vmi-os-windows 0.7.0

Windows OS specific code for VMI
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93

mod control_area;
pub(crate) mod handle_table;
mod handle_table_entry;
pub(crate) mod hive;
mod image;
mod kprcb;
mod luid;
mod module;
mod name_info;
mod object;
mod object_attributes;
mod peb;
mod peb_ldr_data;
mod process_parameters;
mod region;
mod segment;
mod session;
mod sid;
mod teb;
mod trap_frame;
mod unloaded_driver;
mod user_module;
mod wow64;

pub use self::{
    control_area::WindowsControlArea,
    handle_table::WindowsHandleTable,
    handle_table_entry::WindowsHandleTableEntry,
    hive::{
        WindowsHive, WindowsHiveBaseBlock, WindowsHiveCellIndex, WindowsHiveMapDirectory,
        WindowsHiveMapEntry, WindowsHiveMapTable, WindowsHiveStorageType, WindowsKeyControlBlock,
        WindowsKeyIndex, WindowsKeyNode, WindowsKeyValue, WindowsKeyValueData,
        WindowsKeyValueFlags, WindowsKeyValueType,
    },
    image::WindowsImage,
    kprcb::WindowsKernelProcessorBlock,
    luid::WindowsLuid,
    module::WindowsModule,
    name_info::WindowsObjectHeaderNameInfo,
    object::{
        FromWindowsObject, ParseObjectTypeError, WindowsDirectoryObject, WindowsFileObject,
        WindowsImpersonationLevel, WindowsObject, WindowsObjectType, WindowsObjectTypeKind,
        WindowsPrivilege, WindowsProcess, WindowsSectionObject, WindowsThread, WindowsThreadState,
        WindowsThreadWaitReason, WindowsToken, WindowsTokenFlags, WindowsTokenPrivilege,
        WindowsTokenSource, WindowsTokenType,
    },
    object_attributes::WindowsObjectAttributes,
    peb::{Peb, PebLayout, WindowsPeb, WindowsPebBase},
    peb_ldr_data::{
        LdrDataTableEntry, LdrDataTableEntryLayout, PebLdrData, PebLdrDataLayout,
        WindowsPebLdrData, WindowsPebLdrDataBase,
    },
    process_parameters::{
        CurDir, CurDirLayout, RtlUserProcessParameters, RtlUserProcessParametersLayout,
        WindowsProcessParameters, WindowsProcessParametersBase,
    },
    region::WindowsRegion,
    segment::WindowsSegment,
    session::WindowsSession,
    sid::{WindowsSid, WindowsSidAndAttributes, WindowsSidAttributes},
    teb::{Teb, TebLayout, WindowsTeb, WindowsTebBase},
    trap_frame::WindowsTrapFrame,
    unloaded_driver::WindowsUnloadedDriver,
    user_module::{WindowsUserModule, WindowsUserModuleBase},
    wow64::{
        WOW64_TLS_APCLIST, WOW64_TLS_CPURESERVED, WOW64_TLS_FILESYSREDIR, WOW64_TLS_TEMPLIST,
        WOW64_TLS_USERCALLBACKDATA, WOW64_TLS_WOW64INFO, WindowsWow64Kind,
    },
};

/// A Windows processor mode.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum WindowsProcessorMode {
    /// Request originated from kernel-mode code.
    KernelMode,

    /// Request originated from user-mode code.
    UserMode,
}

impl From<u8> for WindowsProcessorMode {
    fn from(value: u8) -> Self {
        match value {
            0 => Self::KernelMode,
            1 => Self::UserMode,
            _ => {
                // Assume any non-0 value is user mode.
                tracing::warn!(value, "unknown processor mode value");
                Self::UserMode
            }
        }
    }
}