You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
281 lines
6.2 KiB
C
281 lines
6.2 KiB
C
4 years ago
|
|
||
|
#ifndef WINTOOLS_H
|
||
|
#define WINTOOLS_H
|
||
|
|
||
|
#ifdef __cplusplus
|
||
|
extern "C" {
|
||
|
#endif
|
||
|
|
||
|
/**
|
||
|
* @file wintools.h
|
||
|
* @brief Defines the main vmread functions
|
||
|
*
|
||
|
* Provides all utilities and structures for Windows operating systems.
|
||
|
*/
|
||
|
|
||
|
#include "definitions.h"
|
||
|
#include "winstructs.h"
|
||
|
|
||
|
typedef struct WinOffsets
|
||
|
{
|
||
|
int64_t apl;
|
||
|
int64_t session;
|
||
|
int64_t stackCount;
|
||
|
int64_t imageFileName;
|
||
|
int64_t dirBase;
|
||
|
int64_t peb;
|
||
|
int64_t peb32;
|
||
|
int64_t threadListHead;
|
||
|
int64_t threadListEntry;
|
||
|
int64_t teb;
|
||
|
} WinOffsets;
|
||
|
|
||
|
typedef struct WinProc
|
||
|
{
|
||
|
uint64_t process;
|
||
|
uint64_t physProcess;
|
||
|
uint64_t dirBase;
|
||
|
uint64_t pid;
|
||
|
char* name;
|
||
|
} WinProc;
|
||
|
|
||
|
typedef struct WinProcList
|
||
|
{
|
||
|
WinProc* list;
|
||
|
size_t size;
|
||
|
} WinProcList;
|
||
|
|
||
|
typedef struct WinExport
|
||
|
{
|
||
|
char* name;
|
||
|
uint64_t address;
|
||
|
} WinExport;
|
||
|
|
||
|
typedef struct WinExportList
|
||
|
{
|
||
|
WinExport* list;
|
||
|
size_t size;
|
||
|
} WinExportList;
|
||
|
|
||
|
typedef struct WinModule
|
||
|
{
|
||
|
uint64_t baseAddress;
|
||
|
uint64_t entryPoint;
|
||
|
uint64_t sizeOfModule;
|
||
|
char* name;
|
||
|
short loadCount;
|
||
|
} WinModule;
|
||
|
|
||
|
typedef struct WinModuleList
|
||
|
{
|
||
|
WinModule* list;
|
||
|
size_t size;
|
||
|
} WinModuleList;
|
||
|
|
||
|
typedef struct WinCtx
|
||
|
{
|
||
|
ProcessData process;
|
||
|
WinOffsets offsets;
|
||
|
uint64_t ntKernel;
|
||
|
uint16_t ntVersion;
|
||
|
uint32_t ntBuild;
|
||
|
WinExportList ntExports;
|
||
|
WinProc initialProcess;
|
||
|
} WinCtx;
|
||
|
|
||
|
/**
|
||
|
* @brief Initialize the vmread context
|
||
|
*
|
||
|
* @param ctx context to be initialized
|
||
|
* @param pid target process ID
|
||
|
*
|
||
|
* Initialize ctx by using pid. If pid is 0,
|
||
|
* the function tries to determine it automatically.
|
||
|
*
|
||
|
* @return
|
||
|
* 0 if initialization was successful;
|
||
|
* otherwise, the return value is an error value.
|
||
|
*/
|
||
|
int InitializeContext(WinCtx* ctx, pid_t pid);
|
||
|
|
||
|
/**
|
||
|
* @brief Free the vmread context
|
||
|
*
|
||
|
* @param ctx context to free
|
||
|
*
|
||
|
* It frees all the data inside the ctx making it free to be disposed
|
||
|
*
|
||
|
* @return
|
||
|
* Always 0
|
||
|
*/
|
||
|
int FreeContext(WinCtx* ctx);
|
||
|
|
||
|
/**
|
||
|
* @brief Get the NT header of a module
|
||
|
*
|
||
|
* @param ctx vmread context
|
||
|
* @param process target process
|
||
|
* @param address base address of the target module
|
||
|
* @param header buffer to read the header to
|
||
|
* @param is64Bit flag that returns if the module is 64-bit
|
||
|
*
|
||
|
* header has to be at least one page long, and @is64Bit can not be NULL.
