Exemple #1
0
addr_t
windows_find_cr3(
    vmi_instance_t vmi)
{
    get_kpgd_method2(vmi);
    return vmi->kpgd;
}
Exemple #2
0
status_t
windows_init(
    vmi_instance_t vmi)
{
    status_t status = VMI_FAILURE;
    windows_instance_t windows = NULL;
    os_interface_t os_interface = NULL;
    status_t real_kpgd_found = VMI_FAILURE;

    if (vmi->config == NULL) {
        errprint("VMI_ERROR: No config table found\n");
        return VMI_FAILURE;
    }

    if (vmi->os_data != NULL) {
        errprint("VMI_ERROR: os data already initialized, resetting\n");
    } else {
        vmi->os_data = safe_malloc(sizeof(struct windows_instance));
    }

    bzero(vmi->os_data, sizeof(struct windows_instance));
    windows = vmi->os_data;
    windows->version = VMI_OS_WINDOWS_UNKNOWN;

    g_hash_table_foreach(vmi->config, (GHFunc)windows_read_config_ghashtable_entries, vmi);

    /* Need to provide this functions so that find_page_mode will work */
    os_interface = safe_malloc(sizeof(struct os_interface));
    bzero(os_interface, sizeof(struct os_interface));
    os_interface->os_get_offset = windows_get_offset;
    os_interface->os_pid_to_pgd = windows_pid_to_pgd;
    os_interface->os_pgd_to_pid = windows_pgd_to_pid;
    os_interface->os_ksym2v = windows_kernel_symbol_to_address;
    os_interface->os_usym2rva = windows_export_to_rva;
    os_interface->os_v2sym = windows_rva_to_export;
    os_interface->os_read_unicode_struct = windows_read_unicode_struct;
    os_interface->os_teardown = windows_teardown;

    vmi->os_interface = os_interface;

    if(VMI_FAILURE == check_pdbase_offset(vmi)) {
        goto error_exit;
    }

    /* At this point we still don't have a directory table base,
     * so first we try to get it via the driver (fastest way).
     * If the driver gets us a dtb, it will be used _only_ during the init phase,
     * and will be replaced by the real kpgd later. */
    if(VMI_FAILURE == driver_get_vcpureg(vmi, &vmi->kpgd, CR3, 0)) {
        if(VMI_FAILURE == get_kpgd_method2(vmi)) {
            errprint("Could not get kpgd, will not be able to determine page mode\n");
            goto error_exit;
        } else {
            real_kpgd_found = VMI_SUCCESS;
        }
    }

    if(VMI_FAILURE == init_core(vmi)) {
        goto error_exit;
    }

    if (VMI_PM_UNKNOWN == vmi->page_mode) {
        if (VMI_FAILURE == find_page_mode(vmi)) {
            errprint("Failed to find correct page mode.\n");
            goto error_exit;
        }
    }

    if (VMI_SUCCESS == real_kpgd_found) {
        status = VMI_SUCCESS;
        goto done;
    }

    /* If we have a dtb via the driver we need to get the real kpgd */
    if (VMI_SUCCESS == get_kpgd_method0(vmi)) {
        dbprint(VMI_DEBUG_MISC, "--kpgd method0 success\n");
        status = VMI_SUCCESS;
        goto done;
    }
    if (VMI_SUCCESS == get_kpgd_method1(vmi)) {
        dbprint(VMI_DEBUG_MISC, "--kpgd method1 success\n");
        status = VMI_SUCCESS;
        goto done;
    }

    if (VMI_SUCCESS == get_kpgd_method2(vmi)) {
        dbprint(VMI_DEBUG_MISC, "--kpgd method2 success\n");
        status = VMI_SUCCESS;
        goto done;
    }

    vmi->kpgd = 0;
    errprint("Failed to find kernel page directory.\n");
    goto error_exit;

done:
    return status;

error_exit:
    windows_teardown(vmi);
    return VMI_FAILURE;
}
Exemple #3
0
status_t
windows_init(
    vmi_instance_t vmi)
{
    status_t status = VMI_FAILURE;
    windows_instance_t windows = NULL;
    os_interface_t os_interface = NULL;

    if (vmi->config == NULL) {
        errprint("VMI_ERROR: No config table found\n");
        return VMI_FAILURE;
    }

    if (vmi->os_data != NULL) {
        errprint("VMI_ERROR: os data already initialized, resetting\n");
    } else {
        vmi->os_data = safe_malloc(sizeof(struct windows_instance));
    }

    bzero(vmi->os_data, sizeof(struct windows_instance));
    windows = vmi->os_data;
    windows->version = VMI_OS_WINDOWS_UNKNOWN;

    g_hash_table_foreach(vmi->config, (GHFunc)windows_read_config_ghashtable_entries, vmi);

    /* Need to provide this functions so that find_page_mode will work */
    os_interface = safe_malloc(sizeof(struct os_interface));
    bzero(os_interface, sizeof(struct os_interface));
    os_interface->os_get_offset = windows_get_offset;
    os_interface->os_pid_to_pgd = windows_pid_to_pgd;
    os_interface->os_pgd_to_pid = windows_pgd_to_pid;
    os_interface->os_ksym2v = windows_kernel_symbol_to_address;
    os_interface->os_usym2rva = windows_export_to_rva;
    os_interface->os_rva2sym = windows_rva_to_export;
    os_interface->os_teardown = windows_teardown;

    vmi->os_interface = os_interface;

    if(VMI_FAILURE == check_pdbase_offset(vmi)) {
        goto error_exit;
    }

    if (VMI_PM_UNKNOWN == vmi->page_mode) {
        if(VMI_FAILURE == get_kpgd_method2(vmi)) {
          errprint("Could not get kpgd, will not be able to determine page mode\n");
          goto error_exit;
        }

        if(VMI_FAILURE == init_core(vmi)) {
            goto error_exit;
        }

        if (VMI_FAILURE == find_page_mode(vmi)) {
            errprint("Failed to find correct page mode.\n");
            goto error_exit;
        }
    } else if(VMI_FAILURE == init_core(vmi)) {
        goto error_exit;
    }

    if (vmi->kpgd) {
        /* This can happen for file because find_cr3() is called and this
         * is set via get_kpgd_method2() */
        status = VMI_SUCCESS;
    } else
    if (VMI_SUCCESS == get_kpgd_method0(vmi)) {
        dbprint(VMI_DEBUG_MISC, "--kpgd method0 success\n");
        status = VMI_SUCCESS;
    } else
    if (VMI_SUCCESS == get_kpgd_method1(vmi)) {
        dbprint(VMI_DEBUG_MISC, "--kpgd method1 success\n");
        status = VMI_SUCCESS;
    } else
    if (VMI_SUCCESS == get_kpgd_method2(vmi)) {
        dbprint(VMI_DEBUG_MISC, "--kpgd method2 success\n");
        status = VMI_SUCCESS;
    } else {
        errprint("Failed to find kernel page directory.\n");
        goto error_exit;
    }

    return status;

error_exit:
    windows_teardown(vmi);
    return VMI_FAILURE;
}