lirent/vatrog-vm-introspection-engine
1
0
Fork 0
mirror of https://dev.lirent.ru/Vatrog/vm-introspection-engine.git synced 2026-06-18 03:06:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add process-scoped scanning algorithms: multi-pattern, code-xref, pointer-map, dissection, snapshot diff

Browse Source 
All are OS-agnostic handlers keyed by vmie_mem* + cr3, built on the windowed
sweep / region walk / matcher; none names a Windows concept and each compiles
against include/ alone.

Scanning: a compiled multi-pattern automaton (Aho-Corasick over each pattern's
longest literal anchor, then a masked verify) finds N signatures in one sweep
pass (sigscan.h sigset; scan.h gva_sig_scan_multi). gva_code_xref decodes
rel32 call/jmp and RIP-relative lea/mov to find every instruction targeting a
given VA.

Pointer graph (pmap.h): one sweep indexes every qword whose value lands in a
mapped region into reverse + forward edges. pmap_referrers is the keystone -
it answers who-points-here, class-instance enumeration (referrers of a vtable
VA), and string xref (referrers of a string VA) from the same index;
pmap_paths is the indexed counterpart to scan_pointer's one-shot DFS;
struct_dissect classifies the qwords of an instance (pointer/vtable/float/
int/string) into a field map.

Temporal (snapdiff.h): snap_take captures a window's bytes, snap_diff reports
the changed runs against a later read.
This commit is contained in:
Gregory Lirent
2026-06-16 17:38:10 +03:00
parent 25b8ed8ca9
commit c36ffe295d
9 changed files with 1160 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
include/scan.h
+28
View File
@@ -53,6 +53,34 @@ int scan_pointer(vmie_mem* m, uintptr_t cr3, const range* mods, int nmods,
uint64_t target, int max_depth, uint32_t max_off,
scan_ptr_path* out, int max);
/* ---- multi-pattern + code-xref bridges (over sigscan.h / gva_sweep) ------ *
* Same windowed-seam discipline as gva_sig_scan, but for a compiled sigset and
* a heuristic rel32 decoder. Both stream guest memory through gva_sweep and
* report VAs in the guest's own coordinate space. */
/* One attributed multi-pattern hit: which compiled pattern, and where. */
typedef struct { int pattern; uint64_t va; } sig_multi_hit;
/* Windowed multi-pattern scan over [lo,hi]: drives sig_set_each on each window,
* seam-deduped like gva_sig_scan. The sweep overlap is (longest pattern len - 1)
* = sigset_maxlen(s) - 1, so no full pattern is split at a window boundary.
* Writes up to `max` hits to `out` (NULL to count only) and returns the TOTAL
* number of hits, or -1 on a NULL/empty sigset. */
int gva_sig_scan_multi(vmie_mem* m, uintptr_t cr3, uint64_t lo, uint64_t hi,
uint32_t prot_any, const sigset* s,
sig_multi_hit* out, int max);
/* code-xref: every instruction in the X-regions of [lo,hi] whose rel32 operand
* targets `target_va`. Heuristic decoder (NOT a full disassembler): recognizes
* E8 call / E9 jmp (next_rip + disp32) and the RIP-relative ModRM forms
* (mod=00, rm=101) of lea/mov (REX.W 8D / 8B) where target = next_rip +
* (int32)disp. Records each matching instruction-start VA. The sweep forces
* VR_X and carries a >=15-byte overlap (max x86 instruction length) so no
* instruction is cut at a window seam. Writes up to `max` VAs to `out` (NULL to
* count only) and returns the TOTAL number of matches, or -1 on bad input. */
int gva_code_xref(vmie_mem* m, uintptr_t cr3, uint64_t lo, uint64_t hi,
uint64_t target_va, uint64_t* out, int max);
/* gva bridges to the signature matcher: build mem_view from guest memory and feed sigscan.h */
int gva_sig_scan (vmie_mem* m, uintptr_t cr3, uint64_t lo, uint64_t hi,
uint32_t prot_any, const sig_pattern_t* p, uint64_t* out, int max);