Split the library into CORE / ENGINE / HANDLERS layers

CORE (src/core): vmie_mem — guest-physical substrate with a data-driven
segment map (replaces the hardcoded 4 GiB PCI-hole topology). ENGINE
(src/engine): x86-64 paging + Windows bring-up; produces the generic memory
model. HANDLERS (src/handlers): the signature/value/pointer scanners, which
now consume an OS-agnostic contract.

Keystone: gva_ctx is split into vmie_mem (core) + vmie (engine); the generic
access functions take vmie_mem* + cr3 and no longer compile in the Windows
offset table. New public contract include/memmodel.h (vmie_mem, mem_view_t,
vregion, task, range, the gva_* access); win32 surface in include/vmie.h.
Leak relocations: the PE parser, UTF-16 decode and CR3-recovery heuristics
move engine-side; the matcher stays a pure, source-agnostic handler, and the
pointer scanner takes a generic range[] instead of reaching into the process
enumerator.

include/scan.h

@@ -1,16 +1,21 @@
 /* scan.h - typed value scanner, pointer scanner, and gva<->signature bridges.
  *
- * Layered above the pure matcher (sigscan.h) and the gva core (include.h): this
- * is the gva-bound scanning surface. The value scanner narrows a candidate set
- * across successive snapshots; the pointer scanner discovers module-anchored
+ * Layered above the pure matcher (sigscan.h) and the generic memory-model
+ * contract (memmodel.h): this is the OS-agnostic scanning surface. Everything
+ * here is keyed by a `vmie_mem*` + `cr3` (and, for the pointer scan, a decoded
+ * `range[]`); it names no Windows object. The value scanner narrows a candidate
+ * set across successive snapshots; the pointer scanner discovers range-anchored
  * pointer chains; the gva_sig_* bridges build mem_view_t windows out of guest
  * memory and feed them to the signature matcher.
+ *
+ * The Windows-typed convenience entry points (scan_new(process*),
+ * vmie_scan_pointer(process*)) live in the win32 surface (vmie.h).
  */
 #ifndef VMIE_SCAN_H
 #define VMIE_SCAN_H
 #include <stdint.h>
 #include <stddef.h>
-#include "include.h"     /* gva_ctx, process (vregion - internal) */
+#include "memmodel.h"    /* vmie_mem, range, vregion */
 #include "sigscan.h"     /* mem_view_t, sig_pattern_t */
 
 /* typed value scanner. ENUMERATOR ORDER IS LOAD-BEARING: scan.c indexes the
@@ -32,32 +37,31 @@ typedef struct { uint64_t addr; uint64_t value; } scan_hit;
 
 #define SCAN_PTR_MAXDEPTH 8                      /* DFS depth and size of off[] */
 typedef struct {
-    uint64_t base;                              /* module-anchored base address */
+    uint64_t base;                              /* range-anchored base address  */
     int      depth;                             /* number of offsets in off[]   */
     int32_t  off[SCAN_PTR_MAXDEPTH];            /* dereference chain            */
 } scan_ptr_path;
 
-scan*   scan_new(gva_ctx* ctx, const process* pr, scan_type t, const void* value,
-                 int be, int aligned, uint64_t lo, uint64_t hi);
-scan*   scan_new_cr3(gva_ctx* ctx, uintptr_t cr3, scan_type t, const void* value,
+scan*   scan_new_cr3(vmie_mem* m, uintptr_t cr3, scan_type t, const void* value,
                      int be, int aligned, uint64_t lo, uint64_t hi);
 int64_t scan_next(scan* s, scan_op op, const void* value);
 int64_t scan_count(scan* s);
 int     scan_results(scan* s, uint64_t offset, int max, scan_hit* out);
 void    scan_free(scan* s);
 
-int     scan_pointer(gva_ctx* ctx, const process* pr, uint64_t target,
-                     int max_depth, uint32_t max_off, scan_ptr_path* out, int max);
+int     scan_pointer(vmie_mem* m, uintptr_t cr3, const range* mods, int nmods,
+                     uint64_t target, int max_depth, uint32_t max_off,
+                     scan_ptr_path* out, int max);
 
 /* gva bridges to the signature matcher: build mem_view from guest memory and feed sigscan.h */
-int gva_sig_scan (gva_ctx* ctx, uintptr_t cr3, uint64_t lo, uint64_t hi,
+int gva_sig_scan (vmie_mem* m, uintptr_t cr3, uint64_t lo, uint64_t hi,
                   uint32_t prot_any, const sig_pattern_t* p, uint64_t* out, int max);
-int gva_sig_first(gva_ctx* ctx, uintptr_t cr3, uint64_t lo, uint64_t hi,
+int gva_sig_first(vmie_mem* m, uintptr_t cr3, uint64_t lo, uint64_t hi,
                   uint32_t prot_any, const sig_pattern_t* p, uint64_t* va);
-int gva_sig_rip  (gva_ctx* ctx, uintptr_t cr3, uint64_t hit_va,
+int gva_sig_rip  (vmie_mem* m, uintptr_t cr3, uint64_t hit_va,
                   size_t disp_off, size_t instr_len, uint64_t* target);
-int gva_pe_section(gva_ctx* ctx, uintptr_t cr3, uint64_t module_base,
-                   const char* name, uint8_t* buf, size_t bufcap, mem_view_t* out);
-int gva_sig_phys (gva_ctx* ctx, const sig_pattern_t* p, uint64_t* out, int max);
+
+/* gva_sig_phys (scan the raw physical image) needs the core segment map, so it
+ * is an engine bridge, declared in engine.h - not part of the handler surface. */
 
 #endif /* VMIE_SCAN_H */