Version 3.150 - Refactor VmmSearch to stateless API; add new native APIs

- Refactored VmmSearch from object/disposable to static/stateless API (breaking change); updated all usages and tests
- Added VMMDLL_MemReadPage and VMMDLL_WinGetThunkInfoIATW native APIs
- Introduced new SearchItem and SearchResult types for clarity and safety
- Added MemReadPage, MemReadPagePooled, and WinGetThunkInfoIAT methods to Vmm

Author: lone7254

README.md

@@ -10,8 +10,13 @@ Install-Package VmmSharpEx
 This library is **Windows Only**, and only bundles/targets the Windows x64 native libraries.
 
 ## Changelog
+- Version 3.150
+  - Added new APIs: VMMDLL_MemReadPage, VMMDLL_WinGetThunkInfoIATW
+  - Refactor VmmSearch to a static/stateless API. Provides better resource cleanup guarantees than the former object-based model. **This is a breaking change.**
 - Version 3.140
-  - Bump MemProcFS to 5.16.10 (fixes rare access violation in Scatter API)
+  - Bump MemProcFS to 5.16.11 (fixes rare buffer overflow/access violation in Scatter API)
+  - Improve finalizer safety
+  - #nullable support
 - Version 3.130
   - Optimized lots of methods and implementations.
   - Some breaking changes with a few renames and changed Map_Get return values to return NULL on failure instead of an empty array.

src/VmmSharpEx/Extensions/VmmExtensions.cs

@@ -243,20 +243,25 @@ public static ulong FindSignature(this Vmm vmm, uint pid, string signature, ulon
                     skipBytes[i] = 0;
                 }
             }
-            using var vmmSearch = vmm.CreateSearch(
+            var entries = new VmmSearch.SearchItem[]
+            {
+                new VmmSearch.SearchItem
+                {
+                    Search = searchBytes,
+                    SkipMask = skipBytes
+                }
+            };
+            var vmmSearch = vmm.MemSearch(
                 pid: pid,
+                searchItems: entries,
                 addr_min: addrMin,
                 addr_max: addrMax,
                 cMaxResult: 1);
-            vmmSearch.AddEntry(
-                search: searchBytes,
-                skipmask: skipBytes);
-            var result = vmmSearch.GetResult();
-            if (result.Results.Count == 0)
+            if (vmmSearch.Results.Count == 0)
             {
                 return 0;
             }
-            return result.Results.First().Address;
+            return vmmSearch.Results.First().Address;
         }
     }
 }

src/VmmSharpEx/Internal/Vmmi.cs

@@ -47,7 +47,6 @@ internal static partial class Vmmi
     public const uint VMMDLL_MAP_VM_VERSION = 2;
     public const uint VMMDLL_MAP_PFN_VERSION = 1;
     public const uint VMMDLL_MAP_SERVICE_VERSION = 3;
-    public const uint VMMDLL_MEM_SEARCH_VERSION = 0xfe3e0003;
     public const uint VMMDLL_REGISTRY_HIVE_INFORMATION_VERSION = 4;
 
     public const uint VMMDLL_VFS_FILELIST_EXINFO_VERSION = 1;
@@ -1000,6 +999,14 @@ public static unsafe partial bool VMMDLL_MemReadEx(
         out uint pcbReadOpt,
         VmmFlags flags);
 
+    [LibraryImport("vmm.dll", EntryPoint = "VMMDLL_MemReadPage")]
+    [return: MarshalAs(UnmanagedType.Bool)]
+    public static unsafe partial bool VMMDLL_MemReadPage(
+        IntPtr hVMM,
+        uint dwPID,
+        ulong qwA,
+        byte* pbPage);
+
     [LibraryImport("vmm.dll", EntryPoint = "VMMDLL_MemPrefetchPages")]
     [return: MarshalAs(UnmanagedType.Bool)]
     public static unsafe partial bool VMMDLL_MemPrefetchPages(
@@ -1458,6 +1465,8 @@ public static unsafe partial bool VMMDLL_Log(
         [MarshalAs(UnmanagedType.LPStr)] string uszFormat,
         [MarshalAs(UnmanagedType.LPUTF8Str)] string uszTextToLog);
 
+    // Misc
+
     [LibraryImport("vmm.dll", EntryPoint = "VMMDLL_LogCallback")]
     [return: MarshalAs(UnmanagedType.Bool)]
     public static partial bool VMMDLL_LogCallback(
@@ -1472,5 +1481,16 @@ public static unsafe partial bool VMMDLL_MemCallback(
         IntPtr ctxUser,
         Vmm.VMMDLL_MEM_CALLBACK_PFN pfnCB);
 
+    [LibraryImport("vmm.dll", EntryPoint = "VMMDLL_WinGetThunkInfoIATW", StringMarshalling = StringMarshalling.Utf16)]
+    [return: MarshalAs(UnmanagedType.Bool)]
+    public static partial bool VMMDLL_WinGetThunkInfoIATW(
+        IntPtr hVMM,
+        uint dwPID,
+        [MarshalAs(UnmanagedType.LPWStr)] string wszModuleName,
+        [MarshalAs(UnmanagedType.LPStr)] string szImportModuleName,
+        [MarshalAs(UnmanagedType.LPStr)] string szImportFunctionName,
+        out Vmm.VMMDLL_WIN_THUNKINFO_IAT pThunkInfoIAT
+    );
+
     #endregion
 }

src/VmmSharpEx/Vmm.cs

@@ -17,13 +17,15 @@
 
 using Collections.Pooled;
 using System.Buffers;
+using System.Net;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
 using System.Text;
 using VmmSharpEx.Internal;
 using VmmSharpEx.Options;
 using VmmSharpEx.Refresh;
 using VmmSharpEx.Scatter;
+using static System.Runtime.InteropServices.JavaScript.JSType;
 
 namespace VmmSharpEx;
 
