/* snapdiff.h - per-process temporal snapshot + diff (OS-agnostic handler).
 *
 * A `snapshot` captures the bytes of every mapped run in a VA window under a
 * `cr3` at time T0. snap_diff re-reads the same window now and emits the runs
 * whose bytes changed (coalesced VA-contiguous diffs), including runs that
 * appeared or disappeared since T0. A snapshot is keyed by `vmie_mem* + cr3`;
 * the interface names no Windows object.
 *
 * Ownership: snap_take creates a snapshot and snap_free destroys it.
 * snap_free is safe on NULL.
 */
#ifndef VMIE_SNAPDIFF_H
#define VMIE_SNAPDIFF_H
#include <stdint.h>
#include <stddef.h>
#include "memmodel.h" /* vmie_mem, vregion */
/* Opaque snapshot handle: struct snapshot is only forward-declared in this
 * header, so callers hold it by pointer and use it through the snap_*
 * functions. */
typedef struct snapshot snapshot;
/* Capture the bytes of every mapped run in [lo,hi] (prot filter) under `cr3` at
 * T0. Returns a heap-owned snapshot, or NULL on OOM / bad input.
 *
 * m        - vmie_mem handle (memmodel.h) the window is captured from.
 * cr3      - the `cr3` value the window is captured under.
 * lo, hi   - bounds of the VA window, written above as the closed interval
 *            [lo,hi].
 * prot_any - protection filter; presumably a run is kept when it has any of
 *            these bits set - TODO confirm against the implementation.
 *
 * The caller owns the result and releases it with snap_free.
 *
 * NOTE(review): a snapshot is a copy of the target's memory, so it can hold
 * whatever secrets were mapped in the window. This header does not say whether
 * snap_free scrubs the copy before releasing it - confirm, and treat live
 * snapshots as sensitive data.
 * NOTE(review): the amount copied depends on what is mapped inside [lo,hi] at
 * T0; no size cap is visible in this header, so callers should bound the
 * window they pass in. */
snapshot* snap_take(vmie_mem* m, uintptr_t cr3, uint64_t lo, uint64_t hi, uint32_t prot_any);
/* Release a snapshot from snap_take. Safe on NULL.
 *
 * s - snapshot returned by snap_take, or NULL.
 *
 * Once released, `s` must not be handed to snap_diff or to snap_free again;
 * nothing in this header says either call tolerates a released snapshot. */
void snap_free(snapshot* s);
/* Re-read the window now, compare to the snapshot, and emit changed runs as
 * vregion {va, len, prot = current} - coalescing VA-contiguous changed bytes
 * into one run. Runs that appeared or disappeared since T0 count as changed.
 * Writes up to `max` runs to `changed` (NULL to count only) and returns the
 * TOTAL number of changed runs, or -1 on bad input.
 *
 * s       - snapshot from snap_take; taken as const.
 * m, cr3  - vmie_mem handle and `cr3` to re-read under.
 * changed - caller-provided array with room for `max` entries, or NULL.
 * max     - capacity of `changed`.
 *
 * The return value can exceed `max`: at most `max` entries of `changed` are
 * written, so iterate over min(return, max) entries, never over the raw
 * return value. Every call re-reads memory, so the total from a count-only
 * call may differ from the total of the fill call that follows it.
 *
 * The result compares two reads, so bytes that were modified and then
 * restored between T0 and this call do not appear in it.
 *
 * NOTE(review): the header does not say what happens when `m` / `cr3` differ
 * from the ones the snapshot was taken with - rejected with -1, or diffed
 * against a different address space? Confirm.
 * NOTE(review): the total is returned as an int; confirm the implementation
 * cannot overflow it for very large windows. */
int snap_diff(const snapshot* s, vmie_mem* m, uintptr_t cr3,
              vregion* changed, int max);
#endif /* VMIE_SNAPDIFF_H */