lirent/vatrog-vm-introspection-engine
1
0
Fork 0
mirror of https://dev.lirent.ru/Vatrog/vm-introspection-engine.git synced 2026-06-18 04:16:39 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add function inventory (.pdata), signature generation, and export/PDB symbols

Browse Source 
Three reversing capabilities on the win32 surface plus a pure sig-gen handler:

- vmie_win32_functions enumerates a module's functions from the exception
  directory (.pdata RUNTIME_FUNCTION), folding unwind chain continuations into
  their primary - authoritative non-leaf boundaries, not prologue heuristics.
- vmie_win32_exports resolves the export table to {name, rva, ordinal,
  forwarded}: named functions with no PDB or network. vmie_win32_pdb_ref pulls
  the CodeView/RSDS {guid, age, pdb} from the debug directory - the symbol-server
  key for any module (full PDB parsing stays out of scope).
- sig_generate (siggen.h) builds a unique masked signature for a code span,
  wildcarding the rel/RIP-relative displacement bytes the x86 decoder locates and
  growing until it matches the scope exactly once - the dual of sigscan.

The decoder now also reports disp_off/disp_len so a caller can mask the floating
bytes. The MZ/PE walk gains one shared data-directory accessor and one shared
CodeView/RSDS parser; the kernel bootstrap is moved onto both, removing its
private copies - one PE parser in the tree.
This commit is contained in:
Gregory Lirent
2026-06-16 19:27:42 +03:00
parent 06230ac680
commit c4419964aa
9 changed files with 542 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/engine/include/pe.h
+32
View File
@@ -60,4 +60,36 @@ bool pe_section(mem_view_t v, uint64_t module_base, const char* name,
int vmie_pe_section(vmie_mem* m, uintptr_t cr3, uint64_t module_base,
const char* name, uint8_t* buf, size_t bufcap, mem_view_t* out);
/* OptionalHeader DataDirectory indices used across the engine. */
#define PE_DIR_EXPORT 0u /* IMAGE_DIRECTORY_ENTRY_EXPORT */
#define PE_DIR_DEBUG 6u /* IMAGE_DIRECTORY_ENTRY_DEBUG */
#define PE_DIR_EXCEPTION 3u /* IMAGE_DIRECTORY_ENTRY_EXCEPTION (.pdata) */
/* Read one OptionalHeader DataDirectory entry of the PE32+ image based at `base`
* in the address space `cr3`. This is the SINGLE data-directory accessor used by
* every directory walk in the engine (.pdata / export / debug) - it walks the
* DOS+NT headers from `base` once and reads DataDirectory[idx].
* idx - directory index (PE_DIR_*).
* rva - receives DataDirectory[idx].VirtualAddress (0 if the directory is
* absent); never NULL.
* size - receives DataDirectory[idx].Size; may be NULL.
* Returns 0 on success (rva/size filled), -1 if the headers are unreadable. A
* present-but-absent directory reports rva==0 with return 0. */
int pe_data_dir(vmie_mem* m, uintptr_t cr3, uint64_t base, unsigned idx,
uint32_t* rva, uint32_t* size);
/* Extract a module's CodeView RSDS reference from its debug directory. This is
* the SINGLE debug-dir/RSDS parser in the engine, shared by the kernel bootstrap
* (host.c) and the public vmie_win32_pdb_ref - there is no second copy.
* base - image base VA in `cr3`.
* guid[16] - receives the PDB GUID (in-memory byte order); never NULL.
* age - receives the PDB age; never NULL.
* name - receives the NUL-terminated PDB file name; never NULL.
* namecap - capacity of `name` (>= 1). The name is truncated to namecap-1.
* Walks PE_DIR_DEBUG for an IMAGE_DEBUG_TYPE_CODEVIEW entry whose payload starts
* with 'RSDS', then reads {guid, age, name}. Returns 0 on success, -1 if there
* is no debug directory, no CodeView/RSDS entry, or the bytes are unreadable. */
int pe_pdb_ref(vmie_mem* m, uintptr_t cr3, uint64_t base,
uint8_t guid[16], uint32_t* age, char* name, size_t namecap);
#endif /* VMIE_PE_H */