vatrog-vm-introspection-engine/include/snapdiff.h
lirent c36ffe295d Add process-scoped scanning algorithms: multi-pattern, code-xref, pointer-map, dissection, snapshot diff
All are OS-agnostic handlers keyed by vmie_mem* + cr3, built on the windowed
sweep / region walk / matcher; none names a Windows concept and each compiles
against include/ alone.

Scanning: a compiled multi-pattern automaton (Aho-Corasick over each pattern's
longest literal anchor, then a masked verify) finds N signatures in one sweep
pass (sigscan.h sigset; scan.h gva_sig_scan_multi). gva_code_xref decodes
rel32 call/jmp and RIP-relative lea/mov to find every instruction targeting a
given VA.

Pointer graph (pmap.h): one sweep indexes every qword whose value lands in a
mapped region into reverse + forward edges. pmap_referrers is the keystone -
it answers who-points-here, class-instance enumeration (referrers of a vtable
VA), and string xref (referrers of a string VA) from the same index;
pmap_paths is the indexed counterpart to scan_pointer's one-shot DFS;
struct_dissect classifies the qwords of an instance (pointer/vtable/float/
int/string) into a field map.

Temporal (snapdiff.h): snap_take captures a window's bytes, snap_diff reports
the changed runs against a later read.
2026-06-16 17:38:10 +03:00

35 lines
1.5 KiB
C

/* snapdiff.h - per-process temporal snapshot + diff (OS-agnostic handler).
 *
 * A `snapshot` captures the bytes of every mapped run in a VA window under a
 * `cr3` at time T0. snap_diff re-reads the same window now and emits the runs
 * whose bytes changed (coalesced VA-contiguous diffs), including runs that
 * appeared or disappeared since T0. Keyed by `vmie_mem* + cr3`; it names no
 * Windows object.
 *
 * Ownership: snap_take / snap_free (create/destroy). snap_free is safe on NULL.
 */
#ifndef VMIE_SNAPDIFF_H
#define VMIE_SNAPDIFF_H
#include <stdint.h>
#include <stddef.h>
#include "memmodel.h" /* vmie_mem, vregion */
typedef struct snapshot snapshot;
/* Capture the bytes of every mapped run in [lo,hi] (prot filter) under `cr3` at
 * T0. Returns a heap-owned snapshot, or NULL on OOM / bad input. */
snapshot* snap_take(vmie_mem* m, uintptr_t cr3, uint64_t lo, uint64_t hi, uint32_t prot_any);
/* Release a snapshot from snap_take. Safe on NULL. */
void snap_free(snapshot* s);
/* Re-read the window now, compare to the snapshot, and emit changed runs as
 * vregion {va, len, prot = current} - coalescing VA-contiguous changed bytes
 * into one run. Runs that appeared or disappeared since T0 count as changed.
 * Writes up to `max` runs to `changed` (NULL to count only) and returns the
 * TOTAL number of changed runs, or -1 on bad input. */
int snap_diff(const snapshot* s, vmie_mem* m, uintptr_t cr3,
              vregion* changed, int max);
#endif /* VMIE_SNAPDIFF_H */
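The header above states the contract (coalesced VA-contiguous runs, appeared/disappeared runs counted as changed, `prot = current`, NULL `changed` counts only, TOTAL returned even when `max` is exceeded) but not how a diff is produced. The following is an added example, not code from the vatrog repository: it models that contract against a constructed in-memory address space, because `memmodel.h`, `vmie_mem` and `vregion` are not on this page. `toy_mem`, `toy_run`, `toy_vregion`, the `TOY_*` constants and the `demo` scenario are assumptions introduced here; `cr3` is accepted to mirror the header's signatures but ignored since the toy has a single address space.

```c
/* Added example, not the project's code: a self-contained model of the
 * snap_take / snap_free / snap_diff contract above. memmodel.h is not available here,
 * so toy_mem / toy_vregion are constructed stand-ins (assumption); cr3 is unused. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#define TOY_MAX_RUNS 8
#define TOY_PROT_R 1u
#define TOY_PROT_W 2u
typedef struct { uint64_t va; size_t len; uint32_t prot; } toy_vregion;
typedef struct { toy_vregion r; uint8_t *bytes; } toy_run;    /* mapped run + contents */
typedef struct { toy_run run[TOY_MAX_RUNS]; int n; } toy_mem; /* stand-in for vmie_mem */
/* Snapshot: deep copies of the prot-matching runs overlapping [lo,hi] at T0. */
typedef struct snapshot { uint64_t lo, hi; uint32_t prot_any; toy_run run[TOY_MAX_RUNS]; int n; } snapshot;
static int toy_map(toy_mem *m, uint64_t va, size_t len, uint32_t prot, const uint8_t *init) {
    if (m->n == TOY_MAX_RUNS || len == 0) return -1;
    toy_run *r = &m->run[m->n]; if (!(r->bytes = calloc(len, 1))) return -1;
    if (init) memcpy(r->bytes, init, len);
    r->r.va = va; r->r.len = len; r->r.prot = prot; m->n++;
    return 0;
}
static void toy_unmap(toy_mem *m, uint64_t va) {
    for (int i = 0; i < m->n; i++)
        if (m->run[i].r.va == va) { free(m->run[i].bytes); m->run[i] = m->run[--m->n]; return; }
}
static int toy_write(toy_mem *m, uint64_t va, const uint8_t *src, size_t n) {
    for (int i = 0; i < m->n; i++)
        if (va >= m->run[i].r.va && va + n <= m->run[i].r.va + m->run[i].r.len)
            { memcpy(m->run[i].bytes + (va - m->run[i].r.va), src, n); return 0; }
    return -1;                                          /* not inside a single mapped run */
}
static void toy_free(toy_mem *m) { while (m->n) free(m->run[--m->n].bytes); }
/* 1 if `va` lies in a run whose prot intersects prot_any; yields its byte and prot. */
static int lookup(const toy_run *run, int n, uint32_t prot_any, uint64_t va, uint8_t *b, uint32_t *prot) {
    for (int i = 0; i < n; i++)
        if ((run[i].r.prot & prot_any) && va >= run[i].r.va && va - run[i].r.va < run[i].r.len) {
            *b = run[i].bytes[va - run[i].r.va]; *prot = run[i].r.prot; return 1;
        }
    return 0;
}
void snap_free(snapshot *s) {
    if (!s) return;                                     /* safe on NULL, as the header promises */
    for (int i = 0; i < s->n; i++) free(s->run[i].bytes);
    free(s);
}
snapshot *snap_take(toy_mem *m, uintptr_t cr3, uint64_t lo, uint64_t hi, uint32_t prot_any) {
    (void)cr3; snapshot *s = (m && lo <= hi) ? calloc(1, sizeof *s) : NULL;
    if (!s) return NULL;                                /* bad input or OOM */
    s->lo = lo; s->hi = hi; s->prot_any = prot_any;
    for (int i = 0; i < m->n; i++) {
        const toy_run *r = &m->run[i];
        if (!(r->r.prot & prot_any) || r->r.va > hi || r->r.va + r->r.len - 1 < lo) continue;
        toy_run *c = &s->run[s->n]; c->r = r->r;
        if (!(c->bytes = malloc(r->r.len))) { snap_free(s); return NULL; }
        memcpy(c->bytes, r->bytes, r->r.len); s->n++;
    }
    return s;
}
/* Record one coalesced run; a NULL or already-full `out` still counts it toward TOTAL. */
static void emit(toy_vregion *out, int max, int *total, uint64_t lo, uint64_t hi, uint32_t prot) {
    if (out && *total < max) { out[*total].va = lo; out[*total].len = (size_t)(hi - lo + 1); out[*total].prot = prot; }
    (*total)++;
}
int snap_diff(const snapshot *s, toy_mem *m, uintptr_t cr3, toy_vregion *changed, int max) {
    (void)cr3; if (!s || !m || max < 0) return -1;
    int total = 0, in_run = 0; uint64_t start = 0; uint32_t run_prot = 0;
    for (uint64_t va = s->lo;; va++) {
        uint8_t a = 0, b = 0; uint32_t pa = 0, pb = 0;
        int was = lookup(s->run, s->n, s->prot_any, va, &a, &pa);  /* T0 */
        int now = lookup(m->run, m->n, s->prot_any, va, &b, &pb);  /* re-read now */
        int diff = (was != now) || (was && a != b);   /* appeared, disappeared, or byte changed */
        if (diff && !in_run) { in_run = 1; start = va; run_prot = pb; }  /* prot = current, 0 if gone */
        else if (!diff && in_run) { emit(changed, max, &total, start, va - 1, run_prot); in_run = 0; }
        if (va == s->hi) break;                         /* inclusive hi; no wrap at UINT64_MAX */
    }
    if (in_run) emit(changed, max, &total, start, s->hi, run_prot);
    return total;
}
/* Constructed scenario: two runs at T0, then writes, an unmap and a new mapping. Fills g_runs / g_count_only. */
toy_vregion g_runs[TOY_MAX_RUNS];
int g_count_only;
int demo(void) {
    toy_mem m; memset(&m, 0, sizeof m);
    const uintptr_t cr3 = 0x1ab000;                     /* placeholder value, not a real CR3 */
    toy_map(&m, 0x1000, 64, TOY_PROT_R | TOY_PROT_W, NULL);  /* data, zero-filled */
    toy_map(&m, 0x3000, 8, TOY_PROT_R | TOY_PROT_W, NULL);   /* will disappear */
    snapshot *s = snap_take(&m, cr3, 0x1000, 0x3fff, TOY_PROT_R);
    if (!s) { toy_free(&m); return -1; }
    toy_write(&m, 0x1010, (const uint8_t *)"\xde\xad\xbe\xef", 4);
    toy_write(&m, 0x1014, (const uint8_t *)"\x01", 1);  /* adjacent: coalesces into one 5-byte run */
    toy_write(&m, 0x1020, (const uint8_t *)"AB", 2);    /* unchanged gap before it: a separate run */
    toy_unmap(&m, 0x3000);                              /* disappeared run, reported with prot 0 */
    toy_map(&m, 0x2800, 4, TOY_PROT_R, NULL);           /* appeared run */
    int total = snap_diff(s, &m, cr3, g_runs, TOY_MAX_RUNS);
    g_count_only = snap_diff(s, &m, cr3, NULL, 0);      /* NULL buffer: count only, same TOTAL */
    snap_free(s); toy_free(&m); return total;
}
```

Running `demo()` yields four changed runs in VA order: `0x1010` (5 bytes, coalesced from two separate writes), `0x1020` (2 bytes), `0x2800` (4 bytes, appeared, prot = current R) and `0x3000` (8 bytes, disappeared, prot 0). The byte-by-byte walk is deliberately naive so that the coalescing and appeared/disappeared rules are visible in one loop; a real implementation would walk mapped runs rather than every VA in the window.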