Split the library into CORE / ENGINE / HANDLERS layers

CORE (src/core): vmie_mem — guest-physical substrate with a data-driven
segment map (replaces the hardcoded 4 GiB PCI-hole topology). ENGINE
(src/engine): x86-64 paging + Windows bring-up; produces the generic memory
model. HANDLERS (src/handlers): the signature/value/pointer scanners, which
now consume an OS-agnostic contract.

Keystone: gva_ctx is split into vmie_mem (core) + vmie (engine); the generic
access functions take vmie_mem* + cr3 and no longer compile in the Windows
offset table. New public contract include/memmodel.h (vmie_mem, mem_view_t,
vregion, task, range, the gva_* access); win32 surface in include/vmie.h.
Leak relocations: the PE parser, UTF-16 decode and CR3-recovery heuristics
move engine-side; the matcher stays a pure, source-agnostic handler, and the
pointer scanner takes a generic range[] instead of reaching into the process
enumerator.

include/sigscan.h

@@ -6,26 +6,16 @@
  * results are reported as addresses in the view's own coordinate space
  * (base_va + offset): a guest VA for a virtual view, a GPA for a physical view.
  *
- * This module is pure: it never touches a gva_ctx and performs no I/O. To scan
- * guest memory, build views from the gva layer (see scan.h: gva_sig_scan,
- * gva_pe_section, gva_sig_phys) and feed them here.
+ * This module is pure: it never touches a vmie_mem and performs no I/O. To scan
+ * guest memory, build views from the gva layer (see scan.h: gva_sig_scan) and
+ * feed them here.
  */
 #ifndef VMIE_SIGSCAN_H
 #define VMIE_SIGSCAN_H
 #include <stdint.h>
 #include <stddef.h>
 #include <stdbool.h>
-
-/* A contiguous view of memory.
- *   data    - host pointer to the bytes (borrowed; not owned by the view)
- *   size    - number of valid bytes at `data`
- *   base_va - address that data[0] corresponds to (guest VA, or GPA for a
- *             physical view). All matches are reported as base_va + offset. */
-typedef struct {
-    const uint8_t* data;
-    size_t         size;
-    uint64_t       base_va;
-} mem_view_t;
+#include "memmodel.h"   /* mem_view_t (the single owner of the view type) */
 
 /* A parsed byte pattern. mask[i] == 1 means bytes[i] must match; 0 = wildcard.
  * Owns two heap allocations of `len` bytes each; release with sig_free(). */
@@ -83,23 +73,4 @@ uint64_t sig_rip(mem_view_t v, uint64_t hit_va, size_t disp_off, size_t instr_le
  * is actually available. Useful for narrowing a scan to a [start,end] window. */
 mem_view_t mem_sub(mem_view_t v, uint64_t start_va, size_t size);
 
-/* Locate a PE section by name within a view that contains at least the image
- * headers at `module_base` (the first page is enough).
- *   module_base - image base VA, must be >= v.base_va and inside `v`
- *   name        - section name, e.g. ".text" (compared up to 8 bytes)
- *   rva_out     - receives the section RVA (relative to module_base); may be NULL
- *   vsize_out   - receives the section virtual size; may be NULL
- * Returns true if found. Only the headers need to be present in `v`; the section
- * body does not. */
-bool pe_find_section(mem_view_t v, uint64_t module_base, const char* name,
-                     uint64_t* rva_out, uint32_t* vsize_out);
-
-/* Locate a PE section AND return a sub-view spanning it. Requires the whole
- * section body to be present in `v` (true for an in-memory image dump). Prefer
- * scanning ".text" over a whole image: faster, and avoids false hits in data.
- * Returns true and fills *out on success. For guest memory, where the body is
- * usually not co-resident with the headers, use gva_pe_section (scan.h). */
-bool pe_section(mem_view_t v, uint64_t module_base, const char* name,
-                mem_view_t* out);
-
 #endif /* VMIE_SIGSCAN_H */