memflow-win32-ffi 0.1.5

C bindings to memflow-win32
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321

#ifndef MEMFLOW_WIN32_H
#define MEMFLOW_WIN32_H

#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include "memflow.h"

typedef struct Kernel_FFIMemory__FFIVirtualTranslate Kernel_FFIMemory__FFIVirtualTranslate;

typedef struct Win32ModuleInfo Win32ModuleInfo;

typedef struct Win32ProcessInfo Win32ProcessInfo;

typedef struct Win32Process_FFIVirtualMemory Win32Process_FFIVirtualMemory;

typedef Kernel_FFIMemory__FFIVirtualTranslate Kernel;

typedef struct StartBlock {
    Address kernel_hint;
    Address dtb;
} StartBlock;

typedef struct Win32Version {
    uint32_t nt_major_version;
    uint32_t nt_minor_version;
    uint32_t nt_build_number;
} Win32Version;

/**
 * Type alias for a PID.
 */
typedef uint32_t PID;

typedef Win32Process_FFIVirtualMemory Win32Process;

typedef struct Win32ArchOffsets {
    uintptr_t peb_ldr;
    uintptr_t ldr_list;
    uintptr_t ldr_data_base;
    uintptr_t ldr_data_size;
    uintptr_t ldr_data_full_name;
    uintptr_t ldr_data_base_name;
} Win32ArchOffsets;

typedef struct Win32ModuleListInfo {
    Address module_base;
    Win32ArchOffsets offsets;
} Win32ModuleListInfo;

#ifdef __cplusplus
extern "C" {
#endif // __cplusplus

/**
 * Build a cloneable kernel object with default caching parameters
 *
 * This function will take ownership of the input `mem` object.
 *
 * # Safety
 *
 * `mem` must be a heap allocated memory reference, created by one of the API's functions.
 * Reference to it becomes invalid.
 */
Kernel *kernel_build(CloneablePhysicalMemoryObj *mem);

/**
 * Build a cloneable kernel object with custom caching parameters
 *
 * This function will take ownership of the input `mem` object.
 *
 * vat_cache_entries must be positive, or the program will panic upon memory reads or writes.
 *
 * # Safety
 *
 * `mem` must be a heap allocated memory reference, created by one of the API's functions.
 * Reference to it becomes invalid.
 */
Kernel *kernel_build_custom(CloneablePhysicalMemoryObj *mem,
                            uint64_t page_cache_time_ms,
                            PageType page_cache_flags,
                            uintptr_t page_cache_size_kb,
                            uint64_t vat_cache_time_ms,
                            uintptr_t vat_cache_entries);

Kernel *kernel_clone(const Kernel *kernel);

/**
 * Free a kernel object
 *
 * This will free the input `kernel` object (including the underlying memory object)
 *
 * # Safety
 *
 * `kernel` must be a valid reference heap allocated by one of the above functions.
 */
void kernel_free(Kernel *kernel);

/**
 * Destroy a kernel object and return its underlying memory object
 *
 * This will free the input `kernel` object, and return the underlying memory object. It will free
 * the object from any additional caching that `kernel` had in place.
 *
 * # Safety
 *
 * `kernel` must be a valid reference heap allocated by one of the above functions.
 */
CloneablePhysicalMemoryObj *kernel_destroy(Kernel *kernel);

StartBlock kernel_start_block(const Kernel *kernel);

Win32Version kernel_winver(const Kernel *kernel);

Win32Version kernel_winver_unmasked(const Kernel *kernel);

/**
 * Retrieve a list of peorcess addresses
 *
 * # Safety
 *
 * `buffer` must be a valid buffer of size at least `max_size`
 */
uintptr_t kernel_eprocess_list(Kernel *kernel, Address *buffer, uintptr_t max_size);

/**
 * Retrieve a list of processes
 *
 * This will fill `buffer` with a list of win32 process information. These processes will need to be
 * individually freed with `process_info_free`
 *
 * # Safety
 *
 * `buffer` must be a valid that can contain at least `max_size` references to `Win32ProcessInfo`.
 */
uintptr_t kernel_process_info_list(Kernel *kernel, Win32ProcessInfo **buffer, uintptr_t max_size);

Win32ProcessInfo *kernel_kernel_process_info(Kernel *kernel);

Win32ProcessInfo *kernel_process_info_from_eprocess(Kernel *kernel, Address eprocess);

/**
 * Retrieve process information by name
 *
 * # Safety
 *
 * `name` must be a valid null terminated string
 */
Win32ProcessInfo *kernel_process_info(Kernel *kernel, const char *name);

Win32ProcessInfo *kernel_process_info_pid(Kernel *kernel, PID pid);

