/* Tries to find the kernel page directory by doing an exhaustive search
 * through the memory space for the System process. The page directory
 * location is then pulled from this eprocess struct.
 *
 * On success vmi->kpgd and vmi->init_task are filled in and VMI_SUCCESS is
 * returned; on any failure VMI_FAILURE is returned (vmi->kpgd may already
 * have been written when the init_task read is the step that fails). */
static status_t get_kpgd_method2(
    vmi_instance_t vmi)
{
    if (vmi->os_data == NULL) {
        errprint("VMI_ERROR: No OS data initialized\n");
        return VMI_FAILURE;
    }

    windows_instance_t windows = vmi->os_data;

    /* Prefer the pre-configured System process address; fall back to a scan. */
    addr_t sysproc = windows->sysproc;
    if (sysproc == 0) {
        sysproc = windows_find_eprocess(vmi, "System");
        if (sysproc == 0) {
            dbprint(VMI_DEBUG_MISC, "--failed to find System process.\n");
            return VMI_FAILURE;
        }
        printf("LibVMI Suggestion: set win_sysproc=0x%"PRIx64" in libvmi.conf for faster startup.\n", sysproc);
    }
    dbprint(VMI_DEBUG_MISC, "--got PA to PsInitialSystemProcess (0x%.16"PRIx64").\n", sysproc);

    /* The page directory base is read out of the System process structure. */
    const addr_t pdbase_pa = sysproc + windows->pdbase_offset;
    if (vmi_read_addr_pa(vmi, pdbase_pa, &vmi->kpgd) == VMI_FAILURE) {
        dbprint(VMI_DEBUG_MISC, "--failed to resolve PD for System process\n");
        return VMI_FAILURE;
    }
    if (vmi->kpgd == 0) {
        dbprint(VMI_DEBUG_MISC, "--kpgd was zero\n");
        return VMI_FAILURE;
    }
    dbprint(VMI_DEBUG_MISC, "**set kpgd (0x%.16"PRIx64").\n", vmi->kpgd);

    /* Read the link stored at tasks_offset, then subtract the same offset so
     * init_task points at the start of the structure that contains it. */
    const addr_t tasks_pa = sysproc + windows->tasks_offset;
    if (vmi_read_addr_pa(vmi, tasks_pa, &vmi->init_task) == VMI_FAILURE) {
        dbprint(VMI_DEBUG_MISC, "--failed to resolve address of System process\n");
        return VMI_FAILURE;
    }
    vmi->init_task -= windows->tasks_offset;
    dbprint(VMI_DEBUG_MISC, "**set init_task (0x%.16"PRIx64").\n", vmi->init_task);

    return VMI_SUCCESS;
}
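/* Tries to find the kernel page directory by doing an exhaustive search
 * through the memory space for the System process. The page directory
 * location is then pulled from this eprocess struct.
 *
 * The page directory base and the init_task link are read as raw 64-bit
 * values because the page mode may not be known yet. When the page mode is
 * already known to be 32-bit (legacy or PAE) the values are truncated to
 * their low 32 bits; the truncation happens before the zero check on kpgd
 * so that whatever sits in the discarded upper half cannot make a zero page
 * directory base look valid. When the page mode is unknown the values are
 * left untouched and find_page_mode is expected to sort it out later.
 *
 * Returns VMI_SUCCESS with vmi->kpgd and vmi->init_task set, VMI_FAILURE
 * otherwise (vmi->kpgd may already be written if the init_task read fails). */
static status_t get_kpgd_method2(
    vmi_instance_t vmi)
{
    addr_t sysproc = 0;
    windows_instance_t windows = NULL;
    /* Nonzero when the page mode is already known to use 32-bit addresses. */
    int addr_is_32bit = 0;

    if (vmi->os_data == NULL) {
        errprint("VMI_ERROR: No OS data initialized\n");
        return VMI_FAILURE;
    }
    windows = vmi->os_data;

    switch (vmi->page_mode) {
    case VMI_PM_LEGACY:
    case VMI_PM_PAE:
        addr_is_32bit = 1;
        break;
    default:
        /* Unknown or 64-bit page mode: keep the full 64-bit values. */
        break;
    }

    /* get address for System process */
    sysproc = windows->sysproc;
    if (!sysproc) {
        sysproc = windows_find_eprocess(vmi, "System");
        if (sysproc == 0) {
            dbprint(VMI_DEBUG_MISC, "--failed to find System process.\n");
            goto error_exit;
        }
        printf("LibVMI Suggestion: set win_sysproc=0x%"PRIx64" in libvmi.conf for faster startup.\n", sysproc);
    }
    dbprint(VMI_DEBUG_MISC, "--got PA to PsInitialSystemProcess (0x%.16"PRIx64").\n", sysproc);

    /* Get address for page directory (from system process). We are reading a
     * 64-bit value here deliberately as we might not know the page mode yet. */
    if (VMI_FAILURE == vmi_read_64_pa(vmi, sysproc + windows->pdbase_offset, &vmi->kpgd)) {
        dbprint(VMI_DEBUG_MISC, "--failed to resolve PD for System process\n");
        goto error_exit;
    }
    if (addr_is_32bit) {
        vmi->kpgd &= UINT32_MAX;
    }
    /* Checked after truncation: in 32-bit mode only the low 32 bits count. */
    if (!vmi->kpgd) {
        dbprint(VMI_DEBUG_MISC, "--kpgd was zero\n");
        goto error_exit;
    }

    if (VMI_FAILURE == vmi_read_64_pa(vmi, sysproc + windows->tasks_offset, &vmi->init_task)) {
        dbprint(VMI_DEBUG_MISC, "--failed to resolve address of System process\n");
        goto error_exit;
    }
    /* Subtract the same offset so init_task points at the start of the
     * structure that holds the link we just read. */
    vmi->init_task -= windows->tasks_offset;
    if (addr_is_32bit) {
        vmi->init_task &= UINT32_MAX;
    }

    dbprint(VMI_DEBUG_MISC, "**set kpgd (0x%.16"PRIx64").\n", vmi->kpgd);
    dbprint(VMI_DEBUG_MISC, "**set init_task (0x%.16"PRIx64").\n", vmi->init_task);

    return VMI_SUCCESS;

error_exit:
    return VMI_FAILURE;
}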