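/*
 * Parse a domain id from a command-line string.
 *
 * Accepts only an unsigned decimal number that fits in a uint32_t; rejects
 * an empty string, a leading '-', trailing garbage and out-of-range values.
 * (atoi(), which this replaces, silently maps all of those to 0 or to an
 * unspecified value.)
 *
 * Returns 0 on success and stores the value in *out, -1 otherwise.
 */
static int parse_domid(const char *text, uint32_t *out)
{
    if (text == NULL || *text == '\0' || *text == '-') {
        return -1;
    }
    char *end = NULL;
    unsigned long value = strtoul(text, &end, 10);
    if (end == text || *end != '\0' || value > UINT32_MAX) {
        return -1;
    }
    *out = (uint32_t)value;
    return 0;
}

/*
 * Locate the Windows kernel in a guest's physical memory.
 *
 * Usage: <prog> name|domid <domain name|domain id>
 *
 * The guest is selected through a GHashTable config handed to
 * vmi_init_custom(); the table is destroyed right after init, on both the
 * success and the failure path.  Physical memory is then scanned one page
 * at a time up to MAX_SEARCH_SIZE, and the first page whose PE header
 * passes is_WINDOWS_KERNEL() is reported together with its OS version,
 * GUID and PE header.
 *
 * Returns 0 when a kernel was found; 1 on a usage error, an invalid domain
 * id, an init failure, or when nothing was found.
 */
int main(int argc, char **argv)
{
    vmi_instance_t vmi;   /* the VM that we are looking at */

    if (argc != 3) {
        fprintf(stderr, "Usage: %s name|domid <domain name|domain id>\n", argv[0]);
        return 1;
    }

    /*
     * Validate the selector before creating the hash table, so that no
     * error path below has to remember to free it (the previous version
     * leaked the table when argv[1] was neither "name" nor "domid").
     */
    uint32_t domid = VMI_INVALID_DOMID;
    char *key = NULL;
    void *value = NULL;

    if (strcmp(argv[1], "name") == 0) {
        key = "name";
        value = argv[2];
    } else if (strcmp(argv[1], "domid") == 0) {
        if (parse_domid(argv[2], &domid) != 0) {
            fprintf(stderr, "Invalid domain id: %s\n", argv[2]);
            return 1;
        }
        key = "domid";
        value = &domid;   /* domid lives until main() returns, longer than the table does */
    } else {
        fprintf(stderr, "You have to specify either name or domid!\n");
        return 1;
    }

    GHashTable *config = g_hash_table_new(g_str_hash, g_str_equal);
    g_hash_table_insert(config, key, value);

    /* Partial init (VMI_INIT_PARTIAL); the scan below only reads physical memory. */
    if (vmi_init_custom(&vmi, VMI_AUTO | VMI_INIT_PARTIAL | VMI_CONFIG_GHASHTABLE, config) == VMI_FAILURE) {
        fprintf(stderr, "Failed to init LibVMI library.\n");
        g_hash_table_destroy(config);
        return 1;
    }
    /* The config is not used after init, so release it now. */
    g_hash_table_destroy(config);

    /* The Windows kernel image is page aligned, so stepping by PAGE_SIZE is sufficient. */
    int found = 0;
    for (uint32_t paddr = 0; paddr < MAX_SEARCH_SIZE; paddr += PAGE_SIZE) {
        uint8_t pe[MAX_HEADER_SIZE];
        if (peparse_get_image_phys(vmi, paddr, MAX_HEADER_SIZE, pe) != VMI_SUCCESS) {
            continue;
        }
        if (is_WINDOWS_KERNEL(vmi, paddr, pe) != VMI_SUCCESS) {
            continue;
        }
        printf("Windows Kernel found @ 0x%" PRIx32 "\n", paddr);
        print_os_version(vmi, paddr, pe);
        print_guid(vmi, paddr, pe);
        print_pe_header(vmi, paddr, pe);
        found = 1;
        break;
    }

    /* Release everything LibVMI holds for this instance. */
    vmi_destroy(vmi);
    return found ? 0 : 1;
}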
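/*
 * Scan guest physical memory for the page at which ntoskrnl.exe is mapped.
 *
 * Starting at page_paddr, each 4 KiB page is read and parsed as a PE image.
 * A page is accepted when its export directory lies inside guest memory,
 * has export_flags == 0 and a non-zero name RVA, and the 12 bytes at that
 * RVA spell "ntoskrnl.exe".  Every offset used here originates in guest
 * memory, so each one is bounds-checked against vmi->size (used throughout
 * as the upper bound of readable physical memory) before it is read.
 *
 * Returns the physical address of the matching page, or 0 if no page
 * before the end of memory matched.
 */
addr_t get_ntoskrnl_base(vmi_instance_t vmi, addr_t page_paddr)
{
    for (; page_paddr + VMI_PS_4KB < vmi->size; page_paddr += VMI_PS_4KB) {
        uint8_t page[VMI_PS_4KB];   /* one declaration; the old outer copy was never used */
        if (peparse_get_image_phys(vmi, page_paddr, VMI_PS_4KB, page) == VMI_FAILURE) {
            continue;
        }

        struct pe_header *pe_header = NULL;
        struct dos_header *dos_header = NULL;
        void *optional_pe_header = NULL;
        uint16_t optional_header_type = 0;
        peparse_assign_headers(page, &dos_header, &pe_header, &optional_header_type,
                               &optional_pe_header, NULL, NULL);

        addr_t export_header_offset = peparse_get_idd_rva(IMAGE_DIRECTORY_ENTRY_EXPORT,
                                                          &optional_header_type,
                                                          optional_pe_header, NULL, NULL);
        if (!export_header_offset || page_paddr + export_header_offset > vmi->size) {
            continue;
        }

        /* Only a complete export table with no flags and a name RVA is of interest. */
        struct export_table et;
        size_t nbytes = vmi_read_pa(vmi, page_paddr + export_header_offset, &et, sizeof et);
        if (nbytes != sizeof et || et.export_flags || !et.name) {
            continue;
        }

        /* et.name is an RVA supplied by the guest: keep the 12-byte read inside memory. */
        if (page_paddr + et.name + 12 > vmi->size) {
            continue;
        }
        unsigned char name[13] = {0};   /* 12 bytes plus a terminator for strcmp() */
        if (vmi_read_pa(vmi, page_paddr + et.name, name, 12) != 12) {
            continue;   /* a short or failed read must not be compared as a name */
        }
        if (strcmp("ntoskrnl.exe", (char *)name) == 0) {
            return page_paddr;
        }
    }
    return 0;
}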
/*
 * Locate the Windows kernel in a guest's physical memory.
 *
 * Usage: <prog> <domain name>
 *
 * Only a partial LibVMI init (VMI_INIT_PARTIAL) is requested; the scan
 * below reads physical memory through peparse_get_image_phys() one page
 * at a time up to MAX_SEARCH_SIZE and reports the first page whose PE
 * header passes is_WINDOWS_KERNEL().
 *
 * Returns 0 when a kernel was found, 1 on a usage error, an init failure,
 * or when nothing was found.
 */
int main(int argc, char **argv)
{
    vmi_instance_t vmi;   /* the VM that we are looking at */
    int rc = 1;           /* exit status; becomes 0 only once a kernel is found */

    if (argc != 2) {
        printf("Usage: %s <domain name>\n", argv[0]);
        return rc;
    }

    if (vmi_init(&vmi, VMI_AUTO | VMI_INIT_PARTIAL, argv[1]) == VMI_FAILURE) {
        printf("Failed to init LibVMI library.\n");
        return rc;
    }

    /* The Windows kernel image is page aligned, so only page boundaries are probed. */
    uint32_t paddr = 0;
    while (paddr < MAX_SEARCH_SIZE) {
        uint8_t header[MAX_HEADER_SIZE];
        const int readable =
            (peparse_get_image_phys(vmi, paddr, MAX_HEADER_SIZE, header) == VMI_SUCCESS);
        if (readable && is_WINDOWS_KERNEL(vmi, paddr, header) == VMI_SUCCESS) {
            printf("Windows Kernel found @ 0x%" PRIx32 "\n", paddr);
            print_os_version(vmi, paddr, header);
            print_guid(vmi, paddr, header);
            print_pe_header(vmi, paddr, header);
            rc = 0;
            break;
        }
        paddr += PAGE_SIZE;
    }

    /* Release everything LibVMI holds for this instance. */
    vmi_destroy(vmi);
    return rc;
}