/*
 * Return the Windows version of the guest, detecting and caching it on
 * first use.
 *
 * Without Windows support compiled in, or when the instance is not a
 * Windows one or has no OS data yet, VMI_OS_WINDOWS_NONE is returned.
 * Otherwise an unset or UNKNOWN cached version is (re)detected from the
 * KdDebuggerDataBlock located at ntoskrnl + kdbg_offset and the result is
 * stored back on the windows instance.
 */
win_ver_t
vmi_get_winver(
    vmi_instance_t vmi)
{
#ifndef ENABLE_WINDOWS
    errprint("**LibVMI wasn't compiled with Windows support!\n");
    return VMI_OS_WINDOWS_NONE;
#else
    /* Only meaningful for a Windows guest whose OS data is initialised. */
    if (vmi->os_type != VMI_OS_WINDOWS || vmi->os_data == NULL)
        return VMI_OS_WINDOWS_NONE;

    windows_instance_t win = vmi->os_data;
    win_ver_t cached = win->version;

    /* First call, or an earlier detection that came back UNKNOWN: retry. */
    if (!cached || cached == VMI_OS_WINDOWS_UNKNOWN) {
        /* ntoskrnl + kdbg_offset: presumably a physical address, as in
         * the kdbg search code elsewhere in this file -- confirm. */
        addr_t kdbg = win->ntoskrnl + win->kdbg_offset;
        cached = find_windows_version(vmi, kdbg);
        win->version = cached;
    }
    return cached;
#endif
}
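/*
 * Resolve a KPCR symbol to an address.
 *
 * Ensures the KdVersionBlock address is known (initialising it on first
 * use), refreshes the cached Windows version from the block's physical
 * location, then looks up the symbol's offset and resolves it.
 *
 * @param vmi      LibVMI instance (Windows).
 * @param symbol   KPCR symbol name to look up.
 * @param address  Receives the resolved address on success.
 * @return VMI_SUCCESS on success; VMI_FAILURE if KdVersionBlock could not
 *         be initialised or translated, or the symbol could not be resolved.
 */
status_t
windows_kpcr_lookup(
    vmi_instance_t vmi,
    char *symbol,
    addr_t *address)
{
    unsigned long offset = 0;

    if (!vmi->os.windows_instance.kdversion_block) {
        if (VMI_FAILURE == init_kdversion_block(vmi)) {
            goto error_exit;
        }
    }

    // Use heuristic to find windows version.  The heuristic wants the
    // physical address of the block, so the virtual one is translated
    // first; a failed translation (reported as 0 -- confirm against the
    // vmi_translate_kv2p contract) must not be fed to it as if it were a
    // real address.
    addr_t kdvb_p = vmi_translate_kv2p(vmi, vmi->os.windows_instance.kdversion_block);
    if (!kdvb_p) {
        goto error_exit;
    }
    vmi->os.windows_instance.version =
        find_windows_version(vmi, kdvb_p);

    if (VMI_FAILURE == kpcr_symbol_offset(vmi, symbol, &offset)) {
        goto error_exit;
    }
    if (VMI_FAILURE == kpcr_symbol_resolve(vmi, offset, address)) {
        goto error_exit;
    }

    return VMI_SUCCESS;
error_exit:
    return VMI_FAILURE;
}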
/*
 * Detect the Windows version from a caller-supplied KdDebuggerDataBlock
 * physical address.  The cached version on the instance is not consulted.
 *
 * @param vmi      LibVMI instance.
 * @param kdbg_pa  Physical address of KdDebuggerDataBlock.
 * @return The detected version as reported by find_windows_version().
 */
win_ver_t
vmi_get_winver_manual(
    vmi_instance_t vmi,
    addr_t kdbg_pa)
{
    const win_ver_t detected = find_windows_version(vmi, kdbg_pa);
    return detected;
}
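/*
 * Locate KdVersionBlock and record its virtual address on the instance.
 *
 * Finds the block's physical address with the fast search, uses it to run
 * the Windows version heuristic, then follows the DebuggerDataList pointer
 * stored there to obtain the block's virtual address.  A value already
 * present in vmi->os.windows_instance.kdversion_block (e.g. taken from the
 * config) is kept rather than overwritten.
 *
 * @param vmi  LibVMI instance (Windows).
 * @return VMI_SUCCESS on success; VMI_FAILURE if the block could not be
 *         found or the pointer chain could not be read, in which case the
 *         cached Windows version is reset to VMI_OS_WINDOWS_UNKNOWN.
 */
status_t init_kdversion_block (vmi_instance_t vmi)
{
    addr_t KdVersionBlock_phys = 0;
    addr_t DebuggerDataList = 0, ListPtr = 0;

    KdVersionBlock_phys = find_kdversionblock_address_fast(vmi);
    if (!KdVersionBlock_phys){
        goto error_exit;
    }

    // Use heuristic to find windows version.  Its return value is not used
    // here; presumably find_windows_version records the result on the
    // instance itself -- confirm.
    find_windows_version(vmi, KdVersionBlock_phys);

    // get the virtual address for KdVersionBlock from the physical
    if (VMI_FAILURE == vmi_read_addr_pa(vmi, KdVersionBlock_phys, &DebuggerDataList)){
        goto error_exit;
    }
    if (VMI_FAILURE == vmi_read_addr_va(vmi, DebuggerDataList, 0, &ListPtr)){
        goto error_exit;
    }

    // A value supplied via config takes precedence over the one read from
    // guest memory; the two are not cross-checked here.
    if (ListPtr && !vmi->os.windows_instance.kdversion_block){
        vmi->os.windows_instance.kdversion_block = ListPtr;
        // addr_t is cast explicitly so the %llx conversion matches its
        // argument regardless of how the platform defines the 64-bit type.
        printf("LibVMI Suggestion: set win_kdvb=0x%llx in libvmi.conf for faster startup.\n",
               (unsigned long long) vmi->os.windows_instance.kdversion_block);
    }
    dbprint("**set KdVersionBlock address=0x%llx\n",
            (unsigned long long) vmi->os.windows_instance.kdversion_block);

    return VMI_SUCCESS;
error_exit:
    vmi->os.windows_instance.version = VMI_OS_WINDOWS_UNKNOWN;
    return VMI_FAILURE;
}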
/*
 * Detect the Windows version from a caller-supplied KdDebuggerDataBlock
 * physical address, without consulting the instance's cached version.
 *
 * Without Windows support compiled in this only reports an error and
 * returns VMI_OS_WINDOWS_NONE.
 *
 * @param vmi      LibVMI instance.
 * @param kdbg_pa  Physical address of KdDebuggerDataBlock.
 * @return The detected version, or VMI_OS_WINDOWS_NONE if unsupported.
 */
win_ver_t
vmi_get_winver_manual(
    vmi_instance_t vmi,
    addr_t kdbg_pa)
{
#ifndef ENABLE_WINDOWS
    (void) vmi;
    (void) kdbg_pa;
    errprint("**LibVMI wasn't compiled with Windows support!\n");
    return VMI_OS_WINDOWS_NONE;
#else
    return find_windows_version(vmi, kdbg_pa);
#endif
}
/*
 * Return the Windows version of the guest, running detection when the
 * cached value is unset or UNKNOWN.
 *
 * Returns VMI_OS_WINDOWS_NONE for a non-Windows instance.  Detection is
 * handed the stored kdversion_block address as-is (no kv2p translation,
 * unlike windows_kpcr_lookup in this file) -- verify which address kind
 * find_windows_version expects here.
 */
win_ver_t
vmi_get_winver(
    vmi_instance_t vmi)
{
    if (vmi->os_type != VMI_OS_WINDOWS)
        return VMI_OS_WINDOWS_NONE;

    const win_ver_t known = vmi->os.windows_instance.version;

    if (known == 0 || known == VMI_OS_WINDOWS_UNKNOWN) {
        /* The return value is deliberately not captured: this variant
         * reads the version back from the instance afterwards, which
         * presumably find_windows_version updates itself -- confirm. */
        find_windows_version(vmi, vmi->os.windows_instance.kdversion_block);
    }

    return vmi->os.windows_instance.version;
}
/*
 * Return the Windows version of the guest, detecting and caching it on
 * first use.
 *
 * Yields VMI_OS_WINDOWS_NONE when the instance is not a Windows one, was
 * only partially initialised (VMI_INIT_PARTIAL), or has no OS data yet.
 * Otherwise an unset or UNKNOWN cached version is (re)detected from the
 * KdDebuggerDataBlock located at ntoskrnl + kdbg_offset and stored back
 * on the windows instance.
 */
win_ver_t
vmi_get_winver(
    vmi_instance_t vmi)
{
    const int not_windows = (vmi->os_type != VMI_OS_WINDOWS);
    const int partial_init = (vmi->init_mode & VMI_INIT_PARTIAL) != 0;

    if (not_windows || partial_init || vmi->os_data == NULL)
        return VMI_OS_WINDOWS_NONE;

    windows_instance_t win = vmi->os_data;

    if (win->version && win->version != VMI_OS_WINDOWS_UNKNOWN)
        return win->version;    /* already detected */

    /* First call, or an earlier detection that came back UNKNOWN: derive
     * the block's address from the kernel base plus the known offset. */
    win->version = find_windows_version(vmi, win->ntoskrnl + win->kdbg_offset);
    return win->version;
}
/*
 * Return the Windows version of the guest, detecting and caching it on
 * first use.
 *
 * Yields VMI_OS_WINDOWS_NONE when the instance is not a Windows one, was
 * only partially initialised (VMI_INIT_PARTIAL), or has no OS data yet.
 * Otherwise an unset or UNKNOWN cached version is (re)detected from the
 * stored kdversion_block address and written back to the instance.
 */
win_ver_t
vmi_get_winver(
    vmi_instance_t vmi)
{
    if (vmi->os_type != VMI_OS_WINDOWS)
        return VMI_OS_WINDOWS_NONE;
    if (vmi->init_mode & VMI_INIT_PARTIAL)
        return VMI_OS_WINDOWS_NONE;
    if (vmi->os_data == NULL)
        return VMI_OS_WINDOWS_NONE;

    windows_instance_t win = vmi->os_data;
    const int needs_detection =
        (win->version == 0) || (win->version == VMI_OS_WINDOWS_UNKNOWN);

    if (needs_detection) {
        /* kdversion_block is handed over untranslated; confirm that this
         * matches the address kind find_windows_version expects. */
        win->version = find_windows_version(vmi, win->kdversion_block);
    }

    return win->version;
}
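/*
 * This function is responsible for setting up the
 * Windows specific variables of the instance:
 *  - ntoskrnl (*)     physical address of the kernel base (KernBase)
 *  - ntoskrnl_va (*)  virtual address of the kernel base
 *  - kdbg_offset (*)  offset of KdDebuggerDataBlock from the kernel base
 *  - kdbg_va (*)      virtual address of KdDebuggerDataBlock
 * The variables marked with (*) can also be specified in the libvmi
 * config (win_ntoskrnl, win_kdbg and win_kdvb respectively).
 *
 * The relation kept consistent throughout is
 *     kdbg_va == ntoskrnl_va + kdbg_offset
 * and, on the physical side, kdbg_pa == ntoskrnl + kdbg_offset.
 *
 * Values taken from the config are cross-checked against what is read or
 * translated from the guest whenever an arch interface makes that
 * possible; a mismatch is reported and the function fails rather than
 * trusting either side silently.  Missing values are derived from the
 * others when enough are known, otherwise the KdDebuggerDataBlock search
 * methods are tried from fastest to slowest.  Finally the Windows version
 * is detected and stored in windows->version.
 *
 * @param vmi  LibVMI instance whose os_data is a windows_instance_t.
 * @return VMI_SUCCESS once the four values are set (even if the detected
 *         version is VMI_OS_WINDOWS_UNKNOWN, which is only reported);
 *         VMI_FAILURE when there is no OS data, a config value is
 *         inconsistent with the guest, or every search method failed.
 */
status_t
init_from_kdbg(
    vmi_instance_t vmi)
{
    status_t ret = VMI_FAILURE;
    addr_t kernbase_pa = 0;
    addr_t kernbase_va = 0;
    addr_t kdbg_pa = 0;

    if (vmi->os_data == NULL) {
        goto exit;
    }

    windows_instance_t windows = vmi->os_data;

    /* If all 3 values are specified in the config, we can calculate ntoskrnl_va,
     * but can't verify if there is no arch for doing translations.
     */
    if (windows->kdbg_va && windows->kdbg_offset && windows->ntoskrnl
            && !vmi->arch_interface) {
        /* All values were user specified, so set them, but we can't use
         * translations to verify them */
        windows->ntoskrnl_va = windows->kdbg_va - windows->kdbg_offset;
        goto done;
    }

    if (!vmi->arch_interface) {
        /* nothing that requires a virtual-to-physical translation will work
         * so skip straight to the physical only methods. */
        goto find_kdbg;
    }

    /* Otherwise, look up what we need and check for consistency */

    if (windows->kdbg_va) {
        dbprint(VMI_DEBUG_MISC, "**using KdDebuggerDataBlock address=0x%"PRIx64" from config\n",
                windows->kdbg_va);

        /* KernBase is read from the guest's KdDebuggerDataBlock; a read
         * failure is not fatal, the search methods can still recover. */
        if (VMI_SUCCESS != windows_kdbg_lookup(vmi, "KernBase", &windows->ntoskrnl_va)) {
            dbprint(VMI_DEBUG_MISC, "**Error reading KernBase value, falling back to search methods\n");
            goto find_kdbg;
        }

        dbprint(VMI_DEBUG_MISC, "**KernBase VA=0x%"PRIx64"\n", windows->ntoskrnl_va);

        if (windows->kdbg_offset) {
            /* only needed ntoskrnl_va, verify the other values */
            if (windows->kdbg_va != (windows->ntoskrnl_va + windows->kdbg_offset)) {
                errprint("Invalid configuration values for win_kdvb and win_kdbg\n");
                goto exit;
            }

        } else {
            windows->kdbg_offset = windows->kdbg_va - windows->ntoskrnl_va;
        }
    } else if (windows->ntoskrnl && windows->kdbg_offset) {
        /* Calculate ntoskrnl_va and kdbg_va: KernBase VA is read from the
         * physical KdDebuggerDataBlock at ntoskrnl + kdbg_offset. */
        unsigned long offset = 0;

        /* The field-offset lookup can fail; using 0 in that case would read
         * the wrong field and silently produce a bogus KernBase. */
        if (VMI_FAILURE == kdbg_symbol_offset("KernBase", &offset)) {
            errprint("Unable to determine the KernBase offset in KdDebuggerDataBlock\n");
            goto exit;
        }
        if (VMI_FAILURE == vmi_read_addr_pa(vmi, windows->ntoskrnl + windows->kdbg_offset + offset, &windows->ntoskrnl_va)) {
            errprint("Inconsistent addresses passed in the config!\n");
            goto exit;
        }

        dbprint(VMI_DEBUG_MISC, "**KernBase VA=0x%"PRIx64"\n", windows->ntoskrnl_va);

        /* Same relation as the verification above and the derivation in
         * the search path: kdbg_va = ntoskrnl_va + kdbg_offset. */
        windows->kdbg_va = windows->ntoskrnl_va + windows->kdbg_offset;
        dbprint(VMI_DEBUG_MISC, "**set KdDebuggerDataBlock address=0x%"PRIx64"\n",
                windows->kdbg_va);
    } else {
        /* only ntoskrnl or kdbg_offset were given, which are not
         * enough to find and calculate the others, so fall back to search methods. */
        goto find_kdbg;
    }

    addr_t test = 0;

    /* ntoskrnl (PA) is either derived from ntoskrnl_va or, when it came
     * from the config, checked against the translation of ntoskrnl_va. */
    if (!windows->ntoskrnl) {
        if ( VMI_FAILURE == vmi_translate_kv2p(vmi, windows->ntoskrnl_va, &windows->ntoskrnl) )
            goto find_kdbg;

        dbprint(VMI_DEBUG_MISC, "**set KernBase PA=0x%"PRIx64"\n", windows->ntoskrnl);
    } else if (VMI_FAILURE == vmi_translate_kv2p(vmi, windows->ntoskrnl_va, &test) || test != windows->ntoskrnl) {
        errprint("Invalid configuration values, win_ntoskrnl not match translated KernBase physical address\n");
        goto exit;
    }

    goto done;

    // We don't have the standard config informations
    // so lets try our kdbg search method
find_kdbg:
    dbprint(VMI_DEBUG_MISC, "**Attempting KdDebuggerDataBlock search methods\n");

    /* Search methods in order of decreasing speed; the first hit wins. */
    if (VMI_SUCCESS == find_kdbg_address_instant(vmi, &kdbg_pa, &kernbase_pa, &kernbase_va)) {
        goto found;
    }
    if (VMI_SUCCESS == find_kdbg_address_faster(vmi, &kdbg_pa, &kernbase_pa, &kernbase_va)) {
        goto found;
    }
    if (VMI_SUCCESS == find_kdbg_address_fast(vmi, &kdbg_pa, &kernbase_pa, &kernbase_va)) {
        goto found;
    }

    /* NOTE: This is the only method that does anything for VMI_FILE */
    if (VMI_SUCCESS == find_kdbg_address(vmi, &kdbg_pa, &kernbase_va)) {
        kernbase_pa = get_ntoskrnl_base(vmi, 0);
        goto found;
    }

    dbprint(VMI_DEBUG_MISC, "**All KdDebuggerDataBlock search methods failed\n");
    goto exit;

found:
    windows->ntoskrnl_va = kernbase_va;
    dbprint(VMI_DEBUG_MISC, "**set KernBase VA=0x%"PRIx64"\n", windows->ntoskrnl_va);

    /* For each value: adopt the discovered one if the config left it
     * unset, otherwise require the two to agree. */
    if (!windows->ntoskrnl) {
        windows->ntoskrnl = kernbase_pa;
        printf("LibVMI Suggestion: set win_ntoskrnl=0x%"PRIx64" in libvmi.conf for faster startup.\n",
               windows->ntoskrnl);
    } else if (windows->ntoskrnl != kernbase_pa) {
        errprint("LibVMI found physical kernel base address 0x%"PRIx64" that conflicts with provided value from config file!\n",
                 kernbase_pa);
        goto exit;
    }

    if (!windows->kdbg_offset) {
        windows->kdbg_offset = kdbg_pa - windows->ntoskrnl;
        printf("LibVMI Suggestion: set win_kdbg=0x%"PRIx64" in libvmi.conf for faster startup.\n",
               windows->kdbg_offset);
    } else if (windows->kdbg_offset != kdbg_pa - kernbase_pa) {
        errprint("LibVMI found win_kdbg offset 0x%"PRIx64" that conflicts with provided value from config file!\n",
                 kdbg_pa - kernbase_pa);
        goto exit;
    }

    if (!windows->kdbg_va) {
        windows->kdbg_va = windows->ntoskrnl_va + windows->kdbg_offset;
        printf("LibVMI Suggestion: set win_kdvb=0x%"PRIx64" in libvmi.conf for faster startup.\n",
               windows->kdbg_va);
    } else if (windows->kdbg_va != windows->ntoskrnl_va + windows->kdbg_offset) {
        errprint("LibVMI found win_kdvb offset 0x%"PRIx64" that conflicts with provided value from config file!\n",
                 windows->ntoskrnl_va + windows->kdbg_offset);
        goto exit;
    }

done:
    /* kdbg_pa is only known when a search method found it; on the config
     * paths it is derived from the (now verified) values. */
    if (!kdbg_pa) {
        kdbg_pa = windows->ntoskrnl + windows->kdbg_offset;
    }
    windows->version = find_windows_version(vmi, kdbg_pa);
    if (VMI_OS_WINDOWS_UNKNOWN == windows->version) {
        /* Reported but not treated as failure: the addresses are usable
         * even when the version heuristic does not recognise the build. */
        errprint("Unsupported Windows version or incorrect configuration\n");
    }

    ret = VMI_SUCCESS;
exit:
    return ret;
}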