// vmmwinobj.h : declarations of functionality related to windows object manager.
//
// (c) Ulf Frisk, 2021-2023
// Author: Ulf Frisk, [email protected]
//
#ifndef __VMMWINOBJ_H__
#define __VMMWINOBJ_H__
#include "vmm.h"
// Upper bound on the number of VMMWINOBJ_FILE_SUBSECTION entries kept per
// file object. The subsection list is reconstructed from target memory, so a
// hard cap guards against a corrupted/crafted image driving an unbounded walk.
// NOTE(review): presumably the cap applied to cSUBSECTION when pSUBSECTION is
// populated -- confirm against the parser in vmmwinobj.c.
#define VMMWINOBJ_FILE_OBJECT_SUBSECTION_MAX 0x20
// Discriminator stored in every cached object. Only _FILE_OBJECT-backed
// objects are currently modelled; VMMWINOBJ_TYPE_NONE marks an unset type.
// Callers must check this value before casting a POB_VMMWINOBJ_OBJECT to a
// more specific type (e.g. POB_VMMWINOBJ_FILE).
typedef enum {
VMMWINOBJ_TYPE_NONE = 0,
VMMWINOBJ_TYPE_FILE = 1,
} VMMWINOBJ_TYPE;
// Generic header common to all objects in the object cache.
// The first four members (ObHdr, va, tp, _FutureUse) are repeated, in the
// same order and with the same types, at the start of OB_VMMWINOBJ_FILE; the
// layout of this prefix is therefore part of the interface and must not be
// reordered. A POB_VMMWINOBJ_OBJECT may only be down-cast after verifying 'tp'.
// NOTE(review): member names starting with '_' + uppercase are reserved
// identifiers in C; renaming would change the public layout name, so left as-is.
typedef struct tdOB_VMMWINOBJ_OBJECT {
OB ObHdr; // ref-counted object header from vmm.h (see "CALLER DECREF" notes below)
QWORD va; // virtual address of the underlying kernel object in the target
VMMWINOBJ_TYPE tp; // concrete object type; check before down-casting
DWORD _FutureUse; // padding/reserved; keeps the prefix identical to OB_VMMWINOBJ_FILE
} OB_VMMWINOBJ_OBJECT, *POB_VMMWINOBJ_OBJECT;
// One subsection of a file's section (control area), as recovered from the
// target image. All values originate from target memory and must be treated
// as untrusted: sector and PTE counts should be range-checked before being
// used as loop bounds or allocation sizes.
typedef struct tVMMWINOBJ_FILE_SUBSECTION {
QWORD vaSubsectionBase; // PTR _MMPTE (virtual address of the prototype PTE array in the target)
DWORD dwStartingSector; // Sector = 512bytes
DWORD dwNumberOfFullSectors; // number of complete 512-byte sectors covered by this subsection
DWORD dwPtesInSubsection; // number of PTEs starting at vaSubsectionBase
} VMMWINOBJ_FILE_SUBSECTION, *PVMMWINOBJ_FILE_SUBSECTION;
// Cached representation of a kernel _FILE_OBJECT together with the pieces of
// memory-manager / cache-manager state needed to read its data out of the
// target image. The leading four members form the OB_VMMWINOBJ_OBJECT prefix
// and must stay in this order.
// Everything below the prefix is parsed from target memory and is untrusted
// (a corrupted or adversarial image can place arbitrary values here); the
// fValid flags indicate which sub-structures were successfully resolved.
