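/*
 * Look up a Windows kernel-structure offset by name.
 *
 * Recognised names: "win_tasks", "win_pdbase", "win_pid" and "win_pname".
 * The pname offset is resolved lazily: when it is still 0 on the Windows
 * instance, find_pname_offset() is called and the result is cached back into
 * windows->pname_offset before being returned.
 *
 * vmi          - VMI instance whose os_data must point at a windows_instance_t.
 * offset_name  - NUL-terminated name of the offset to fetch.
 *
 * Returns the offset, or 0 when the OS instance is not initialised, the name
 * is NULL/unrecognised, or the pname offset could not be found. Callers cannot
 * distinguish "error" from "offset genuinely 0" through the return value
 * alone; the error/warn/debug prints are the only signal.
 */
uint64_t windows_get_offset(vmi_instance_t vmi, const char *offset_name)
{
    /* strncmp bound; every recognised key is far shorter than this. */
    const size_t max_length = 100;
    windows_instance_t windows = vmi->os_data;

    if (windows == NULL) {
        errprint("VMI_ERROR: OS instance not initialized\n");
        return 0;
    }

    /* strncmp() on a NULL pointer is undefined behaviour; reject it up front
     * instead of letting a caller's bad argument crash the introspection tool. */
    if (offset_name == NULL) {
        warnprint("Invalid offset name in windows_get_offset (NULL).\n");
        return 0;
    }

    if (strncmp(offset_name, "win_tasks", max_length) == 0) {
        return windows->tasks_offset;
    }
    if (strncmp(offset_name, "win_pdbase", max_length) == 0) {
        return windows->pdbase_offset;
    }
    if (strncmp(offset_name, "win_pid", max_length) == 0) {
        return windows->pid_offset;
    }
    if (strncmp(offset_name, "win_pname", max_length) == 0) {
        /* Resolve on first use and cache; a 0 result means the search failed. */
        if (windows->pname_offset == 0) {
            windows->pname_offset = find_pname_offset(vmi, NULL);
            if (windows->pname_offset == 0) {
                dbprint(VMI_DEBUG_MISC, "--failed to find pname_offset\n");
                return 0;
            }
        }
        return windows->pname_offset;
    }

    warnprint("Invalid offset name in windows_get_offset (%s).\n", offset_name);
    return 0;
}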
/*
 * Find the EPROCESS address of the process called `name`.
 *
 * The process-name offset inside EPROCESS is resolved on first use via
 * find_pname_offset() and cached in vmi->os.windows_instance.pname_offset.
 * If the VMI instance knows the init task, the list walk starts at
 * init_task minus tasks_offset (i.e. at the EPROCESS holding that list
 * entry); otherwise find_process_by_name() is started from 0.
 *
 * vmi   - initialised VMI instance (Windows guest assumed; os union is read
 *         unconditionally).
 * name  - process name to search for; forwarded to find_process_by_name().
 *
 * Returns the address found by find_process_by_name(), or 0 if the pname
 * offset could not be resolved.
 */
addr_t windows_find_eprocess(vmi_instance_t vmi, char *name)
{
    check_magic_func check = get_check_magic_func(vmi);
    /* Start from the init task's EPROCESS when it is known, else from 0. */
    addr_t start_address = vmi->init_task
        ? vmi->init_task - vmi->os.windows_instance.tasks_offset
        : 0;

    if (!vmi->os.windows_instance.pname_offset) {
        vmi->os.windows_instance.pname_offset = find_pname_offset(vmi, check);
        if (!vmi->os.windows_instance.pname_offset) {
            dbprint("--failed to find pname_offset\n");
            return 0;
        }
        /* NOTE(review): "%x" assumes pname_offset is an unsigned-int-sized
         * field -- confirm against the windows_instance definition. */
        dbprint("**set os.windows_instance.pname_offset (0x%x)\n",
                vmi->os.windows_instance.pname_offset);
    }

    return find_process_by_name(vmi, check, start_address, name);
}
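/*
 * Public accessor for guest-OS structure offsets, keyed by name.
 *
 * Windows keys: "win_tasks", "win_pdbase", "win_pid", "win_pname".
 * Linux keys:   "linux_tasks", "linux_mm", "linux_pid", "linux_name",
 *               "linux_pgd".
 * "win_pname" is resolved lazily through find_pname_offset() and cached in
 * vmi->os.windows_instance.pname_offset. No check is made that the key
 * matches the guest OS actually in use; the os union is simply read.
 *
 * vmi          - initialised VMI instance.
 * offset_name  - NUL-terminated offset name (kept non-const to match the
 *                existing declaration; the string is never written).
 *
 * Returns the offset, or 0 for a NULL/unknown name or when the pname offset
 * cannot be found -- which is indistinguishable from a genuine 0 offset.
 */
unsigned long vmi_get_offset(vmi_instance_t vmi, char *offset_name)
{
    /* strncmp bound; every recognised key is far shorter than this. */
    size_t max_length = 100;

    /* strncmp() on NULL is undefined behaviour; fail closed on bad input
     * rather than crash inside a string compare. */
    if (offset_name == NULL) {
        warnprint("Invalid offset name in vmi_get_offset (NULL).\n");
        return 0;
    }

    /* Windows offsets */
    if (strncmp(offset_name, "win_tasks", max_length) == 0) {
        return vmi->os.windows_instance.tasks_offset;
    }
    if (strncmp(offset_name, "win_pdbase", max_length) == 0) {
        return vmi->os.windows_instance.pdbase_offset;
    }
    if (strncmp(offset_name, "win_pid", max_length) == 0) {
        return vmi->os.windows_instance.pid_offset;
    }
    if (strncmp(offset_name, "win_pname", max_length) == 0) {
        /* Resolve on first use and cache; 0 means the search failed. */
        if (vmi->os.windows_instance.pname_offset == 0) {
            vmi->os.windows_instance.pname_offset = find_pname_offset(vmi, NULL);
            if (vmi->os.windows_instance.pname_offset == 0) {
                dbprint("--failed to find pname_offset\n");
                return 0;
            }
        }
        return vmi->os.windows_instance.pname_offset;
    }

    /* Linux offsets */
    if (strncmp(offset_name, "linux_tasks", max_length) == 0) {
        return vmi->os.linux_instance.tasks_offset;
    }
    if (strncmp(offset_name, "linux_mm", max_length) == 0) {
        return vmi->os.linux_instance.mm_offset;
    }
    if (strncmp(offset_name, "linux_pid", max_length) == 0) {
        return vmi->os.linux_instance.pid_offset;
    }
    if (strncmp(offset_name, "linux_name", max_length) == 0) {
        return vmi->os.linux_instance.name_offset;
    }
    if (strncmp(offset_name, "linux_pgd", max_length) == 0) {
        return vmi->os.linux_instance.pgd_offset;
    }

    warnprint("Invalid offset name in vmi_get_offset (%s).\n", offset_name);
    return 0;
}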
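/*
 * Find the EPROCESS address of the process called `name`.
 *
 * The ImageFileName offset inside _EPROCESS is resolved on first use and
 * cached in windows->pname_offset. When a Rekall profile is attached it is
 * the authoritative source (rekall_profile_symbol_to_rva on
 * "_EPROCESS"/"ImageFileName"); otherwise the heuristic find_pname_offset()
 * scan is used. The list walk starts at vmi->init_task when it is known,
 * else from 0.
 *
 * vmi   - VMI instance; its os_data must point at a windows_instance_t.
 * name  - process name to search for; forwarded to find_process_by_name().
 *
 * Returns the address found by find_process_by_name(), or 0 when the OS
 * instance is missing or the pname offset could not be resolved.
 */
addr_t windows_find_eprocess(vmi_instance_t vmi, const char *name)
{
    windows_instance_t windows = vmi->os_data;
    addr_t start_address = 0;
    check_magic_func check;

    /* Guard before calling any helper with vmi: the original code fetched the
     * magic-check function first, so an uninitialised os_data reached
     * get_check_magic_func() before the NULL test. Nothing here depends on
     * that call happening in the failure case, so bail out first. */
    if (windows == NULL) {
        return 0;
    }

    check = get_check_magic_func(vmi);

    if (!windows->pname_offset) {
        if (windows->rekall_profile) {
            /* Profile lookup: a failure here used to return silently, unlike
             * the heuristic path; log it so the two paths are diagnosable. */
            if (VMI_FAILURE == rekall_profile_symbol_to_rva(windows->rekall_profile,
                                                            "_EPROCESS",
                                                            "ImageFileName",
                                                            &windows->pname_offset)) {
                dbprint(VMI_DEBUG_MISC,
                        "--failed to find pname_offset in Rekall profile\n");
                return 0;
            }
        } else {
            /* Fallback heuristic scan of guest memory. */
            windows->pname_offset = find_pname_offset(vmi, check);
        }

        /* Both paths may still leave the offset at 0 (e.g. a profile that
         * reports 0); treat that as unresolved rather than a valid offset. */
        if (!windows->pname_offset) {
            dbprint(VMI_DEBUG_MISC, "--failed to find pname_offset\n");
            return 0;
        }
        dbprint(VMI_DEBUG_MISC,
                "**set os.windows_instance.pname_offset (0x%"PRIx64")\n",
                windows->pname_offset);
    }

    if (vmi->init_task) {
        start_address = vmi->init_task;
    }

    return find_process_by_name(vmi, check, start_address, name);
}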