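/*
 * Entry point: locate the Windows kernel image in a guest's physical memory.
 *
 * argv[1] selects how the guest is identified ("name" or "domid") and
 * argv[2] carries the value. LibVMI is initialized partially (no OS-specific
 * setup is needed for raw physical reads) from a GHashTable config, then
 * physical memory is scanned one page at a time for a PE header that
 * is_WINDOWS_KERNEL() accepts.
 *
 * Returns 0 when a kernel image was found; 1 on bad usage, on an unparsable
 * domid, on LibVMI init failure, or when nothing was found within
 * MAX_SEARCH_SIZE bytes.
 */
int main(int argc, char **argv)
{
    vmi_instance_t vmi; /* this is the VM that we are looking at */

    if (argc != 3) {
        printf("Usage: %s name|domid <domain name|domain id>\n", argv[0]);
        return 1;
    }

    uint32_t domid = VMI_INVALID_DOMID;
    GHashTable *config = g_hash_table_new(g_str_hash, g_str_equal);

    if (strcmp(argv[1], "name") == 0) {
        g_hash_table_insert(config, "name", argv[2]);
    } else if (strcmp(argv[1], "domid") == 0) {
        /* Parse strictly: atoi() silently turned garbage into domid 0.
         * Base 10 keeps the accepted input identical to atoi(). On overflow
         * strtoull() returns ULLONG_MAX, which the range check rejects
         * without needing errno. */
        char *end = NULL;
        unsigned long long parsed = strtoull(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0' || parsed > UINT32_MAX) {
            printf("Invalid domid: %s\n", argv[2]);
            g_hash_table_destroy(config);
            return 1;
        }
        domid = (uint32_t)parsed;
        /* The table stores a pointer to the local; that is valid only
         * because config is destroyed before main() returns. */
        g_hash_table_insert(config, "domid", &domid);
    } else {
        printf("You have to specify either name or domid!\n");
        g_hash_table_destroy(config); /* previously leaked on this path */
        return 1;
    }

    /* partially initialize the libvmi library */
    if (vmi_init_custom(&vmi, VMI_AUTO | VMI_INIT_PARTIAL | VMI_CONFIG_GHASHTABLE,
                        config) == VMI_FAILURE) {
        printf("Failed to init LibVMI library.\n");
        g_hash_table_destroy(config);
        return 1;
    }
    g_hash_table_destroy(config);

    /* The Windows kernel image is page aligned, so stepping by PAGE_SIZE
     * is enough to land on its header. */
    int found = 0;
    for (uint32_t paddr = 0; paddr < MAX_SEARCH_SIZE; paddr += PAGE_SIZE) {
        uint8_t pe[MAX_HEADER_SIZE];

        if (VMI_SUCCESS != peparse_get_image_phys(vmi, paddr, MAX_HEADER_SIZE, pe)) {
            continue; /* no readable PE header at this page */
        }
        if (VMI_SUCCESS != is_WINDOWS_KERNEL(vmi, paddr, pe)) {
            continue; /* a PE image, but not the kernel */
        }

        printf("Windows Kernel found @ 0x%" PRIx32 "\n", paddr);
        print_os_version(vmi, paddr, pe);
        print_guid(vmi, paddr, pe);
        print_pe_header(vmi, paddr, pe);
        found = 1;
        break;
    }

    /* cleanup any memory associated with the LibVMI instance */
    vmi_destroy(vmi);

    return found ? 0 : 1;
}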
/*
 * Entry point: scan a guest's physical memory, one page at a time, for the
 * Windows kernel image and print what is found about it.
 *
 * argv[1] is the domain name handed to vmi_init() in partial mode (no
 * OS-specific setup; only physical reads are needed here).
 *
 * Returns 0 when a kernel image was found; 1 on bad usage, on LibVMI init
 * failure, or when nothing was found within MAX_SEARCH_SIZE bytes.
 */
int main(int argc, char **argv)
{
    if (argc != 2) {
        printf("Usage: %s <domain name>\n", argv[0]);
        return 1;
    }

    vmi_instance_t vmi; /* the VM under inspection */

    /* partially initialize the libvmi library */
    if (VMI_FAILURE == vmi_init(&vmi, VMI_AUTO | VMI_INIT_PARTIAL, argv[1])) {
        printf("Failed to init LibVMI library.\n");
        return 1;
    }

    /* The Windows kernel image is page aligned, so stepping by PAGE_SIZE
     * is enough to land on its header. */
    int rc = 1;
    uint32_t paddr = 0;
    while (paddr < MAX_SEARCH_SIZE) {
        uint8_t pe[MAX_HEADER_SIZE];
        int have_header = (VMI_SUCCESS == peparse_get_image_phys(vmi, paddr, MAX_HEADER_SIZE, pe));

        if (have_header && VMI_SUCCESS == is_WINDOWS_KERNEL(vmi, paddr, pe)) {
            printf("Windows Kernel found @ 0x%" PRIx32 "\n", paddr);
            print_os_version(vmi, paddr, pe);
            print_guid(vmi, paddr, pe);
            print_pe_header(vmi, paddr, pe);
            rc = 0;
            break;
        }
        paddr += PAGE_SIZE;
    }

    /* cleanup any memory associated with the LibVMI instance */
    vmi_destroy(vmi);

    return rc;
}
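/*
 * Entry point: locate the Windows kernel image in a guest's physical memory.
 *
 * argv[1] selects how the guest is identified ("name" or "domid") and
 * argv[2] carries the value. The access mode is queried from LibVMI, the
 * library is initialized, and physical memory is scanned one page at a
 * time (up to vmi_get_max_physical_address()) for a PE header that
 * is_WINDOWS_KERNEL() accepts.
 *
 * Writes the file-scope max_mem as a side effect.
 *
 * Returns 0 when a kernel image was found; 1 on bad usage, on an unparsable
 * domid, when the access mode cannot be determined, on LibVMI init failure,
 * or when nothing was found.
 */
int main(int argc, char **argv)
{
    vmi_instance_t vmi = NULL; /* this is the VM that we are looking at */
    vmi_mode_t mode;

    if (argc != 3) {
        printf("Usage: %s name|domid <domain name|domain id>\n", argv[0]);
        return 1;
    }

    void *domain = NULL;
    uint64_t domid = VMI_INVALID_DOMID;
    uint64_t init_flags = 0;

    if (strcmp(argv[1], "name") == 0) {
        domain = (void *)argv[2];
        init_flags |= VMI_INIT_DOMAINNAME;
    } else if (strcmp(argv[1], "domid") == 0) {
        /* Parse strictly: an unchecked strtoull() silently turned garbage
         * into domid 0. Base 0 is kept so hex/octal input still works.
         * NOTE: an out-of-range value is not distinguished here (that
         * would need errno/ERANGE); it yields ULLONG_MAX as the domid. */
        char *end = NULL;
        domid = strtoull(argv[2], &end, 0);
        if (end == argv[2] || *end != '\0') {
            printf("Invalid domid: %s\n", argv[2]);
            return 1;
        }
        domain = (void *)&domid; /* points at a local; vmi_init copies or consumes it before return */
        init_flags |= VMI_INIT_DOMAINID;
    } else {
        printf("You have to specify either name or domid!\n");
        return 1;
    }

    /* vmi is still NULL here; the access-mode query only needs the domain */
    if (VMI_FAILURE == vmi_get_access_mode(vmi, domain, init_flags, NULL, &mode)) {
        printf("Failed to determine LibVMI access mode.\n");
        return 1;
    }

    /* initialize the libvmi library */
    if (VMI_FAILURE == vmi_init(&vmi, mode, domain, init_flags, NULL, NULL)) {
        printf("Failed to init LibVMI library.\n");
        return 1;
    }

    max_mem = vmi_get_max_physical_address(vmi);

    /* The Windows kernel image is page aligned, so stepping by PAGE_SIZE
     * is enough to land on its header. Physical addresses are read
     * directly, without translation. */
    int found = 0;
    access_context_t ctx = {
        .translate_mechanism = VMI_TM_NONE,
    };

    for (ctx.addr = 0; ctx.addr < max_mem; ctx.addr += PAGE_SIZE) {
        uint8_t pe[MAX_HEADER_SIZE];

        if (VMI_SUCCESS != peparse_get_image(vmi, &ctx, MAX_HEADER_SIZE, pe)) {
            continue; /* no readable PE header at this page */
        }
        if (VMI_SUCCESS != is_WINDOWS_KERNEL(vmi, ctx.addr, pe)) {
            continue; /* a PE image, but not the kernel */
        }

        printf("Windows Kernel found @ 0x%" PRIx64 "\n", ctx.addr);
        print_os_version(pe);
        print_guid(vmi, ctx.addr, pe);
        print_pe_header(vmi, ctx.addr, pe);
        found = 1;
        break;
    }

    /* cleanup any memory associated with the LibVMI instance */
    vmi_destroy(vmi);

    return found ? 0 : 1;
}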