Define the win32 engine; add a dump source and physical sigscan

Name and isolate the Windows engine as one of potentially several. The
public surface moves to include/win32.h with an opaque vmie_win32 handle
(vmie_win32_open/close/mem); the engine's Windows internals — host bring-up,
the struct-offset profile, process/module/PE/text decode — live under
src/engine/win32. The generic address-space layer stays in src/engine
(gva.c + engine-arch.h, carrying no offset table): gva.c is de-profiled, and
CR3 bring-up reaches the hot translator through a cold gva_translate bridge
so the zero-copy hot path stays private and inlinable.

A memory source is now first-class and public: vmie_mem_open/_open_segs/
_close open a flat dump (or an explicit segment map) as a vmie_mem, with
gpa_seg promoted to the public contract. The physical signature scan is
exposed source-agnostically: sig_scan_mem returns GPAs for any vmie_mem,
sig_scan_sources scans several sources with per-source attribution, and
sig_from_bytes builds an exact needle from a byte span. The pure matcher is
unchanged; dumps and the live engine image are scanned uniformly, neither
needing the other.
2026-06-15 08:20:50 +03:00
parent b3441dd6f6
commit 93966c3df2
21 changed files with 383 additions and 211 deletions
+34
@@ -27,6 +27,40 @@
* pass it, with a cr3, to the address-space primitives below. */
typedef struct vmie_mem vmie_mem;
/* One contiguous GPA window backed by a file span: GPA [gpa, gpa+len) maps 1:1
* onto file offset [file_off, file_off+len). A POD descriptor, promoted here so
* an explicit-segment dump can be opened through the public surface below; the
* full vmie_mem (which embeds an array of these) is defined in core.h. */
#ifndef VMIE_GPA_SEG_DEFINED
#define VMIE_GPA_SEG_DEFINED
typedef struct gpa_seg {
uint64_t gpa;
uint64_t len;
uint64_t file_off;
} gpa_seg;
#endif
/* ---- dump source lifecycle ----------------------------------------------- *
* A vmie_mem is the universal memory source: a live win32 physical image and an
* on-disk dump are both vmie_mem. These open a dump (or any flat/segmented RAM
* image) as a heap-owned vmie_mem for the source-agnostic physical scanners
* (scan.h: sig_scan_mem/sig_scan_sources). No paging/cr3: a dump supports the
* physical signature scan only. The win32 engine produces its vmie_mem through
* the win32 surface (win32.h) instead. */
/* Open `path` as a single-`low` image (the classic QEMU split; low >= file size
* => one inert identity segment, i.e. a flat dump). Returns a heap-owned handle,
* or NULL on open/mmap failure. Release with vmie_mem_close(). */
vmie_mem* vmie_mem_open(const char* path, uint64_t low);
/* Open `path` with an explicit segment map (`nseg` entries; see gpa_seg). The
* map must be well-formed against the file size (dense, sorted, in-file).
* Returns a heap-owned handle, or NULL on failure. Release with vmie_mem_close(). */
vmie_mem* vmie_mem_open_segs(const char* path, const gpa_seg* segs, int nseg);
/* Unmap, close, and free a handle from vmie_mem_open*. Safe on NULL. */
void vmie_mem_close(vmie_mem* m);
/* ---- flat memory view (single owner) ------------------------------------- *
* A contiguous view of memory.
* data - host pointer to the bytes (borrowed; not owned by the view)
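Review bot: the contract for `vmie_mem_open_segs` does not say whether a malformed segment map is rejected or is caller undefined behaviour; the comment says the map "must be well-formed against the file size (dense, sorted, in-file)" and that NULL is returned "on failure", but it is not stated that a map violating those properties is one of the failures. Since this is a public surface that opens untrusted dump files, the header should commit to validation: sorted and non-overlapping GPA windows, every `[file_off, file_off+len)` inside the file size, and no `uint64_t` wrap in `gpa+len` or `file_off+len`, with NULL returned otherwise; `nseg` as `int` also leaves a negative count unspecified, so either take `size_t` or document that `nseg <= 0` returns NULL. Separately, the `#ifndef VMIE_GPA_SEG_DEFINED` guard around `typedef struct gpa_seg` implies the same struct may be spelled out in a second header (the comment points at core.h); two guarded copies can drift silently, so prefer one definition that the other header includes.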