Struct memflow_win32::win32::kernel_builder::Win32KernelBuilder

source · []
pub struct Win32KernelBuilder<T, TK, VK> { /* private fields */ }
Expand description

Builder for a Windows Kernel structure.

This function encapsulates the entire setup process for a Windows target and will make sure the user gets a properly initialized object at the end.

This function is a high level abstraction over the individual parts of initialization a Windows target:

  • Scanning for the ntoskrnl and retrieving the Win32KernelInfo struct.
  • Retrieving the Offsets for the target Windows version.
  • Creating a struct which implements VirtualTranslate2 for virtual to physical address translations.
  • Optionally wrapping the Connector or the VirtualTranslate2 object into a cached object.
  • Initialization of the Kernel structure itself.

Examples

Using the builder with default values:

use memflow::mem::PhysicalMemory;
use memflow_win32::win32::Win32Kernel;

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .build()
        .unwrap();
}

Using the builder with default cache configurations:

use memflow::mem::PhysicalMemory;
use memflow_win32::win32::Win32Kernel;

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .build_default_caches()
        .build()
        .unwrap();
}

Customizing the caches:

use memflow::mem::{PhysicalMemory, CachedPhysicalMemory, CachedVirtualTranslate};
use memflow_win32::win32::Win32Kernel;

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
    .build_page_cache(|connector, arch| {
        CachedPhysicalMemory::builder(connector)
            .arch(arch)
            .build()
            .unwrap()
    })
    .build_vat_cache(|vat, arch| {
        CachedVirtualTranslate::builder(vat)
            .arch(arch)
            .build()
            .unwrap()
    })
    .build()
    .unwrap();
}

Remarks

Manual initialization of the above examples would look like the following:

use memflow::prelude::v1::*;
use memflow_win32::prelude::{Win32KernelInfo, Win32Offsets, Win32Kernel};

fn test<T: 'static + PhysicalMemory + Clone>(mut connector: T) {
    // Use the ntoskrnl scanner to find the relevant KernelInfo (start_block, arch, dtb, ntoskrnl, etc)
    let kernel_info = Win32KernelInfo::scanner(connector.forward_mut()).scan().unwrap();
    // Download the corresponding pdb from the default symbol store
    let offsets = Win32Offsets::builder().kernel_info(&kernel_info).build().unwrap();

    // Create a struct for doing virtual to physical memory translations
    let vat = DirectTranslate::new();

    // Create a Page Cache layer with default values
    let mut connector_cached = CachedPhysicalMemory::builder(connector)
        .arch(kernel_info.os_info.arch)
        .build()
        .unwrap();

    // Create a Tlb Cache layer with default values
    let vat_cached = CachedVirtualTranslate::builder(vat)
        .arch(kernel_info.os_info.arch)
        .build()
        .unwrap();

    // Initialize the final Kernel object
    let _kernel = Win32Kernel::new(connector_cached, vat_cached, offsets, kernel_info);
}

Implementations

Configures the symbol store to be used when constructing the Kernel. This will override the default symbol store that is being used if no other setting is configured.

Examples
use memflow::mem::PhysicalMemory;
use memflow_win32::prelude::{Win32Kernel, SymbolStore};

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .symbol_store(SymbolStore::new().no_cache())
        .build()
        .unwrap();
}

Disables the symbol store when constructing the Kernel. By default a default symbol store will be used when constructing a kernel. This option allows the user to disable the symbol store alltogether and fall back to the built-in offsets table.

Examples
use memflow::mem::PhysicalMemory;
use memflow_win32::win32::Win32Kernel;
use memflow_win32::offsets::SymbolStore;

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .no_symbol_store()
        .build()
        .unwrap();
}

Creates the Kernel structure with default caching enabled.

If this option is specified, the Kernel structure is generated with a (page level cache)[../index.html] with default settings. On top of the page level cache a vat cache will be setupped.

