vmi-os-windows 0.7.0

Windows OS specific code for VMI
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

use vmi_core::{Va, VmiError, VmiState, VmiVa, driver::VmiRead};

use crate::{ArchAdapter, WindowsError, WindowsOs, offset};

/// A subkey index cell of a registry key.
///
/// The Configuration Manager walks `_CM_KEY_INDEX` cells to enumerate a
/// `_CM_KEY_NODE`'s children. Four variants share the same shape and are
/// distinguished by the signature. `il`, `fl`, and `hl` are leaf lists.
/// `ir` is a root index list whose entries point at leaf lists.
///
/// # Implementation Details
///
/// Corresponds to `_CM_KEY_INDEX`.
pub struct WindowsKeyIndex<'a, Driver>
where
    Driver: VmiRead,
    Driver::Architecture: ArchAdapter<Driver>,
{
    /// The VMI state.
    vmi: VmiState<'a, WindowsOs<Driver>>,

    /// Address of the `_CM_KEY_INDEX` structure.
    va: Va,
}

impl<Driver> VmiVa for WindowsKeyIndex<'_, Driver>
where
    Driver: VmiRead,
    Driver::Architecture: ArchAdapter<Driver>,
{
    fn va(&self) -> Va {
        self.va
    }
}

impl<'a, Driver> WindowsKeyIndex<'a, Driver>
where
    Driver: VmiRead,
    Driver::Architecture: ArchAdapter<Driver>,
{
    /// Signature of a plain leaf list (`il`).
    ///
    /// Each entry is a single `HCELL_INDEX`.
    ///
    /// # Implementation Details
    ///
    /// Corresponds to `CM_KEY_INDEX_LEAF`.
    pub const INDEX_LEAF_SIGNATURE: u16 = 0x696c;

    /// Signature of a fast leaf list (`fl`).
    ///
    /// Each entry pairs an `HCELL_INDEX` with a 4-byte name hint.
    ///
    /// # Implementation Details
    ///
    /// Corresponds to `CM_KEY_FAST_LEAF`.
    pub const FAST_LEAF_SIGNATURE: u16 = 0x666c;

    /// Signature of a hash leaf list (`hl`).
    ///
    /// Each entry pairs an `HCELL_INDEX` with an NT name hash.
    ///
    /// # Implementation Details
    ///
    /// Corresponds to `CM_KEY_HASH_LEAF`.
    pub const HASH_LEAF_SIGNATURE: u16 = 0x686c;

    /// Signature of a root index list (`ir`).
    ///
    /// Each entry is an `HCELL_INDEX` pointing to a leaf list.
    ///
    /// # Implementation Details
    ///
    /// Corresponds to `CM_KEY_INDEX_ROOT`.
    pub const INDEX_ROOT_SIGNATURE: u16 = 0x6972;

    /// Creates a new key index.
    pub fn new(vmi: VmiState<'a, WindowsOs<Driver>>, va: Va) -> Self {
        Self { vmi, va }
    }

    /// Returns the signature of the index.
    ///
    /// # Implementation Details
    ///
    /// Corresponds to `_CM_KEY_INDEX.Signature`.
    pub fn signature(&self) -> Result<u16, VmiError> {
        let CM_KEY_INDEX = offset!(self.vmi, _CM_KEY_INDEX);

        self.vmi.read_u16(self.va + CM_KEY_INDEX.Signature.offset())
    }

    /// Returns the number of entries in the list.
    ///
    /// # Implementation Details
    ///
    /// Corresponds to `_CM_KEY_INDEX.Count`.
    pub fn count(&self) -> Result<u16, VmiError> {
        let CM_KEY_INDEX = offset!(self.vmi, _CM_KEY_INDEX);

        self.vmi.read_u16(self.va + CM_KEY_INDEX.Count.offset())
    }

    /// Returns the address of the first entry in the index.
    ///
    /// # Implementation Details
    ///
    /// Corresponds to `_CM_KEY_INDEX.List`.
    pub fn list(&self) -> Result<Va, VmiError> {
        let CM_KEY_INDEX = offset!(self.vmi, _CM_KEY_INDEX);

        Ok(self.va + CM_KEY_INDEX.List.offset())
    }

    /// Returns the byte size of one entry.
    ///
    /// 4 bytes for `il` and `ir`. 8 bytes for `fl` and `hl`, which pair
    /// each `HCELL_INDEX` with a 4-byte name hint or hash.
    ///
    /// Reads the signature. Prefer [`entry_size_for`] when the signature is
    /// already in scope.
    ///
    /// [`entry_size_for`]: Self::entry_size_for
    pub fn entry_size(&self) -> Result<u64, VmiError> {
        Self::entry_size_for(self.signature()?)
    }

    /// Returns the byte size of one entry for a given index signature.
    ///
    /// Variant of [`entry_size`] that takes the signature directly, avoiding
    /// the read.
    ///
    /// [`entry_size`]: Self::entry_size
    pub fn entry_size_for(signature: u16) -> Result<u64, VmiError> {
        match signature {
            // `_CM_KEY_INDEX.List` is `HCELL_INDEX[]`, sizeof(HCELL_INDEX) == 4.
            Self::INDEX_LEAF_SIGNATURE | Self::INDEX_ROOT_SIGNATURE => Ok(4),
            // `_CM_KEY_FAST_INDEX.List` is `CM_INDEX[]`, sizeof(CM_INDEX) == 8.
            Self::FAST_LEAF_SIGNATURE | Self::HASH_LEAF_SIGNATURE => Ok(8),
            _ => Err(WindowsError::CorruptedStruct("CM_KEY_INDEX.Signature").into()),
        }
    }
}