lirent/vatrog-vm-introspection-engine
1
0
Fork 0
mirror of https://dev.lirent.ru/Vatrog/vm-introspection-engine.git synced 2026-06-18 04:16:39 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add PE section enumeration and section views (section-local / RVA / absolute)

Browse Source 
vmie_win32_sections lists a module's PE sections (name, RVA, virtual size,
VR_* protection) for any image base in a process address space - including a
base found by scanning, not only loader-list modules. vmie_win32_section_view
gathers a section's bytes into a caller buffer and returns a mem_view_t whose
base_va is chosen by view_base: SECTION_LOCAL (0, section-relative offsets),
MODULE_RVA (ASLR-stable module RVAs), or ABSOLUTE_VA (live VA). Because the pure
scanners report base_va + offset, the mode directly selects the coordinate space
of every hit - feeding a view to sig_all or x86_decode yields section-relative,
RVA, or absolute results with no extra work.

The MZ/PE header walk is factored into one helper that both pe_find_section and
the new enumerator share - no second parser. The whole public surface is
documented with the operational nuances (coordinate stability, borrowed-buffer
lifetime, truncation, residency) and worked examples.
This commit is contained in:
Gregory Lirent
2026-06-16 19:06:59 +03:00
parent 3199fbf258
commit 06230ac680
3 changed files with 273 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/engine/include/pe.h
+17
View File
@@ -14,6 +14,23 @@
#include <stdbool.h>
#include "memmodel.h" /* mem_view_t, vmie_mem */
/* One enumerated PE section header, decoded by pe_sections. Mirrors the public
* win32 section_desc, but stays engine-private (this header is engine-only).
* name - section name, NUL-terminated (PE names are <= 8 bytes; name[8] NUL)
* rva - section RVA (relative to module_base)
* vsize - virtual size in bytes
* prot - VR_R/VR_W/VR_X from the section Characteristics (VR_U never set) */
typedef struct { char name[9]; uint32_t rva; uint32_t vsize; uint32_t prot; } pe_secrec;
/* Enumerate the section headers of the PE image based at `module_base` inside a
* view holding at least the image headers (the first page is enough).
* out, max - caller array receiving up to `max` pe_secrec; out may be NULL to
* count only. Headers truncated by the view end are not reported.
* Returns the TOTAL section count (may exceed `max`), or -1 if `v` does not hold
* a parseable PE at `module_base`. Shares the section-table walk with
* pe_find_section (one header parser, no duplication). */
int pe_sections(mem_view_t v, uint64_t module_base, pe_secrec* out, int max);
/* Locate a PE section by name within a view that contains at least the image
* headers at `module_base` (the first page is enough).
* module_base - image base VA, must be >= v.base_va and inside `v`