This repository has been archived by the owner on Sep 29, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 82
/
wintools.h
280 lines (250 loc) · 6.17 KB
/
wintools.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
#ifndef WINTOOLS_H
#define WINTOOLS_H
#ifdef __cplusplus
extern "C" {
#endif
/**
* @file wintools.h
* @brief Defines the main vmread functions
*
* Provides all utilities and structures for Windows operating systems.
*/
#include "definitions.h"
#include "winstructs.h"
typedef struct WinOffsets
{
int64_t apl;
int64_t session;
int64_t stackCount;
int64_t imageFileName;
int64_t dirBase;
int64_t peb;
int64_t peb32;
int64_t threadListHead;
int64_t threadListEntry;
int64_t teb;
} WinOffsets;
typedef struct WinProc
{
uint64_t process;
uint64_t physProcess;
uint64_t dirBase;
uint64_t pid;
char* name;
} WinProc;
typedef struct WinProcList
{
WinProc* list;
size_t size;
} WinProcList;
typedef struct WinExport
{
char* name;
uint64_t address;
} WinExport;
typedef struct WinExportList
{
WinExport* list;
size_t size;
} WinExportList;
typedef struct WinModule
{
uint64_t baseAddress;
uint64_t entryPoint;
uint64_t sizeOfModule;
char* name;
short loadCount;
} WinModule;
typedef struct WinModuleList
{
WinModule* list;
size_t size;
} WinModuleList;
typedef struct WinCtx
{
ProcessData process;
WinOffsets offsets;
uint64_t ntKernel;
uint16_t ntVersion;
uint32_t ntBuild;
WinExportList ntExports;
WinProc initialProcess;
} WinCtx;
/**
* @brief Initialize the vmread context
*
* @param ctx context to be initialized
* @param pid target process ID
*
* Initialize ctx by using pid. If pid is 0,
* the function tries to determine it automatically.
*
* @return
* 0 if initialization was successful;
* otherwise, the return value is an error value.
*/
int InitializeContext(WinCtx* ctx, pid_t pid);
/**
* @brief Free the vmread context
*
* @param ctx context to free
*
* It frees all the data inside the ctx making it free to be disposed
*
* @return
* Always 0
*/
int FreeContext(WinCtx* ctx);
/**
* @brief Get the NT header of a module
*
* @param ctx vmread context
* @param process target process
* @param address base address of the target module
* @param header buffer to read the header to
* @param is64Bit flag that returns if the module is 64-bit
*
* header has to be at least one page long, and @is64Bit can not be NULL.
*
* @return
* Pointer to the NT header, if it was found;
* otherwise @c NULL
*/
IMAGE_NT_HEADERS* GetNTHeader(const WinCtx* ctx, const WinProc* process, uint64_t address, uint8_t* header, uint8_t* is64Bit);
/**
* @brief Parse module export table, writing them to the export list
*
* @param ctx vmread context
* @param process target process
* @param moduleBase base address of the module
* @param exports address to the export table (parsed from the header)
* @param outList the list that gets the data written to
*
* @return
* 0 on success;
* Otherwise a positive error number indicating stage of the failure
*/
int ParseExportTable(const WinCtx* ctx, const WinProc* process, uint64_t moduleBase, IMAGE_DATA_DIRECTORY* exports, WinExportList* outList);
/**
* @brief Generate a module export list
*
* @param ctx vmread context
* @param process target process
* @param moduleBase base address
* @param outList the output list
*
* @return
* 0 on success;
* Otherwise either -1, or a positive number indicating stage of the failure
*/
int GenerateExportList(const WinCtx* ctx, const WinProc* process, uint64_t moduleBase, WinExportList* outList);
/**
* @brief Free the data inside the export list
*
* @param list list to be freed
*/
void FreeExportList(WinExportList list);
/**
* @brief Get the address of a module export
*
* @param ctx vmread context
* @param process target process
* @param module base address of the module
* @param procName target export name
*
* This function generates an export list and immediately frees it, so it is advised against using it extensively. See GetProcAddress.
*
* @return
* Virtual address of the export, 0, if not found
*/
uint64_t GetProcAddress(const WinCtx* ctx, const WinProc* process, uint64_t module, const char* procName);
/**
* @brief Find the proc address inside a given export list
*
* @param exports the list to be searched
* @param procName target export name
*
* @return
* Virtual address of the export, 0, if not found
*/
uint64_t FindProcAddress(const WinExportList exports, const char* procName);
/**
* @brief Generate the list of processes
*
* @param ctx vmread context
*
* @return
* A structure representing the process list
*/
WinProcList GenerateProcessList(const WinCtx* ctx);
/**
* @brief Free the data inside a process list
*
* @param list the list to have its data freed
*/
void FreeProcessList(WinProcList list);
/**
* @brief Generate the module list of a process
*
* @param ctx vmread context
* @param process target process
*
* @return
* A structure representing all modules loaded by the given process
*/
WinModuleList GenerateModuleList(const WinCtx* ctx, const WinProc* process);
/**
* @brief GenerateKernelModuleList
*
* @param ctx vmread context
*
* @return
* A structure representing all modules loaded by the kernel
*/
WinModuleList GenerateKernelModuleList(const WinCtx* ctx);
/**
* @brief Free a given module list
*
* @param list list to have its data freed in
*/
void FreeModuleList(WinModuleList list);
/**
* @brief Find the module by a given name
*
* @param list list to perform search in
* @param moduleName target module name
*
* @return
* A pointer to the found module information, @c NULL if not found
*/
const WinModule* GetModuleInfo(const WinModuleList list, const char* moduleName);
/**
* @brief Get the process environment block
*
* @param ctx vmread context
* @param process target process
*
* Note that there is no error checking in this function. Even though PEB should always exist,
* the returned data may be garbage
*
* @return
* The environment block
*/
PEB GetPeb(const WinCtx* ctx, const WinProc* process);
/**
* @brief Get the process environment block (32-bit version)
*
* @param ctx vmread context
* @param process target process
*
* Note that there is no error checking in this function. Even though PEB should always exist,
* the returned data may be garbage
*
* @return
* The environment block
*/
PEB32 GetPeb32(const WinCtx* ctx, const WinProc* process);
#ifdef __cplusplus
}
#endif
#endif