vmi-os-windows 0.7.0

Windows OS specific code for VMI
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211

use once_cell::unsync::OnceCell;
use vmi_core::{Va, VmiError, VmiState, VmiVa, driver::VmiRead};

use super::{WindowsHive, WindowsHiveCellIndex, WindowsKeyNode};
use crate::{ArchAdapter, WindowsError, WindowsOs, offset};

/// A Windows registry key control block.
///
/// A registry key in the kernel mode registry cache. It helps the Configuration
/// Manager manage registry keys efficiently by avoiding redundant registry
/// lookups.
///
/// # Implementation Details
///
/// Corresponds to `_CM_KEY_CONTROL_BLOCK`.
pub struct WindowsKeyControlBlock<'a, Driver>
where
    Driver: VmiRead,
    Driver::Architecture: ArchAdapter<Driver>,
{
    /// The VMI state.
    vmi: VmiState<'a, WindowsOs<Driver>>,

    /// Address of the `_CM_KEY_CONTROL_BLOCK` structure.
    va: Va,

    /// Cached address of the `_CM_NAME_CONTROL_BLOCK` structure.
    name_block: OnceCell<Va>,
}

impl<Driver> VmiVa for WindowsKeyControlBlock<'_, Driver>
where
    Driver: VmiRead,
    Driver::Architecture: ArchAdapter<Driver>,
{
    fn va(&self) -> Va {
        self.va
    }
}

impl<'a, Driver> WindowsKeyControlBlock<'a, Driver>
where
    Driver: VmiRead,
    Driver::Architecture: ArchAdapter<Driver>,
{
    /// Creates a new Windows key control block.
    pub fn new(vmi: VmiState<'a, WindowsOs<Driver>>, va: Va) -> Self {
        Self {
            vmi,
            va,
            name_block: OnceCell::new(),
        }
    }

    /// Returns the reference count of the key control block.
    ///
    /// # Implementation Details
    ///
    /// Corresponds to `_CM_KEY_CONTROL_BLOCK.RefCount`.
    pub fn refcount(&self) -> Result<u64, VmiError> {
        let CM_KEY_CONTROL_BLOCK = offset!(self.vmi, _CM_KEY_CONTROL_BLOCK);

        let refcount = self
            .vmi
            .read_field(self.va, &CM_KEY_CONTROL_BLOCK.RefCount)?;

        Ok(refcount)
    }

    /// Returns whether the key control block has been marked as discarded.
    ///
    /// A discarded KCB no longer backs a live key node. The cache slot is
    /// kept alive only until its reference count drops to zero.
    ///
    /// # Implementation Details
    ///
    /// Corresponds to `_CM_KEY_CONTROL_BLOCK.Discarded` or
    /// `_CM_KEY_CONTROL_BLOCK.Delete`.
    pub fn discarded(&self) -> Result<bool, VmiError> {
        let CM_KEY_CONTROL_BLOCK = offset!(self.vmi, _CM_KEY_CONTROL_BLOCK);

        let discarded = self
            .vmi
            .read_field(self.va, &CM_KEY_CONTROL_BLOCK.Discarded)?;

        Ok(CM_KEY_CONTROL_BLOCK.Discarded.extract(discarded) != 0)
    }

    /// Returns the parent key control block.
    ///
    /// # Implementation Details
    ///
    /// Corresponds to `_CM_KEY_CONTROL_BLOCK.ParentKcb`.
    pub fn parent(&self) -> Result<Option<WindowsKeyControlBlock<'a, Driver>>, VmiError> {
        let CM_KEY_CONTROL_BLOCK = offset!(self.vmi, _CM_KEY_CONTROL_BLOCK);

        let parent_kcb = self
            .vmi
            .read_va_native(self.va + CM_KEY_CONTROL_BLOCK.ParentKcb.offset())?;

        if parent_kcb.is_null() {
            return Ok(None);
        }

        Ok(Some(WindowsKeyControlBlock::new(self.vmi, parent_kcb)))
    }

    /// Returns the name of the key.
    ///
    /// # Implementation Details
    ///
    /// Corresponds to `_CM_KEY_CONTROL_BLOCK.NameBlock`.
    /// If the `_CM_NAME_CONTROL_BLOCK.Compressed` field is set, the name is
    /// read as an ASCII string. Otherwise, the name is read as a UTF-16
    /// string.
    pub fn name(&self) -> Result<String, VmiError> {
        let CM_NAME_CONTROL_BLOCK = offset!(self.vmi, _CM_NAME_CONTROL_BLOCK);

        let name_block = self.name_block()?;

        let compressed = self
            .vmi
            .read_field(name_block, &CM_NAME_CONTROL_BLOCK.Compressed)?;

        let compressed = CM_NAME_CONTROL_BLOCK.Compressed.extract(compressed) != 0;

        let name_length = self
            .vmi
            .read_field(name_block, &CM_NAME_CONTROL_BLOCK.NameLength)?;

        if compressed {
            self.vmi.read_string_limited(
                name_block + CM_NAME_CONTROL_BLOCK.Name.offset(),
                name_length as usize,
            )
        }
        else {
            self.vmi.read_string_utf16_limited(
                name_block + CM_NAME_CONTROL_BLOCK.Name.offset(),
                name_length as usize,
            )
        }
    }

    /// Returns the name control block associated with the key control block.
    fn name_block(&self) -> Result<Va, VmiError> {
        self.name_block
            .get_or_try_init(|| {
                let CM_KEY_CONTROL_BLOCK = offset!(self.vmi, _CM_KEY_CONTROL_BLOCK);

                let name_block = self
                    .vmi
                    .read_va_native(self.va + CM_KEY_CONTROL_BLOCK.NameBlock.offset())?;

                if name_block.is_null() {
                    return Err(
                        WindowsError::CorruptedStruct("CM_KEY_CONTROL_BLOCK.NameBlock").into(),
                    );
                }

                Ok(name_block)
            })
            .copied()
    }

    /// Returns the hive that owns this key control block.
    ///
    /// # Implementation Details
    ///
    /// Corresponds to `_CM_KEY_CONTROL_BLOCK.KeyHive`.
    pub fn hive(&self) -> Result<Option<WindowsHive<'a, Driver>>, VmiError> {
        let CM_KEY_CONTROL_BLOCK = offset!(self.vmi, _CM_KEY_CONTROL_BLOCK);

        let key_hive = self
            .vmi
            .read_va_native(self.va + CM_KEY_CONTROL_BLOCK.KeyHive.offset())?;

        if key_hive.is_null() {
            return Ok(None);
        }

        Ok(Some(WindowsHive::new(self.vmi, key_hive)))
    }

    /// Returns the key node backing this key control block.
    ///
    /// # Implementation Details
    ///
    /// Resolves `_CM_KEY_CONTROL_BLOCK.KeyCell` against
    /// `_CM_KEY_CONTROL_BLOCK.KeyHive`.
    pub fn key_node(&self) -> Result<Option<WindowsKeyNode<'a, Driver>>, VmiError> {
        let CM_KEY_CONTROL_BLOCK = offset!(self.vmi, _CM_KEY_CONTROL_BLOCK);

        let hive = match self.hive()? {
            Some(hive) => hive,
            None => return Ok(None),
        };

        let key_cell = self
            .vmi
            .read_u32(self.va + CM_KEY_CONTROL_BLOCK.KeyCell.offset())?;

        if key_cell == 0 {
            return Ok(None);
        }

        Ok(hive
            .cell(WindowsHiveCellIndex::new(key_cell))?
            .map(|va| WindowsKeyNode::new(self.vmi, hive.va, va)))
    }
}