCESS VmmProcessCreateEntry(_In_ PVMM_CONTEXT ctxVmm, _In_ DWORD dwPID, _In_ DWORD dwState, _In_ QWORD paPML4, _In_ QWORD paPML4_UserOpt, _In_ CHAR szName[16], _In_ BOOL fUserOnly, _In_ BOOL fSpiderPageTableDone)
 {
     QWORD i, iStart, cEmpty = 0, cValid = 0;
     PVMM_PROCESS pNewProcess;
@@ -292,6 +292,7 @@ PVMM_PROCESS VmmProcessCreateEntry(_In_ PVMM_CONTEXT ctxVmm, _In_ DWORD dwPID, _
     pNewProcess->dwPID = dwPID;
     pNewProcess->dwState = dwState;
     pNewProcess->paPML4 = paPML4;
+    pNewProcess->paPML4_UserOpt = paPML4_UserOpt;
     pNewProcess->fUserOnly = fUserOnly;
     pNewProcess->fSpiderPageTableDone = pNewProcess->fSpiderPageTableDone || fSpiderPageTableDone;
     pNewProcess->_i_fMigrated = TRUE;
@@ -321,6 +322,7 @@ VOID VmmProcessCloseTable(_In_ PVMM_PROCESS_TABLE pt, _In_ BOOL fForceFreeAll)
     while(pProcess) {
         if(fForceFreeAll || !pProcess->_i_fMigrated) {
             LocalFree(pProcess->pMemMap);
+            LocalFree(pProcess->pModuleMap);
             LocalFree(pProcess->pbMemMapDisplayCache);
             for(i = 0; i < VMM_PROCESS_OS_ALLOC_PTR_MAX; i++) {
                 LocalFree(pProcess->os.unk.pvReserved[i]);
@@ -517,7 +519,7 @@ VOID VmmMapInitialize(_Inout_ PVMM_CONTEXT ctxVmm, _In_ PVMM_PROCESS pProcess)
 * -- szTag
 * -- wszTag
 */
-VOID VmmMapTag(_Inout_ PVMM_CONTEXT ctxVmm, _In_ PVMM_PROCESS pProcess, _In_ QWORD vaBase, _In_ QWORD vaLimit, _In_opt_ LPSTR szTag, _In_opt_ LPWSTR wszTag)
+VOID VmmMapTag(_Inout_ PVMM_CONTEXT ctxVmm, _In_ PVMM_PROCESS pProcess, _In_ QWORD vaBase, _In_ QWORD vaLimit, _In_opt_ LPSTR szTag, _In_opt_ LPWSTR wszTag, _In_opt_ BOOL fWoW64)
 {
     PVMM_MEMMAP_ENTRY pMap;
     QWORD i, lvl, cMap;
@@ -545,6 +547,7 @@ VOID VmmMapTag(_Inout_ PVMM_CONTEXT ctxVmm, _In_ PVMM_PROCESS pProcess, _In_ QWO
     // 3: fill in tag
     while((i < cMap) && (pMap[i].AddrBase + (pMap[i].cPages << 12) <= vaLimit)) {
         if(pMap[i].AddrBase >= vaBase) {
+            pMap[i].fWoW64 = fWoW64;
             if(wszTag) {
                 snprintf(pMap[i].szName, 31, "%S", wszTag);
             }
@@ -564,12 +567,12 @@ VOID VmmMapDisplayBufferGenerate(_In_ PVMM_PROCESS pProcess)
     pProcess->cbMemMapDisplayCache = 0;
     LocalFree(pProcess->pbMemMapDisplayCache);
     pProcess->pbMemMapDisplayCache = NULL;
-    pbBuffer = LocalAlloc(LMEM_ZEROINIT, 86 * pProcess->cMemMap);
+    pbBuffer = LocalAlloc(LMEM_ZEROINIT, 89 * pProcess->cMemMap);
     if(!pbBuffer) { return; }
     for(i = 0; i < pProcess->cMemMap; i++) {
         o += snprintf(
             pbBuffer + o,
-            86,
+            89,
             "%04x %8x %016llx-%016llx %sr%s%s%s%s\n",
             i,
             (DWORD)pProcess->pMemMap[i].cPages,
@@ -578,7 +581,7 @@ VOID VmmMapDisplayBufferGenerate(_In_ PVMM_PROCESS pProcess)
             pProcess->pMemMap[i].fPage & VMM_MEMMAP_FLAG_PAGE_NS ? "-" : "s",
             pProcess->pMemMap[i].fPage & VMM_MEMMAP_FLAG_PAGE_W ? "w" : "-",
             pProcess->pMemMap[i].fPage & VMM_MEMMAP_FLAG_PAGE_NX ? "-" : "x",
-            pProcess->pMemMap[i].szName[0] ? " " : "",
+            pProcess->pMemMap[i].szName[0] ? (pProcess->pMemMap[i].fWoW64 ? " 32 " : "    ") : "",
             pProcess->pMemMap[i].szName
         );
     }
@@ -930,6 +933,21 @@ VOID VmmReadEx(_Inout_ PVMM_CONTEXT ctxVmm, _In_ PVMM_PROCESS pProcess, _In_ QWO
     LocalFree(pbBuffer);
 }
 
