mirror of
https://dev.lirent.ru/Vatrog/vm-introspection-engine.git
synced 2026-06-18 02:06:36 +03:00
lirent
06230ac680
vmie_win32_sections lists a module's PE sections (name, RVA, virtual size, VR_* protection) for any image base in a process address space - including a base found by scanning, not only loader-list modules. vmie_win32_section_view gathers a section's bytes into a caller buffer and returns a mem_view_t whose base_va is chosen by view_base: SECTION_LOCAL (0, section-relative offsets), MODULE_RVA (ASLR-stable module RVAs), or ABSOLUTE_VA (live VA). Because the pure scanners report base_va + offset, the mode directly selects the coordinate space of every hit - feeding a view to sig_all or x86_decode yields section-relative, RVA, or absolute results with no extra work. The MZ/PE header walk is factored into one helper that both pe_find_section and the new enumerator share - no second parser. The whole public surface is documented with the operational nuances (coordinate stability, borrowed-buffer lifetime, truncation, residency) and worked examples.