Examples
use memflow::mem::PhysicalMemory;
use memflow_win32::win32::Win32Kernel;

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .build_default_caches()
        .build()
        .unwrap();
}
source

pub fn build_page_cache<TKN, F: FnOnce(T, ArchitectureIdent) -> TKN + 'static>(
    self,
    func: F
) -> Win32KernelBuilder<T, TKN, VK> where
    TKN: PhysicalMemory

Creates a Kernel structure by constructing the page cache from the given closure.

This function accepts a FnOnce closure that is being evaluated after the ntoskrnl has been found.

Examples
use memflow::mem::{PhysicalMemory, CachedPhysicalMemory};
use memflow_win32::win32::Win32Kernel;

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .build_page_cache(|connector, arch| {
            CachedPhysicalMemory::builder(connector)
                .arch(arch)
                .build()
                .unwrap()
        })
        .build()
        .unwrap();
}

Creates a Kernel structure by constructing the vat cache from the given closure.

This function accepts a FnOnce closure that is being evaluated after the ntoskrnl has been found.

Examples
use memflow::mem::{PhysicalMemory, CachedVirtualTranslate};
use memflow_win32::win32::Win32Kernel;

fn test<T: 'static + PhysicalMemory + Clone>(connector: T) {
    let _kernel = Win32Kernel::builder(connector)
        .build_vat_cache(|vat, arch| {
            CachedVirtualTranslate::builder(vat)
                .arch(arch)
                .build()
                .unwrap()
        })
        .build()
        .unwrap();
}

Auto Trait Implementations

Blanket Implementations

Gets the TypeId of self. Read more

Immutably borrows from an owned value. Read more

Mutably borrows from an owned value. Read more

Performs the conversion.

This is always WithMetadata_<Self, Self>

Performs the conversion.

Gets a reference to a field, determined by offset. Read more

Gets a muatble reference to a field, determined by offset. Read more

Gets a const pointer to a field, the field is determined by offset. Read more

Gets a mutable pointer to a field, determined by offset. Read more

Replaces a field (determined by offset) with value, returning the previous value of the field. Read more

Swaps a field (determined by offset) with the same field in right. Read more

Gets a copy of a field (determined by offset). The field is determined by offset. Read more

Replaces a field (determined by offset) with value, returning the previous value of the field. Read more

Swaps a field (determined by offset) with the same field in right. Read more

Gets a copy of a field (determined by offset). The field is determined by offset. Read more

Compares the address of self with the address of other. Read more

Emulates the pipeline operator, allowing method syntax in more places. Read more

The same as piped except that the function takes &Self Useful for functions that take &Self instead of Self. Read more

The same as piped, except that the function takes &mut Self. Useful for functions that take &mut Self instead of Self. Read more

Mutates self using a closure taking self by mutable reference, passing it along the method chain. Read more

Observes the value of self, passing it along unmodified. Useful in long method chains. Read more

fn into_<T>(self) -> T where
    Self: Into<T>, 

Performs a conversion with Into. using the turbofish .into_::<_>() syntax. Read more

fn as_ref_<T>(&self) -> &T where
    Self: AsRef<T>,
    T: ?Sized

Performs a reference to reference conversion with AsRef, using the turbofish .as_ref_::<_>() syntax. Read more

fn as_mut_<T>(&mut self) -> &mut T where
    Self: AsMut<T>,
    T: ?Sized

Performs a mutable reference to mutable reference conversion with AsMut, using the turbofish .as_mut_::<_>() syntax. Read more

fn drop_(self)

Drops self using method notation. Alternative to std::mem::drop. Read more

Transmutes the element type of this pointer.. Read more

The type returned in the event of a conversion error.

Performs the conversion.

The type returned in the event of a conversion error.

Performs the conversion.

This is always Self.

Converts a value back to the original type.

Converts a reference back to the original type.

Converts a mutable reference back to the original type.

Converts a box back to the original type.

Converts an Arc back to the original type. Read more

Converts an Rc back to the original type. Read more

Converts a value back to the original type.

Converts a reference back to the original type.

Converts a mutable reference back to the original type.

Converts a box back to the original type.

Converts an Arc back to the original type.

Converts an Rc back to the original type.