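/**
 * Resolve a Windows kernel symbol to a virtual address.
 *
 * Lookup order: the KPCR-relative lookup first, then the export table of
 * ntoskrnl (RVA rebased onto ntoskrnl_va). The CR3 read that once gated the
 * KPCR lookup had its condition commented out, leaving the register read as
 * dead code; it is dropped here so the function no longer issues an unused
 * vCPU register read.
 *
 * kernel_base_address (when given) is written before any lookup, so it is
 * valid even when the symbol itself is not found; this matches the
 * original contract for callers that only want the kernel base.
 *
 * NOTE(review): the KPCR and PE export table are presumably parsed from
 * guest memory, which lies outside the introspector's trust boundary, so a
 * tampered guest can steer these results; callers should treat the address
 * as a hint to cross-check rather than authenticated data — confirm against
 * the lookup helpers.
 *
 * @param vmi                  Instance whose os_data must be a windows_instance_t.
 * @param symbol               NUL-terminated symbol name; NULL is rejected.
 * @param kernel_base_address  Optional out: receives ntoskrnl_va.
 * @param address              Out: receives the resolved VA; NULL is rejected.
 * @return VMI_SUCCESS when the symbol was resolved, VMI_FAILURE otherwise.
 */
status_t windows_kernel_symbol_to_address(
    vmi_instance_t vmi,
    const char *symbol,
    addr_t *kernel_base_address,
    addr_t *address)
{
    windows_instance_t windows = vmi->os_data;

    /* Reject missing OS state and missing pointers before any dereference:
     * both success paths write through address, and the "%s" below must not
     * see a NULL symbol. */
    if (windows == NULL || symbol == NULL || address == NULL) {
        return VMI_FAILURE;
    }

    dbprint("--windows symbol lookup (%s)\n", symbol);

    if (kernel_base_address) {
        *kernel_base_address = windows->ntoskrnl_va;
    }

    /* 1. KPCR-relative symbols: the helper writes the full VA itself. */
    if (VMI_SUCCESS == windows_kpcr_lookup(vmi, symbol, address)) {
        dbprint("--got symbol from kpcr (%s --> 0x%"PRIx64").\n", symbol, *address);
        return VMI_SUCCESS;
    }
    dbprint("--kpcr lookup failed, trying kernel PE export table\n");

    /* 2. ntoskrnl export table: yields an RVA that is rebased onto the
     *    kernel base. A separate local keeps address untouched on failure. */
    addr_t rva = 0;
    if (VMI_SUCCESS == windows_export_to_rva(vmi, windows->ntoskrnl_va, 0, symbol, &rva)) {
        *address = windows->ntoskrnl_va + rva;
        dbprint("--got symbol from PE export table (%s --> 0x%.16"PRIx64").\n", symbol, *address);
        return VMI_SUCCESS;
    }
    dbprint("--kernel PE export table failed, nothing left to try\n");

    return VMI_FAILURE;
}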
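/**
 * Resolve a Windows kernel symbol to a virtual address.
 *
 * Sources are consulted in order: a configured sysmap (if any), then KDBG,
 * then the export table of ntoskrnl. The first hit wins. kernel_base_address
 * (when given) is filled only on success, so a failed lookup leaves both
 * outputs untouched.
 *
 * NOTE(review): KDBG and the PE export table are presumably parsed from
 * guest memory, which lies outside the introspector's trust boundary, so a
 * tampered guest can steer these results; callers should treat the address
 * as a hint to cross-check rather than authenticated data — confirm against
 * the lookup helpers.
 *
 * @param vmi                  Instance whose os_data must be a windows_instance_t.
 * @param symbol               NUL-terminated symbol name; NULL is rejected.
 * @param kernel_base_address  Optional out: set to ntoskrnl_va on success.
 * @param address              Out: the resolved VA; NULL is rejected.
 * @return VMI_SUCCESS when the symbol was resolved, VMI_FAILURE otherwise.
 */
status_t windows_kernel_symbol_to_address(
    vmi_instance_t vmi,
    const char *symbol,
    addr_t *kernel_base_address,
    addr_t *address)
{
    status_t ret = VMI_FAILURE;
    addr_t rva = 0;
    windows_instance_t windows = vmi->os_data;

    /* Reject missing OS state and missing pointers before any dereference:
     * every success branch below writes through address, and the "%s" in
     * the debug output must not see a NULL symbol. */
    if (windows == NULL || !windows->ntoskrnl_va || symbol == NULL || address == NULL) {
        goto exit;
    }

    dbprint(VMI_DEBUG_MISC, "--windows symbol lookup (%s)\n", symbol);

    /* 1. sysmap: only when one was configured for this instance; the
     *    helper returns an RVA that is rebased onto the kernel base. */
    if (windows->sysmap) {
        dbprint(VMI_DEBUG_MISC, "--trying kernel sysmap\n");
        if (VMI_SUCCESS == windows_system_map_symbol_to_address(vmi, symbol, NULL, &rva)) {
            *address = windows->ntoskrnl_va + rva;
            dbprint(VMI_DEBUG_MISC, "--got symbol from kernel sysmap (%s --> 0x%.16"PRIx64").\n", symbol, *address);
            ret = VMI_SUCCESS;
            goto success;
        }
        dbprint(VMI_DEBUG_MISC, "--kernel sysmap lookup failed\n");
    }

    /* 2. KDBG: the helper writes the full VA directly into address. */
    if (VMI_SUCCESS == windows_kdbg_lookup(vmi, symbol, address)) {
        dbprint(VMI_DEBUG_MISC, "--got symbol from kdbg (%s --> 0x%"PRIx64").\n", symbol, *address);
        ret = VMI_SUCCESS;
        goto success;
    }
    dbprint(VMI_DEBUG_MISC, "--kdbg lookup failed\n");

    /* 3. ntoskrnl export table: RVA rebased onto the kernel base. */
    dbprint(VMI_DEBUG_MISC, "--trying kernel PE export table\n");
    if (VMI_SUCCESS == windows_export_to_rva(vmi, windows->ntoskrnl_va, 0, symbol, &rva)) {
        *address = windows->ntoskrnl_va + rva;
        dbprint(VMI_DEBUG_MISC, "--got symbol from PE export table (%s --> 0x%.16"PRIx64").\n", symbol, *address);
        ret = VMI_SUCCESS;
        goto success;
    }
    dbprint(VMI_DEBUG_MISC, "--kernel PE export table failed\n");
    goto exit;

success:
    /* Only report the kernel base alongside a resolved symbol. */
    if (kernel_base_address) {
        *kernel_base_address = windows->ntoskrnl_va;
    }

exit:
    return ret;
}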