typedef struct tdOB_VMMWINOBJ_FILE {
OB ObHdr; // ref-counted object header (prefix, see OB_VMMWINOBJ_OBJECT)
QWORD va; // virtual address of the _FILE_OBJECT in the target (prefix)
VMMWINOBJ_TYPE tp; // VMMWINOBJ_TYPE_FILE (prefix)
DWORD _FutureUse; // reserved (prefix)
QWORD vaSectionObjectPointers; // va of the _SECTION_OBJECT_POINTERS referenced by the file object
QWORD _Reserved2;
QWORD cb; // file size in bytes as reconstructed from the target; not verified against any backing store
BOOL fData; // TRUE if a data section is backing this file
BOOL fCache; // TRUE if a shared cache map (cache manager) is available
BOOL fImage; // TRUE if an image section is backing this file
DWORD dwNameHash; // hash of the file name used for lookups
LPSTR uszPath; // full path (UTF-8) -- ownership presumably tied to the object lifetime; TODO confirm
LPSTR uszName; // file name component (UTF-8)
QWORD vaControlArea; // va of the _CONTROL_AREA for the section
struct {
BOOL fValid; // TRUE if the _SHARED_CACHE_MAP was resolved and the fields below are meaningful
QWORD va; // va of the _SHARED_CACHE_MAP in the target
QWORD cbFileSize; // FileSize as reported by the cache map
QWORD cbFileSizeValid; // ValidDataLength as reported by the cache map
QWORD cbSectionSize; // SectionSize as reported by the cache map
QWORD vaVacbs; // va of the VACB array used to locate cached file views
} _SHARED_CACHE_MAP;
struct {
BOOL fValid; // TRUE if the _SEGMENT was resolved and the fields below are meaningful
QWORD va; // va of the _SEGMENT in the target
QWORD cbSizeOfSegment; // SizeOfSegment as reported by the segment
QWORD vaPrototypePte; // va of the prototype PTE array
} _SEGMENT;
DWORD _Reserved1;
DWORD cSUBSECTION; // number of valid entries in pSUBSECTION (expected <= VMMWINOBJ_FILE_OBJECT_SUBSECTION_MAX -- TODO confirm)
PVMMWINOBJ_FILE_SUBSECTION pSUBSECTION; // subsection array; NULL/0 entries possible when no section is backing the file
} OB_VMMWINOBJ_FILE, *POB_VMMWINOBJ_FILE;
/*
* Initialize the Object sub-system. This should ideally be done on Vmm Init().
* Must be paired with VmmWinObj_Close() on shutdown.
* -- H = the vmm handle the sub-system is attached to.
*/
VOID VmmWinObj_Initialize(_In_ VMM_HANDLE H);
/*
* Create an object manager map and assign to the global vmm context upon success.
* CALLER DECREF: return
* -- H = the vmm handle.
* -- return = the new map (caller holds a reference), or NULL on failure.
*/
PVMMOB_MAP_OBJECT VmmWinObjMgr_Initialize(_In_ VMM_HANDLE H);
/*
* Refresh the Object sub-system (invalidate/rebuild cached state so that
* subsequent lookups reflect the current target memory).
* -- H = the vmm handle.
*/
VOID VmmWinObj_Refresh(_In_ VMM_HANDLE H);
/*
* Cleanup the Object sub-system. This should ideally be done on Vmm Close().
* Counterpart of VmmWinObj_Initialize().
* -- H = the vmm handle.
*/
VOID VmmWinObj_Close(_In_ VMM_HANDLE H);
/*
* Retrieve an object from the object cache.
* The returned object is the generic type; inspect ->tp before casting it to
* a more specific type such as POB_VMMWINOBJ_FILE.
* CALLER DECREF: return
* -- H = the vmm handle.
* -- va = virtual address of the object to retrieve.
* -- return = the object (caller holds a reference), NULL if not found in cache.
*/
POB_VMMWINOBJ_OBJECT VmmWinObj_Get(_In_ VMM_HANDLE H, _In_ QWORD va);
/*
* Retrieve all _FILE_OBJECT related to a process.
* CALLER DECREF: *ppmObFiles
* -- H = the vmm handle.
* -- pProcess = the process whose file objects are enumerated.
* -- ppmObFiles = receives a map of file objects on success; only valid when
*    the function returns TRUE.