/**
 * Create a process by looking up its name
 *
 * This will consume `kernel` and free it later on.
 *
 * # Safety
 *
 * `name` must be a valid null terminated string
 *
 * `kernel` must be a valid reference to `Kernel`. After the function the reference to it becomes
 * invalid.
 */
Win32Process *kernel_into_process(Kernel *kernel, const char *name);

/**
 * Create a process by looking up its PID
 *
 * This will consume `kernel` and free it later on.
 *
 * # Safety
 *
 * `kernel` must be a valid reference to `Kernel`. After the function the reference to it becomes
 * invalid.
 */
Win32Process *kernel_into_process_pid(Kernel *kernel, PID pid);

/**
 * Create a kernel process insatance
 *
 * This will consume `kernel` and free it later on.
 *
 * # Safety
 *
 * `kernel` must be a valid reference to `Kernel`. After the function the reference to it becomes
 * invalid.
 */
Win32Process *kernel_into_kernel_process(Kernel *kernel);

OsProcessModuleInfoObj *module_info_trait(Win32ModuleInfo *info);

/**
 * Free a win32 module info instance.
 *
 * Note that it is not the same as `OsProcessModuleInfoObj`, and those references need to be freed
 * manually.
 *
 * # Safety
 *
 * `info` must be a unique heap allocated reference to `Win32ModuleInfo`, and after this call the
 * reference will become invalid.
 */
void module_info_free(Win32ModuleInfo *info);

/**
 * Create a process with kernel and process info
 *
 * # Safety
 *
 * `kernel` must be a valid heap allocated reference to a `Kernel` object. After the function
 * call, the reference becomes invalid.
 */
Win32Process *process_with_kernel(Kernel *kernel, const Win32ProcessInfo *proc_info);

/**
 * Retrieve refernce to the underlying virtual memory object
 *
 * This will return a static reference to the virtual memory object. It will only be valid as long
 * as `process` if valid, and needs to be freed manually using `virt_free` regardless if the
 * process if freed or not.
 */
VirtualMemoryObj *process_virt_mem(Win32Process *process);

Win32Process *process_clone(const Win32Process *process);

/**
 * Frees the `process`
 *
 * # Safety
 *
 * `process` must be a valid heap allocated reference to a `Win32Process` object. After the
 * function returns, the reference becomes invalid.
 */
void process_free(Win32Process *process);

/**
 * Retrieve a process module list
 *
 * This will fill up to `max_len` elements into `out` with references to `Win32ModuleInfo` objects.
 *
 * These references then need to be freed with `module_info_free`
 *
 * # Safety
 *
 * `out` must be a valid buffer able to contain `max_len` references to `Win32ModuleInfo`.
 */
uintptr_t process_module_list(Win32Process *process, Win32ModuleInfo **out, uintptr_t max_len);

/**
 * Retrieve the main module of the process
 *
 * This function searches for a module with a base address
 * matching the section_base address from the ProcessInfo structure.
 * It then returns a reference to a newly allocated
 * `Win32ModuleInfo` object, if a module was found (null otherwise).
 *
 * The reference later needs to be freed with `module_info_free`
 *
 * # Safety
 *
 * `process` must be a valid Win32Process pointer.
 */
Win32ModuleInfo *process_main_module_info(Win32Process *process);

/**
 * Lookup a module
 *
 * This will search for a module called `name`, and return a reference to a newly allocated
 * `Win32ModuleInfo` object, if a module was found (null otherwise).
 *
 * The reference later needs to be freed with `module_info_free`
 *
 * # Safety
 *
 * `process` must be a valid Win32Process pointer.
 * `name` must be a valid null terminated string.
 */
Win32ModuleInfo *process_module_info(Win32Process *process, const char *name);

OsProcessInfoObj *process_info_trait(Win32ProcessInfo *info);

Address process_info_dtb(const Win32ProcessInfo *info);

Address process_info_section_base(const Win32ProcessInfo *info);

int32_t process_info_exit_status(const Win32ProcessInfo *info);

Address process_info_ethread(const Win32ProcessInfo *info);

Address process_info_wow64(const Win32ProcessInfo *info);

Address process_info_peb(const Win32ProcessInfo *info);

Address process_info_peb_native(const Win32ProcessInfo *info);

Address process_info_peb_wow64(const Win32ProcessInfo *info);

Address process_info_teb(const Win32ProcessInfo *info);

Address process_info_teb_wow64(const Win32ProcessInfo *info);

Win32ModuleListInfo process_info_module_info(const Win32ProcessInfo *info);

Win32ModuleListInfo process_info_module_info_native(const Win32ProcessInfo *info);

/**
 * Free a process information reference
 *
 * # Safety
 *
 * `info` must be a valid heap allocated reference to a Win32ProcessInfo structure
 */
void process_info_free(Win32ProcessInfo *info);

#ifdef __cplusplus
} // extern "C"
#endif // __cplusplus

#endif /* MEMFLOW_WIN32_H */