void dump_exports( vmi_instance_t vmi, struct export_table *et, addr_t base_addr, vmi_pid_t pid) { addr_t base1 = base_addr + et->address_of_names; addr_t base2 = base_addr + et->address_of_name_ordinals; addr_t base3 = base_addr + et->address_of_functions; uint32_t i = 0; /* print names */ for (; i < et->number_of_names; ++i) { uint32_t rva = 0; uint16_t ordinal = 0; uint32_t loc = 0; char *str = NULL; vmi_read_32_va(vmi, base1 + i * sizeof(uint32_t), pid, &rva); if (rva) { str = rva_to_string(vmi, (addr_t) rva, base_addr, pid); if (str) { vmi_read_16_va(vmi, base2 + i * sizeof(uint16_t), pid, &ordinal); vmi_read_32_va(vmi, base3 + ordinal + sizeof(uint32_t), pid, &loc); printf("%s:%d:0x%"PRIx32"\n", str, ordinal, loc); free(str); } } } }
/* returns a windows PE export from an RVA*/ char* windows_rva_to_export( vmi_instance_t vmi, addr_t rva, addr_t base_vaddr, vmi_pid_t pid) { struct export_table et; addr_t et_rva; size_t et_size; int aon_index = -1; int aof_index = -1; char* symbol = NULL; // get export table structure if (peparse_get_export_table(vmi, base_vaddr, pid, &et, &et_rva, &et_size) != VMI_SUCCESS) { dbprint(VMI_DEBUG_MISC, "--PEParse: failed to get export table\n"); return NULL; } if(rva>=et_rva && rva < et_rva+et_size) { dbprint(VMI_DEBUG_MISC, "--PEParse: symbol @ %u:0x%"PRIx64" is forwarded\n", pid, base_vaddr+rva); return NULL; } addr_t base1 = base_vaddr + et.address_of_names; addr_t base2 = base_vaddr + et.address_of_name_ordinals; addr_t base3 = base_vaddr + et.address_of_functions; uint32_t i = 0; for (; i < et.number_of_functions; ++i) { uint32_t name_rva = 0; uint16_t ordinal = 0; uint32_t loc = 0; if(VMI_FAILURE==vmi_read_16_va(vmi, base2 + i * sizeof(uint16_t), pid, &ordinal)) continue; if(VMI_FAILURE==vmi_read_32_va(vmi, base3 + ordinal + sizeof(uint32_t), pid, &loc)) continue; if(loc==rva) { if(i < et.number_of_names && VMI_SUCCESS==vmi_read_32_va(vmi, base1 + i * sizeof(uint32_t), pid, &name_rva) && name_rva) { symbol = rva_to_string(vmi, (addr_t)name_rva, base_vaddr, pid); return symbol; } dbprint(VMI_DEBUG_MISC, "--PEParse: symbol @ %u:0x%"PRIx64" is exported by ordinal only\n", pid, base_vaddr+rva); break; } } return NULL; }
int get_aof_index( vmi_instance_t vmi, int aon_index, struct export_table *et, addr_t base_addr, vmi_pid_t pid) { addr_t aof_index_loc = base_addr + et->address_of_name_ordinals + aon_index * sizeof(uint16_t); uint16_t aof_index = 0; if (vmi_read_16_va(vmi, aof_index_loc, pid, &aof_index) == VMI_SUCCESS) { return (int) aof_index; } else { return -1; } }
/*根据data,执行vmi函数,并发送返回值*/ int rvmi_handle_data(int fd, char *buf) { int vmiFunNum; int i=0; char delims[] = " "; char *vmiFunArg[5] = {NULL,NULL,NULL,NULL}; char returnBuf[100]; char * returnVal =NULL; vmiFunArg[i] = strtok(buf, delims ); while( vmiFunArg[i] != NULL ) { i++; vmiFunArg[i] = strtok( NULL, delims ); } vmiFunNum = atoi(vmiFunArg[0]); //printf("vmifun %d\n",vmiFunNum); switch(vmiFunNum) { case 1: break; case 2: break; case 3: { int vmiID=atoi(vmiFunArg[1]); sprintf(returnBuf, "%d\0", vmi_destroy(vmiArr[vmiID]) ); vmiFlagArr[vmiID]=0; returnVal = returnBuf; } break; case 13: { sprintf(returnBuf, "%lu\0", vmi_get_offset(vmiArr[atoi(vmiFunArg[1])], vmiFunArg[2]) ); returnVal = returnBuf; } break; case 23: { for(i=0;i<MAX_DOMU_PER_MACHINE;i++) { if(0 == vmiFlagArr[i]) break; } vmi_init(&vmiArr[i], atoi(vmiFunArg[1]), vmiFunArg[2]); vmiFlagArr[i]=1; sprintf(returnBuf,"%d\0",i); returnVal = returnBuf; } break; case 38: { uint16_t tmp; vmi_read_16_va(vmiArr[atoi(vmiFunArg[1])], atol(vmiFunArg[2]), atoi(vmiFunArg[3]), &tmp); sprintf(returnBuf, "%hu\0", tmp); returnVal = returnBuf; } break; case 40: { uint32_t tmp; vmi_read_32_va(vmiArr[atoi(vmiFunArg[1])], atol(vmiFunArg[2]), atoi(vmiFunArg[3]), &tmp); sprintf(returnBuf, "%u\0", tmp); returnVal = returnBuf; } break; case 44: { uint64_t tmp; vmi_read_64_va(vmiArr[atoi(vmiFunArg[1])], atol(vmiFunArg[2]), atoi(vmiFunArg[3]), &tmp); sprintf(returnBuf, "%lu\0", tmp); returnVal = returnBuf; } break; case 50: { addr_t tmp; vmi_read_addr_va(vmiArr[atoi(vmiFunArg[1])], atol(vmiFunArg[2]), atoi(vmiFunArg[3]), &tmp); sprintf(returnBuf, "%lu\0", tmp); returnVal = returnBuf; } break; case 55: { sprintf(returnBuf, "%s\0", vmi_read_str_va(vmiArr[atoi(vmiFunArg[1])], atol(vmiFunArg[2]), atoi(vmiFunArg[3]) )); returnVal = returnBuf; } break; case 67: { sprintf(returnBuf, "%lu\0", vmi_translate_ksym2v(vmiArr[atoi(vmiFunArg[1])], vmiFunArg[2]) ); returnVal = returnBuf; } break; default:break; } write (fd, returnVal, 100); return 1; }