Version 4.13
ufrisk committed Jan 7, 2022
1 parent 86caa8a commit ea788da
Showing 44 changed files with 6,412 additions and 1,373 deletions.
212 changes: 163 additions & 49 deletions includes/dokan.h


156 changes: 111 additions & 45 deletions includes/public.h
@@ -1,8 1,8 @@
/*
Dokan : user-mode file system library for Windows
Copyright (C) 2017 - 2021 Google, Inc.
Copyright (C) 2015 - 2019 Adrien J. <[email protected]> and Maxime C. <[email protected]>
Copyright (C) 2017 - 2018 Google, Inc.
Copyright (C) 2007 - 2011 Hiroki Asakawa <[email protected]>
http://dokan-dev.github.io
Expand All @@ -24,52 24,43 @@ with this program. If not, see <http://www.gnu.org/licenses/>.
#define PUBLIC_H_

#ifndef DOKAN_MAJOR_API_VERSION
#define DOKAN_MAJOR_API_VERSION L"1"
#define DOKAN_MAJOR_API_VERSION L"2"
#include <minwindef.h>
#endif

#define DOKAN_DRIVER_VERSION 0x0000190

#define EVENT_CONTEXT_MAX_SIZE (1024 * 32)
// This is arbitrary. There isn't really an absolute max, but we marshal it in
// a fixed-size buffer.
#define VOLUME_SECURITY_DESCRIPTOR_MAX_SIZE (1024 * 16)

#define IOCTL_GET_VERSION \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_GET_VERSION \
CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define IOCTL_SET_DEBUG_MODE \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_SET_DEBUG_MODE \
CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define IOCTL_EVENT_WAIT \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_EVENT_RELEASE \
CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define IOCTL_EVENT_INFO \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_EVENT_START \
CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x805, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define IOCTL_EVENT_RELEASE \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_EVENT_WRITE \
CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x806, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)

#define IOCTL_EVENT_START \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x805, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_RESET_TIMEOUT \
CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x80B, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define IOCTL_EVENT_WRITE \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x806, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define FSCTL_GET_ACCESS_TOKEN \
CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x80C, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define IOCTL_KEEPALIVE \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x809, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_EVENT_MOUNTPOINT_LIST \
CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x80D, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define IOCTL_SERVICE_WAIT \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x80A, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define IOCTL_RESET_TIMEOUT \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x80B, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define IOCTL_GET_ACCESS_TOKEN \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x80C, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define IOCTL_EVENT_MOUNTPOINT_LIST \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x80D, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define IOCTL_MOUNTPOINT_CLEANUP \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x80E, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_MOUNTPOINT_CLEANUP \
CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x80E, METHOD_BUFFERED, FILE_ANY_ACCESS)

// DeviceIoControl code to send to a keepalive handle to activate it (see the
// documentation for the keepalive flags in the DokanFCB struct).
Expand All @@ -82,8 73,11 @@ with this program. If not, see <http://www.gnu.org/licenses/>.

// DeviceIoControl code to retrieve the VOLUME_METRICS struct for the targeted
// volume.
#define IOCTL_GET_VOLUME_METRICS \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x811, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_GET_VOLUME_METRICS \
CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x811, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define FSCTL_EVENT_PROCESS_N_PULL \
CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x812, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define DRIVER_FUNC_INSTALL 0x01
#define DRIVER_FUNC_REMOVE 0x02
Expand All @@ -109,7 103,8 @@ with this program. If not, see <http://www.gnu.org/licenses/>.
#define DOKAN_WRITE_TO_END_OF_FILE 128
#define DOKAN_NOCACHE 256
#define DOKAN_RETRY_CREATE 512
#define DOKAN_FILE_CHANGE_LAST_WRITE 1024
#define DOKAN_EVER_USED_IN_NOTIFY_LIST 1024
#define DOKAN_FILE_CHANGE_LAST_WRITE 2048

// used in DOKAN_START->DeviceType
#define DOKAN_DISK_FILE_SYSTEM 0
Expand Down Expand Up @@ -351,11 346,17 @@ typedef struct _VOLUME_METRICS {
ULONG64 FcbDeletions;
// A "cancellation" is when a single FCB's garbage collection gets canceled.
ULONG64 FcbGarbageCollectionCancellations;
// Number of IRPs with a too large buffer that could not be registered for
// being forward to userland.
ULONG64 LargeIRPRegistrationCanceled;
} VOLUME_METRICS, *PVOLUME_METRICS;

#define WRITE_MAX_SIZE \
(EVENT_CONTEXT_MAX_SIZE - sizeof(EVENT_CONTEXT) - 256 * sizeof(WCHAR))

#define DOKAN_EVENT_INFO_MIN_BUFFER_SIZE 8
#define DOKAN_EVENT_INFO_DEFAULT_BUFFER_SIZE (1024 * 4)

typedef struct _EVENT_INFORMATION {
ULONG SerialNumber;
NTSTATUS Status;
Expand Down Expand Up @@ -386,26 387,78 @@ typedef struct _EVENT_INFORMATION {
} Operation;
ULONG64 Context;
ULONG BufferLength;
UCHAR Buffer[8];

ULONG PullEventTimeoutMs;
UCHAR Buffer[DOKAN_EVENT_INFO_MIN_BUFFER_SIZE];
} EVENT_INFORMATION, *PEVENT_INFORMATION;

// By default we pool EVENT_INFORMATION objects with a 4k buffer (1 page) as most read/writes are this size
// or smaller
#define DOKAN_EVENT_INFO_DEFAULT_SIZE \
(FIELD_OFFSET(EVENT_INFORMATION, Buffer) \
DOKAN_EVENT_INFO_DEFAULT_BUFFER_SIZE)

// Dokan mount options
#define DOKAN_EVENT_ALTERNATIVE_STREAM_ON 1
#define DOKAN_EVENT_WRITE_PROTECT (1 << 1)
#define DOKAN_EVENT_REMOVABLE (1 << 2)
#define DOKAN_EVENT_MOUNT_MANAGER (1 << 3)
#define DOKAN_EVENT_CURRENT_SESSION (1 << 4)
#define DOKAN_EVENT_FILELOCK_USER_MODE (1 << 5)
#define DOKAN_EVENT_DISABLE_OPLOCKS (1 << 6)
#define DOKAN_EVENT_ENABLE_FCB_GC (1 << 7)
// CaseSenitive FileName: NTFS can look to be case-insensitive
// but in some situation it can also be case-sensitive :
// * NTFS keep the filename casing used during Create internally.
// * Open "MyFile" on NTFS can open "MYFILE" if it exists.
// * FILE_FLAG_POSIX_SEMANTICS (IRP_MJ_CREATE: SL_CASE_SENSITIVE)
// can be used during Create to make the lookup case-sensitive.
// * Since Win10, NTFS can have specific directories
// case-sensitive / insensitive, even if the device tags says otherwise.
// Dokan choose to support case-sensitive or case-insensitive filesystem
// but not those NTFS specific scenarios.
#define DOKAN_EVENT_CASE_SENSITIVE (1 << 6)
// Enables unmounting of network drives via file explorer
#define DOKAN_EVENT_ENABLE_NETWORK_UNMOUNT (1 << 7)
#define DOKAN_EVENT_DISPATCH_DRIVER_LOGS (1 << 8)
#define DOKAN_EVENT_ALLOW_IPC_BATCHING (1 << 9)
#define DOKAN_EVENT_DRIVE_LETTER_IN_USE (1 << 10)

// Non-exclusive bits that can be set in EVENT_DRIVER_INFO.Flags for the driver
// to send back extra info about what happened during a mount attempt, whether
// or not it succeeded.

// The volume arrival notification did not trigger mounting as expected, so an
// explicit request was made to the mount manager.
#define DOKAN_DRIVER_INFO_MOUNT_FORCED 1

// Dokan did not specify a preferred drive letter in response to the suggested
// link name query from the mount manager. This happens if we know the preferred
// drive letter is in use, and want the mount manager to select one.
#define DOKAN_DRIVER_INFO_AUTO_ASSIGN_REQUESTED 2

// Dokan unmounted and then reused the preferred drive letter, because it was
// determined to be another dokan drive owned by the same Windows user.
#define DOKAN_DRIVER_INFO_OLD_DRIVE_UNMOUNTED 4

// Dokan determined that the preferred drive letter was in use by a dokan drive
// owned by a different Windows user. If this is set, then
// DOKAN_DRIVER_INFO_AUTO_ASSIGNED is also set.
#define DOKAN_DRIVER_INFO_OLD_DRIVE_LEFT_MOUNTED 8

// The dokan driver is returning a mount response to the DLL before the mount
// manager has actually assigned a drive letter. We are not sure if this ever
// happens; if so, it should be very rare.
#define DOKAN_DRIVER_INFO_NO_MOUNT_POINT_ASSIGNED 16

// Dokan failed to set the reparse point for the mount point folder provided.
#define DOKAN_DRIVER_INFO_SET_REPARSE_POINT_FAILED 32

typedef struct _EVENT_DRIVER_INFO {
ULONG DriverVersion;
ULONG Status;
ULONG Flags;
ULONG DeviceNumber;
ULONG MountId;
WCHAR DeviceName[64];
WCHAR ActualDriveLetter;
} EVENT_DRIVER_INFO, *PEVENT_DRIVER_INFO;

typedef struct _EVENT_START {
Expand All @@ -415,6 468,9 @@ typedef struct _EVENT_START {
WCHAR MountPoint[260];
WCHAR UNCName[64];
ULONG IrpTimeout;
ULONG FcbGarbageCollectionIntervalMs;
ULONG VolumeSecurityDescriptorLength;
CHAR VolumeSecurityDescriptor[VOLUME_SECURITY_DESCRIPTOR_MAX_SIZE];
} EVENT_START, *PEVENT_START;

#ifdef _MSC_VER
Expand Down Expand Up @@ -444,10 500,10 @@ typedef struct _DOKAN_LINK_INFORMATION {
} DOKAN_LINK_INFORMATION, *PDOKAN_LINK_INFORMATION;

/**
* \struct DOKAN_CONTROL
* \brief Dokan Control
* \struct DOKAN_MOUNT_POINT_INFO
* \brief Dokan Mount point information
*/
typedef struct _DOKAN_CONTROL {
typedef struct _DOKAN_MOUNT_POINT_INFO {
/** File System Type */
ULONG Type;
/** Mount point. Can be "M:\" (drive letter) or "C:\mount\dokan" (path in NTFS) */
Expand All @@ -456,10 512,20 @@ typedef struct _DOKAN_CONTROL {
WCHAR UNCName[64];
/** Disk Device Name */
WCHAR DeviceName[64];
/** Volume Device Object */
PVOID64 VolumeDeviceObject;
/** Session ID of calling process */
ULONG SessionId;
} DOKAN_CONTROL, *PDOKAN_CONTROL;
/** Contains information about the flags on the mount */
ULONG MountOptions;
} DOKAN_MOUNT_POINT_INFO, *PDOKAN_MOUNT_POINT_INFO;

// Dokan Major IRP values dispatched to userland for custom request with
// EVENT_CONTEXT.
#define DOKAN_IRP_LOG_MESSAGE 0x20

// Driver log message disptached during DOKAN_IRP_LOG_MESSAGE event.
typedef struct _DOKAN_LOG_MESSAGE {
ULONG MessageLength;
CHAR Message[1];
} DOKAN_LOG_MESSAGE, *PDOKAN_LOG_MESSAGE;

#endif // PUBLIC_H_
10 changes: 6 additions & 4 deletions pcileech/Makefile
@@ -1,12 1,12 @@
CC=gcc
CFLAGS =-I. -I../includes -D LINUX -L. -l:leechcore.so -l:vmm.so -pthread
#CFLAGS = -g -O0
CFLAGS = -fPIE -pie -fstack-protector -D_FORTIFY_SOURCE=2 -O1 -Wl,-z,noexecstack
CFLAGS =-I. -I../includes -D LINUX -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -L. -l:leechcore.so -l:vmm.so -pthread
#CFLAGS = -g -O0 -Wextra
CFLAGS = -fPIE -fPIC -pie -fstack-protector -D_FORTIFY_SOURCE=2 -O1 -Wl,-z,noexecstack
CFLAGS = -Wall -Wno-format-truncation -Wno-enum-compare -Wno-pointer-sign -Wno-multichar -Wno-unused-variable -Wno-unused-value
CFLAGS = -Wno-pointer-to-int-cast -Wno-int-to-pointer-cast
LDFLAGS =-Wl,-rpath,'$$ORIGIN' -ldl
DEPS = pcileech.h
OBJ = oscompatibility.o device.o pcileech.o executor.o extra.o help.o kmd.o memdump.o mempatch.o statistics.o umd.o util.o vfs.o vmmx.o
OBJ = oscompatibility.o charutil.o device.o pcileech.o executor.o extra.o help.o kmd.o memdump.o mempatch.o statistics.o umd.o util.o vfslist.o vfs.o vmmx.o ob/ob_cachemap.o ob/ob_core.o ob/ob_map.o ob/ob_set.o

%.o: %.c $(DEPS)
$(CC) -c -o $@ $< $(CFLAGS)
Expand All @@ -19,9 19,11 @@ pcileech: $(OBJ)
mv vmm.so ../files/ |true
mv leechcore.so ../files/ |true
rm -f *.o || true
rm -f */*.o || true
rm -f *.so || true
true

clean:
rm -f *.o || true
rm -f */*.o || true
rm -f *.so || true
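Review bot: The new warning line in the first hunk, `CFLAGS = -Wno-pointer-to-int-cast -Wno-int-to-pointer-cast`, silences exactly the diagnostics that catch 64-bit pointer truncation when a pointer is round-tripped through an int, which is a memory-safety risk on the 64-bit Linux build the same hunk configures with -D_FILE_OFFSET_BITS=64; preferable is to fix the flagged sites with (uintptr_t) casts, or at least to mark the line `# TODO: drop once pointer<->int sites use uintptr_t` so the suppression is not permanent. The hardening line keeps -fstack-protector and -Wl,-z,noexecstack but does not enable RELRO; appending `-Wl,-z,relro,-z,now` to that line makes the GOT read-only after load at no code cost. The rendered page has dropped its `+` characters (visible in the `@@` headers), so the `=` shown on each CFLAGS line is presumably `+=` in the actual file; if it really is `=`, only the last assignment survives and every earlier flag is discarded.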
