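/*
 * Scan guest physical memory, one VMI_PS_4KB block at a time starting at
 * start_address, for a process structure whose name (as reported by
 * windows_get_eprocess_name()) matches `name`.
 *
 * Every 4-byte value at an 8-byte-aligned offset inside a readable block is
 * passed to `check`; only offsets that satisfy the magic check are resolved
 * to a process name, which keeps the expensive lookup off the common path.
 *
 * @param vmi            LibVMI instance; vmi->max_physical_address bounds the scan.
 * @param check          Magic-value predicate; NULL selects the instance default
 *                       from get_check_magic_func().
 * @param start_address  Physical address at which scanning begins.
 * @param name           Process name to match; compared with strncmp() over at
 *                       most 50 bytes, so a longer name is matched by prefix.
 * @return Physical address of the matching structure, or 0 when nothing matched,
 *         `name` is NULL, or no magic checker is available.
 */
static addr_t
find_process_by_name(
    vmi_instance_t vmi,
    check_magic_func check,
    addr_t start_address,
    const char *name)
{
    /* strncmp() and the "%s" below both require a non-NULL name. */
    if (NULL == name) {
        return 0;
    }

    dbprint(VMI_DEBUG_MISC, "--searching for process by name: %s\n", name);

    if (NULL == check) {
        check = get_check_magic_func(vmi);
        /* Without a checker the loop below would call through a NULL
         * function pointer on every candidate; report "not found" instead. */
        if (NULL == check) {
            return 0;
        }
    }

    unsigned char block_buffer[VMI_PS_4KB];

    for (addr_t block_pa = start_address;
         block_pa + VMI_PS_4KB < vmi->max_physical_address;
         block_pa += VMI_PS_4KB) {
        size_t read = vmi_read_pa(vmi, block_pa, block_buffer, VMI_PS_4KB);
        if (VMI_PS_4KB != read) {
            /* Block not fully readable (e.g. unmapped): skip it, keep scanning. */
            continue;
        }

        for (addr_t offset = 0;
             offset + sizeof(uint32_t) <= VMI_PS_4KB;
             offset += 8) {
            uint32_t value = 0;
            memcpy(&value, block_buffer + offset, sizeof value);

            if (!check(value)) { // look for specific magic #
                continue;
            }

            /* Candidate found; the returned name is heap-owned by us. */
            char *procname = windows_get_eprocess_name(vmi, block_pa + offset);
            if (NULL == procname) {
                continue;
            }

            int matched = (strncmp(procname, name, 50) == 0);
            free(procname);
            if (matched) {
                return block_pa + offset;
            }
        }
    }

    return 0;
}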
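/*
 * Scan guest physical memory, in BLOCK_SIZE chunks starting at start_address
 * and bounded by vmi->size, for a process structure whose name (as reported
 * by windows_get_eprocess_name()) matches `name`.
 *
 * Every 4-byte value at an 8-byte-aligned offset of the bytes actually read
 * is passed to `check`; only offsets that satisfy the magic check are resolved
 * to a process name.
 *
 * @param vmi            LibVMI instance; vmi->size bounds the scan.
 * @param check          Magic-value predicate; NULL selects the instance default
 *                       from get_check_magic_func().
 * @param start_address  Physical address at which scanning begins.
 * @param name           Process name to match; compared with strncmp() over at
 *                       most 50 bytes, so a longer name is matched by prefix.
 * @return Physical address of the matching structure, or 0 when nothing matched,
 *         `name` is NULL, no magic checker is available, or the scan buffer
 *         could not be allocated.
 */
static addr_t
find_process_by_name(
    vmi_instance_t vmi,
    check_magic_func check,
    addr_t start_address,
    const char *name)
{
/* Parenthesised so the macro is safe in any expression it is expanded into. */
#define BLOCK_SIZE (1024 * 1024 * 1)

    addr_t result = 0;

    /* strncmp() requires a non-NULL name. */
    if (NULL == name) {
        return 0;
    }

    if (NULL == check) {
        check = get_check_magic_func(vmi);
        /* Without a checker the loop below would call through a NULL
         * function pointer on every candidate; report "not found" instead. */
        if (NULL == check) {
            return 0;
        }
    }

    /* 1 MiB is far too large for an automatic array (stack overflow risk);
     * take it from the heap and release it on every exit path. */
    unsigned char *block_buffer = malloc(BLOCK_SIZE);
    if (NULL == block_buffer) {
        return 0;
    }

    for (addr_t block_pa = start_address; block_pa < vmi->size;
         block_pa += BLOCK_SIZE) {
        size_t read = vmi_read_pa(vmi, block_pa, block_buffer, BLOCK_SIZE);
        if (read > BLOCK_SIZE) {
            /* Defensive clamp; never index past the buffer we own. */
            read = BLOCK_SIZE;
        }

        /* A short read (final partial block, or a chunk ending in unmapped
         * memory) is still scanned for the bytes it did return rather than
         * being dropped wholesale.  NOTE(review): assumes vmi_read_pa()
         * reports the count of leading bytes it filled — confirm. */
        for (addr_t offset = 0;
             offset + sizeof(uint32_t) <= read;
             offset += 8) {
            uint32_t value = 0;
            memcpy(&value, block_buffer + offset, sizeof value);

            if (!check(value)) { // look for specific magic #
                continue;
            }

            /* Candidate found; the returned name is heap-owned by us. */
            char *procname =
                windows_get_eprocess_name(vmi, block_pa + offset);
            if (NULL == procname) {
                continue;
            }

            int matched = (strncmp(procname, name, 50) == 0);
            free(procname);
            if (matched) {
                result = block_pa + offset;
                goto out;
            }
        }
    }

out:
    free(block_buffer);
    return result;
}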