+BOOL VmmReadString_Unicode2Ansi(_Inout_ PVMM_CONTEXT ctxVmm, _In_ PVMM_PROCESS pProcess, _In_ QWORD qwVA, _Out_ LPSTR sz, _In_ DWORD cch)
+{
+    DWORD i = 0;
+    BOOL result;
+    WCHAR wsz[0x1000];
+    if(cch > 0x1000) { return FALSE; }
+    result = VmmRead(ctxVmm, pProcess, qwVA, (PBYTE)wsz, cch << 1);
+    if(!result) { return FALSE; }
+    for(i = 0; i < cch; i++) {
+        sz[i] = ((WORD)wsz[i] <= 0xff) ? (CHAR)wsz[i] : '?';
+        if(sz[i] == 0) { return TRUE; }
+    }
+    return TRUE;
+}
+
 BOOL VmmRead(_Inout_ PVMM_CONTEXT ctxVmm, _In_ PVMM_PROCESS pProcess, _In_ QWORD qwVA, _Out_ PBYTE pb, _In_ DWORD cb)
 {
     DWORD cbRead;

pcileech/vmm.h

@@ -15,7 +15,7 @@
 // ----------------------------------------------------------------------------
 
 #define VMM_PROCESSTABLE_ENTRIES_MAX    0x4000
-#define VMM_PROCESS_OS_ALLOC_PTR_MAX    0x2    // max number of operating system specific pointers that must be free'd
+#define VMM_PROCESS_OS_ALLOC_PTR_MAX    0x4    // max number of operating system specific pointers that must be free'd
 #define VMM_MEMMAP_ENTRIES_MAX          0x4000
 
 #define VMM_MEMMAP_FLAG_PAGE_W          0x0000000000000002
@@ -31,13 +31,31 @@ typedef struct tdVMM_MEMMAP_ENTRY {
     QWORD AddrBase;
     QWORD cPages;
     QWORD fPage;
+    BOOL  fWoW64;
     CHAR  szName[32];
 } VMM_MEMMAP_ENTRY, *PVMM_MEMMAP_ENTRY;
 
