-
-
Notifications
You must be signed in to change notification settings - Fork 103
LeechCore_API
All functionality in the LeechCore library is exported in a C/C++ API for use by developers. The header file is named: leechcore.h
which use leechcore.dll
/ leechcore.lib
on Windows and leechcore.so
on Linux.
NB! Currently 64-bit Linux and 32-bit and 64-bit versions of Windows are supported. The Windows version have somewhat better performance than Linux for select memory acquisition methods - such as FPGA DMA due to better driver support.
This wiki entry contains an overview of the LeechCore API. The complete documentation is found in leechcore.h
If developing a plugin device for LeechCore please also see leechcore_device.h
(not documented in this guide, but please see LeechCore-plugins repository for examples).
Examples how to use LeechCore may be found in the sources for PCILeech and MemProcFS which makes use of the LeechCore library.
After leechcore.dll
is loaded it has to be initialized by calling the LeechCore_Create
function. When it no longer is in use LeechCore_Close
should be called on all open handles before unloading the .dll.
The LeechCore_Create
takes a pointer to a LC_CONFIG
struct which contains initial configuration information - such as, but not limited to, the desired device type (in the .szDevice property) and possible remote connection configuration (in the .szRemote property). The LeechCore library, will upon success, update this struct with more values that are returned on success. NB! The caller must also fill in the required magic and struct version before making the call to LeechCore_Create. For a complete documentation of the LC_CONFIG
struct please check out the definition in the leechcore.h
header file
Upon initialization LeechCore tries to auto-identify the maximum physical memory address if it is previously unknown. To disable auto-identify please set the paMax
member of the LC_CONFIG
struct to a valid value.
HANDLE LcCreate(
_Inout_ PLC_CONFIG pLcCreateConfig
);
HANDLE LcCreateEx(
_Inout_ PLC_CONFIG pLcCreateConfig,
_Out_opt_ PPLC_CONFIG_ERRORINFO ppLcCreateErrorInfo
);
VOID LcClose(
_In_opt_ _Post_ptr_invalid_ HANDLE hLC
);
VOID LcMemFree(
_Frees_ptr_opt_ PVOID pv
);
The functionality below allows a the calling function to read and possibly write physical memory by using an initialized LeechCore library. The LcAllocScatter*
functions are utility functions meant to ease the allocation of MEM_SCATTER
used in LcReadScatter
and LcWriteScatter
. The preferred read function is LcReadScatter
due to being more efficient than LcRead
if multiple non-contiguous memory pages are to be read.
BOOL LcAllocScatter1(
_In_ DWORD cMEMs,
_Out_ PPMEM_SCATTER *pppMEMs
);
BOOL LcAllocScatter2(
_In_ DWORD cbData,
_Inout_updates_opt_(cbData) PBYTE pbData,
_In_ DWORD cMEMs,
_Out_ PPMEM_SCATTER *pppMEMs
);
BOOL LcAllocScatter3(
_Inout_updates_opt_(0x1000) PBYTE pbDataFirstPage,
_Inout_updates_opt_(0x1000) PBYTE pbDataLastPage,
_In_ DWORD cbData,
_Inout_updates_opt_(cbData) PBYTE pbData,
_In_ DWORD cMEMs,
_Out_ PPMEM_SCATTER *pppMEMs
);
BOOL LcRead(
_In_ HANDLE hLC,
_In_ QWORD pa,
_In_ DWORD cb,
_Out_writes_(cb) PBYTE pb
);
VOID LcReadScatter(
_In_ HANDLE hLC,
_In_ DWORD cMEMs,
_Inout_ PPMEM_SCATTER ppMEMs
);
BOOL LcWrite(
_In_ HANDLE hLC,
_In_ QWORD pa,
_In_ DWORD cb,
_In_reads_(cb) PBYTE pb
);
VOID LcWriteScatter(
_In_ HANDLE hLC,
_In_ DWORD cMEMs,
_Inout_ PPMEM_SCATTER ppMEMs
);
Sometimes it's necessary to query the underlying devices for device specific configuration settings - or even set configurations settings. This is possible to do with the functions below. Numeric options are most often queried and set via the LcGetOption
and LcSetOption
functions. More complex actions are undertaken via the LcCommand
function.
Options related to LcGetOption
and LcSetOption
are found in defines LC_OPT_*
in the leechcore.h
header.
Options related to LcCommand
are found in defines LC_CMD_*
in the leechcore.h
header.
BOOL LcGetOption(
_In_ HANDLE hLC,
_In_ QWORD fOption,
_Out_ PQWORD pqwValue
);
BOOL LcSetOption(
_In_ HANDLE hLC,
_In_ QWORD fOption,
_In_ QWORD qwValue
);
BOOL LcCommand(
_In_ HANDLE hLC,
_In_ QWORD fOption,
_In_ DWORD cbDataIn,
_In_reads_opt_(cbDataIn) PBYTE pbDataIn,
_Out_opt_ PBYTE *ppbDataOut,
_Out_opt_ PDWORD pcbDataOut
);
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