addr_t
windows_find_eprocess_list_pgd(
        vmi_instance_t vmi,
        addr_t pgd)
{
    addr_t list_head = 0;

    /* No OS-specific data means no pdbase_offset to search with. */
    if (!vmi->os_data) {
        return 0;
    }

    /* The walk starts at the System process, resolved via the kernel symbol. */
    if (vmi_read_addr_ksym(vmi, "PsInitialSystemProcess", &list_head) == VMI_FAILURE) {
        return 0;
    }

    windows_instance_t windows = (windows_instance_t)vmi->os_data;
    int pdbase_offset = windows->pdbase_offset;

    /* Under legacy/PAE paging the page-directory-base field is compared as
     * 32 bits, otherwise as a full addr_t; only that many bytes of pgd are
     * handed to the search.
     * NOTE(review): passing &pgd with a 4-byte len presumes the low bytes of
     * pgd come first (little-endian host) -- confirm against eprocess_list_search. */
    const int narrow_pgd = (vmi->page_mode == VMI_PM_LEGACY) || (vmi->page_mode == VMI_PM_PAE);
    size_t len = narrow_pgd ? sizeof(uint32_t) : sizeof(addr_t);

    return eprocess_list_search(vmi, list_head, pdbase_offset, len, &pgd);
}
addr_t
windows_find_eprocess_list_pid(
        vmi_instance_t vmi,
        int pid)
{
    /* Walk the EPROCESS list comparing sizeof(int) bytes at pid_offset
     * against the requested pid; the search helper reports the match. */
    const int offset = vmi->os.windows_instance.pid_offset;

    return eprocess_list_search(vmi, offset, sizeof pid, &pid);
}
addr_t
windows_find_eprocess_list_pid(
        vmi_instance_t vmi,
        vmi_pid_t pid)
{
    addr_t list_head = 0;
    int pid_offset = 0;

    /* Without OS-specific data there is no pid_offset to search with. */
    if (vmi->os_data == NULL) {
        return 0;
    }

    /* The walk starts at the System process, resolved via the kernel symbol. */
    if (vmi_read_addr_ksym(vmi, "PsInitialSystemProcess", &list_head) == VMI_FAILURE) {
        return 0;
    }

    pid_offset = ((windows_instance_t)vmi->os_data)->pid_offset;

    /* Compare sizeof(vmi_pid_t) bytes at pid_offset of each entry against pid. */
    return eprocess_list_search(vmi, list_head, pid_offset, sizeof pid, &pid);
}
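/*
 * Locate the kernel page directory base (kpgd) by walking the EPROCESS
 * list from PsActiveProcessHead until the System process is found, then
 * reading its page-directory-base field from guest physical memory.
 *
 * On success vmi->kpgd and vmi->init_task are set and VMI_SUCCESS is
 * returned; on any failure VMI_FAILURE is returned and vmi is untouched.
 */
static status_t
get_kpgd_method0(
    vmi_instance_t vmi)
{
    addr_t sysproc_va = 0;
    addr_t sysproc_pa = 0;
    addr_t active_process_head = 0;
    windows_instance_t windows = NULL;
    vmi_pid_t pid = 4;              /* PID of the Windows System process */
    size_t len = sizeof(vmi_pid_t); /* bytes compared at pid_offset per entry */
    addr_t kpgd = 0;

    if (vmi->os_data == NULL) {
        errprint("VMI_ERROR: No OS data initialized\n");
        return VMI_FAILURE;
    }

    windows = vmi->os_data;

    if (VMI_FAILURE == vmi_read_addr_ksym(vmi, "PsActiveProcessHead", &active_process_head)) {
        dbprint(VMI_DEBUG_MISC, "--failed to resolve PsActiveProcessHead\n");
        return VMI_FAILURE;
    }

    /* vmi->kpgd here is whatever value was in place before this method ran
     * (presumably what the kv2p translation below relies on -- confirm). */
    dbprint(VMI_DEBUG_MISC, "--starting search from PsActiveProcessHead (0x%.16"PRIx64") using kpgd (0x%.16"PRIx64").\n",
            active_process_head, vmi->kpgd);

    /* The list head is a LIST_ENTRY embedded at tasks_offset, so the search
     * starts from the corresponding (virtual) EPROCESS base. */
    sysproc_va = eprocess_list_search(vmi, active_process_head - windows->tasks_offset, windows->pid_offset, len, &pid);

    if (sysproc_va == 0) {
        dbprint(VMI_DEBUG_MISC, "--failed to find system process with pid 4\n");
        return VMI_FAILURE;
    }

    /* addr_t is 64-bit; PRIx64 keeps the format portable (a plain %lx is
     * only correct where long is 64 bits), matching the other dbprints here. */
    sysproc_va -= windows->tasks_offset;
    dbprint(VMI_DEBUG_MISC, "--Found System process at 0x%.16"PRIx64"\n", sysproc_va);
    sysproc_pa = vmi_translate_kv2p(vmi, sysproc_va);

    if (sysproc_pa == 0) {
        dbprint(VMI_DEBUG_MISC, "--failed to translate System process\n");
        return VMI_FAILURE;
    }

    dbprint(VMI_DEBUG_MISC, "--Found System process physical address at 0x%.16"PRIx64"\n", sysproc_pa);

    if (VMI_FAILURE ==
        vmi_read_addr_pa(vmi,
                         sysproc_pa +
                         windows->pdbase_offset,
                         &kpgd)) {
        dbprint(VMI_DEBUG_MISC, "--failed to resolve pointer for system process\n");
        return VMI_FAILURE;
    }

    /* kpgd is read straight from guest memory; only the zero case is
     * rejected here, any other value is accepted as-is. */
    if (!kpgd) {
        dbprint(VMI_DEBUG_MISC, "--kpgd was zero\n");
        return VMI_FAILURE;
    }
    vmi->kpgd = kpgd;
    dbprint(VMI_DEBUG_MISC, "**set kpgd (0x%.16"PRIx64").\n", vmi->kpgd);

    vmi->init_task = sysproc_va;
    dbprint(VMI_DEBUG_MISC, "**set init_task (0x%.16"PRIx64").\n", vmi->init_task);

    return VMI_SUCCESS;
}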