void
dump_exports(
vmi_instance_t vmi,
struct export_table *et,
addr_t base_addr,
vmi_pid_t pid)
{
addr_t base1 = base_addr + et->address_of_names;
addr_t base2 = base_addr + et->address_of_name_ordinals;
addr_t base3 = base_addr + et->address_of_functions;
uint32_t i = 0;
/* print names */
for (; i < et->number_of_names; ++i) {
uint32_t rva = 0;
uint16_t ordinal = 0;
uint32_t loc = 0;
char *str = NULL;
vmi_read_32_va(vmi, base1 + i * sizeof(uint32_t), pid, &rva);
if (rva) {
str = rva_to_string(vmi, (addr_t) rva, base_addr, pid);
if (str) {
vmi_read_16_va(vmi, base2 + i * sizeof(uint16_t), pid,
&ordinal);
vmi_read_32_va(vmi, base3 + ordinal + sizeof(uint32_t),
pid, &loc);
printf("%s:%d:0x%"PRIx32"\n", str, ordinal, loc);
free(str);
}
}
}
}
/* returns a windows PE export from an RVA*/
char*
windows_rva_to_export(
vmi_instance_t vmi,
addr_t rva,
addr_t base_vaddr,
vmi_pid_t pid)
{
struct export_table et;
addr_t et_rva;
size_t et_size;
int aon_index = -1;
int aof_index = -1;
char* symbol = NULL;
// get export table structure
if (peparse_get_export_table(vmi, base_vaddr, pid, &et, &et_rva, &et_size) != VMI_SUCCESS) {
dbprint(VMI_DEBUG_MISC, "--PEParse: failed to get export table\n");
return NULL;
}
if(rva>=et_rva && rva < et_rva+et_size) {
dbprint(VMI_DEBUG_MISC, "--PEParse: symbol @ %u:0x%"PRIx64" is forwarded\n", pid, base_vaddr+rva);
return NULL;
}
addr_t base1 = base_vaddr + et.address_of_names;
addr_t base2 = base_vaddr + et.address_of_name_ordinals;
addr_t base3 = base_vaddr + et.address_of_functions;
uint32_t i = 0;
for (; i < et.number_of_functions; ++i) {
uint32_t name_rva = 0;
uint16_t ordinal = 0;
uint32_t loc = 0;
if(VMI_FAILURE==vmi_read_16_va(vmi, base2 + i * sizeof(uint16_t), pid, &ordinal))
continue;
if(VMI_FAILURE==vmi_read_32_va(vmi, base3 + ordinal + sizeof(uint32_t), pid, &loc))
continue;
if(loc==rva) {
if(i < et.number_of_names && VMI_SUCCESS==vmi_read_32_va(vmi, base1 + i * sizeof(uint32_t), pid, &name_rva) && name_rva) {
symbol = rva_to_string(vmi, (addr_t)name_rva, base_vaddr, pid);
return symbol;
}
dbprint(VMI_DEBUG_MISC, "--PEParse: symbol @ %u:0x%"PRIx64" is exported by ordinal only\n", pid, base_vaddr+rva);
break;
}
}
return NULL;
}
int
get_aof_index(
vmi_instance_t vmi,
int aon_index,
struct export_table *et,
addr_t base_addr,
vmi_pid_t pid)
{
addr_t aof_index_loc =
base_addr + et->address_of_name_ordinals +
aon_index * sizeof(uint16_t);
uint16_t aof_index = 0;
if (vmi_read_16_va(vmi, aof_index_loc, pid, &aof_index) ==
VMI_SUCCESS) {
return (int) aof_index;
}
else {
return -1;
}
}
/*根据data,执行vmi函数,并发送返回值*/
int rvmi_handle_data(int fd, char *buf)
{
int vmiFunNum;
int i=0;
char delims[] = " ";
char *vmiFunArg[5] = {NULL,NULL,NULL,NULL};
char returnBuf[100];
char * returnVal =NULL;
vmiFunArg[i] = strtok(buf, delims );
while( vmiFunArg[i] != NULL )
{
i++;
vmiFunArg[i] = strtok( NULL, delims );
}
vmiFunNum = atoi(vmiFunArg[0]);
//printf("vmifun %d\n",vmiFunNum);
switch(vmiFunNum)
{
case 1: break;
case 2: break;
case 3:
{
int vmiID=atoi(vmiFunArg[1]);
sprintf(returnBuf, "%d\0", vmi_destroy(vmiArr[vmiID]) );
vmiFlagArr[vmiID]=0;
returnVal = returnBuf;
}
break;
case 13:
{
sprintf(returnBuf, "%lu\0", vmi_get_offset(vmiArr[atoi(vmiFunArg[1])], vmiFunArg[2]) );
returnVal = returnBuf;
}
break;
case 23:
{
for(i=0;i<MAX_DOMU_PER_MACHINE;i++)
{
if(0 == vmiFlagArr[i])
break;
}
vmi_init(&vmiArr[i], atoi(vmiFunArg[1]), vmiFunArg[2]);
vmiFlagArr[i]=1;
sprintf(returnBuf,"%d\0",i);
returnVal = returnBuf;
}
break;
case 38:
{
uint16_t tmp;
vmi_read_16_va(vmiArr[atoi(vmiFunArg[1])], atol(vmiFunArg[2]), atoi(vmiFunArg[3]), &tmp);
sprintf(returnBuf, "%hu\0", tmp);
returnVal = returnBuf;
}
break;
case 40:
{
uint32_t tmp;
vmi_read_32_va(vmiArr[atoi(vmiFunArg[1])], atol(vmiFunArg[2]), atoi(vmiFunArg[3]), &tmp);
sprintf(returnBuf, "%u\0", tmp);
returnVal = returnBuf;
}
break;
case 44:
{
uint64_t tmp;
vmi_read_64_va(vmiArr[atoi(vmiFunArg[1])], atol(vmiFunArg[2]), atoi(vmiFunArg[3]), &tmp);
sprintf(returnBuf, "%lu\0", tmp);
returnVal = returnBuf;
}
break;
case 50:
{
addr_t tmp;
vmi_read_addr_va(vmiArr[atoi(vmiFunArg[1])], atol(vmiFunArg[2]), atoi(vmiFunArg[3]), &tmp);
sprintf(returnBuf, "%lu\0", tmp);
returnVal = returnBuf;
}
break;
case 55:
{
sprintf(returnBuf, "%s\0", vmi_read_str_va(vmiArr[atoi(vmiFunArg[1])], atol(vmiFunArg[2]), atoi(vmiFunArg[3]) ));
returnVal = returnBuf;
}
break;
case 67:
{
sprintf(returnBuf, "%lu\0", vmi_translate_ksym2v(vmiArr[atoi(vmiFunArg[1])], vmiFunArg[2]) );
returnVal = returnBuf;
}
break;
default:break;
}
write (fd, returnVal, 100);
return 1;
}