+typedef struct tdVMM_MODULEMAP_ENTRY {
+    QWORD BaseAddress;
+    QWORD EntryPoint;
+    DWORD SizeOfImage;
+    BOOL  fWoW64;
+    CHAR  szName[32];
+    // # of entries in EAT / IAT (lazy loaded due to performance reasons)
+    BOOL  fLoadedEAT;
+    BOOL  fLoadedEAT_Prel;
+    DWORD cbDisplayBufferEAT;
+    BOOL  fLoadedIAT;
+    BOOL  fLoadedIAT_Prel;
+    DWORD cbDisplayBufferIAT;
+    DWORD cbDisplayBufferSections;
+} VMM_MODULEMAP_ENTRY, *PVMM_MODULEMAP_ENTRY;
+
 typedef struct tdVMM_PROCESS {
     DWORD dwPID;
     DWORD dwState;          // state of process, 0 = running
     QWORD paPML4;
+    QWORD paPML4_UserOpt;
     CHAR szName[16];
     BOOL _i_fMigrated;
     BOOL fUserOnly;
@@ -47,6 +65,9 @@ typedef struct tdVMM_PROCESS {
     PVMM_MEMMAP_ENTRY pMemMap;
     PBYTE pbMemMapDisplayCache;
     QWORD cbMemMapDisplayCache;
+    // module map (free must be called separately)
+    QWORD cModuleMap;
+    PVMM_MODULEMAP_ENTRY pModuleMap;
     struct {
         QWORD va;
         QWORD pas[5];   // physical addresses of pagetable[PML]/page[0]
@@ -59,10 +80,15 @@ typedef struct tdVMM_PROCESS {
         } unk;
         struct {
             PBYTE pbLdrModulesDisplayCache;
-            PVOID pbReserved[VMM_PROCESS_OS_ALLOC_PTR_MAX - 1];
+            PBYTE pbDisplayCacheEAT;
+            PBYTE pbDisplayCacheIAT;
+            PVOID pbReserved[VMM_PROCESS_OS_ALLOC_PTR_MAX - 3];
+            CHAR  szDisplayCacheEAT[32];
+            CHAR  szDisplayCacheIAT[32];
             DWORD cbLdrModulesDisplayCache;
             QWORD vaEPROCESS;
             QWORD vaPEB;
+            DWORD vaPEB32;                          // WoW64 only
             QWORD vaENTRY;
             BOOL fWow64;
         } win;
@@ -139,6 +165,19 @@ BOOL VmmWrite(_Inout_ PVMM_CONTEXT ctxVmm, _In_ PVMM_PROCESS pProcess, _In_ QWOR
 */
 BOOL VmmWritePhysical(_Inout_ PVMM_CONTEXT ctxVmm, _In_ QWORD pa, _Out_ PBYTE pb, _In_ DWORD cb);
 
+/*
+* Read a virtually contigious arbitrary amount of memory containing cch number of
+* unicode characters and convert them into ansi characters. Characters > 0xff are
+* converted into '?'.
+* -- ctxVmm
+* -- pProcess
+* -- qwVA
+* -- sz
+* -- cch
+* -- return
+*/
+BOOL VmmReadString_Unicode2Ansi(_Inout_ PVMM_CONTEXT ctxVmm, _In_ PVMM_PROCESS pProcess, _In_ QWORD qwVA, _Out_ LPSTR sz, _In_ DWORD cch);
+
 /*
 * Read a virtually contigious arbitrary amount of memory.
 * -- ctxVmm
@@ -267,8 +306,9 @@ VOID VmmMapInitialize(_Inout_ PVMM_CONTEXT ctxVmm, _In_ PVMM_PROCESS pProcess);
 * -- vaLimit = limit == vaBase + size (== top address in range +1)
 * -- szTag
 * -- wszTag
+* -- fWoW64
 */
-VOID VmmMapTag(_Inout_ PVMM_CONTEXT ctxVmm, _In_ PVMM_PROCESS pProcess, _In_ QWORD vaBase, _In_ QWORD vaLimit, _In_opt_ LPSTR szTag, _In_opt_ LPWSTR wszTag);
+VOID VmmMapTag(_Inout_ PVMM_CONTEXT ctxVmm, _In_ PVMM_PROCESS pProcess, _In_ QWORD vaBase, _In_ QWORD vaLimit, _In_opt_ LPSTR szTag, _In_opt_ LPWSTR wszTag, _In_opt_ BOOL fWoW64);
 
 /*
 * Retrieve a memory map entry info given a specific address.
@@ -308,7 +348,7 @@ PVMM_PROCESS VmmProcessGet(_In_ PVMM_CONTEXT ctxVmm, _In_ DWORD dwPID);
 * structure and won't become visible to the "Process" functions until after the
 * VmmProcessCreateFinish have been called.
 */
-PVMM_PROCESS VmmProcessCreateEntry(_In_ PVMM_CONTEXT ctxVmm, _In_ DWORD dwPID, _In_ DWORD dwState, _In_ QWORD paPML4, _In_ CHAR szName[16], _In_ BOOL fUserOnly, _In_ BOOL fSpiderPageTableDone);
+PVMM_PROCESS VmmProcessCreateEntry(_In_ PVMM_CONTEXT ctxVmm, _In_ DWORD dwPID, _In_ DWORD dwState, _In_ QWORD paPML4, _In_ QWORD paPML4_UserOpt, _In_ CHAR szName[16], _In_ BOOL fUserOnly, _In_ BOOL fSpiderPageTableDone);
 
 /*
 * Activate the pending, not yet active, processes added by VmmProcessCreateEntry.