Exemplo n.º 1
0
int main(int argc, char **argv) {

    vmi_instance_t vmi;

    /* this is the VM that we are looking at */
    if (argc != 3) {
        printf("Usage: %s name|domid <domain name|domain id>\n", argv[0]);
        return 1;
    }   // if

    uint32_t domid = VMI_INVALID_DOMID;
    GHashTable *config = g_hash_table_new(g_str_hash, g_str_equal);

    if(strcmp(argv[1],"name")==0) {
        g_hash_table_insert(config, "name", argv[2]);
    } else
    if(strcmp(argv[1],"domid")==0) {
        domid = atoi(argv[2]);
        g_hash_table_insert(config, "domid", &domid);
    } else {
        printf("You have to specify either name or domid!\n");
        return 1;
    }

    /* partialy initialize the libvmi library */
    if (vmi_init_custom(&vmi, VMI_AUTO | VMI_INIT_PARTIAL | VMI_CONFIG_GHASHTABLE, config) == VMI_FAILURE) {
        printf("Failed to init LibVMI library.\n");
        g_hash_table_destroy(config);
        return 1;
    }
    g_hash_table_destroy(config);

    /* the nice thing about the windows kernel is that it's page aligned */
    uint32_t i;
    uint32_t found = 0;
    for(i = 0; i < MAX_SEARCH_SIZE; i += PAGE_SIZE) {

        uint8_t pe[MAX_HEADER_SIZE];

        if(VMI_SUCCESS == peparse_get_image_phys(vmi, i, MAX_HEADER_SIZE, pe)) {
            if(VMI_SUCCESS == is_WINDOWS_KERNEL(vmi, i, pe)) {

                printf("Windows Kernel found @ 0x%"PRIx32"\n", i);
                print_os_version(vmi, i, pe);
                print_guid(vmi, i, pe);
                print_pe_header(vmi, i, pe);
                found=1;
                break;
            }
        }
    }

    /* cleanup any memory associated with the LibVMI instance */
    vmi_destroy(vmi);

    if(found) return 0;
    return 1;
}
Exemplo n.º 2
0
addr_t
get_ntoskrnl_base(
    vmi_instance_t vmi,
    addr_t page_paddr)
{
    uint8_t page[VMI_PS_4KB];
    addr_t ret = 0;

    for(; page_paddr + VMI_PS_4KB < vmi->size; page_paddr += VMI_PS_4KB) {

        uint8_t page[VMI_PS_4KB];
        status_t rc = peparse_get_image_phys(vmi, page_paddr, VMI_PS_4KB, page);
        if(VMI_FAILURE == rc) {
            continue;
        }

        struct pe_header *pe_header = NULL;
        struct dos_header *dos_header = NULL;
        void *optional_pe_header = NULL;
        uint16_t optional_header_type = 0;
        struct export_table et;

        peparse_assign_headers(page, &dos_header, &pe_header, &optional_header_type, &optional_pe_header, NULL, NULL);
        addr_t export_header_offset =
            peparse_get_idd_rva(IMAGE_DIRECTORY_ENTRY_EXPORT, &optional_header_type, optional_pe_header, NULL, NULL);

        if(!export_header_offset || page_paddr + export_header_offset > vmi->size)
            continue;

        uint32_t nbytes = vmi_read_pa(vmi, page_paddr + export_header_offset, &et, sizeof(struct export_table));
        if(nbytes == sizeof(struct export_table) && !(et.export_flags || !et.name) ) {

            if(page_paddr + et.name + 12 > vmi->size) {
                continue;
            }

            unsigned char name[13] = {0};
            vmi_read_pa(vmi, page_paddr + et.name, name, 12);
            if(!strcmp("ntoskrnl.exe", (char*)name)) {
                ret = page_paddr;
                break;
            }
        } else {
            continue;
        }
    }

    return ret;
}
Exemplo n.º 3
0
int main(int argc, char **argv) {

    vmi_instance_t vmi;

    /* this is the VM that we are looking at */
    if (argc != 2) {
        printf("Usage: %s <domain name>\n", argv[0]);
        return 1;
    }   // if

    /* partialy initialize the libvmi library */
    if (vmi_init(&vmi, VMI_AUTO | VMI_INIT_PARTIAL, argv[1]) == VMI_FAILURE) {
        printf("Failed to init LibVMI library.\n");
        return 1;
    }

    /* the nice thing about the windows kernel is that it's page aligned */
    uint32_t i;
    uint32_t found = 0;
    for(i = 0; i < MAX_SEARCH_SIZE; i += PAGE_SIZE) {

        uint8_t pe[MAX_HEADER_SIZE];

        if(VMI_SUCCESS == peparse_get_image_phys(vmi, i, MAX_HEADER_SIZE, pe)) {
            if(VMI_SUCCESS == is_WINDOWS_KERNEL(vmi, i, pe)) {

                printf("Windows Kernel found @ 0x%"PRIx32"\n", i);
                print_os_version(vmi, i, pe);
                print_guid(vmi, i, pe);
                print_pe_header(vmi, i, pe);
                found=1;
                break;
            }
        }
    }

    /* cleanup any memory associated with the LibVMI instance */
    vmi_destroy(vmi);

    if(found) return 0;
    return 1;
}