|
||
|
*
|
||
|
* @return
|
||
|
* Pointer to the NT header, if it was found;
|
||
|
* otherwise @c NULL
|
||
|
*/
|
||
|
IMAGE_NT_HEADERS* GetNTHeader(const WinCtx* ctx, const WinProc* process, uint64_t address, uint8_t* header, uint8_t* is64Bit);
|
||
|
|
||
|
/**
|
||
|
* @brief Parse module export table, writing them to the export list
|
||
|
*
|
||
|
* @param ctx vmread context
|
||
|
* @param process target process
|
||
|
* @param moduleBase base address of the module
|
||
|
* @param exports address to the export table (parsed from the header)
|
||
|
* @param outList the list that gets the data written to
|
||
|
*
|
||
|
* @return
|
||
|
* 0 on success;
|
||
|
* Otherwise a positive error number indicating stage of the failure
|
||
|
*/
|
||
|
int ParseExportTable(const WinCtx* ctx, const WinProc* process, uint64_t moduleBase, IMAGE_DATA_DIRECTORY* exports, WinExportList* outList);
|
||
|
|
||
|
/**
|
||
|
* @brief Generate a module export list
|
||
|
*
|
||
|
* @param ctx vmread context
|
||
|
* @param process target process
|
||
|
* @param moduleBase base address
|
||
|
* @param outList the output list
|
||
|
*
|
||
|
* @return
|
||
|
* 0 on success;
|
||
|
* Otherwise either -1, or a positive number indicating stage of the failure
|
||
|
*/
|
||
|
int GenerateExportList(const WinCtx* ctx, const WinProc* process, uint64_t moduleBase, WinExportList* outList);
|
||
|
|
||
|
/**
|
||
|
* @brief Free the data inside the export list
|
||
|
*
|
||
|
* @param list list to be freed
|
||
|
*/
|
||
|
void FreeExportList(WinExportList list);
|
||
|
|
||
|
/**
|
||
|
* @brief Get the address of a module export
|
||
|
*
|
||
|
* @param ctx vmread context
|
||
|
* @param process target process
|
||
|
* @param module base address of the module
|
||
|
* @param procName target export name
|
||
|
*
|
||
|
* This function generates an export list and immediately frees it, so it is advised against using it extensively. See GetProcAddress.
|
||
|
*
|
||
|
* @return
|
||
|
* Virtual address of the export, 0, if not found
|
||
|
*/
|
||
|
uint64_t GetProcAddress(const WinCtx* ctx, const WinProc* process, uint64_t module, const char* procName);
|
||
|
|
||
|
/**
|
||
|
* @brief Find the proc address inside a given export list
|
||
|
*
|
||
|
* @param exports the list to be searched
|
||
|
* @param procName target export name
|
||
|
*
|
||
|
* @return
|
||
|
* Virtual address of the export, 0, if not found
|
||
|
*/
|
||
|
uint64_t FindProcAddress(const WinExportList exports, const char* procName);
|
||
|
|
||
|
/**
|
||
|
* @brief Generate the list of processes
|
||
|
*
|
||
|
* @param ctx vmread context
|
||
|
*
|
||
|
* @return
|
||
|
* A structure representing the process list
|
||
|
*/
|
||
|
WinProcList GenerateProcessList(const WinCtx* ctx);
|
||
|
|
||
|
/**
|
||
|
* @brief Free the data inside a process list
|
||
|
*
|
||
|
* @param list the list to have its data freed
|
||
|
*/
|
||
|
void FreeProcessList(WinProcList list);
|
||
|
|
||
|
/**
|
||
|
* @brief Generate the module list of a process
|
||
|
*
|
||
|
* @param ctx vmread context
|
||
|
* @param process target process
|
||
|
*
|
||
|
* @return
|
||
|
* A structure representing all modules loaded by the given process
|
||
|
*/
|
||
|
WinModuleList GenerateModuleList(const WinCtx* ctx, const WinProc* process);
|
||
|
|
||
|
/**
|
||
|
* @brief GenerateKernelModuleList
|
||
|
*
|
||
|
* @param ctx vmread context
|
||
|
*
|
||
|
* @return
|
||
|
* A structure representing all modules loaded by the kernel
|
||
|
*/
|
||
|
WinModuleList GenerateKernelModuleList(const WinCtx* ctx);
|
||
|
|
||
|
/**
|
||
|
* @brief Free a given module list
|
||
|
*
|
||
|
* @param list list to have its data freed in
|
||
|
*/
|
||
|
void FreeModuleList(WinModuleList list);
|
||
|
|
||
|
/**
|
||
|
* @brief Find the module by a given name
|
||
|
*
|
||
|
* @param list list to perform search in
|
||
|
* @param moduleName target module name
|
||
|
*
|
||
|
* @return
|
||
|
* A pointer to the found module information, @c NULL if not found
|
||
|
*/
|
||
|
const WinModule* GetModuleInfo(const WinModuleList list, const char* moduleName);
|
||
|
|
||
|
/**
|
||
|
* @brief Get the process environment block
|
||
|
*
|
||
|
* @param ctx vmread context
|
||
|
* @param process target process
|
||
|
*
|
||
|
* Note that there is no error checking in this function. Even though PEB should always exist,
|
||
|
* the returned data may be garbage
|
||
|
*
|
||
|
* @return
|
||
|
* The environment block
|
||
|
*/
|
||
|
PEB GetPeb(const WinCtx* ctx, const WinProc* process);
|
||
|
|
||
|
/**
|
||
|
* @brief Get the process environment block (32-bit version)
|
||
|
*
|
||
|
* @param ctx vmread context
|
||
|
* @param process target process
|
||
|
*
|
||
|
* Note that there is no error checking in this function. Even though PEB should always exist,
|
||
|
* the returned data may be garbage
|
||
|
*
|
||
|
* @return
|
||
|
* The environment block
|
||
|
*/
|
||
|
PEB32 GetPeb32(const WinCtx* ctx, const WinProc* process);
|
||
|
|
||
|
#ifdef __cplusplus
|
||
|
}
|
||
|
#endif
|
||
|
|
||
|
#endif
|