lirent/vatrog-vm-introspection-engine
1
0
Fork 0
mirror of https://dev.lirent.ru/Vatrog/vm-introspection-engine.git synced 2026-06-18 03:06:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

Define the win32 engine; add a dump source and physical sigscan

Browse Source 
Name and isolate the Windows engine as one of potentially several. The
public surface moves to include/win32.h with an opaque vmie_win32 handle
(vmie_win32_open/close/mem); the engine's Windows internals — host bring-up,
the struct-offset profile, process/module/PE/text decode — live under
src/engine/win32. The generic address-space layer stays in src/engine
(gva.c + engine-arch.h, carrying no offset table): gva.c is de-profiled, and
CR3 bring-up reaches the hot translator through a cold gva_translate bridge
so the zero-copy hot path stays private and inlinable.

A memory source is now first-class and public: vmie_mem_open/_open_segs/
_close open a flat dump (or an explicit segment map) as a vmie_mem, with
gpa_seg promoted to the public contract. The physical signature scan is
exposed source-agnostically: sig_scan_mem returns GPAs for any vmie_mem,
sig_scan_sources scans several sources with per-source attribution, and
sig_from_bytes builds an exact needle from a byte span. The pure matcher is
unchanged; dumps and the live engine image are scanned uniformly, neither
needing the other.
This commit is contained in:
Gregory Lirent
2026-06-15 08:20:50 +03:00
parent b3441dd6f6
commit 93966c3df2
21 changed files with 383 additions and 211 deletions
Download Patch File Download Diff File Expand all files Collapse all files
include/scan.h
+19 -3
View File
@@ -9,7 +9,7 @@
* memory and feed them to the signature matcher.
*
* The Windows-typed convenience entry points (scan_new(process*),
* vmie_scan_pointer(process*)) live in the win32 surface (vmie.h).
* vmie_scan_pointer(process*)) live in the win32 surface (win32.h).
*/
#ifndef VMIE_SCAN_H
#define VMIE_SCAN_H
@@ -61,7 +61,23 @@ int gva_sig_first(vmie_mem* m, uintptr_t cr3, uint64_t lo, uint64_t hi,
int gva_sig_rip (vmie_mem* m, uintptr_t cr3, uint64_t hit_va,
size_t disp_off, size_t instr_len, uint64_t* target);
/* gva_sig_phys (scan the raw physical image) needs the core segment map, so it
* is an engine bridge, declared in engine.h - not part of the handler surface. */
/* ---- physical-image signature scan (OS-agnostic engine bridge) ----------- *
* Scan the raw physical image (the core segment map) for a signature, without a
* cr3 or page tables: each seg is one mem_view_t over its file span, fed to the
* pure matcher. This is the dump path - a dump (vmie_mem_open*) supports the
* physical scan only. Keyed by vmie_mem*, like the rest of this header. */
/* Attributed hit from a multi-source scan: which source matched, and where. */
typedef struct { int source; uint64_t gpa; } sig_hit_src;
/* Scan one physical image for `p`. Writes up to `max` GPA hits to `out` (NULL to
* count only) and returns the TOTAL number of hits, or -1 on a bad pattern. */
int sig_scan_mem (vmie_mem* m, const sig_pattern_t* p, uint64_t* out, int max);
/* Scan `nsrc` physical images for `p`, tagging each hit with its source index.
* Writes up to `max` attributed hits to `out` (NULL to count only) and returns
* the TOTAL across all sources, or -1 on a bad pattern. */
int sig_scan_sources(vmie_mem* const* srcs, int nsrc, const sig_pattern_t* p,
sig_hit_src* out, int max);
#endif /* VMIE_SCAN_H */