* -- fHandles = TRUE = files from handles, FALSE = files from VADs
* -- return = TRUE on success, FALSE on failure (*ppmObFiles not set).
*/
_Success_(return)
BOOL VmmWinObjFile_GetByProcess(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pProcess, _Out_ POB_MAP *ppmObFiles, _In_ BOOL fHandles);
/*
* Read a contiguous amount of file data and report the number of bytes read.
* The data is reconstructed from target memory (cache manager / section
* pages), so it reflects what was resident in the image, not the on-disk
* file. The return value is the only indication of how much of pb was
* filled: success is defined as a non-zero count, not as a full read, so
* callers must compare the result against cb rather than assume cb bytes.
* -- H = the vmm handle.
* -- pFile = the file object to read from.
* -- cbOffset = byte offset into the file at which to start reading.
* -- pb = destination buffer of at least cb bytes.
* -- cb = number of bytes requested.
* -- fVmmRead = flags as in VMM_FLAG_*
* -- return = the number of bytes read (0 on failure or nothing readable).
*/
_Success_(return != 0)
DWORD VmmWinObjFile_Read(_In_ VMM_HANDLE H, _In_ POB_VMMWINOBJ_FILE pFile, _In_ QWORD cbOffset, _Out_writes_(cb) PBYTE pb, _In_ DWORD cb, _In_ QWORD fVmmRead);
/*
* Create a kernel device map and assign to the global vmm context upon success.
* CALLER DECREF: return
* -- H = the vmm handle.
* -- return = the new map (caller holds a reference), or NULL on failure.
*/
PVMMOB_MAP_KDEVICE VmmWinObjKDev_Initialize(_In_ VMM_HANDLE H);
/*
* Create a kernel driver map and assign to the global vmm context upon success.
* CALLER DECREF: return
* -- H = the vmm handle.
* -- return = the new map (caller holds a reference), or NULL on failure.
*/
PVMMOB_MAP_KDRIVER VmmWinObjKDrv_Initialize(_In_ VMM_HANDLE H);
/*
* Vfs Read: helper function to read object files in an object information dir.
* Note: uszPathFile and vaObject come from the virtual file system caller and
* are ultimately user-controlled; the implementation is expected to validate
* them rather than trust them.
* NOTE(review): _In_opt_ on the scalar iTypeIndex is unusual SAL (it is not a
* pointer) -- presumably it signals that an "unknown" index is acceptable;
* confirm what sentinel value the implementation treats as absent.
* -- H = the vmm handle.
* -- uszPathFile = path (UTF-8) of the file being read within the object dir.
* -- iTypeIndex = the object type index in the ObjectTypeTable
* -- vaObject = virtual address of the kernel object the dir represents.
* -- pb = destination buffer of cb bytes.
* -- cb = size of pb.
* -- pcbRead = receives the number of bytes written to pb.
* -- cbOffset = byte offset into the virtual file.
* -- return = NTSTATUS; *pcbRead is only meaningful on success.
*/
NTSTATUS VmmWinObjDisplay_VfsRead(_In_ VMM_HANDLE H, _In_ LPSTR uszPathFile, _In_opt_ DWORD iTypeIndex, _In_ QWORD vaObject, _Out_writes_to_(cb, *pcbRead) PBYTE pb, _In_ DWORD cb, _Out_ PDWORD pcbRead, _In_ QWORD cbOffset);
/*
* Vfs List: helper function to list object files in an object information dir.
* -- H = the vmm handle.
* -- iTypeIndex = the object type index in the ObjectTypeTable
* -- vaObject = virtual address of the kernel object the dir represents.
* -- pFileList = the file list handle entries are appended to.
*/
VOID VmmWinObjDisplay_VfsList(_In_ VMM_HANDLE H, _In_opt_ DWORD iTypeIndex, _In_ QWORD vaObject, _Inout_ PHANDLE pFileList);
#endif /* __VMMWINOBJ_H__ */