void convert_pe(const char *file, int parse)
{
FILE *f;
struct stat st;
char *buf;
struct aout a;
f = fopen(file, "rb");
if (f == NULL)
{
printf("CAN NOT OPEN\n");
return;
}
fstat(fileno(f), &st);
buf = (char *)calloc(1, st.st_size + 1);
fread(buf, 1, st.st_size, f);
fclose(f);
if (parse)
print_pe_header(buf, st.st_size);
else
{
init_aout(&a);
parse_pe(&a, buf, st.st_size);
write_aout(&a, buf, st.st_size, file);
}
free(buf);
}
int main(int argc, char **argv) {
vmi_instance_t vmi;
/* this is the VM that we are looking at */
if (argc != 3) {
printf("Usage: %s name|domid <domain name|domain id>\n", argv[0]);
return 1;
} // if
uint32_t domid = VMI_INVALID_DOMID;
GHashTable *config = g_hash_table_new(g_str_hash, g_str_equal);
if(strcmp(argv[1],"name")==0) {
g_hash_table_insert(config, "name", argv[2]);
} else
if(strcmp(argv[1],"domid")==0) {
domid = atoi(argv[2]);
g_hash_table_insert(config, "domid", &domid);
} else {
printf("You have to specify either name or domid!\n");
return 1;
}
/* partialy initialize the libvmi library */
if (vmi_init_custom(&vmi, VMI_AUTO | VMI_INIT_PARTIAL | VMI_CONFIG_GHASHTABLE, config) == VMI_FAILURE) {
printf("Failed to init LibVMI library.\n");
g_hash_table_destroy(config);
return 1;
}
g_hash_table_destroy(config);
/* the nice thing about the windows kernel is that it's page aligned */
uint32_t i;
uint32_t found = 0;
for(i = 0; i < MAX_SEARCH_SIZE; i += PAGE_SIZE) {
uint8_t pe[MAX_HEADER_SIZE];
if(VMI_SUCCESS == peparse_get_image_phys(vmi, i, MAX_HEADER_SIZE, pe)) {
if(VMI_SUCCESS == is_WINDOWS_KERNEL(vmi, i, pe)) {
printf("Windows Kernel found @ 0x%"PRIx32"\n", i);
print_os_version(vmi, i, pe);
print_guid(vmi, i, pe);
print_pe_header(vmi, i, pe);
found=1;
break;
}
}
}
/* cleanup any memory associated with the LibVMI instance */
vmi_destroy(vmi);
if(found) return 0;
return 1;
}
int main(int argc, char **argv) {
vmi_instance_t vmi;
/* this is the VM that we are looking at */
if (argc != 2) {
printf("Usage: %s <domain name>\n", argv[0]);
return 1;
} // if
/* partialy initialize the libvmi library */
if (vmi_init(&vmi, VMI_AUTO | VMI_INIT_PARTIAL, argv[1]) == VMI_FAILURE) {
printf("Failed to init LibVMI library.\n");
return 1;
}
/* the nice thing about the windows kernel is that it's page aligned */
uint32_t i;
uint32_t found = 0;
for(i = 0; i < MAX_SEARCH_SIZE; i += PAGE_SIZE) {
uint8_t pe[MAX_HEADER_SIZE];
if(VMI_SUCCESS == peparse_get_image_phys(vmi, i, MAX_HEADER_SIZE, pe)) {
if(VMI_SUCCESS == is_WINDOWS_KERNEL(vmi, i, pe)) {
printf("Windows Kernel found @ 0x%"PRIx32"\n", i);
print_os_version(vmi, i, pe);
print_guid(vmi, i, pe);
print_pe_header(vmi, i, pe);
found=1;
break;
}
}
}
/* cleanup any memory associated with the LibVMI instance */
vmi_destroy(vmi);
if(found) return 0;
return 1;
}
int main(int argc, char **argv) {
vmi_instance_t vmi = NULL;
vmi_mode_t mode;
/* this is the VM that we are looking at */
if (argc != 3) {
printf("Usage: %s name|domid <domain name|domain id>\n", argv[0]);
return 1;
} // if
void *domain;
uint64_t domid = VMI_INVALID_DOMID;
uint64_t init_flags = 0;
if(strcmp(argv[1],"name")==0) {
domain = (void*)argv[2];
init_flags |= VMI_INIT_DOMAINNAME;
} else
if(strcmp(argv[1],"domid")==0) {
domid = strtoull(argv[2], NULL, 0);
domain = (void*)&domid;
init_flags |= VMI_INIT_DOMAINID;
} else {
printf("You have to specify either name or domid!\n");
return 1;
}
if (VMI_FAILURE == vmi_get_access_mode(vmi, domain, init_flags, NULL, &mode) )
return 1;
/* initialize the libvmi library */
if (VMI_FAILURE == vmi_init(&vmi, mode, domain, init_flags, NULL, NULL))
{
printf("Failed to init LibVMI library.\n");
return 1;
}
max_mem = vmi_get_max_physical_address(vmi);
/* the nice thing about the windows kernel is that it's page aligned */
uint32_t found = 0;
access_context_t ctx = {
.translate_mechanism = VMI_TM_NONE,
};
for(ctx.addr = 0; ctx.addr < max_mem; ctx.addr += PAGE_SIZE) {
uint8_t pe[MAX_HEADER_SIZE];
if(VMI_SUCCESS == peparse_get_image(vmi, &ctx, MAX_HEADER_SIZE, pe)) {
if(VMI_SUCCESS == is_WINDOWS_KERNEL(vmi, ctx.addr, pe)) {
printf("Windows Kernel found @ 0x%" PRIx64 "\n", ctx.addr);
print_os_version(pe);
print_guid(vmi, ctx.addr, pe);
print_pe_header(vmi, ctx.addr, pe);
found=1;
break;
}
}
}
/* cleanup any memory associated with the LibVMI instance */
vmi_destroy(vmi);
if(found) return 0;
return 1;
}