@@ -582,6 +584,43 @@ public unsafe bool MemReadSpan<T>(uint pid, ulong va, Span<T> span, VmmFlags fla
         }
     }
 
+    /// <summary>
+    /// Read a single 4096-byte page of memory.
+    /// </summary>
+    /// <param name="pid">PID of target process, (DWORD)-1 to read physical memory.</param>
+    /// <param name="qwA">Page address to read from.</param>
+    /// <returns>Byte array on success; otherwise null.</returns>
+    public unsafe byte[]? MemReadPage(uint pid, ulong qwA)
+    {
+        var arr = new byte[0x1000];
+        fixed (byte* pb = arr)
+        {
+            if (!Vmmi.VMMDLL_MemReadPage(_handle, pid, qwA, pb))
+                return null;
+        }
+        return arr;
+    }
+
+    /// <summary>
+    /// Read a single 4096-byte page of memory (Pooled).
+    /// </summary>
+    /// <param name="pid">PID of target process, (DWORD)-1 to read physical memory.</param>
+    /// <param name="qwA">Page address to read from.</param>
+    /// <returns>Pooled array on success; otherwise null.</returns>
+    public unsafe IMemoryOwner<byte>? MemReadPagePooled(uint pid, ulong qwA)
+    {
+        var pooled = new PooledMemory<byte>(0x1000);
+        fixed (byte* pb = pooled.Memory.Span)
+        {
+            if (!Vmmi.VMMDLL_MemReadPage(_handle, pid, qwA, pb))
+            {
+                pooled.Dispose();
+                return null;
+            }
+        }
+        return pooled;
+    }
+
     /// <summary>
     /// Prefetch pages into the MemProcFS internal cache.
     /// </summary>
@@ -3489,20 +3528,6 @@ public bool MemCallback(VmmMemCallbackType type, IntPtr context, VMMDLL_MEM_CALL
         return Vmmi.VMMDLL_MemCallback(_handle, type, context, pfnCB);
     }
 
-    /// <summary>
-    /// Create a <see cref="VmmSearch"/> object for searching memory.
-    /// </summary>
-    /// <param name="pid">Process ID (PID) for this operation.</param>
-    /// <param name="addr_min">Minimum address to search (inclusive).</param>
-    /// <param name="addr_max">Maximum address to search (inclusive).</param>
-    /// <param name="cMaxResult">Maximum number of results to collect (0 = unlimited).</param>
-    /// <param name="readFlags">Optional read flags passed to the search engine.</param>
-    /// <returns>A configured <see cref="VmmSearch"/> instance.</returns>
-    public VmmSearch CreateSearch(uint pid, ulong addr_min = 0, ulong addr_max = ulong.MaxValue, uint cMaxResult = 0, uint readFlags = 0)
-    {
-        return new VmmSearch(this, pid, addr_min, addr_max, cMaxResult, readFlags);
-    }
-
     /// <summary>
     /// Throw an exception if memory writing is disabled.
     /// </summary>
@@ -3516,6 +3541,58 @@ internal void ThrowIfMemWritesDisabled()
         }
     }
 
+    [StructLayout(LayoutKind.Sequential)]
+    public struct VMMDLL_WIN_THUNKINFO_IAT
+    {
+        private int _fValid; // WIN32 BOOL
+        public bool fValid
+        {
+            readonly get => _fValid != 0;
+            set => _fValid = value ? 1 : 0;
+        }
+        private int _f32; // WIN32 BOOL
+        /// <summary>
+        /// if TRUE fn is a 32-bit/4-byte entry, otherwise 64-bit/8-byte entry.
+        /// </summary>
+        public bool f32
+        {
+            readonly get => _f32 != 0;
+            set => _f32 = value ? 1 : 0;
+        }
+        /// <summary>
+        /// address of import address table 'thunk'.
+        /// </summary>        
+        public ulong vaThunk;
+        /// <summary>
+        /// value if import address table 'thunk' == address of imported function.
+        /// </summary>        
+        public ulong vaFunction;
+        /// <summary>
+        /// address of name string for imported module.
+        /// </summary>        
+        public ulong vaNameModule;
+        /// <summary>
+        /// address of name string for imported function.
+        /// </summary>
+        public ulong vaNameFunction;
+    }
+
+    /// <summary>
+    /// Retrieve information about the import address table IAT thunk for an imported
+    /// function.This includes the virtual address of the IAT thunk which is useful
+    /// for hooking.
+    /// </summary>
+    /// <param name="dwPID"></param>
+    /// <param name="wszModuleName"></param>
+    /// <param name="szImportModuleName"></param>
+    /// <param name="szImportFunctionName"></param>
+    /// <param name="pThunkInfoIAT"></param>
+    /// <returns><see langword="true"/> if the call was successful, otherwise <see langword="false"/>.</returns>
+    public bool WinGetThunkInfoIAT(uint dwPID, string wszModuleName, string szImportModuleName, string szImportFunctionName, out VMMDLL_WIN_THUNKINFO_IAT pThunkInfoIAT)
+    {
+        return Vmmi.VMMDLL_WinGetThunkInfoIATW(_handle, dwPID, wszModuleName, szImportModuleName, szImportFunctionName, out pThunkInfoIAT);
+    }
+
     #endregion // Utility functionality
 
     #region Custom Refresh Functionality