lirent/vatrog-vm-introspection-engine
1
0
Fork 0
mirror of https://dev.lirent.ru/Vatrog/vm-introspection-engine.git synced 2026-06-18 04:16:39 +03:00
Code Issues Packages Projects Releases Wiki Activity

Split the library into CORE / ENGINE / HANDLERS layers

Browse Source 
CORE (src/core): vmie_mem — guest-physical substrate with a data-driven
segment map (replaces the hardcoded 4 GiB PCI-hole topology). ENGINE
(src/engine): x86-64 paging + Windows bring-up; produces the generic memory
model. HANDLERS (src/handlers): the signature/value/pointer scanners, which
now consume an OS-agnostic contract.

Keystone: gva_ctx is split into vmie_mem (core) + vmie (engine); the generic
access functions take vmie_mem* + cr3 and no longer compile in the Windows
offset table. New public contract include/memmodel.h (vmie_mem, mem_view_t,
vregion, task, range, the gva_* access); win32 surface in include/vmie.h.
Leak relocations: the PE parser, UTF-16 decode and CR3-recovery heuristics
move engine-side; the matcher stays a pure, source-agnostic handler, and the
pointer scanner takes a generic range[] instead of reaching into the process
enumerator.
This commit is contained in:
Gregory Lirent
2026-06-15 02:57:46 +03:00
parent 7c0995a4f2
commit b3441dd6f6
24 changed files with 1014 additions and 766 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/engine/include/pe.h
+46
View File
@@ -0,0 +1,46 @@
/* pe.h - PE/COFF image parsing (engine-private, Windows-specific).
*
* Locating a section by name inside a mapped PE image is a Windows-image
* concern, not a property of the source-agnostic matcher: it lives in the
* engine, alongside the rest of the Windows bring-up. Handlers never see this
* header - they consume only the generic memory model (memmodel.h) and the pure
* matcher (sigscan.h). The engine uses these to build mem_view_t windows out of
* a guest image and feed them to the matcher.
*/
#ifndef VMIE_PE_H
#define VMIE_PE_H
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include "memmodel.h" /* mem_view_t, vmie_mem */
/* Locate a PE section by name within a view that contains at least the image
* headers at `module_base` (the first page is enough).
* module_base - image base VA, must be >= v.base_va and inside `v`
* name - section name, e.g. ".text" (compared up to 8 bytes)
* rva_out - receives the section RVA (relative to module_base); may be NULL
* vsize_out - receives the section virtual size; may be NULL
* Returns true if found. Only the headers need to be present in `v`; the section
* body does not. */
bool pe_find_section(mem_view_t v, uint64_t module_base, const char* name,
uint64_t* rva_out, uint32_t* vsize_out);
/* Locate a PE section AND return a sub-view spanning it. Requires the whole
* section body to be present in `v` (true for an in-memory image dump). Prefer
* scanning ".text" over a whole image: faster, and avoids false hits in data.
* Returns true and fills *out on success. For guest memory, where the body is
* usually not co-resident with the headers, use vmie_pe_section. */
bool pe_section(mem_view_t v, uint64_t module_base, const char* name,
mem_view_t* out);
/* Read a PE section out of guest memory under `cr3` into `buf`.
* module_base - image base VA (headers read from the first page)
* name - section name, e.g. ".text"
* buf, bufcap - destination buffer and its capacity (section is truncated to fit)
* out - on success, a view spanning the bytes read into `buf`
* Returns 0 on success, -1 if the headers/section are unreadable or absent. The
* guest image body need not be co-resident with the headers (unlike pe_section).*/
int vmie_pe_section(vmie_mem* m, uintptr_t cr3, uint64_t module_base,
const char* name, uint8_t* buf, size_t bufcap, mem_view_t* out);
#endif /* VMIE_PE_H */